Edit tour

Windows Analysis Report
EXQuAzl4Xn.exe

Overview

General Information

Sample name:	EXQuAzl4Xn.exe renamed because original name is a hash value
Original sample name:	11af773b372806835267a611ab1ec6ba.exe
Analysis ID:	1557307
MD5:	11af773b372806835267a611ab1ec6ba
SHA1:	821e0ceefd1e789671b1d6c69c89187cdff1c077
SHA256:	9ee4e1e0703b2bcd5e827daa1ae9495abab382f7d577c7854f2a528712d19198
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

EXQuAzl4Xn.exe (PID: 5820 cmdline: "C:\Users\user\Desktop\EXQuAzl4Xn.exe" MD5: 11AF773B372806835267A611AB1EC6BA)

powershell.exe (PID: 5336 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EXQuAzl4Xn.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7496 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 5660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2016 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp111.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7344 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wBfGlYCdeX.exe (PID: 7396 cmdline: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe MD5: 11AF773B372806835267A611AB1EC6BA)

schtasks.exe (PID: 7704 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp261D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7752 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.241.208.193:1912"], "Bot Id": "Malwi", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1784943666.0000000003E48000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000002.2092501118.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.2040051369.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000002.1874726277.0000000003B18000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1784943666.0000000003B91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000002.2092501118.000000000334A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EXQuAzl4Xn.exe PID: 5820	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: EXQuAzl4Xn.exe PID: 5820	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7344	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: wBfGlYCdeX.exe PID: 7396	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: wBfGlYCdeX.exe PID: 7396	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7752	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7752	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.EXQuAzl4Xn.exe.3c7c270.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.EXQuAzl4Xn.exe.3c7c270.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.EXQuAzl4Xn.exe.3c31050.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.EXQuAzl4Xn.exe.3c31050.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EXQuAzl4Xn.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EXQuAzl4Xn.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EXQuAzl4Xn.exe", ParentImage: C:\Users\user\Desktop\EXQuAzl4Xn.exe, ParentProcessId: 5820, ParentProcessName: EXQuAzl4Xn.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EXQuAzl4Xn.exe", ProcessId: 5336, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp261D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp261D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe, ParentImage: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe, ParentProcessId: 7396, ParentProcessName: wBfGlYCdeX.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp261D.tmp", ProcessId: 7704, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp111.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp111.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EXQuAzl4Xn.exe", ParentImage: C:\Users\user\Desktop\EXQuAzl4Xn.exe, ParentProcessId: 5820, ParentProcessName: EXQuAzl4Xn.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp111.tmp", ProcessId: 2016, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EXQuAzl4Xn.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EXQuAzl4Xn.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EXQuAzl4Xn.exe", ParentImage: C:\Users\user\Desktop\EXQuAzl4Xn.exe, ParentProcessId: 5820, ParentProcessName: EXQuAzl4Xn.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EXQuAzl4Xn.exe", ProcessId: 5336, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp111.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp111.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EXQuAzl4Xn.exe", ParentImage: C:\Users\user\Desktop\EXQuAzl4Xn.exe, ParentProcessId: 5820, ParentProcessName: EXQuAzl4Xn.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp111.tmp", ProcessId: 2016, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Redline Stealer TCP CnC - Id1Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T02:07:15.278942+0100	2043234	1	A Network Trojan was detected	185.241.208.193	1912	192.168.2.4	49737	TCP
2024-11-18T02:07:19.422741+0100	2043234	1	A Network Trojan was detected	185.241.208.193	1912	192.168.2.4	49742	TCP

ET MALWARE Redline Stealer TCP CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T02:07:15.014593+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49737	185.241.208.193	1912	TCP
2024-11-18T02:07:19.160506+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49742	185.241.208.193	1912	TCP
2024-11-18T02:07:20.333080+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49737	185.241.208.193	1912	TCP
2024-11-18T02:07:24.459598+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49742	185.241.208.193	1912	TCP
2024-11-18T02:07:34.966017+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49737	185.241.208.193	1912	TCP
2024-11-18T02:07:35.465220+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49737	185.241.208.193	1912	TCP
2024-11-18T02:07:40.649918+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49742	185.241.208.193	1912	TCP
2024-11-18T02:07:41.009159+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49742	185.241.208.193	1912	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T02:07:20.595693+0100	2046056	1	A Network Trojan was detected	185.241.208.193	1912	192.168.2.4	49737	TCP
2024-11-18T02:07:25.838477+0100	2046056	1	A Network Trojan was detected	185.241.208.193	1912	192.168.2.4	49742	TCP

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T02:07:15.014593+0100	2046045	1	A Network Trojan was detected	192.168.2.4	49737	185.241.208.193	1912	TCP
2024-11-18T02:07:19.160506+0100	2046045	1	A Network Trojan was detected	192.168.2.4	49742	185.241.208.193	1912	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1784943666.0000000003E48000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: RedLine {"C2 url": ["185.241.208.193:1912"], "Bot Id": "Malwi", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: EXQuAzl4Xn.exe	ReversingLabs: Detection: 65%
Source: EXQuAzl4Xn.exe	Virustotal: Detection: 53%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: EXQuAzl4Xn.exe

Joe Sandbox ML: detected

Source: EXQuAzl4Xn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: EXQuAzl4Xn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: aosl.pdb source: EXQuAzl4Xn.exe, wBfGlYCdeX.exe.0.dr
Source:	Binary string: aosl.pdbSHA256 source: EXQuAzl4Xn.exe, wBfGlYCdeX.exe.0.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0728B628h	8_2_0728B130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 07288387h	8_2_07287C28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_07286BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 07288C9Ch	8_2_072889D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 07285A35h	8_2_07285A14

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49742 -> 185.241.208.193:1912
Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49742 -> 185.241.208.193:1912
Source: Network traffic	Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 185.241.208.193:1912 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49737 -> 185.241.208.193:1912
Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49737 -> 185.241.208.193:1912
Source: Network traffic	Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 185.241.208.193:1912 -> 192.168.2.4:49737
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.241.208.193:1912 -> 192.168.2.4:49737
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.241.208.193:1912 -> 192.168.2.4:49742

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.241.208.193:1912

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 185.241.208.193:1912

Source: Joe Sandbox View

ASN Name: GBTCLOUDUS GBTCLOUDUS

Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193
Source: unknown	TCP traffic detected without corresponding DNS query: 185.241.208.193

Source: EXQuAzl4Xn.exe, wBfGlYCdeX.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: EXQuAzl4Xn.exe, wBfGlYCdeX.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: EXQuAzl4Xn.exe, wBfGlYCdeX.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000008.00000002.2041734469.000000000194E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: EXQuAzl4Xn.exe, 00000000.00000002.1782287769.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, wBfGlYCdeX.exe, 00000009.00000002.1872834612.00000000028DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030BA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003280000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.0000000003280000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003280000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, EXQuAzl4Xn.exe, 00000000.00000002.1787542432.00000000056A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, EXQuAzl4Xn.exe, 00000000.00000002.1787654998.00000000056E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003756000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.0000000004407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.00000000045E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: EXQuAzl4Xn.exe, 00000000.00000002.1784943666.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, EXQuAzl4Xn.exe, 00000000.00000002.1784943666.0000000003B91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2040051369.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, wBfGlYCdeX.exe, 00000009.00000002.1874726277.0000000003B18000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003756000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.0000000004407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.00000000045E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003756000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.0000000004407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.00000000045E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003756000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.0000000004407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.00000000045E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003756000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.0000000004407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.00000000045E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003756000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.0000000004407000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.00000000045E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003756000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.0000000004407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.00000000045E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: EXQuAzl4Xn.exe, wBfGlYCdeX.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003756000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.0000000004407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.00000000045E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003756000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.0000000004407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.00000000045E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Code function: 0_2_01014204	0_2_01014204
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Code function: 0_2_01016F90	0_2_01016F90
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Code function: 0_2_0101DF14	0_2_0101DF14
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Code function: 0_2_051B0006	0_2_051B0006
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Code function: 0_2_051B0040	0_2_051B0040
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Code function: 0_2_0749DC40	0_2_0749DC40
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Code function: 0_2_07496768	0_2_07496768
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Code function: 0_2_07498267	0_2_07498267
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Code function: 0_2_07498278	0_2_07498278
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Code function: 0_2_07496FC9	0_2_07496FC9
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Code function: 0_2_07496FD8	0_2_07496FD8
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Code function: 0_2_07498C28	0_2_07498C28
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Code function: 0_2_07496B90	0_2_07496B90
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Code function: 0_2_07496BA0	0_2_07496BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02FADC74	8_2_02FADC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_07286370	8_2_07286370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_07287258	8_2_07287258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0728B130	8_2_0728B130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_07288F20	8_2_07288F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0728DE08	8_2_0728DE08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_07284D68	8_2_07284D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_07287C28	8_2_07287C28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0728CCC0	8_2_0728CCC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_07286BE0	8_2_07286BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_07285AC8	8_2_07285AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_072899A0	8_2_072899A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_07281F48	8_2_07281F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_07286BD0	8_2_07286BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_07285AB8	8_2_07285AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_072838B0	8_2_072838B0
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_02824204	9_2_02824204
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_02826F90	9_2_02826F90
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_0282DF14	9_2_0282DF14
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_081D3878	9_2_081D3878
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_081D386A	9_2_081D386A
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_083E9270	9_2_083E9270
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_083ECAF0	9_2_083ECAF0
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_083ECAE0	9_2_083ECAE0
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_0879CEE0	9_2_0879CEE0
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_08796BA0	9_2_08796BA0
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_08796B90	9_2_08796B90
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_08798C28	9_2_08798C28
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_08796FD8	9_2_08796FD8
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_08798278	9_2_08798278
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_08798267	9_2_08798267
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Code function: 9_2_08796768	9_2_08796768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_0145DC74	14_2_0145DC74

Source: EXQuAzl4Xn.exe

Static PE information: invalid certificate

Source: EXQuAzl4Xn.exe, 00000000.00000000.1671888269.00000000007B2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameaosl.exe: vs EXQuAzl4Xn.exe
Source: EXQuAzl4Xn.exe, 00000000.00000002.1788336389.00000000073B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs EXQuAzl4Xn.exe
Source: EXQuAzl4Xn.exe, 00000000.00000002.1784943666.0000000003E48000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs EXQuAzl4Xn.exe
Source: EXQuAzl4Xn.exe, 00000000.00000002.1788983482.0000000008F80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs EXQuAzl4Xn.exe
Source: EXQuAzl4Xn.exe, 00000000.00000002.1784943666.0000000003CDB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs EXQuAzl4Xn.exe
Source: EXQuAzl4Xn.exe, 00000000.00000002.1784943666.0000000003B91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs EXQuAzl4Xn.exe
Source: EXQuAzl4Xn.exe, 00000000.00000002.1788626353.0000000008A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs EXQuAzl4Xn.exe
Source: EXQuAzl4Xn.exe, 00000000.00000002.1781324099.000000000103E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs EXQuAzl4Xn.exe
Source: EXQuAzl4Xn.exe	Binary or memory string: OriginalFilenameaosl.exe: vs EXQuAzl4Xn.exe

Source: EXQuAzl4Xn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: EXQuAzl4Xn.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wBfGlYCdeX.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, a1kWBN4JYNwAqa3q2A.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, JgfibRpBWPBxdW0ddZ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, JgfibRpBWPBxdW0ddZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, JgfibRpBWPBxdW0ddZ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, a1kWBN4JYNwAqa3q2A.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, JgfibRpBWPBxdW0ddZ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, JgfibRpBWPBxdW0ddZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, JgfibRpBWPBxdW0ddZ.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/16@0/1

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe

File created: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5476:120:WilError_03
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Mutant created: \Sessions\1\BaseNamedObjects\pquYsqpToxeGCWixFAeLPJRj

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe

File created: C:\Users\user\AppData\Local\Temp\tmp111.tmp

Jump to behavior

Source: EXQuAzl4Xn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: EXQuAzl4Xn.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000008.00000002.2042109066.0000000003723000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.0000000003692000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.000000000366C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.0000000003684000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000036FD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.0000000003715000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: EXQuAzl4Xn.exe	ReversingLabs: Detection: 65%
Source: EXQuAzl4Xn.exe	Virustotal: Detection: 53%

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe

File read: C:\Users\user\Desktop\EXQuAzl4Xn.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\EXQuAzl4Xn.exe "C:\Users\user\Desktop\EXQuAzl4Xn.exe"
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EXQuAzl4Xn.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp111.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp261D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EXQuAzl4Xn.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp111.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp261D.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: EXQuAzl4Xn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: EXQuAzl4Xn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: EXQuAzl4Xn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: aosl.pdb source: EXQuAzl4Xn.exe, wBfGlYCdeX.exe.0.dr
Source:	Binary string: aosl.pdbSHA256 source: EXQuAzl4Xn.exe, wBfGlYCdeX.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: EXQuAzl4Xn.exe, frmMain.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: wBfGlYCdeX.exe.0.dr, frmMain.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, JgfibRpBWPBxdW0ddZ.cs	.Net Code: Ld3Gq1F8Ua System.Reflection.Assembly.Load(byte[])
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, JgfibRpBWPBxdW0ddZ.cs	.Net Code: Ld3Gq1F8Ua System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe

Code function: 0_2_07490198 push esp; retf

0_2_074901A5

Source: EXQuAzl4Xn.exe	Static PE information: section name: .text entropy: 7.750094835925298
Source: wBfGlYCdeX.exe.0.dr	Static PE information: section name: .text entropy: 7.750094835925298

Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, lYwhYvEoZbD7oXCsiQ.cs	High entropy of concatenated method names: 'AnR7xeukWu', 'FyX7X4Gjya', 'YD579aGfCl', 'BDJ7gsOwe2', 'mWG7ptEqmZ', 'DYZ9NEbVsA', 'R3W9Om0NAS', 'Q8e9ejItCV', 'HlO9F93wmq', 'Lhn9vU23qy'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, dNXaN3260jcCNCUhgM.cs	High entropy of concatenated method names: 'rAl34RFsHr', 'UkX3SjBAAv', 'FL23EbVV4P', 'XLF38Rp7mb', 'UXy3YqpcQc', 'CBM3LuLkai', 'dsX3uOJifG', 'dSY3QLDhvb', 'VyN3oiO06p', 'Xb73RkX7XM'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, k9D5o8SLjFMd4liLnM.cs	High entropy of concatenated method names: 'zofbBdUwDe', 'lK2bfeegZk', 'dwXb4Ik2h7', 'bXjbSSa5Ok', 'GXcbtpk5Ko', 'LvGbCFy9Cx', 'gtrbstTcNW', 'EdsbwdHKi6', 'W5qbZYOwv4', 'WkqbKDxl2Q'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, vmcHhnPW1RQoV4hlpYJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'K73KRANJwc', 'fTOKyFqpuq', 'DA8K2kTbHk', 'U8hKmhBjc9', 'ogQK6Ny7Og', 'K58KMPHEsP', 'XwbKim4jwQ'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, uj142cznwxcPZwqsbv.cs	High entropy of concatenated method names: 'uU2KfkKDLt', 'bnTK4OtwnZ', 'EFRKSwibnD', 'BtmKEdgtmr', 'wO7K8Qr9MV', 'VKnKYWIqqa', 'JifKLQbTd1', 'IpDKlvB0DM', 'BhGK1YlxAU', 'S6kK0XbYJI'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, t54yfFjA3cKgT8yvO2.cs	High entropy of concatenated method names: 'BXtKbYimTI', 'SYHK92wxK2', 'AsBK7d7mpx', 'hiIKglhDdu', 'xHkKZlfRZM', 'TLbKpn4XmW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, J2Xm47vktVWKrWdfvQ.cs	High entropy of concatenated method names: 'SKJZErpYJo', 'fSTZ8Ov2Yt', 'UDdZkoeh08', 'sabZYTDY9R', 'rNYZL3WO6p', 'sJlZAJTg6j', 'cNYZuy77c5', 'EOmZQcD1ZN', 'e1cZr29G8r', 'AXlZoCxOAF'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, KB0TYRuH6n2w8nvOil.cs	High entropy of concatenated method names: 'BrNgaGU2mj', 'amZgbAXT5A', 'takg7SxTtx', 'LC87jp5Wg8', 'y0h7zbKNAo', 'lbsgWVSMS9', 'M5ugPvSw0N', 'FofgDtXXRe', 'WqogcVWu16', 'qb5gGLgZRd'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, AOsTPrrvRkHs1L5HuJ.cs	High entropy of concatenated method names: 'myTg1Vvqix', 'at0g0nXZh4', 'IfWgqweYNV', 'LrFgB1JJ23', 'nWsgnsmovO', 'pJ1gfx6os2', 'hqagTmRDIb', 'kbGg42sqhg', 'NvugSuwuri', 'tVCgUyH2bn'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, V1yEphMXY4a7BLLqok.cs	High entropy of concatenated method names: 'ToString', 'kg5CRbPBRX', 'ydqC8o0pHv', 'FH3CkaUQnY', 'RvVCYRrmUg', 'R84CLhmUy6', 'PJPCA0ct0H', 'cbeCubjfwc', 'aB6CQO3vIK', 's7bCrLmmwh'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, JgfibRpBWPBxdW0ddZ.cs	High entropy of concatenated method names: 'pi7cxH375b', 'k8pcanU056', 'uwUcX3nww6', 'leccb3iguv', 'lGwc9eKe4c', 'drec7o2JSA', 'gFDcgL5aKj', 'tUUcpC552J', 'UFYc539uOT', 'OIJcItSlSs'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, DuT9fpGN0Vjdf2hjqh.cs	High entropy of concatenated method names: 'yDPPg1kWBN', 'tYNPpwAqa3', 'HLjPIFMd4l', 'TLnPHMoIg0', 'NLyPt6FIYw', 'wYvPCoZbD7', 'yfQUVCoEIT9768qdkS', 'QHPvBvYhI2rZ4wxeo1', 'OfwrHvkPpxptWmSTNM', 'WWxPPTOL5L'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, j7AwgMO2dEPQa9CCg5.cs	High entropy of concatenated method names: 'qbSsFitLxa', 'XWhsjE5GHs', 'nOTwWvirTl', 'eIwwPNdN1C', 'idosRjpTMh', 'TrMsy2a1fW', 'ge8s2Rue1s', 'SjOsmjgITj', 'Yols6Ae8gv', 'gBMsMYsjId'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, a1kWBN4JYNwAqa3q2A.cs	High entropy of concatenated method names: 'zQDXmueJiP', 'bvVX608q5B', 'omeXMl9brq', 'MpSXilGaaj', 'tV7XNFhu0X', 's66XOA6ZQK', 'WNrXewEOLF', 'eZVXFN5CJK', 'b9vXva8yaA', 'JMdXj4eseL'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, fFAuHEDVRt94ht4aZJ.cs	High entropy of concatenated method names: 'uIsqsWKbv', 'A8nBA0vCy', 'j0AfVT3fH', 'BTDT8N0bI', 'LVnSqhX2C', 'g2oUZCT6G', 'UHeFHLAt8Hrf27qsLI', 'r5TmUVwBEQPhIyhCpr', 'fafwLGpsj', 'aRyK6iHVt'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, CRKP16PDlDfB9Q20gCg.cs	High entropy of concatenated method names: 'ToString', 'bSmJ4atBVY', 'aSPJSe6LOH', 'UEwJULYSyL', 'VTZJEhx74f', 'pdsJ8WLFDc', 'AkxJkACfpu', 'AtsJY2DQcE', 'twZxAHj5D8Z6rg7c8vf', 'LpKoblj9JqXME5yFINW'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, sntQ5meIVQDLcpWBQq.cs	High entropy of concatenated method names: 'HsdZtCe0JD', 'IbKZsMbnO0', 'fuNZZX928f', 'IiZZJU4kM2', 'A9pZdoIVlk', 'onVZlryYOs', 'Dispose', 'D77wa9YGK8', 'aZKwXRY2fU', 'AmuwbL2Vsw'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, jy44Gvi9skZMg3yZAJ.cs	High entropy of concatenated method names: 'Q30sIGsxtG', 'nWKsHxem00', 'ToString', 'SvhsaSuqVN', 'OPksX34Zg8', 'TSksb6o55J', 'Yx6s9BXoIo', 'DrRs7mxRkQ', 'bH7sgeJQIl', 'P8rspIVfL8'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, H4jmMuPGdFFGEvfebAm.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'U8JVZ7gxIy', 'jTmVKhRIbh', 'cCUVJSjFfH', 'BOlVV6WNMp', 'z7JVdIAm8Y', 'zOpVh80LXg', 'X2lVlBOTEu'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, cCdyGhPPUmtrMeoaxfT.cs	High entropy of concatenated method names: 'c02KjoRTsh', 'W0nKzvV4lQ', 'rJAJWBGsV4', 'N3OJPyyUjl', 'R7EJDalQml', 'BWYJcTQ9GJ', 'a1bJGZxQ0E', 'RVJJxxxSRY', 'GcMJayeZoy', 'N9MJXo3F7c'
Source: 0.2.EXQuAzl4Xn.exe.3e76f90.0.raw.unpack, S1SfMoXjxGg6BluZM8.cs	High entropy of concatenated method names: 'Dispose', 'MDLPvcpWBQ', 'OcBD8vm43O', 'DoA1g3PmUw', 'z1uPjfPeYa', 'nvmPzcbrVV', 'ProcessDialogKey', 'xqLDW2Xm47', 'ItVDPWKrWd', 'BvQDDJ54yf'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, lYwhYvEoZbD7oXCsiQ.cs	High entropy of concatenated method names: 'AnR7xeukWu', 'FyX7X4Gjya', 'YD579aGfCl', 'BDJ7gsOwe2', 'mWG7ptEqmZ', 'DYZ9NEbVsA', 'R3W9Om0NAS', 'Q8e9ejItCV', 'HlO9F93wmq', 'Lhn9vU23qy'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, dNXaN3260jcCNCUhgM.cs	High entropy of concatenated method names: 'rAl34RFsHr', 'UkX3SjBAAv', 'FL23EbVV4P', 'XLF38Rp7mb', 'UXy3YqpcQc', 'CBM3LuLkai', 'dsX3uOJifG', 'dSY3QLDhvb', 'VyN3oiO06p', 'Xb73RkX7XM'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, k9D5o8SLjFMd4liLnM.cs	High entropy of concatenated method names: 'zofbBdUwDe', 'lK2bfeegZk', 'dwXb4Ik2h7', 'bXjbSSa5Ok', 'GXcbtpk5Ko', 'LvGbCFy9Cx', 'gtrbstTcNW', 'EdsbwdHKi6', 'W5qbZYOwv4', 'WkqbKDxl2Q'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, vmcHhnPW1RQoV4hlpYJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'K73KRANJwc', 'fTOKyFqpuq', 'DA8K2kTbHk', 'U8hKmhBjc9', 'ogQK6Ny7Og', 'K58KMPHEsP', 'XwbKim4jwQ'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, uj142cznwxcPZwqsbv.cs	High entropy of concatenated method names: 'uU2KfkKDLt', 'bnTK4OtwnZ', 'EFRKSwibnD', 'BtmKEdgtmr', 'wO7K8Qr9MV', 'VKnKYWIqqa', 'JifKLQbTd1', 'IpDKlvB0DM', 'BhGK1YlxAU', 'S6kK0XbYJI'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, t54yfFjA3cKgT8yvO2.cs	High entropy of concatenated method names: 'BXtKbYimTI', 'SYHK92wxK2', 'AsBK7d7mpx', 'hiIKglhDdu', 'xHkKZlfRZM', 'TLbKpn4XmW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, J2Xm47vktVWKrWdfvQ.cs	High entropy of concatenated method names: 'SKJZErpYJo', 'fSTZ8Ov2Yt', 'UDdZkoeh08', 'sabZYTDY9R', 'rNYZL3WO6p', 'sJlZAJTg6j', 'cNYZuy77c5', 'EOmZQcD1ZN', 'e1cZr29G8r', 'AXlZoCxOAF'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, KB0TYRuH6n2w8nvOil.cs	High entropy of concatenated method names: 'BrNgaGU2mj', 'amZgbAXT5A', 'takg7SxTtx', 'LC87jp5Wg8', 'y0h7zbKNAo', 'lbsgWVSMS9', 'M5ugPvSw0N', 'FofgDtXXRe', 'WqogcVWu16', 'qb5gGLgZRd'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, AOsTPrrvRkHs1L5HuJ.cs	High entropy of concatenated method names: 'myTg1Vvqix', 'at0g0nXZh4', 'IfWgqweYNV', 'LrFgB1JJ23', 'nWsgnsmovO', 'pJ1gfx6os2', 'hqagTmRDIb', 'kbGg42sqhg', 'NvugSuwuri', 'tVCgUyH2bn'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, V1yEphMXY4a7BLLqok.cs	High entropy of concatenated method names: 'ToString', 'kg5CRbPBRX', 'ydqC8o0pHv', 'FH3CkaUQnY', 'RvVCYRrmUg', 'R84CLhmUy6', 'PJPCA0ct0H', 'cbeCubjfwc', 'aB6CQO3vIK', 's7bCrLmmwh'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, JgfibRpBWPBxdW0ddZ.cs	High entropy of concatenated method names: 'pi7cxH375b', 'k8pcanU056', 'uwUcX3nww6', 'leccb3iguv', 'lGwc9eKe4c', 'drec7o2JSA', 'gFDcgL5aKj', 'tUUcpC552J', 'UFYc539uOT', 'OIJcItSlSs'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, DuT9fpGN0Vjdf2hjqh.cs	High entropy of concatenated method names: 'yDPPg1kWBN', 'tYNPpwAqa3', 'HLjPIFMd4l', 'TLnPHMoIg0', 'NLyPt6FIYw', 'wYvPCoZbD7', 'yfQUVCoEIT9768qdkS', 'QHPvBvYhI2rZ4wxeo1', 'OfwrHvkPpxptWmSTNM', 'WWxPPTOL5L'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, j7AwgMO2dEPQa9CCg5.cs	High entropy of concatenated method names: 'qbSsFitLxa', 'XWhsjE5GHs', 'nOTwWvirTl', 'eIwwPNdN1C', 'idosRjpTMh', 'TrMsy2a1fW', 'ge8s2Rue1s', 'SjOsmjgITj', 'Yols6Ae8gv', 'gBMsMYsjId'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, a1kWBN4JYNwAqa3q2A.cs	High entropy of concatenated method names: 'zQDXmueJiP', 'bvVX608q5B', 'omeXMl9brq', 'MpSXilGaaj', 'tV7XNFhu0X', 's66XOA6ZQK', 'WNrXewEOLF', 'eZVXFN5CJK', 'b9vXva8yaA', 'JMdXj4eseL'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, fFAuHEDVRt94ht4aZJ.cs	High entropy of concatenated method names: 'uIsqsWKbv', 'A8nBA0vCy', 'j0AfVT3fH', 'BTDT8N0bI', 'LVnSqhX2C', 'g2oUZCT6G', 'UHeFHLAt8Hrf27qsLI', 'r5TmUVwBEQPhIyhCpr', 'fafwLGpsj', 'aRyK6iHVt'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, CRKP16PDlDfB9Q20gCg.cs	High entropy of concatenated method names: 'ToString', 'bSmJ4atBVY', 'aSPJSe6LOH', 'UEwJULYSyL', 'VTZJEhx74f', 'pdsJ8WLFDc', 'AkxJkACfpu', 'AtsJY2DQcE', 'twZxAHj5D8Z6rg7c8vf', 'LpKoblj9JqXME5yFINW'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, sntQ5meIVQDLcpWBQq.cs	High entropy of concatenated method names: 'HsdZtCe0JD', 'IbKZsMbnO0', 'fuNZZX928f', 'IiZZJU4kM2', 'A9pZdoIVlk', 'onVZlryYOs', 'Dispose', 'D77wa9YGK8', 'aZKwXRY2fU', 'AmuwbL2Vsw'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, jy44Gvi9skZMg3yZAJ.cs	High entropy of concatenated method names: 'Q30sIGsxtG', 'nWKsHxem00', 'ToString', 'SvhsaSuqVN', 'OPksX34Zg8', 'TSksb6o55J', 'Yx6s9BXoIo', 'DrRs7mxRkQ', 'bH7sgeJQIl', 'P8rspIVfL8'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, H4jmMuPGdFFGEvfebAm.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'U8JVZ7gxIy', 'jTmVKhRIbh', 'cCUVJSjFfH', 'BOlVV6WNMp', 'z7JVdIAm8Y', 'zOpVh80LXg', 'X2lVlBOTEu'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, cCdyGhPPUmtrMeoaxfT.cs	High entropy of concatenated method names: 'c02KjoRTsh', 'W0nKzvV4lQ', 'rJAJWBGsV4', 'N3OJPyyUjl', 'R7EJDalQml', 'BWYJcTQ9GJ', 'a1bJGZxQ0E', 'RVJJxxxSRY', 'GcMJayeZoy', 'N9MJXo3F7c'
Source: 0.2.EXQuAzl4Xn.exe.8f80000.4.raw.unpack, S1SfMoXjxGg6BluZM8.cs	High entropy of concatenated method names: 'Dispose', 'MDLPvcpWBQ', 'OcBD8vm43O', 'DoA1g3PmUw', 'z1uPjfPeYa', 'nvmPzcbrVV', 'ProcessDialogKey', 'xqLDW2Xm47', 'ItVDPWKrWd', 'BvQDDJ54yf'

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe

File created: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp111.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: EXQuAzl4Xn.exe PID: 5820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wBfGlYCdeX.exe PID: 7396, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Memory allocated: 1010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Memory allocated: 2B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Memory allocated: 4B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Memory allocated: 9110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Memory allocated: A110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Memory allocated: A330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Memory allocated: B330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Memory allocated: 88F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Memory allocated: 98F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Memory allocated: 9AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Memory allocated: AAF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5686	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5020	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2758	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7082	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2221
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7591

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe TID: 7144	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7404	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7428	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe TID: 7488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: RegSvcs.exe, 0000000E.00000002.2102638418.0000000005A80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: RegSvcs.exe, 00000008.00000002.2054927420.0000000006427000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_072899A0 LdrInitializeThunk,

8_2_072899A0

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EXQuAzl4Xn.exe"
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe"
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EXQuAzl4Xn.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 432000	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 450000	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11EB008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 432000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 450000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EB7008	Jump to behavior

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EXQuAzl4Xn.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp111.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp261D.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Users\user\Desktop\EXQuAzl4Xn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Queries volume information: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\EXQuAzl4Xn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegSvcs.exe, 00000008.00000002.2040747509.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2058437900.0000000006487000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.EXQuAzl4Xn.exe.3c7c270.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EXQuAzl4Xn.exe.3c7c270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EXQuAzl4Xn.exe.3c31050.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EXQuAzl4Xn.exe.3c31050.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1784943666.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2092501118.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2040051369.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1874726277.0000000003B18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1784943666.0000000003B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EXQuAzl4Xn.exe PID: 5820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wBfGlYCdeX.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7752, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumE#
Source: RegSvcs.exe, 0000000E.00000002.2092501118.000000000334A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: JaxxE#
Source: RegSvcs.exe, 0000000E.00000002.2092501118.000000000334A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.walletLR^q
Source: RegSvcs.exe, 0000000E.00000002.2092501118.000000000334A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum\walletsLR^qH
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusE#
Source: RegSvcs.exe, 0000000E.00000002.2092501118.000000000334A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q%appdata%`,^qdC:\Users\user\AppData\Roaming`,^qdC:\Users\user\AppData\Roaming\Binance
Source: RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: RegSvcs.exe, 0000000E.00000002.2092501118.000000000334A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q&%localappdata%\Coinomi\Coinomi\walletsLR^q
Source: RegSvcs.exe, 0000000E.00000002.2092501118.000000000334A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Source: Yara match	File source: 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2092501118.000000000334A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7752, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.EXQuAzl4Xn.exe.3c7c270.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EXQuAzl4Xn.exe.3c7c270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EXQuAzl4Xn.exe.3c31050.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EXQuAzl4Xn.exe.3c31050.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1784943666.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2092501118.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2040051369.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1874726277.0000000003B18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1784943666.0000000003B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EXQuAzl4Xn.exe PID: 5820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wBfGlYCdeX.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7752, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 Scheduled Task/Job	311 Process Injection	1 Masquerading	1 OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EXQuAzl4Xn.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
EXQuAzl4Xn.exe	53%	Virustotal		Browse
EXQuAzl4Xn.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno

Name	Source	Malicious	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000008.00000002.2042109066.0000000003756000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.0000000004407000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000008.00000002.2042109066.0000000003756000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.0000000004407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.00000000045E8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id23ResponseD	RegSvcs.exe, 00000008.00000002.2042109066.0000000003280000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id12Response	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id2Response	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id21Response	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id9	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id8	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id5	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id4	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id7	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://purl.oen	RegSvcs.exe, 00000008.00000002.2041734469.000000000194E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id6	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id19Response	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id15Response	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	EXQuAzl4Xn.exe, 00000000.00000002.1782287769.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, wBfGlYCdeX.exe, 00000009.00000002.1872834612.00000000028DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id6Response	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ip.sb/ip	EXQuAzl4Xn.exe, 00000000.00000002.1784943666.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, EXQuAzl4Xn.exe, 00000000.00000002.1784943666.0000000003B91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2040051369.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, wBfGlYCdeX.exe, 00000009.00000002.1874726277.0000000003B18000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/sc	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id1ResponseD	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id9Response	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000008.00000002.2042109066.0000000003756000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.0000000004407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.00000000045E8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id20	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id21	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id22	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id23	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id24	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id24Response	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000008.00000002.2042109066.0000000003756000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.0000000004407000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2042109066.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2047796617.00000000045E8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id1Response	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id10	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id11	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id12	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id16Response	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id13	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id14	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id15	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id16	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id17	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id18	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id5Response	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id19	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id10Response	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id8Response	RegSvcs.exe, 00000008.00000002.2042109066.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2092501118.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	RegSvcs.exe, 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	EXQuAzl4Xn.exe, 00000000.00000002.1787702463.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.241.208.193	unknown	Moldova Republic of		26636	GBTCLOUDUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557307
Start date and time:	2024-11-18 02:06:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EXQuAzl4Xn.exe renamed because original name is a hash value
Original Sample Name:	11af773b372806835267a611ab1ec6ba.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/16@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 359 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:07:07	Task Scheduler	Run new task: wBfGlYCdeX path: C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe
20:06:59	API Interceptor	2x Sleep call for process: EXQuAzl4Xn.exe modified
20:07:07	API Interceptor	35x Sleep call for process: powershell.exe modified
20:07:10	API Interceptor	2x Sleep call for process: wBfGlYCdeX.exe modified
20:07:20	API Interceptor	181x Sleep call for process: RegSvcs.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GBTCLOUDUS	shindeVi686.elf	Get hash	malicious	Unknown	Browse	37.221.92.199
	shindeVx86.elf	Get hash	malicious	Unknown	Browse	37.221.92.199
	shindeVm68k.elf	Get hash	malicious	Unknown	Browse	37.221.92.199
	Payload 94.75 (4).225.exe	Get hash	malicious	Kronos, Strela Stealer	Browse	45.94.31.29
	Payload 94.75.225.exe	Get hash	malicious	Unknown	Browse	185.241.208.71
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	37.221.93.101
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	37.221.93.101
	boatnet.arm6.elf	Get hash	malicious	Mirai	Browse	37.221.93.101
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	37.221.93.101
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	37.221.93.101

Process:	C:\Users\user\Desktop\EXQuAzl4Xn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
MD5:	E193AFF55D4BDD9951CB4287A7D79653
SHA1:	F94AD920B9E0EB43B5005D74552AB84EAA38E985
SHA-256:	08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
SHA-512:	86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3094
Entropy (8bit):	5.33145931749415
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5:	3FD5C0634443FB2EF2796B9636159CB6
SHA1:	366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
SHA-256:	58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
SHA-512:	8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wBfGlYCdeX.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
MD5:	E193AFF55D4BDD9951CB4287A7D79653
SHA1:	F94AD920B9E0EB43B5005D74552AB84EAA38E985
SHA-256:	08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
SHA-512:	86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379540626579189
Encrypted:	false
SSDEEP:	48:BWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeoPUyus:BLHxvIIwLgZ2KRHWLOugYs
MD5:	D820FBAEB0059724A3DA5EBC410E2293
SHA1:	E6B18135CA7D8044A602C0C71915AC199532A3E4
SHA-256:	185776767CA6717DDB000C5A6E7C98D088E73BF8902BEBA350C08656EC7168F1
SHA-512:	6ED3A96EC38688D7FB1CAF4018D21BA6F6B0B434DA600A0EE7034B70CBCB72DF1ECA7E0C9D04F9334CAA754F32CDAC40B50552756A03D895115DF8106E3B243F
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0gtkvzgy.j4e.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3eynj31f.0ss.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4saod3lc.5l4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a2du2e1r.jke.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_flyoyk5k.dn4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huh5sfd4.3re.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wfqnqds2.ymu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xblckosf.u3t.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp111.tmp

Download File

Process:	C:\Users\user\Desktop\EXQuAzl4Xn.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.115938111549319
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta2xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTbv
MD5:	9D25D98CCEEE50E64F1380468EB60D93
SHA1:	92DE21D0ED8800B045A6DF138D1A072AD591F079
SHA-256:	3FE8BB43FB29EC7AF167E8E0C3A26D4A195639156ECC9A0D4185AFAAFAA60A67
SHA-512:	65B8148E16C3CD730944DE3DEF7D5ADFF496D5E95F93A706BD6CB6A72420FBAFA841545B5D1AAB6DDFD7F0AF64CC71E2CB2888541B73082BE60D943180E8EC65
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp261D.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.115938111549319
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta2xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTbv
MD5:	9D25D98CCEEE50E64F1380468EB60D93
SHA1:	92DE21D0ED8800B045A6DF138D1A072AD591F079
SHA-256:	3FE8BB43FB29EC7AF167E8E0C3A26D4A195639156ECC9A0D4185AFAAFAA60A67
SHA-512:	65B8148E16C3CD730944DE3DEF7D5ADFF496D5E95F93A706BD6CB6A72420FBAFA841545B5D1AAB6DDFD7F0AF64CC71E2CB2888541B73082BE60D943180E8EC65
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe

Download File

Process:	C:\Users\user\Desktop\EXQuAzl4Xn.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	832520
Entropy (8bit):	7.743934333008164
Encrypted:	false
SSDEEP:	24576:Ab2CJV/5sFfoaZ251l7eATcl7ij+B0DFcbgMPxD:ix5KZk1l7TTci2J
MD5:	11AF773B372806835267A611AB1EC6BA
SHA1:	821E0CEEFD1E789671B1D6C69C89187CDFF1C077
SHA-256:	9EE4E1E0703B2BCD5E827DAA1AE9495ABAB382F7D577C7854F2A528712D19198
SHA-512:	9D4A25F76F283806A6BB3006C78348D28E9B02A6886A90A12602DAAD5E084D27EE6D201DE3A16BB43C545E8F9703FCDF1C7F177111A116F9D4A285796FA2F77B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5g..............0..r..........J.... ........@.. ....................................@.....................................O.......0............~...6...........T..T............................................ ............... ..H............text...Pq... ...r.................. ..`.rsrc...0............t..............@..@.reloc...............\|..............@..B................+.......H.......................................................................^..}.....(.......(.....&..(........0..+.........,..{.......+....,...{....o........(.....*..0............s....}.....s....}.....s....}.....s....}.....{....o......(......{.....o......{......s....o .....{....r...po!.....{.....\|.ss"...o#.....{.....o$.....{.....o%.....{......o&.....{.....o'.....{...... ....s....o .....{....r...po!.....{.... .....Ms"...o#.....{.....o(.....{....r3..po).....{.......vs....o .....

C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\EXQuAzl4Xn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.743934333008164
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	EXQuAzl4Xn.exe
File size:	832'520 bytes
MD5:	11af773b372806835267a611ab1ec6ba
SHA1:	821e0ceefd1e789671b1d6c69c89187cdff1c077
SHA256:	9ee4e1e0703b2bcd5e827daa1ae9495abab382f7d577c7854f2a528712d19198
SHA512:	9d4a25f76f283806a6bb3006c78348d28e9b02a6886a90a12602daad5e084d27ee6d201de3a16bb43c545e8f9703fcdf1c7f177111a116f9d4a285796fa2f77b
SSDEEP:	24576:Ab2CJV/5sFfoaZ251l7eATcl7ij+B0DFcbgMPxD:ix5KZk1l7TTci2J
TLSH:	A405F04067B8AB26E9BA4BF41072D2304775BD9EA424C30E8EE5ACCF3C25F459E54B53
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5g..............0..r..........J.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4c914a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6735C4ED [Thu Nov 14 09:37:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc90f7	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xca000	0x630	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc7e00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc54b0	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc7150	0xc7200	1d265e4d7c28e4804ed1d18d53801033	False	0.8724326153483992	data	7.750094835925298	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xca000	0x630	0x800	97d49ec2e524b4f7f564930c7ea5685d	False	0.3359375	data	3.4763078303020754	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xcc000	0xc	0x200	324206ebe977cd10bde8e91691b3f1e8	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xca090	0x3a0	data			0.41594827586206895
RT_MANIFEST	0xca440	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-18T02:07:15.014593+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49737	185.241.208.193	1912	TCP
2024-11-18T02:07:15.014593+0100	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	1	192.168.2.4	49737	185.241.208.193	1912	TCP
2024-11-18T02:07:15.278942+0100	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	1	185.241.208.193	1912	192.168.2.4	49737	TCP
2024-11-18T02:07:19.160506+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49742	185.241.208.193	1912	TCP
2024-11-18T02:07:19.160506+0100	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	1	192.168.2.4	49742	185.241.208.193	1912	TCP
2024-11-18T02:07:19.422741+0100	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	1	185.241.208.193	1912	192.168.2.4	49742	TCP
2024-11-18T02:07:20.333080+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49737	185.241.208.193	1912	TCP
2024-11-18T02:07:20.595693+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	185.241.208.193	1912	192.168.2.4	49737	TCP
2024-11-18T02:07:24.459598+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49742	185.241.208.193	1912	TCP
2024-11-18T02:07:25.838477+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	185.241.208.193	1912	192.168.2.4	49742	TCP
2024-11-18T02:07:34.966017+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49737	185.241.208.193	1912	TCP
2024-11-18T02:07:35.465220+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49737	185.241.208.193	1912	TCP
2024-11-18T02:07:40.649918+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49742	185.241.208.193	1912	TCP
2024-11-18T02:07:41.009159+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49742	185.241.208.193	1912	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 02:07:09.963999033 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:09.969422102 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:09.969527006 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:09.978786945 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:09.983815908 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:14.974879980 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:15.014592886 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:15.020050049 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:15.278942108 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:15.328406096 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:18.248106003 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:18.253175974 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:18.253262043 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:18.262284040 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:18.267191887 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:19.127880096 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:19.160506010 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:19.166002989 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:19.422740936 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:19.469122887 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:20.333080053 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:20.338186026 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:20.595482111 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:20.595532894 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:20.595571995 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:20.595593929 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:20.595611095 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:20.595650911 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:20.595664024 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:20.595693111 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:20.595794916 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.019619942 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.024858952 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.024924040 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.024928093 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.024955034 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.024983883 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.024992943 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.025024891 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.025038004 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.025049925 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.025067091 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.025099993 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.025115967 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.025125027 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.025146961 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.025171995 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.025175095 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.025212049 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.025213003 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.025242090 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.025274992 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.030282974 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.030319929 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.030349016 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.030350924 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.030378103 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.030402899 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.030484915 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.030514002 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.030539989 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.030549049 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.030571938 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.030580997 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.030605078 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.030615091 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.030651093 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.030684948 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.030963898 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.030992985 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.031023979 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.031044006 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.031052113 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.031074047 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.031111956 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.031135082 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.035593987 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.035669088 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.035763025 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.035876036 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.036097050 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036125898 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036158085 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.036178112 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036187887 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.036210060 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036235094 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.036261082 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036267042 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.036289930 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036314964 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.036319017 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036341906 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.036346912 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036375046 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036468983 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.036730051 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036783934 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036791086 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.036812067 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036842108 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.036868095 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036870003 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.036897898 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036920071 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.036946058 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.036951065 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.036981106 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.037002087 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.037008047 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.037040949 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.037043095 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.037064075 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.037070036 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.037094116 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.037097931 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.037128925 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.037152052 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.040982008 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.041011095 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.041038990 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.041042089 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.041079044 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.041095972 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.041630983 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.041660070 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.041688919 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.041690111 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.041718006 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.041718960 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.041748047 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.041754961 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.041785002 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.041799068 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.041805983 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.041827917 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.041851044 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.041856050 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.041882992 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.041906118 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.042273998 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042303085 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042330980 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.042381048 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042408943 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042462111 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042490959 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042541027 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042567968 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042619944 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042648077 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042675018 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042704105 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042756081 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042783976 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042812109 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042840004 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042891026 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042917967 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042944908 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.042972088 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043020964 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043047905 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043075085 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043101072 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043129921 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043180943 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043207884 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043260098 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043287992 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043359995 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043387890 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043440104 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043468952 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043504953 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.043518066 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043546915 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043576002 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043584108 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.043605089 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043654919 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043682098 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043709040 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043736935 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043788910 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043817043 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043843985 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043872118 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043900967 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043951988 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.043978930 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.044006109 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.044033051 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.044059992 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.044087887 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.044115067 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.044150114 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.044179916 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.044205904 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.047660112 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.048173904 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.048207045 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.048234940 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.048285961 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.048314095 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.048763037 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.048790932 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.048844099 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.048871040 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.048897982 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.048950911 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.048978090 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.049005985 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.049032927 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.049060106 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.049087048 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.049140930 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.049168110 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.049195051 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.049222946 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.049249887 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.050976992 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.051004887 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.051032066 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.051059961 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.051110029 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.051126003 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.051237106 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.051321030 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.052041054 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052072048 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052083969 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052095890 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052109003 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052133083 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052145958 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052167892 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052181005 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052202940 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052215099 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052289009 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052301884 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052350044 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052361965 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052377939 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052429914 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052443027 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052468061 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052479982 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052493095 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052515984 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052529097 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052541018 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052553892 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052581072 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052592993 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052604914 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052860975 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052930117 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052942038 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052958012 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052970886 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.052994013 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053047895 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053060055 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053105116 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053134918 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053148985 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053159952 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053188086 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053201914 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053214073 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053225994 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053239107 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053251028 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053276062 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053287983 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.053299904 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058196068 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058208942 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058221102 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058233023 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058263063 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058274984 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058285952 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058299065 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058314085 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058326960 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058351994 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058365107 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058376074 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058387995 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058412075 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058423996 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058454990 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058468103 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058492899 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058506012 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058521986 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058535099 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058558941 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058572054 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058594942 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058608055 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058643103 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.058660984 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058674097 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058686972 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058700085 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058722973 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058736086 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058747053 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.058775902 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058789015 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058800936 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058814049 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058839083 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058851957 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058864117 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058877945 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058902979 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058916092 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058950901 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.058964014 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.059000969 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.059036970 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.059061050 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.059075117 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.059097052 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.059109926 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.059171915 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.059185028 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.059200048 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066150904 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066164017 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066193104 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066245079 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066272020 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066284895 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066309929 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066338062 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066363096 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066375971 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066390991 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066416979 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066417933 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.066495895 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066528082 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066538095 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.066541910 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066555023 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066569090 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066582918 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066620111 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066632986 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066644907 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066679955 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066694021 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066718102 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066731930 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066745043 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066770077 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066782951 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066797018 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066821098 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066833973 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066845894 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066859007 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066874981 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066888094 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066921949 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066934109 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066946030 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.066957951 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.067939043 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.068001986 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.068015099 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.068027973 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.068052053 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.068064928 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.068078041 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.068101883 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.068114042 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.068125963 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.068139076 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.068165064 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.068176985 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.068188906 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.072475910 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.072899103 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.073004007 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.073023081 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073038101 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073074102 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073091030 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073124886 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073203087 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073266029 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073319912 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073332071 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073368073 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073383093 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073447943 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073477030 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073527098 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073554993 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073582888 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073611021 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073642969 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073702097 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073729992 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073757887 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073786020 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073812962 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073839903 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073868036 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073894978 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.073921919 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074021101 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074065924 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074110031 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074137926 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074171066 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074198008 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074224949 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074251890 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074280024 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074306011 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074333906 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074384928 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074412107 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074439049 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074465990 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074493885 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074521065 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074548006 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074582100 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074611902 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074640036 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074666977 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074693918 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074721098 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.074748993 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078028917 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078129053 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078156948 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078185081 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078237057 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078264952 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078285933 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.078327894 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078344107 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.078356981 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078419924 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078447104 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078480005 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078505993 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078532934 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078560114 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078588009 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.078614950 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.079762936 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.080317974 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.080346107 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.080380917 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.080441952 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.080493927 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.080522060 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.080583096 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.080617905 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.080643892 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.121218920 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.121537924 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.121692896 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.121692896 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.121798038 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.144664049 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.144825935 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:22.149907112 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:22.168514013 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:24.459598064 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:24.464728117 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:24.718532085 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:24.718581915 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:24.718621016 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:24.718656063 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:24.718691111 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:24.718727112 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:24.718801975 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:24.718802929 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:24.718802929 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.833044052 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.838476896 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.838517904 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.838551044 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.838574886 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.838587046 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.838607073 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.838638067 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.838637114 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.838668108 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.838695049 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.838696003 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.838721991 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.838746071 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.838757992 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.838799000 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.838799953 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.838830948 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.838855028 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.838882923 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.844043970 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.844086885 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.844137907 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.844172955 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.844197989 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.844228029 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.844264030 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.844266891 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.844295025 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.844326019 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.844353914 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.844361067 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.844415903 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.844444990 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.844475031 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.844480038 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.844502926 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.844515085 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.844553947 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.844573021 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.844583988 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.844639063 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.849798918 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.849869967 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.849898100 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.849953890 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.849956989 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.849984884 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850011110 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.850052118 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.850080013 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850132942 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.850258112 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850317955 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.850356102 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850389957 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850410938 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.850440979 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.850519896 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850579023 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.850610971 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850646019 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850661039 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.850693941 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.850699902 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850755930 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850756884 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.850785017 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850835085 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850862026 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850891113 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850944996 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.850971937 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.851025105 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.851051092 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.851078987 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.851104975 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.851138115 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.851186991 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.851255894 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.851284027 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.851341963 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.851635933 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.854867935 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.854931116 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.855031967 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855063915 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855112076 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.855124950 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855155945 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855184078 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.855211973 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.855216980 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855247974 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855278015 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855297089 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.855305910 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855350018 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.855360985 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855379105 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.855402946 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.855417013 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855447054 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855475903 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855503082 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855530024 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855557919 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855587006 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855638027 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855665922 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855693102 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855720043 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855746031 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.855964899 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856132030 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856199026 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856226921 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856280088 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856307983 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856375933 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856434107 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856487036 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856513977 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856566906 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856595993 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856622934 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856651068 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856684923 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856800079 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856833935 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856889963 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856940985 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.856969118 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857004881 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.857018948 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857049942 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857108116 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857144117 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857146025 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.857173920 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857202053 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857253075 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857280970 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857309103 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857336998 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857366085 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857393980 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857445955 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857474089 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857501984 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857530117 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857558012 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857585907 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857613087 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857640028 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857692003 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857718945 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857747078 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857774019 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857800961 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857827902 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857856035 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857882023 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.857908964 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.860692978 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.860722065 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.860791922 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.860820055 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.860866070 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.860893965 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.860944033 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.860971928 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.860999107 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.861027956 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.861054897 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.861104012 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.861131907 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.861157894 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.861212015 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.861239910 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.861267090 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.861299992 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.861326933 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.862808943 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.862864017 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.862890959 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.862917900 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.862970114 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.862998962 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863024950 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863053083 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863172054 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863200903 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863229036 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863255978 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863282919 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863308907 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863384962 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863414049 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863441944 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863468885 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863496065 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863518953 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.863523006 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863550901 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863579035 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863609076 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863636017 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863651037 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.863665104 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863738060 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863765955 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863794088 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863821030 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863848925 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863878012 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863904953 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863931894 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863959074 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.863986969 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864012957 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864039898 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864068031 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864094973 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864121914 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864155054 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864182949 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864211082 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864263058 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864294052 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864320993 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864347935 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864376068 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864403009 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864429951 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864455938 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864484072 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.864511013 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869431973 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869462013 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869513988 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869543076 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869596004 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869623899 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869673014 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869700909 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869729042 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869755983 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869781971 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869834900 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869864941 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869891882 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869919062 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.869924068 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.869946957 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870001078 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870028973 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870038986 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.870059013 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870085955 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870112896 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870141029 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870197058 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870223999 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870251894 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870279074 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870306969 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870333910 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870361090 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870388031 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870414019 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870440960 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870491982 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870521069 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870548964 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870575905 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870604992 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870632887 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870661020 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870688915 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870716095 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870743036 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870769978 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870795965 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870822906 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870850086 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870884895 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870935917 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870963097 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.870991945 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.871018887 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.871046066 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.871073961 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876211882 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876252890 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876281977 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876311064 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876338959 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876368046 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876394987 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876421928 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876449108 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876480103 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.876511097 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876540899 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876569986 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876602888 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876616001 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.876632929 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876662016 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876689911 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876718044 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876744986 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876780987 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876808882 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876837015 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876893997 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876921892 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876950026 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.876976967 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877005100 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877032995 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877060890 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877089024 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877118111 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877144098 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877172947 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877201080 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877228975 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877255917 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877284050 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877309084 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877336025 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877388000 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877415895 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877443075 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877471924 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877497911 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877523899 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877552986 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877579927 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877609015 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877636909 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877664089 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877692938 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877720118 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877746105 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.877774000 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.882814884 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.882857084 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.882917881 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.882946014 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.882976055 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883004904 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883030891 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883060932 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883124113 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883136988 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.883152008 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883183002 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883212090 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883235931 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.883244038 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883296967 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883351088 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883380890 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883409023 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883435965 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883464098 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883524895 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883553982 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883579969 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883610010 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883637905 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883666039 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883692980 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883719921 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883774996 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883801937 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883830070 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883857965 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883886099 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883913994 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883940935 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883968115 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.883994102 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884021044 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884048939 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884077072 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884104013 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884131908 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884188890 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884217024 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884243965 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884270906 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884298086 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884326935 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884354115 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884381056 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884408951 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884444952 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884470940 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.884497881 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.889652967 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.889694929 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.889725924 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.889754057 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.889781952 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.889810085 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.889873981 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.889904022 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.889920950 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.889934063 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.889961958 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.889991045 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890021086 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890023947 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.890049934 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890077114 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890144110 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890172958 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890202045 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890228987 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890255928 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890283108 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890311956 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890338898 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890392065 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890419960 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890448093 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890475988 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890502930 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.890531063 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.922148943 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.927541971 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.927841902 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.927994967 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.927994967 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.928101063 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.933402061 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.933444023 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.933476925 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.933506966 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.933535099 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.933562994 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.933593988 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.933621883 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.933650017 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.933676004 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.933703899 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.933758974 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.933787107 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.933815002 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.933842897 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.956269979 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.956413984 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:25.961832047 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:25.994766951 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:34.965053082 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:34.966017008 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:34.971175909 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:35.226746082 CET	1912	49737	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:35.281565905 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:35.465219975 CET	49737	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:40.648305893 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:40.649918079 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:40.654942036 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:40.909662962 CET	1912	49742	185.241.208.193	192.168.2.4
Nov 18, 2024 02:07:40.953448057 CET	49742	1912	192.168.2.4	185.241.208.193
Nov 18, 2024 02:07:41.009159088 CET	49742	1912	192.168.2.4	185.241.208.193

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 02:07:19.366472960 CET	53	52885	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	20:06:58
Start date:	17/11/2024
Path:	C:\Users\user\Desktop\EXQuAzl4Xn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EXQuAzl4Xn.exe"
Imagebase:	0x7b0000
File size:	832'520 bytes
MD5 hash:	11AF773B372806835267A611AB1EC6BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1784943666.0000000003E48000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1784943666.0000000003B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:07:06
Start date:	17/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EXQuAzl4Xn.exe"
Imagebase:	0xa10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:07:06
Start date:	17/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:07:06
Start date:	17/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe"
Imagebase:	0xa10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:07:06
Start date:	17/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:07:06
Start date:	17/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp111.tmp"
Imagebase:	0xea0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:07:06
Start date:	17/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:07:06
Start date:	17/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x620000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.2040051369.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.2042109066.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:07:07
Start date:	17/11/2024
Path:	C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wBfGlYCdeX.exe
Imagebase:	0x490000
File size:	832'520 bytes
MD5 hash:	11AF773B372806835267A611AB1EC6BA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000002.1874726277.0000000003B18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:07:09
Start date:	17/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:07:16
Start date:	17/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBfGlYCdeX" /XML "C:\Users\user\AppData\Local\Temp\tmp261D.tmp"
Imagebase:	0xea0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:07:16
Start date:	17/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	20:07:16
Start date:	17/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xc10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000002.2092501118.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2092501118.000000000334A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1%
Total number of Nodes:	315
Total number of Limit Nodes:	13

Executed Functions

Function 0749DC40 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ae4b9e952d48b26245e55b3914399609433b4992d09006774a8072a6fd545b
Instruction ID: b7cb3378646b32a8dd9a8f8e8cee462e5d6c30dcb67b8ceb20291e05cd6cdfe7
Opcode Fuzzy Hash: 52ae4b9e952d48b26245e55b3914399609433b4992d09006774a8072a6fd545b
Instruction Fuzzy Hash: 2EC17BB1B016518FDB1ADB75C450BAFBBF6AF89200F14846ED186CB398DB39D902CB51

Function 01016F90 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781237928.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb91aeb5ec20af23a8e03a19740a44ca9b88e394403fd07cc5bdf02344902111
Instruction ID: bc77ed7ca36eab5f95112fef1e32d612a5a7092109a9eda4fca0ac13ce3a2436
Opcode Fuzzy Hash: fb91aeb5ec20af23a8e03a19740a44ca9b88e394403fd07cc5bdf02344902111
Instruction Fuzzy Hash: CF51BB70E012099FDB08DFA9D955AEEFBF2BF88300F148529E419AB368DB355946CF50

Function 01014204 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781237928.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737bdd8f2ffef931d57fa8b1cbeefc566bd2b1a0c1bd42a8d207f3761c3520ca
Instruction ID: 5621cd40141364b44cd93c05a722a417b1c40c5e9047bbc563ca3115631000e7
Opcode Fuzzy Hash: 737bdd8f2ffef931d57fa8b1cbeefc566bd2b1a0c1bd42a8d207f3761c3520ca
Instruction Fuzzy Hash: E151BC70E012099FDB08DFA9D955AEEFBF2BF88300F148429E419AB368DB355945CF50

Function 073DBE68 Relevance: 7.9, Strings: 6, Instructions: 429
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 073DBE83
4'^q, xrefs: 073DBEDE
4|cq, xrefs: 073DC058
4|cq, xrefs: 073DC073
$^q, xrefs: 073DBF30
4'^q, xrefs: 073DBF0E

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4|cq$4|cq$$^q
API String ID: 0-1027864050
Opcode ID: 2cd998bf21222cd9d74c6f11fd558d7100cda1a9c195f426d5ae0b9d2e8808e6
Instruction ID: cee4c4d991f96450156a9d58827aebd7641be9a754ad6f544aa1c6992358789f
Opcode Fuzzy Hash: 2cd998bf21222cd9d74c6f11fd558d7100cda1a9c195f426d5ae0b9d2e8808e6
Instruction Fuzzy Hash: 96E1E2B2B201168FDB18DF78E85856E7BEAEF89710B154469E40ADB3A1DF34CC41CB91

Function 073D7C30 Relevance: 7.8, Strings: 6, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 073D7D54
d8cq, xrefs: 073D80E0
(o^q, xrefs: 073D7D76
(o^q, xrefs: 073D7D82
Hbq, xrefs: 073D7FF1
,bq, xrefs: 073D7D48

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq$Hbq$d8cq
API String ID: 0-1626189073
Opcode ID: 43152cd4832a938a1113b1f7ed9e19484c2ebca2abf99dab1121d4cb064eaee9
Instruction ID: 76e26f8e5d40e95b531117f7382c4dc6191efa1ac0cb636c92ce88c0d8e23d6c
Opcode Fuzzy Hash: 43152cd4832a938a1113b1f7ed9e19484c2ebca2abf99dab1121d4cb064eaee9
Instruction Fuzzy Hash: FCC18B71B101199FDB14DF68E958AAE7BF6BF88310F148069E809DB3A5DB34DC41CB91

Function 073DCD14 Relevance: 5.5, Strings: 4, Instructions: 459
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pbq, xrefs: 073DCF75
:, xrefs: 073DCD6F
4'^q, xrefs: 073DCEAC
~, xrefs: 073DCD0E

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID: 4'^q$:$pbq$~
API String ID: 0-999388165
Opcode ID: 49d7539cf3e556e7354779e6075bd50d3703bf460feaad9c1c5d20c4325f28d5
Instruction ID: 5181858d8c5f299a6ec2a7012a6a308e2b8ef5fc2de280603757f1f6b6637662
Opcode Fuzzy Hash: 49d7539cf3e556e7354779e6075bd50d3703bf460feaad9c1c5d20c4325f28d5
Instruction Fuzzy Hash: 1D22E2B6A10218DFDB15CFA8D984E98BBB2FF49304F1580D5E509AB262D732ED91DF10

Function 073D7C20 Relevance: 2.6, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 073D7D76
,bq, xrefs: 073D7D48

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID: (o^q$,bq
API String ID: 0-3021502629
Opcode ID: 478005cc7b4c0f6180bca8138f604f4f2581c0ee183c46c143f5894b869e8d70
Instruction ID: 91b99eb5b674c37951b8204d2ed7e675f0e8f0c2685fa6d25a43f7d89730dc6b
Opcode Fuzzy Hash: 478005cc7b4c0f6180bca8138f604f4f2581c0ee183c46c143f5894b869e8d70
Instruction Fuzzy Hash: B1513AB6A1121ACFDB24CF68E588AADBBF5FF48311F148069E849A7360D7309C40CF90

Function 0749939C Relevance: 1.8, APIs: 1, Instructions: 254
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074995DE

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 56c296113b16a00e9e227ea7b4bcfd0f5516d6f5d825f7a098348e9e1e0d6608
Instruction ID: 697b5832140e835151ff7cea8b3eb875b250b25074e9ed660d767ba7e0a38795
Opcode Fuzzy Hash: 56c296113b16a00e9e227ea7b4bcfd0f5516d6f5d825f7a098348e9e1e0d6608
Instruction Fuzzy Hash: 7CA16FB1D0021ADFDF14CF68C8417DEBBB2BF84314F1481AAE859A7250DB74A985CF92

Function 074993A8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074995DE

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 99cf1f0139c5e7d500b99462a5de8231acff349987301931775b02ad72c922bb
Instruction ID: 865d80147fe1d31ca691fbe6839affedae069d7f3194faaa450de1056f2a710f
Opcode Fuzzy Hash: 99cf1f0139c5e7d500b99462a5de8231acff349987301931775b02ad72c922bb
Instruction Fuzzy Hash: 0B916EB1D0021ADFDF10CF68C9417DEBBB2BF84314F1481AAE859A7250DB74A985CF92

Function 0101B128 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0101B37E

Memory Dump Source

Source File: 00000000.00000002.1781237928.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_EXQuAzl4Xn.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f1725b1abffad4d40d4377b267a5a594870356f1bbefc40120826c3d48f5adc5
Instruction ID: 8f0f71f22a3ae7c0b8acb473c39679cb5ca6242f4774c05f917a4e4b47fce0a7
Opcode Fuzzy Hash: f1725b1abffad4d40d4377b267a5a594870356f1bbefc40120826c3d48f5adc5
Instruction Fuzzy Hash: 9F716770A00B058FD764DF29D54179ABBF1FF88304F008A6ED48AD7A54DB78E949CB91

Function 051B1CE4 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 051B1E02

Memory Dump Source

Source File: 00000000.00000002.1786683401.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_EXQuAzl4Xn.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9e33666c8633b2af09024c5ee0790ead15c5405b97781aadbc22d2cffb9ab15d
Instruction ID: 3c89780bcde9be5acd056d12be73baa07cfb5c1f52c2c55a2295ac8d1ed95501
Opcode Fuzzy Hash: 9e33666c8633b2af09024c5ee0790ead15c5405b97781aadbc22d2cffb9ab15d
Instruction Fuzzy Hash: DA51D2B1D00309EFDB14CF99C994ADEBBB5FF48310F25852AE819AB210D7719985CF90

Function 051B1110 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 051B1E02

Memory Dump Source

Source File: 00000000.00000002.1786683401.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_EXQuAzl4Xn.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e750c31467028ca93fdb7bdce946f4e7b9db5e579a82740949d3e3f5df73998d
Instruction ID: 71728b6ec9e66075c54a50e0b488939b410e3ed4742d5b727f75fc4681ca2038
Opcode Fuzzy Hash: e750c31467028ca93fdb7bdce946f4e7b9db5e579a82740949d3e3f5df73998d
Instruction Fuzzy Hash: D051C2B1D00349EFDB14CF99C994ADEBBB5FF48350F25852AE819AB210D7B19885CF90

Function 051B1264 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 051B4381

Memory Dump Source

Source File: 00000000.00000002.1786683401.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_EXQuAzl4Xn.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b2e9374c0b81615dd44a86aeb60eb775a1bf2bfba7c69c1e014391ef91bbdf92
Instruction ID: aaf173f3edfe5471e7e261b873b3f79295ef67883c501f482a2abd15c8331166
Opcode Fuzzy Hash: b2e9374c0b81615dd44a86aeb60eb775a1bf2bfba7c69c1e014391ef91bbdf92
Instruction Fuzzy Hash: EA4139B4900315DFDB14DF99C488EAEBBF6FB88314F24C559D559AB322C7B4A841CBA0

Function 010144F0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010159C9

Memory Dump Source

Source File: 00000000.00000002.1781237928.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_EXQuAzl4Xn.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a93e8f068fc72e20e126992f7af20bb746e5e4b7206b4960dde8de5e327e00c9
Instruction ID: 1496f341d4a6364a4fc9b1ef79e12383e3f167b6510b852cca0f8c897648af95
Opcode Fuzzy Hash: a93e8f068fc72e20e126992f7af20bb746e5e4b7206b4960dde8de5e327e00c9
Instruction Fuzzy Hash: 4B41FFB1C00719CFDB24DFA9C884B9EBBF5BF89304F2480AAD448AB255DB756945CF90

Function 0101590D Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010159C9

Memory Dump Source

Source File: 00000000.00000002.1781237928.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_EXQuAzl4Xn.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f077ccefa02d47216f2e887524716dd2d0461b5dc975d3a8ebf83c7359baa72b
Instruction ID: b6a4d47e6805068ab54ee7634b51305efed8337a9fa2c56f72053f6c57216582
Opcode Fuzzy Hash: f077ccefa02d47216f2e887524716dd2d0461b5dc975d3a8ebf83c7359baa72b
Instruction Fuzzy Hash: CD410FB1C00319CFDB24CFA9C884BDDBBB5BF49304F2480AAD448AB255DB756985CF90

Function 0749911A Relevance: 1.6, APIs: 1, Instructions: 78injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074991B0

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2926928bafb4cfc3910c0a978f61a7d9bdfb8e5d0a1a9b0d5c0d3108eb00df7d
Instruction ID: 6013ac2c710a74fe0122a9d4e361feb7bdf07ec158aa11c854986d812b52faa3
Opcode Fuzzy Hash: 2926928bafb4cfc3910c0a978f61a7d9bdfb8e5d0a1a9b0d5c0d3108eb00df7d
Instruction Fuzzy Hash: 763125B1900249DFDB10CFA9C8857DEBFF5FB88310F10842AE958A7251C775A944CBA4

Function 07499208 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07499290

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 87dac3526ff83db2adc787fafc776f8c4b50ea77c866a0fcc708f2c1fdfd4411
Instruction ID: 1ba519cf86301694d25aa750ad4166ad7e8712612406d6e8a445c2f415fd873b
Opcode Fuzzy Hash: 87dac3526ff83db2adc787fafc776f8c4b50ea77c866a0fcc708f2c1fdfd4411
Instruction Fuzzy Hash: C42137B18002499FDB14CFAAC885ADEBFF5FF88310F10842AE558A7251C775A945CBA4

Function 07499120 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074991B0

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a3dc03adce9cd65280c9b75f1046fa94605726623eb90c3825ae618541b7dca7
Instruction ID: 546ab01c700811382868b18ceb1af03f746280f68624f9e138e68239fd3dfcd6
Opcode Fuzzy Hash: a3dc03adce9cd65280c9b75f1046fa94605726623eb90c3825ae618541b7dca7
Instruction Fuzzy Hash: 5E2115B19002599FDB10CFA9C885BDEBBF5FB88310F10842AE959A7250C778A944CBA4

Function 0101B014 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0101D5CE,?,?,?,?,?), ref: 0101D68F

Memory Dump Source

Source File: 00000000.00000002.1781237928.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_EXQuAzl4Xn.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e1683816cc5ebb1c802e5c334e86a4d3d8444519819d558fa154abf66d499945
Instruction ID: bcbd2f8f9a8c30c75c828475cc60ceed073d51920e66335e33cd2f2370bd9fa5
Opcode Fuzzy Hash: e1683816cc5ebb1c802e5c334e86a4d3d8444519819d558fa154abf66d499945
Instruction Fuzzy Hash: 9021E6B5900208DFDB10DF99D584ADEBFF4FB48310F14841AE958A7310D378A950CFA4

Function 0101D600 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0101D5CE,?,?,?,?,?), ref: 0101D68F

Memory Dump Source

Source File: 00000000.00000002.1781237928.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_EXQuAzl4Xn.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 92511007a867f1af967b2a1aa1b86a94cd5f0b3501fadc5b9b74c42d7a81101f
Instruction ID: 6b9a4fe9bc8cd21a2b74a03b5f30ad31d8329eed813f5f78aa299b351c1029ad
Opcode Fuzzy Hash: 92511007a867f1af967b2a1aa1b86a94cd5f0b3501fadc5b9b74c42d7a81101f
Instruction Fuzzy Hash: 9321E6B5900248AFDB10CFA9D984ADEBFF4FB48310F14845AE958A3310D378A940CFA5

Function 07498B48 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07498BCE

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a7a064a2a978c97db2cfd9d602f3135ffa999cd1b7b72f1256f4bbc9eac4a645
Instruction ID: 63d3f4e3a4b565e7beaac8fcdc2884ce77c6f8a0f0414e49af98eb1829218460
Opcode Fuzzy Hash: a7a064a2a978c97db2cfd9d602f3135ffa999cd1b7b72f1256f4bbc9eac4a645
Instruction Fuzzy Hash: 3E2157B19003098FCB10CFAAC4847EEBFF4EB89324F14842AD459A7340CB789945CFA0

Function 07499210 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07499290

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 941076f2f5a3266a4adfda5181b5a4ae2646f752c09218c49b8227af0388d877
Instruction ID: 3074f101ef73a5187c12c21347859cc161e29404275b657396f65a4a6e3d0c85
Opcode Fuzzy Hash: 941076f2f5a3266a4adfda5181b5a4ae2646f752c09218c49b8227af0388d877
Instruction Fuzzy Hash: 532128B1C002599FCB10DFAAC881ADEFBF5FF48310F10882EE558A7250C734A944CBA4

Function 07498B50 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07498BCE

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1e386f9920ee60926bd47da5832e94c37ed1fa2852ddc7b111b15719e28ef2da
Instruction ID: b7097bc2abada65aadc713a636b911549ec61d1adb340ba04bc5d930e4bf24a5
Opcode Fuzzy Hash: 1e386f9920ee60926bd47da5832e94c37ed1fa2852ddc7b111b15719e28ef2da
Instruction Fuzzy Hash: 8D2118B19002099FDB10DFAAC4857EEBBF4EF89324F14842AD459A7241CB78A945CFA5

Function 0749905A Relevance: 1.6, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074990CE

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1de3ccf6508c83538b905c48a7c5d34606ac9c00e6e4cc6ed42ddbffd6e96f15
Instruction ID: eadbebaec39f22047c464ea0d423c2120b9fb14f6a2e270d752ec7c6459e7a7a
Opcode Fuzzy Hash: 1de3ccf6508c83538b905c48a7c5d34606ac9c00e6e4cc6ed42ddbffd6e96f15
Instruction Fuzzy Hash: D6219DB28043499FCF20CFA9C845ADEBFF5EF88310F24842ED558A7250C775A554CBA1

Function 073DE617 Relevance: 1.6, Strings: 1, Instructions: 308COMMON

Download Yara Rule

Strings

@, xrefs: 073DE73F

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 91a1bce2cbacd77668985516d839711e71c701aa703879a451a23007af6ea332
Instruction ID: 83baf90e185e19dcbd32b34e71521a492118b2902633cf3085e8e19d4dfb12b1
Opcode Fuzzy Hash: 91a1bce2cbacd77668985516d839711e71c701aa703879a451a23007af6ea332
Instruction Fuzzy Hash: B4E180B5E142198FDB50CFA9D980A9DBBF1BF49214F1481AAE818EB345DB31AD81CF50

Function 07498A98 Relevance: 1.6, APIs: 1, Instructions: 56threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07498B02

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e5116d2a509904a530e8946838459ded2f5d6a5c56e4d61d0ba7fb1edcb6961c
Instruction ID: a6c763f87d3bfb36c948f51eff09afba61f37661bac88061a7e11c7a93d8c434
Opcode Fuzzy Hash: e5116d2a509904a530e8946838459ded2f5d6a5c56e4d61d0ba7fb1edcb6961c
Instruction Fuzzy Hash: 76116AB19043988FCB20DFADC4457EEFFF8AB49314F24846AD099A7251C7749944CBA5

Function 07499060 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074990CE

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 364d32e574c8c60a3925e6f68da8147775859c7c815c98f3ff612f9427d66fb7
Instruction ID: dc0bf51f1d304d4e5e5cc658b330fee167fb8a2cef4335c8a85b605f18e2efc3
Opcode Fuzzy Hash: 364d32e574c8c60a3925e6f68da8147775859c7c815c98f3ff612f9427d66fb7
Instruction Fuzzy Hash: 1C1129B19002499FCB10DFA9C844BDEBFF5EB88324F14842AE569A7250C775A554CFA4

Function 07498AA0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07498B02

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dec85c791ae06db6b3a4a08bd00b1eccde61969668e893b8d23fe04fefa2cc7c
Instruction ID: 15485b4ad8e5f0148f99e151820e7d05970f583418387480d42190bc819e45ce
Opcode Fuzzy Hash: dec85c791ae06db6b3a4a08bd00b1eccde61969668e893b8d23fe04fefa2cc7c
Instruction Fuzzy Hash: 61113DB1D002498FCB10DFAAC4457EEFFF4EB88324F14842AD459A7250C7756544CFA4

Function 0749D870 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0749D8D5

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c42aad468f2a5b5bd5c8fa9300b674caf6a037d1a7ed94618483363dff3af332
Instruction ID: 47bf9606a78a1f02937fb5503ac4510381f66be81186574249031624d3af5310
Opcode Fuzzy Hash: c42aad468f2a5b5bd5c8fa9300b674caf6a037d1a7ed94618483363dff3af332
Instruction Fuzzy Hash: 0411E6B59003499FCB10DF99D889BDEFFF8EB48324F10841AD569A7610C375A944CFA5

Function 07495D68 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0749D8D5

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e48461e2ce2d33824188d4786e624e5813081e384f5c68be1c74db7c62a09fbc
Instruction ID: 49e3115e8225c701194e1142fb237dab4d2837eea67bf24b7f92eb06610e59f7
Opcode Fuzzy Hash: e48461e2ce2d33824188d4786e624e5813081e384f5c68be1c74db7c62a09fbc
Instruction Fuzzy Hash: CA11F5B59003499FCB10DF9AD484BDEFFF8EB48310F10842AE569A7211C375A944CFA1

Function 0101B318 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0101B37E

Memory Dump Source

Source File: 00000000.00000002.1781237928.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_EXQuAzl4Xn.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 72718eaec3cd9bffdc544a900991c66912511b0047a8e90b06839500662cb4d7
Instruction ID: 04f7f03f7968804294761612e09064b331392b1fdf8ccf0b705a5c48c499f104
Opcode Fuzzy Hash: 72718eaec3cd9bffdc544a900991c66912511b0047a8e90b06839500662cb4d7
Instruction Fuzzy Hash: 3811E0B5C003498FDB24CF9AD484ADEFBF4EB88324F10C56AD969A7210C379A545CFA5

Function 073D0CB0 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

Hbq, xrefs: 073D0DCD

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: d93fa983dfd161562d4d5ad2cfc4bbe7267080634df51dda705a187778bc3770
Instruction ID: ebcc7657347240c1d2229e21ad2d9cbac94d587371c3759638fbb4c35020c1b1
Opcode Fuzzy Hash: d93fa983dfd161562d4d5ad2cfc4bbe7267080634df51dda705a187778bc3770
Instruction Fuzzy Hash: 0581F6727006058FDB18DF68D894AAEB7F6EF88700F2484A9E409DB365DB35DD05CB90

Function 073DD3D6 Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

LR^q, xrefs: 073DD452

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 6794733fa333feeb33afa06a4b68ab248b8cc5a44eda351f6abd71e781a5178a
Instruction ID: e6b1dc8c9ee17daa6e44237ba91f37d8d152ba88cea76714a520e10db65a088f
Opcode Fuzzy Hash: 6794733fa333feeb33afa06a4b68ab248b8cc5a44eda351f6abd71e781a5178a
Instruction Fuzzy Hash: 8B91FAB5E20219DFDB04DFA9E9806ADBBF6EF89314F10856AD819E7345DB319902CF40

Function 073DDA50 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

8bq, xrefs: 073DDB01

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 849d91f753eaa0dce6e27d876d91f9164e635812b190dec5f152067c3f00030f
Instruction ID: 468097730479164e9359f06b6626bd78ef57054fe7fa1209bc8f415e53cada88
Opcode Fuzzy Hash: 849d91f753eaa0dce6e27d876d91f9164e635812b190dec5f152067c3f00030f
Instruction Fuzzy Hash: B4412BB5E10209AFDB05DFA8E9415ADBBF2EF89314F14846AE809E7354DB319D02CF50

Function 073DDA60 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

8bq, xrefs: 073DDB01

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: b9a2c330386b48beccf938b755dc2bba8f98cfddaf8b470f3e256cc392aff648
Instruction ID: 94d3893a8552607b67f042ac338ac43a70a438f21c9a948cc257f7ddad0b2943
Opcode Fuzzy Hash: b9a2c330386b48beccf938b755dc2bba8f98cfddaf8b470f3e256cc392aff648
Instruction Fuzzy Hash: B041E8B5E10109EFDB04DFA8E9859ADBBF6EF89314F10842AE809A7354DB319D42CF50

Function 073DD670 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

., xrefs: 073DD684

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: ae47ba45881f04de947e0db8e7d0e836739a946b4795051ec459e0950ad977dc
Instruction ID: 6cde83a721fe2f2bfb8393e470eea6267f046fd1a24c126a41177ff1488ad816
Opcode Fuzzy Hash: ae47ba45881f04de947e0db8e7d0e836739a946b4795051ec459e0950ad977dc
Instruction Fuzzy Hash: 1FE0C2F1A21109DBEB10EBF4F4482ACBBB8DB05200F5055A5D40E53280DB701E40CFC1

Function 073DC980 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

q, xrefs: 073DC994

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-4110462503
Opcode ID: c8b32a4f5df6b6ee401a9cb75b58c8e5f432bdb4100d8daf461046c225e3f06e
Instruction ID: 49026db8242370b44050ce92243a396baccfd4250a8bb9121626d7e3c0b22d5e
Opcode Fuzzy Hash: c8b32a4f5df6b6ee401a9cb75b58c8e5f432bdb4100d8daf461046c225e3f06e
Instruction Fuzzy Hash: CCE086B5914109DFD710DBA4F4092AD7BB5AB05311F006164D40993181EB701E40CB91

Function 073D30D8 Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cebe556a8ac6edeb3333eaef41fa99f5153bd51f66d9008b77f2ec968318675d
Instruction ID: 909f30ca2701f9245d9f0fcccbd490b2a3244722f02f583014ff756da42e4974
Opcode Fuzzy Hash: cebe556a8ac6edeb3333eaef41fa99f5153bd51f66d9008b77f2ec968318675d
Instruction Fuzzy Hash: 31421171D0061DCFDB15EFA8D8486DCBBB1BF49300F5182A9D5497B264EB30AA98CF81

Function 073D30E8 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87735e9c367c26db5d13ac76b4d8fb24775a0c46aae43350ede55e1747813279
Instruction ID: 616aac35c136f447168c6e115004c67e2329aa3efb6219d4eaca48da706d0199
Opcode Fuzzy Hash: 87735e9c367c26db5d13ac76b4d8fb24775a0c46aae43350ede55e1747813279
Instruction Fuzzy Hash: 91320171D1061DCFDB15EFA8D8486DCBBB1BF49300F5182A9D5497B264EB30AA98CF81

Function 073D02C8 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0d2916906fd73328eb15883e795c8a26c4640c58488dcace074515fbc22f89
Instruction ID: 10c654d63f5c399edc1286c9ae20554e3c474ebd9eb98e7d93619424ca7737c1
Opcode Fuzzy Hash: 8f0d2916906fd73328eb15883e795c8a26c4640c58488dcace074515fbc22f89
Instruction Fuzzy Hash: C4B10FB2E01209CFEB25DFA5E9446AEFBF6FF88300F20406AD109A7245DB719D51CB51

Function 073D6900 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4decd12e6ae8f9b75bf064da1546ccadccbc5c7f949a7689b1df166dd0a11907
Instruction ID: d86dc9e884ce62740a68b381aa1a61897c6038e0fb69e075749881ca5956ae05
Opcode Fuzzy Hash: 4decd12e6ae8f9b75bf064da1546ccadccbc5c7f949a7689b1df166dd0a11907
Instruction Fuzzy Hash: B7F1E971D1061ACBDF10EFA8D854AEDB7B5FF48300F1086AAD559B7214EB70AA85CF90

Function 073D68F0 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d340af205d85e74851ba929c212e291e515b9e4dd639287fed55b7428852afeb
Instruction ID: b1c0a08d2b65f184f4cc80afe08e0306171415ff13447e3a6ad0690539304aec
Opcode Fuzzy Hash: d340af205d85e74851ba929c212e291e515b9e4dd639287fed55b7428852afeb
Instruction Fuzzy Hash: 18E1E771E1061ACFDF10DFA8D8546EDB7B5BF49300F1086AAD459B7214EB70AA89CF90

Function 073D53C8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21740f01e128754644accf13198c3578d7e381072b1bd51eff027157c6bb340
Instruction ID: 590b6c9ff83709309107febcd81df615f341afaa4811fe6c1c65a8afbb190da8
Opcode Fuzzy Hash: d21740f01e128754644accf13198c3578d7e381072b1bd51eff027157c6bb340
Instruction Fuzzy Hash: 8381A2F1A1111ADFEB11EF68E4586ECBBB5FF45301F604069E04AA72A4EB30DD64CB41

Function 073D5118 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb4ba7a8f40a8890858a5341698b3016d758993749e299a32dd8593dd5b0277
Instruction ID: 3031e5aee592dd85961cf61a7ec01239aeedf4e897aca8a90fdb63d3f72a12da
Opcode Fuzzy Hash: fcb4ba7a8f40a8890858a5341698b3016d758993749e299a32dd8593dd5b0277
Instruction Fuzzy Hash: A551B176A012499FEB10DFA8E850AEDBBB2FF85310F14855AE444EB3A1DB709D45CB90

Function 073D515A Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652fc2fe430a3df916a46c4299db0d83d3c344153edca90793e86c9c4cb13a8a
Instruction ID: 8458762664bb74114f994b47395fb460d14226dfcdcc5c7eaac13dc429dfcbb0
Opcode Fuzzy Hash: 652fc2fe430a3df916a46c4299db0d83d3c344153edca90793e86c9c4cb13a8a
Instruction Fuzzy Hash: 08518F72A012099FEB04DFA8E454AEDBBB2EF89310F148569E445FB3A1EB709D45CB50

Function 073D25A4 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcad64675bfef756616d06aa66562acc131763fda5a05f59a0f4c6ad0c07a42e
Instruction ID: 4ed43daf83656b2449e558414e6823192659e01592e8f7a537df8d3d87d4bcca
Opcode Fuzzy Hash: bcad64675bfef756616d06aa66562acc131763fda5a05f59a0f4c6ad0c07a42e
Instruction Fuzzy Hash: DF41A3F2E251179FEB16AF64E848AEB7BB8FB45300F104825E40AE7694E734CD118A81

Function 073D2670 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9513447fbebbfd171a259ba69792e0d05311ac0a004d419910f24c77e9e5d3
Instruction ID: 92adbd8469986b587b5fa71f594ed5bb89d5cb4a51e9968a483fecdc66e8d6f1
Opcode Fuzzy Hash: be9513447fbebbfd171a259ba69792e0d05311ac0a004d419910f24c77e9e5d3
Instruction Fuzzy Hash: F2416E71A112099FEB04DFA8D854AADBBB2FF89310F148569E405FB3A0EB70DD45CB50

Function 073D2EC7 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68da5f75d454055fbe1f970bcb4e95d8796f0a0aee2d09131016129759bc5911
Instruction ID: a74de0578533c235d9abead7fc0f3bdd893134945c0924bac340ca1662416cb8
Opcode Fuzzy Hash: 68da5f75d454055fbe1f970bcb4e95d8796f0a0aee2d09131016129759bc5911
Instruction Fuzzy Hash: E541D7F2E1511B9FEB16AF64E848AEB7BF8FF45300F500826D44AE7654E7348D118B81

Function 073D8647 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a8641c6eb053fe514e6a8068cd6271dd09f5e46078eaf8ad57e9f1e8f2b0345
Instruction ID: 0cd3574410f340b690b49bd9c50168f0162a41b0c61b82531217830c8814ba61
Opcode Fuzzy Hash: 9a8641c6eb053fe514e6a8068cd6271dd09f5e46078eaf8ad57e9f1e8f2b0345
Instruction Fuzzy Hash: 0E41497570011A9FDB059F64E889AAE7BB6FF88710F148528F8069B394DB34DC96CB90

Function 073DC1E0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0de405b4f8e04382c3e8d558220e5ed249b5fd4c0fe8e92ec5c399b66b0a02c
Instruction ID: aa024dcc981c1a00bbb516b1ddb3a27979e13a92d70a206b3f3938f95b3aa586
Opcode Fuzzy Hash: e0de405b4f8e04382c3e8d558220e5ed249b5fd4c0fe8e92ec5c399b66b0a02c
Instruction Fuzzy Hash: 154117B5E2020A9FDB15CFB9F8595AEBBF1EF49211B049436E805E3290EB30C941CF60

Function 073D1E09 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b116c9333947fbf1df9d08eeaab53b9ab5d55875a7ac45ba7ed09b8db5479a
Instruction ID: 51a8da4e48a45b37f10887857305ebeef04679034e904a4af515425c1946be56
Opcode Fuzzy Hash: b2b116c9333947fbf1df9d08eeaab53b9ab5d55875a7ac45ba7ed09b8db5479a
Instruction Fuzzy Hash: 814125B1A05218DFEF219FA5DA889ADFFB2FF48304F214159D4456B25ACB7248A2CF41

Function 073D2D70 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998a5f69ccee6c77a17b52d7a4c28bcf73ab6075fcd7ef5063f4a82ba39ff039
Instruction ID: e7b7d8d04c674919e65dbf67913e37001823a88afbb7184a2c04da865d336939
Opcode Fuzzy Hash: 998a5f69ccee6c77a17b52d7a4c28bcf73ab6075fcd7ef5063f4a82ba39ff039
Instruction Fuzzy Hash: D1410771504349DFCB12EF78D9546DEBBF1BF4A300F40856AD0456B261DB34AD89CB92

Function 073D0CA1 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc7d88d3e30297257f8884177ce68895a09e7280134bd69fba5ed5e7d69a269
Instruction ID: 54b302f7466a5f3878fa0a0c4a52ee6cdb22ebb264f16ec3364ca08cd21e5bc0
Opcode Fuzzy Hash: 8cc7d88d3e30297257f8884177ce68895a09e7280134bd69fba5ed5e7d69a269
Instruction Fuzzy Hash: BF31AA767001098FDB05DF64D994AEEBBF6EF49300F1580AAE805AB362DB35ED09CB50

Function 073D1B48 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82141ec3e88463b92afc7bd8769fcf8ab692f8616e664d75e2808dcd3aebfe88
Instruction ID: 999f28e54cf62cae51aef0f8eedec06d787d6600cd2e7c7c96340d4fe21fde78
Opcode Fuzzy Hash: 82141ec3e88463b92afc7bd8769fcf8ab692f8616e664d75e2808dcd3aebfe88
Instruction Fuzzy Hash: 16315DB1A001098FEB14DFA8D944AEDB7F1EF49310F2541AAD549EB264DB359E00CF90

Function 073D6E90 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc860c30b6ab53f7e25ce2768ca445011fa9d84aac1affdfd7e2dfbb647eb0f
Instruction ID: 64c30e9abd029c26e5ca2490ee2becb66b3c835531dcb85ef40b87705f6a8b6f
Opcode Fuzzy Hash: 6fc860c30b6ab53f7e25ce2768ca445011fa9d84aac1affdfd7e2dfbb647eb0f
Instruction Fuzzy Hash: C1313AB5B002099FCB41DFA8D9449EEFBF6FF88200B14816AE949E7341EB349D45CB64

Function 073D6EA0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a37dc6e1f982afc85913c9e1942f091529647cac2172ca9ab168a79876fc01
Instruction ID: d9b82a4efa09d60e8cea2969df24dbd3fd1cf098c8632f10ef82708d0e3645e9
Opcode Fuzzy Hash: f6a37dc6e1f982afc85913c9e1942f091529647cac2172ca9ab168a79876fc01
Instruction Fuzzy Hash: 823116B5A0020A9FCB44DFA8D8449EEFBF6FF88210B108129E909E7341EB349D45CB60

Function 073D02B8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3df42b78a0bc95b44712eb44634d685db8f3217f2a0b0c26e28891f5eade2b
Instruction ID: 1a93ca0fcec2cac3f2ac724e1e31defc9f32ab895bfd04f0a37792985e36e063
Opcode Fuzzy Hash: ba3df42b78a0bc95b44712eb44634d685db8f3217f2a0b0c26e28891f5eade2b
Instruction Fuzzy Hash: 6B21D8F3E1410ECBEB257B65E4641B9BB74EF43200F524969C04EA7558EB31DD50C6D1

Function 073D6670 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6793105158eaf6242c0718f7d021804fe46ef94270d51b57c5ac5873de3d0d89
Instruction ID: 8cddfda95488a7e0e8afc50d7a8996a89ba0c347b626b73b5a28078ede98d8f1
Opcode Fuzzy Hash: 6793105158eaf6242c0718f7d021804fe46ef94270d51b57c5ac5873de3d0d89
Instruction Fuzzy Hash: 6C2183B5B10205CFDF44DF78D8858EEBBB5FF89240740456AD819EB252EB30AD09CBA1

Function 00F6D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780597933.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f6d000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb696909587dcfe218baeac8b7257b80d03e02829fa687e6ab8d2779fdfb0e5f
Instruction ID: 5ce9d9b1e29b4ab903971eba07303b1ec42f6d710f7bb56e0c6e59039d3799c3
Opcode Fuzzy Hash: eb696909587dcfe218baeac8b7257b80d03e02829fa687e6ab8d2779fdfb0e5f
Instruction Fuzzy Hash: 48212872A00244DFDB05DF14D9C0B16BF65FB98324F24C169D9094B256C736EC56E6A2

Function 00F6D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780597933.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f6d000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b99748d016b1e6bf9790820eab415c11f7fd28eaaf4504f5895d6b31a38431
Instruction ID: 4ae5b5125560b1b878b36ae82a2dedd6fcfad99dd8af3096d28f770a63291158
Opcode Fuzzy Hash: 84b99748d016b1e6bf9790820eab415c11f7fd28eaaf4504f5895d6b31a38431
Instruction Fuzzy Hash: D5212872E00240DFCB05DF14D9C0B26BF65FB98328F28C569D8064B656C336DC56E7A1

Function 073DE510 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1593ea0e0402cc64abcfdab39eb3cb2b82de90592be46f0b12834f4c12621c5c
Instruction ID: beebc16202835ad5db907d9dd26080318830906c0a25eae916897bc8e67638e4
Opcode Fuzzy Hash: 1593ea0e0402cc64abcfdab39eb3cb2b82de90592be46f0b12834f4c12621c5c
Instruction Fuzzy Hash: B9314FF5E1021ADFDB40DFA9E5856EEBBF5AB08250F148469E818F7340E7349A40DFA0

Function 00F7D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780686784.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f7d000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce37209d3b7c69d7a60bbefedd8c74a379a8d4eabc1b512822bea769bfb6fa6
Instruction ID: e5297f2c1a23e6cf7c9081ffe3d2553526b165c5e1e39555b204db308b9973d3
Opcode Fuzzy Hash: 4ce37209d3b7c69d7a60bbefedd8c74a379a8d4eabc1b512822bea769bfb6fa6
Instruction Fuzzy Hash: 3421D371A04204DFDB05DF14D980B26BBB5FF84324F64C56AD94D4B256C336D846DA62

Function 00F7D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780686784.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f7d000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925d1a98d7f6f12aa257b9c1da72de3276da837a059fcbad23aa2e14cb523b86
Instruction ID: 3f697da5f892a4d06e000d8926302160071cb9bd0712f06ec524119d3c4c7a62
Opcode Fuzzy Hash: 925d1a98d7f6f12aa257b9c1da72de3276da837a059fcbad23aa2e14cb523b86
Instruction Fuzzy Hash: 3C21F275604200DFCB14DF14D984B26BBB5EF84324F64C56ED80E4B29AC33AD847DA62

Function 073D6680 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33f81d4b84109bfd3c880df2e5a5d949aedbb7c179d758db6645bcd08a5f4f3
Instruction ID: 6f233fcc0303be8df029c70f5106895bf4e09af62560c4ed7ee7b0bae88c48d8
Opcode Fuzzy Hash: a33f81d4b84109bfd3c880df2e5a5d949aedbb7c179d758db6645bcd08a5f4f3
Instruction Fuzzy Hash: 58213275A1020ACFDF44EF69D8848EEB7B9FF89300B508669D915B7311EB70AD45CBA0

Function 073D258C Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4430190e246cb7d6153bc018e782714661527e92528e0f60377bd5a52420bb
Instruction ID: 8c4c64856610625e71c9d09a07d86826d30ca26190e95997afe251b7aedd4158
Opcode Fuzzy Hash: 3b4430190e246cb7d6153bc018e782714661527e92528e0f60377bd5a52420bb
Instruction Fuzzy Hash: 5021F2B6D013499FDB10CF9AE984A9EFBF4FB48310F10842EE859A7301C374A944CBA4

Function 073DE500 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6360287ba34a0a1d7f3dc7b8d56e40ef997d565e9850468f1025cbca38630ec5
Instruction ID: a8654f88f0d43543c821102eaeea687665099cac7171d8c33557c880fb79efdd
Opcode Fuzzy Hash: 6360287ba34a0a1d7f3dc7b8d56e40ef997d565e9850468f1025cbca38630ec5
Instruction Fuzzy Hash: 7321BEF5E5020ADFDB41CFA9D9456EEBBF1AB08240F1485AAD824E7340E7349A41CFA1

Function 073D2C98 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d604a228fc770a5ffccb46273cb774ffa5d9a061b9eddd13cb655f8c64b7f9f8
Instruction ID: 4b237f0b508062adee7faa99c6113876acae0e8130b4a7654d2d980ec1589ede
Opcode Fuzzy Hash: d604a228fc770a5ffccb46273cb774ffa5d9a061b9eddd13cb655f8c64b7f9f8
Instruction Fuzzy Hash: 762103B6D013599FDB10CF99E984ADEFBF4BF08314F24842AE458A7300C375A944CBA4

Function 073D02A8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4adf94ac9e66f20d2dbf1ee92dddeac37a17cafd64e145657d0820480f9d9b6
Instruction ID: d5807fe8b42abef444c83879f9cc8ce2c8cd735deeae3b1d6d2ca3fc8cc7f37d
Opcode Fuzzy Hash: f4adf94ac9e66f20d2dbf1ee92dddeac37a17cafd64e145657d0820480f9d9b6
Instruction Fuzzy Hash: 641190F2F0110AEBDB126A95E6481EABBB4EB41640F6148A5D08DF3284F3308D308B94

Function 073D2DB8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb45b95b4db1ebd9f736904b3dde3f22d9cc1606286e19befef91976ffe9bad1
Instruction ID: c8efadcc97cd8b31d5af1cd87ea84fac9ac15c191beccd27b05599f5dffc44ea
Opcode Fuzzy Hash: fb45b95b4db1ebd9f736904b3dde3f22d9cc1606286e19befef91976ffe9bad1
Instruction Fuzzy Hash: 66217C71900609CFDB15EFA8D9546EEBBB2BF89300F00862DD44A7B254EF34AD48CB91

Function 00F7D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780686784.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f7d000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe7accfc92fead2c2f56afe6b4b8cfcee0aa9644e8d1ae2608d17e1fca25d5a
Instruction ID: 161440c7dbc6ca4b015b47a9ab090ce4feb6728793bb0217cc39854d57c630f9
Opcode Fuzzy Hash: cbe7accfc92fead2c2f56afe6b4b8cfcee0aa9644e8d1ae2608d17e1fca25d5a
Instruction Fuzzy Hash: 21214F755093808FDB12CF24D994715BF71EF46214F28C5EBD8498B6A7C33A980ADB62

Function 073D0BF8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863cb6d9d4b15ec33b3001c367fd81f9aa253625f6f2c97e2f421f60aaa0eec0
Instruction ID: f1dfcaf7fc9fffab1b1956854e45f60680f1f0db5bc9ce54efc7d3fb813f0841
Opcode Fuzzy Hash: 863cb6d9d4b15ec33b3001c367fd81f9aa253625f6f2c97e2f421f60aaa0eec0
Instruction Fuzzy Hash: C811CE707202159FC704DB68CD48AAFBBFAEF89700F00846AE044CB366EA718D0683A1

Function 073D4960 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a48d80bc9ee86ab62b46a8cad6affa4c131a3bedb01e9aad3059dace23fbfc
Instruction ID: b7b52a6391a9eff19a3be9df8cdd2b19cb63112673faede61171b95819266383
Opcode Fuzzy Hash: 28a48d80bc9ee86ab62b46a8cad6affa4c131a3bedb01e9aad3059dace23fbfc
Instruction Fuzzy Hash: E911C2B3206154AFDB064F99F8048AB7F2FEF8925071C8056F94987156CB328D229BE1

Function 073D563F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449aa62c07d58b2cc63726ce8b78c7c68deb7f3f52905164d6923cd1bc6a5c77
Instruction ID: e8b44eeecf52923048cb89ea23bfa6829584abbd7bfcf3732b93d41a02801aca
Opcode Fuzzy Hash: 449aa62c07d58b2cc63726ce8b78c7c68deb7f3f52905164d6923cd1bc6a5c77
Instruction Fuzzy Hash: C11101F2E0024A8FEB11DFA8D8026AEBBB1EF44304F04466AD519AB350DB744D56CB92

Function 073D0208 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0829d7514573c6f968768e4c72cd0ce6506411556d47030d2ecdd5955357f87
Instruction ID: 10704f4bd70b071f1c7f4a232fbf0f44916f79df65a661ecc64359ab1b4f325b
Opcode Fuzzy Hash: a0829d7514573c6f968768e4c72cd0ce6506411556d47030d2ecdd5955357f87
Instruction Fuzzy Hash: 8B11AC307101059FCB04EB69DD88A6FBBFAEFC9700F008469E108CB365EAB1DD0583A1

Function 00F6D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780597933.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f6d000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 178bd2450b45db49348205e2d598f3ab6b2853f8a996bfbaf946577eb240095f
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 9911D376904280CFCB16CF14D5C4B16BF71FB94328F28C6AAD84A0B656C336D85ADBA1

Function 00F6D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780597933.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f6d000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: ef65d82679139a69df83aa90bf261cfac12b380af42920492ba24f1c000d147c
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: ED110372904240CFCB06CF00D5C4B16BF71FB94324F24C2A9D8090B256C33AE85ADBA1

Function 073D09B8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf1ee9e1c5a8c6eb6f05145626264ca863e97e686872dd7c8ceb36b8ebaf9e6
Instruction ID: 2c0581aecd575d6f60393bfe85e8056f27b1c4ec449cbf6cf39c218101d2c224
Opcode Fuzzy Hash: bbf1ee9e1c5a8c6eb6f05145626264ca863e97e686872dd7c8ceb36b8ebaf9e6
Instruction Fuzzy Hash: C101B1763402018BE718AA79E490B6E73A7EFC4A14F1444BED20E8B361CE399C01C790

Function 00F7D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780686784.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f7d000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3f7cc032fe7f5cfd72fc989b2aff86de77dbc6f701e9fda372ae8545ac0ea0b0
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: C311A975904280DFCB06CF10C9C4B15BBB1FB84324F28C6AAD8494B296C33AD81ADB62

Function 073D1C6F Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4492f32fae514d0cad7f146366478caae29c1a8717a7b107e32f80c4d21b23d0
Instruction ID: 01c7736f9342eb4693a0f383bcfa3730f53b5a84c1404d45a8e67681fbfccdf4
Opcode Fuzzy Hash: 4492f32fae514d0cad7f146366478caae29c1a8717a7b107e32f80c4d21b23d0
Instruction Fuzzy Hash: 5101D4F3E04159AFEB235774E5440E97FF19B42610B1645A6E4CDE7385F3318D168B84

Function 073D706E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c643159636130c9e9ae58358bf932f8066a502267661167e437672c5979868b
Instruction ID: 8594e8f310a6c3f936a8ad74c4aa5059ad501135932f2d3b55277819ce3cfcea
Opcode Fuzzy Hash: 3c643159636130c9e9ae58358bf932f8066a502267661167e437672c5979868b
Instruction Fuzzy Hash: 3511C6B6D1938B9FDB02CF68DC516EABF74AF06310F054167E584E7182D3305915C7A2

Function 073D3057 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08898440ef3085131bedad3ee620ca9f54bfa34313252a63390fa9155ff797c
Instruction ID: d83ef32c8bfbdfe4324f37c963f954b0c8644a48466d31760de54e225b08487a
Opcode Fuzzy Hash: d08898440ef3085131bedad3ee620ca9f54bfa34313252a63390fa9155ff797c
Instruction Fuzzy Hash: 4D01F532D1030A9FCB11AF74D8448DDBB32FFCA304F15862AE0456B161EB70A99ECB90

Function 00F6D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780597933.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f6d000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fe57673b5ad71fd44c1206498ba6386ec8b54d796fe5b19c9aeda2076b9ac8
Instruction ID: 04b9a594d6f30cfa9ec8ac0d0906c3a3e523c483663cf6099b2960d0d6157fee
Opcode Fuzzy Hash: d9fe57673b5ad71fd44c1206498ba6386ec8b54d796fe5b19c9aeda2076b9ac8
Instruction Fuzzy Hash: A3012B31E093409AE7104E29CDC4B67BF98DF41334F18C52AED190E286C639DC40E672

Function 073D5650 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a00192d59b04bf6d6062d5c8c8d3320d54115e548a8fea8352438039a2f2fca
Instruction ID: d1201af20010e0578948f01ede77350cb58b64b70b4b737bd644d91588acdb64
Opcode Fuzzy Hash: 8a00192d59b04bf6d6062d5c8c8d3320d54115e548a8fea8352438039a2f2fca
Instruction Fuzzy Hash: 7201CCB1E0020A8FEB00EFA8D8026AEBBB1EF08304F008129D419B7390DB749901CB91

Function 073D7090 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c29b393b3d4ca842300a193d9a85b5f8823ff23d7575ae0d8f8aee60118f3f9
Instruction ID: 3499980d941ee2cdc83c1b805dee4e1524703754225e0818e482722ffb5ba7d7
Opcode Fuzzy Hash: 3c29b393b3d4ca842300a193d9a85b5f8823ff23d7575ae0d8f8aee60118f3f9
Instruction Fuzzy Hash: 3301D2B291410A9BDF10DF95ED459FFB7B8EB44310F108126E919B7240D771AE54CBA1

Function 073D3D30 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78a0b20f7e5df379253512cd395d856103b99120809c5e178ec02cb7a3e0da9
Instruction ID: 93019065f4595fb78cb1b76c015400f11a6cc69d5c6e9e1097c0a84a5287561c
Opcode Fuzzy Hash: c78a0b20f7e5df379253512cd395d856103b99120809c5e178ec02cb7a3e0da9
Instruction Fuzzy Hash: F101F471419B849FC717AB3CE419084BFB1AF93205B0586EFD4C99B593EB34894ACB53

Function 073D0F78 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86129d16cf55171216bdaaf260e434a95f10d2336468624db31cd94113eada08
Instruction ID: e57a41bda1f41af09529658269049f6eeec4367434636033f6337ffa05856040
Opcode Fuzzy Hash: 86129d16cf55171216bdaaf260e434a95f10d2336468624db31cd94113eada08
Instruction Fuzzy Hash: 3C0108B4E0011ACFCB04EFA9D484AEEB7B5AF48710F20806AD919E7351DB749D01CB91

Function 073D0F68 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d3a2deca1c5b32daabe923a62f93bf25dfb66495eb3b4de665b0c37fe76550
Instruction ID: 8f2e4369d1a8aade54edc5cb29f744aee57033a925fe5ce0825122ad9bf49459
Opcode Fuzzy Hash: e0d3a2deca1c5b32daabe923a62f93bf25dfb66495eb3b4de665b0c37fe76550
Instruction Fuzzy Hash: CB015EB0E0011ACFD744EFA8D484AEEBBB1BF48710F20815AE425E7395C7749E01CB90

Function 073DEC08 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7399c65dba24b265628536df9a128179ce424d5f176954961de9a8857fdd3dc8
Instruction ID: d2180a31074c64db0954d0f753ab91cb5e4b41a60bbe99fc0929d5eae0c2b0a3
Opcode Fuzzy Hash: 7399c65dba24b265628536df9a128179ce424d5f176954961de9a8857fdd3dc8
Instruction Fuzzy Hash: DF018FB59042099FDB11CFA8E5042EEBFF1EF45320F1441AAD458A73A1DB314A42CB41

Function 073D7110 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30e0d16271d8d5863db754a9ee99b9358de5f51e7e3b02bb80cea5dc87278e4
Instruction ID: 018de7f73696a15c22d8f4b53cd081f92a79d621789c5b87618ce11255f7c170
Opcode Fuzzy Hash: b30e0d16271d8d5863db754a9ee99b9358de5f51e7e3b02bb80cea5dc87278e4
Instruction Fuzzy Hash: 0A013132A1062E87CF05EB68D8144EDB7B9EF89310F408629DA1677250EF716A198BE1

Function 073D3068 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab8ae4516ce6b8167004f0c23303185935fc9f23d84b2ff6b49a62682b74c61
Instruction ID: 6418d30151c4c4782478bc6aeb278da84dc802c5a8058c33d82287023a78fd75
Opcode Fuzzy Hash: 8ab8ae4516ce6b8167004f0c23303185935fc9f23d84b2ff6b49a62682b74c61
Instruction Fuzzy Hash: 6601D63291070ADBCF00AFA4DC448DEFB76FFC9304F008629E10567111EB70A599CB90

Function 073D499A Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f5b75ec6feab136752b02c7e20668d964993908b95ab85c70daa1710e34079
Instruction ID: 578c80fc820ee53786a5933989f250ef1a733f54813536050020122f84839de3
Opcode Fuzzy Hash: f6f5b75ec6feab136752b02c7e20668d964993908b95ab85c70daa1710e34079
Instruction Fuzzy Hash: BEF0F977215109BFDF064F94EC499AB3F6AFF89251B148012FA05C2161CA358D32ABA1

Function 073DEC18 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15b1f63210c247a746b8d74c7db9836bbf0955ad4722374e9a29697d90f8c97
Instruction ID: ac11676653245ccda87aba3fc718f0a16ab877671ae70d677939ae0df76e7a99
Opcode Fuzzy Hash: c15b1f63210c247a746b8d74c7db9836bbf0955ad4722374e9a29697d90f8c97
Instruction Fuzzy Hash: E301E4B4E142099FDB40DFA9E5452AEBBF4AB09310F1080A9D849E3380EB308A00CF51

Function 073D7102 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9d366816d20b39530aae8e0c85d55e788c0babb0d2869eacdb39dd2ccf7b66
Instruction ID: 8dc0b092e8328b792748e6154fdd3120081d20966369a545be24e2fcdcb93643
Opcode Fuzzy Hash: eb9d366816d20b39530aae8e0c85d55e788c0babb0d2869eacdb39dd2ccf7b66
Instruction Fuzzy Hash: 3BF02872A00A198BCB06AB78DC000ED77B5AF46310B018756D955B7250EB305A29C7E1

Function 073DD9E8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488d48d0f37ddd385e34d88555fa0cbea243f4b9838474eee575c2f5413e33df
Instruction ID: 655fbd02ef4ff5f70de9ee76b889c82950b1f46b2bafff3d9b35a97e5b24cecb
Opcode Fuzzy Hash: 488d48d0f37ddd385e34d88555fa0cbea243f4b9838474eee575c2f5413e33df
Instruction Fuzzy Hash: 31F04FB1E1920A9FDB11CBA9E9041ADBFB5EF45310F1482AAD41893791DB344A42CB51

Function 00F6D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1780597933.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f6d000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7096f22e0e75d6490fd32da79e6f249117a5324f14b34b2d42ea9551e454629
Instruction ID: 70e0891fe860745f1d69f060adb14ad887dfa58c83abff9db4f059b20e9a406a
Opcode Fuzzy Hash: b7096f22e0e75d6490fd32da79e6f249117a5324f14b34b2d42ea9551e454629
Instruction Fuzzy Hash: 9AF096719053449EE7148E1ADCC8B62FFA8EF51734F18C45AED484F286C2799C44DBB1

Function 073DFAA8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b83c13f8e11b4f31ef6e59f0f98d3455324c1aeb67c078604dc3853fbb69c0
Instruction ID: 0327d821c3c5220b8dc0682e9e1849a3bb52304bd0ea0f1ca33d6efd0b8f60b2
Opcode Fuzzy Hash: 42b83c13f8e11b4f31ef6e59f0f98d3455324c1aeb67c078604dc3853fbb69c0
Instruction Fuzzy Hash: 7CF0A9F1D0820A9FCB11CBA8E8842EDBBB1AF05310B5081A6E468A7291EB314A03CB41

Function 073DC908 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148b7e8f44491db2f893f94a61286ea01703cc02f8deae78b7de39765f01e926
Instruction ID: 1f2bf33c1b2ffe23a2d0e42b72735a28d21fae8701aed36f4e4a48915fb7beca
Opcode Fuzzy Hash: 148b7e8f44491db2f893f94a61286ea01703cc02f8deae78b7de39765f01e926
Instruction Fuzzy Hash: 7AF0ECB4E141099FDB40DFA8D5456AEBBF5EB45304F1095A99818A3341EB759A01CF90

Function 073DFF30 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4aed405459c0c2abd76d4e2f855c4e45b8d04e24f68d3b0f1793d439f43ec6d
Instruction ID: c26446a74342375f40f2e432201ae381552ae61f6f8a7f51c4338ff497c5ea85
Opcode Fuzzy Hash: e4aed405459c0c2abd76d4e2f855c4e45b8d04e24f68d3b0f1793d439f43ec6d
Instruction Fuzzy Hash: 56F096F1D0529A9FCB51CBA8E4451DD7FB1DB07310F5485D6D865D7292D7310A42CB41

Function 073D3D60 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2ab4070c2e3dc130f3233ca072f4a7487fafc90f055400aed2418ecdc4f73f
Instruction ID: 95bab25a4b0bb9bb3607e1dcd1ef39bd6386bce69c434e3035b8f650a4e46ba6
Opcode Fuzzy Hash: 5e2ab4070c2e3dc130f3233ca072f4a7487fafc90f055400aed2418ecdc4f73f
Instruction Fuzzy Hash: 9BF09A32920A15CBC711EF6DE518499F7B9EFA5321B10862EE58967240EF31A898CB90

Function 073DFAB8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19275f6cb82458a24ef8d6d46958bf0927a041faa1a3674df2cbbbe95ccd5ef7
Instruction ID: 1baf0a894e9063f7a7395de2a7777163dba23ae16d7ed59f71e0b22a657dc8a8
Opcode Fuzzy Hash: 19275f6cb82458a24ef8d6d46958bf0927a041faa1a3674df2cbbbe95ccd5ef7
Instruction Fuzzy Hash: 4DF0E7B4D0420ADFDB40DFA9E9845AEBBF4BF49300F10916AA819E3340EB709A00CF91

Function 073D49A8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932edff384dae5c325d840792485404e9d85ae267009ab1ef1cd47ff15bf6ba1
Instruction ID: f5b97a1df5b1cdc8d5386b4b630bacdf7e50edcfd245e4643d5b8271af7a33f2
Opcode Fuzzy Hash: 932edff384dae5c325d840792485404e9d85ae267009ab1ef1cd47ff15bf6ba1
Instruction Fuzzy Hash: D2F07A72211119BF9F055E85EC49CAF7F6EFF883A1B148025FA0582161CB729D72ABA1

Function 073DD9F8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcfb49643dcb9cb56879832a30901e3e320c99c148249a1daef4eaa6811a2a4d
Instruction ID: 56f73846e3efd76a5511537f8a77b3dc48c4d5edbe0c148eee49e168fb18e8a6
Opcode Fuzzy Hash: fcfb49643dcb9cb56879832a30901e3e320c99c148249a1daef4eaa6811a2a4d
Instruction Fuzzy Hash: C7F0E7B4E1820ADFDB40DFE9E5045AEBBF5AB49300F10816A9818E3740EB309A01CF91

Function 073DD35A Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13f4de3ac3d21def13e9f485305713d74e8b84e705e4168a1df4ee080388931
Instruction ID: 7153a7859eedabcc816117e4d6eaa2fcc0eaf3740e015103d03d401cfd332c2f
Opcode Fuzzy Hash: e13f4de3ac3d21def13e9f485305713d74e8b84e705e4168a1df4ee080388931
Instruction Fuzzy Hash: AAF090F1E28249EFCB11CBA8E50419DBFF1AF06320F5581ABD458E7292D7714A42CB41

Function 073DFF40 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3205893cdc7e2e038b74b7c0f633b6424bd9038f17480e50f5906bd0fa113ab9
Instruction ID: 3198e26b9e58521a22b8cd15765d28971bee6625d40b906b3c31d540cbe54144
Opcode Fuzzy Hash: 3205893cdc7e2e038b74b7c0f633b6424bd9038f17480e50f5906bd0fa113ab9
Instruction Fuzzy Hash: 80F0BDF5D15209AFDB40DFA9E4455EDBBF8EB0A310F0099A6D82AE3741EB705A50CF40

Function 073DD368 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a081fc84bb5afdebddad2af3079bf1c37d3e02414bb9cc9ec64a878d91cf15d
Instruction ID: b0a4323c8f23b73298d7b0e0bf3c1e68b4b6121e1d440dd184759c1b0c100854
Opcode Fuzzy Hash: 6a081fc84bb5afdebddad2af3079bf1c37d3e02414bb9cc9ec64a878d91cf15d
Instruction Fuzzy Hash: DEF0B7F5E24209EFDB40EFA9E5455ADBBF4AB49310F0095AAD819E3340EB719A40CF40

Function 073D7A7F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e00ae87799588f9c842c390e4ed1d2d99f11926cffa3130f3a912ffbb3d7720
Instruction ID: e51c4e30e780c795ac360ed81e1fc9248d9b41c7a63b1a0bbf22e3ac524133a7
Opcode Fuzzy Hash: 1e00ae87799588f9c842c390e4ed1d2d99f11926cffa3130f3a912ffbb3d7720
Instruction Fuzzy Hash: 9EF0E5F79091849FEB024BA4BC126D87F30FB61361F484083F5498A462E3668621D721

Function 073D2660 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe144baa7930553e5370766982af7a9e65a48c0b6b3c6ca9e929d72e72f917f1
Instruction ID: cf9f21d0d9539e177244a769562a8f9fb5044dae7353ebc92b9f3c079c7e42a3
Opcode Fuzzy Hash: fe144baa7930553e5370766982af7a9e65a48c0b6b3c6ca9e929d72e72f917f1
Instruction Fuzzy Hash: 9FD0977728812046FD20DA24BCC23EE7382FFC8300F288C26E08AD7248CA2ECDC24251

Function 073D719B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c93c6d6ab102bde31565d11f1e6a1ee36d28ea472ee247678e98ea86f31825
Instruction ID: f7412a59b4a88335a244f690cf81d8d70c1a452ad5aadbec6bf3f3b88230f88e
Opcode Fuzzy Hash: f8c93c6d6ab102bde31565d11f1e6a1ee36d28ea472ee247678e98ea86f31825
Instruction Fuzzy Hash: C8E026B3E116098BDB40DF24ECC54DCFB74FBA1352B04962FE54596014DB34D609C788

Function 073DE4C8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adacbc4a1b69b3391c2d258edd909606f669b006ce9f3cdebbdec5a1bcab7c3a
Instruction ID: a0df623b864d2ba58b8f53041d6818d22dcfe0a58c2c2ce86fdf875a8ee83746
Opcode Fuzzy Hash: adacbc4a1b69b3391c2d258edd909606f669b006ce9f3cdebbdec5a1bcab7c3a
Instruction Fuzzy Hash: CCE0C2B1955128DBEB10EFF8F44C2BC7FB89B01200F0045A4E80A67280DB700E80DB81

Function 073D2C5F Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d1f4cae82d0734ac41fa2b7905c01e53df3994da4406d310ddb3c8ef0b11148
Instruction ID: 424389e3618836691fe9e728511366d946f79f77636657f1e9b91dca039e3d34
Opcode Fuzzy Hash: 7d1f4cae82d0734ac41fa2b7905c01e53df3994da4406d310ddb3c8ef0b11148
Instruction Fuzzy Hash: 09E0C273500158AFCB02EB44D8008C2FFB5BF4A240306C097E04C9B122D332DA2BCBA2

Function 073D80F8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2c2dd071491937345ba6f2efec78a8a5592035c2ae74e97f849cb8cec29514
Instruction ID: 5e78661c3dd40fcbe9ededf9422fe7ae854a721cf1b1c8648e1616d150943d57
Opcode Fuzzy Hash: ac2c2dd071491937345ba6f2efec78a8a5592035c2ae74e97f849cb8cec29514
Instruction Fuzzy Hash: 7BE02BB25083C50EFF108FB1B80D7FD3F905711221F05847AD40886083D774854CCB11

Function 073D2C70 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c575ffb02fd39229b98ad03ddbcdc09e256e2005c1fc96e08815a2e1c825ad5
Instruction ID: abf20f81d258cf8a3c700e765e89359c1f54448ea3c4f5b2eeb6f3b1373e9b81
Opcode Fuzzy Hash: 7c575ffb02fd39229b98ad03ddbcdc09e256e2005c1fc96e08815a2e1c825ad5
Instruction Fuzzy Hash: 39C0127310001DBB8A01AB85D800C87FBADAF49655304C056E50C8B121D662E912DBE1

Function 073D8108 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2594cfe49b597b286b6e02d7fa78ac11236a4291c0bfc303a78e1739439035f4
Instruction ID: b6ab3bee6279ff2361a438daecc1f5738f46889753dacada9e94e4b1a754163f
Opcode Fuzzy Hash: 2594cfe49b597b286b6e02d7fa78ac11236a4291c0bfc303a78e1739439035f4
Instruction Fuzzy Hash: 3BD0A9712003098BEB004B72E809B6A3AA8AB00240F008030E80882150EB30D9048610

Function 073DF37F Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec29dbc528539c17623eb8f1f230e4f53ac7e7421e949cd8e79361095c51a0e
Instruction ID: 492d6cb9d1a8dea6243c66a050bcd3dd777fc676e69e4581fd99c3b17b07ee35
Opcode Fuzzy Hash: 7ec29dbc528539c17623eb8f1f230e4f53ac7e7421e949cd8e79361095c51a0e
Instruction Fuzzy Hash: B7C08C2950E3C09FD303E2702C059A43F608E93A0038801839261C9043840C063A83B6

Function 073D7A80 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6436defb3a634dc8ea64bd5a8040587e511d5cbae66ff6b3c9301179ca9a1af0
Instruction ID: 0a2561c17f01a8b00492587b277b00aa1d92c0fbb8ce6de53bc34d62b6119397
Opcode Fuzzy Hash: 6436defb3a634dc8ea64bd5a8040587e511d5cbae66ff6b3c9301179ca9a1af0
Instruction Fuzzy Hash: 8CC0023A04060DBBDF025EC1EC05EDA3F2AFB08750F048411FA590806187B39970EBA1

Function 073D924C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788406145.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa9f3c7066303d462e08533b05cc0c10184bd417e65693cb403a2ee3f37dcb4
Instruction ID: 35b644eb993e3a308142ebf5eda64d53006832da6a11120c51399d70449f4800
Opcode Fuzzy Hash: 3aa9f3c7066303d462e08533b05cc0c10184bd417e65693cb403a2ee3f37dcb4
Instruction Fuzzy Hash: 42B012FE7B4201F39500A3744AC8B3BE415EFAA700FD2AC11330F600948AB18CA4D12F

Non-executed Functions

Function 051B0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786683401.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8eac96a162cfde4d7b581c10e9374a849b7e7e55a0f2068d5c9fb7ee6990fa
Instruction ID: 5861a6edbf1a5f1d913337f9169c9407cfb34e354af49c40b8b84b8c11a11df8
Opcode Fuzzy Hash: af8eac96a162cfde4d7b581c10e9374a849b7e7e55a0f2068d5c9fb7ee6990fa
Instruction Fuzzy Hash: B61281F0C81746CAE710CF65E94C1897BB2BB85318BD04B09D2A56B6E1DFB8916BCF44

Function 07496768 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9725b8df5437ae06d9a289adc38f0f7a60bcaa4562f60eb818cecc06ca1ddc9e
Instruction ID: 285e590549cbdd17501f9f2100f7e0148692b717a27bdf2259910facd8e55add
Opcode Fuzzy Hash: 9725b8df5437ae06d9a289adc38f0f7a60bcaa4562f60eb818cecc06ca1ddc9e
Instruction Fuzzy Hash: 3AE1C8B4E101198FCB14DFA9C6809AEFBF2BF89305F25C16AD414A7356DB31A941CF61

Function 07498278 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe503701241c32b91882188213ce1b8dc2921929ebda3538bb1995a87d331872
Instruction ID: a64b06a43d29438c5a0f499812f78fbb77050dcd6f7cea806684723195973740
Opcode Fuzzy Hash: fe503701241c32b91882188213ce1b8dc2921929ebda3538bb1995a87d331872
Instruction Fuzzy Hash: 8FE1EAB4E101198FCB14DFA9C5809AEFBF6BF89305F24816AD414AB356DB31AD41CF61

Function 07496FD8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ed9e299e244dc179929d5c0442f59acfcd656dcba2f96b5437c24ef69586b9
Instruction ID: e8097dd4fe2b552c7d31e99a4ab4241baad3a01fc816fc3a94b9f50646b75f65
Opcode Fuzzy Hash: 64ed9e299e244dc179929d5c0442f59acfcd656dcba2f96b5437c24ef69586b9
Instruction Fuzzy Hash: B7E1EAB4E101198FCB15DFA9C5819AEBBF2FF89305F24816AE414A7356DB30A941CF60

Function 07498C28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc6a0bc398a8539f06b39afa9048b83cfe060847651a119fccf483d9131ee13
Instruction ID: 6fcaa12ac204e8ecc94ffa0cdfeb8dda4c6140b9957c2ee600fd175cf3fa379c
Opcode Fuzzy Hash: 2bc6a0bc398a8539f06b39afa9048b83cfe060847651a119fccf483d9131ee13
Instruction Fuzzy Hash: 09E1EAB4E101198FCB14DFA9C5809AEFBF6BF89305F24816AE414AB356DB31AD41CF60

Function 07496BA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946cebc93a793bf297deb2cfa61830c9c9f3fe55d63898b14971d25eb47090b3
Instruction ID: 3ffb09becee9b88594efd2890185ce788093fc8719d861abb122ecfa67997aea
Opcode Fuzzy Hash: 946cebc93a793bf297deb2cfa61830c9c9f3fe55d63898b14971d25eb47090b3
Instruction Fuzzy Hash: 68E1DBB4E101198FDB14DFA9C6809AEFBF2BF89305F24816AE414A7359DB31AD41CF61

Function 0101DF14 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781237928.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283cbda75bcbf8be254983a6b107b5ec96573644b0c5b28fb60c2c02430e4583
Instruction ID: cfc07f1966117c357dddd13b9a513280c958d16eaefe0e79f71a50d514823090
Opcode Fuzzy Hash: 283cbda75bcbf8be254983a6b107b5ec96573644b0c5b28fb60c2c02430e4583
Instruction Fuzzy Hash: 6EA16032E0021A8FCF05DFB5C8445DEBBF2FF84304B1545AAE945AB269DB35E956CB80

Function 051B0006 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786683401.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59155d719cc92aed1f72c2adde022f3c9dd83589f32cf404277fc06f7cf80c47
Instruction ID: 33f7c2bf6458d5197803a7f197ec999f1df3b70e00f342fc371dd2101d8a0775
Opcode Fuzzy Hash: 59155d719cc92aed1f72c2adde022f3c9dd83589f32cf404277fc06f7cf80c47
Instruction Fuzzy Hash: A3C116B0C81746CBD710CF65E94C1897BB2BB86318B954B09D1A16B2E1DFB894ABCF44

Function 07496B90 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22137a668e57b0e9143f7c9b3c8cfbf2253c874838278470373a165c584dfb2
Instruction ID: ec674fda54c12c2f40335e6642f9bdc8398c52dec3fd38a1b17f5717941945f4
Opcode Fuzzy Hash: c22137a668e57b0e9143f7c9b3c8cfbf2253c874838278470373a165c584dfb2
Instruction Fuzzy Hash: 6E511BB0E042198FDB14CFA9D9815AEFBF2FF89305F24816AD418A7356DB319941CFA1

Function 07496FC9 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081e2288ae779d8f44d06360466ff48688b07d11ab4aaca40b6f521d98c33b4c
Instruction ID: 02c03fe9bf81ed7a083595a41a712cb25ae3791208d5f50e703da958dba2f872
Opcode Fuzzy Hash: 081e2288ae779d8f44d06360466ff48688b07d11ab4aaca40b6f521d98c33b4c
Instruction Fuzzy Hash: A451FAB0E142198FCB15DFA9C9815AEBFF2BF89304F24C16AD418AB356DB319941CF61

Function 07498267 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788539500.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_EXQuAzl4Xn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c852e8f9aa98a6ce0909ec1a8ddda0bd2755bac73dbfdb6bbbcfabc59192ba
Instruction ID: 7b4922e7baa4a4b1dc552c916a0422d570bdac5478037525962b6284d4d61bd6
Opcode Fuzzy Hash: b2c852e8f9aa98a6ce0909ec1a8ddda0bd2755bac73dbfdb6bbbcfabc59192ba
Instruction Fuzzy Hash: 17510CB4E002198FCB14CFA9C5815AEFBF6BF89304F24C16AD418A7356DB319942CF61

Analysis Process: RegSvcs.exePID: 7344, Parent PID: 5820COMMON

Execution Graph

Execution Coverage:	16.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.6%
Total number of Nodes:	61
Total number of Limit Nodes:	12

Executed Functions

Function 072899A0 Relevance: 8.1, APIs: 1, Strings: 3, Instructions: 1088
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

k., xrefs: 0728A0DC, 0728A0E1
3., xrefs: 0728A062, 0728A067
;&, xrefs: 07289A80, 07289A85

Memory Dump Source

Source File: 00000008.00000002.2065392188.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7280000_RegSvcs.jbxd

Similarity

API ID:
String ID: 3.$;&$k.
API String ID: 0-4229762296
Opcode ID: a971999b2b4d13f7eda9ff82d718c79b40b3c504daaa1b0c0040fe8a49d2e5ad
Instruction ID: 21972d0a921eae1c5d5d57c05ef6fa17b2f0b4e2fafa97834f73ddf38ccba08e
Opcode Fuzzy Hash: a971999b2b4d13f7eda9ff82d718c79b40b3c504daaa1b0c0040fe8a49d2e5ad
Instruction Fuzzy Hash: 9DC29F74A012298FCBA4EF24D898B9DB7B2FB89301F1085E9D40DA7350DB35AE85CF50

Function 07286BE0 Relevance: 5.3, Strings: 4, Instructions: 271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 07286E41
$^q, xrefs: 07286E2B
$^q, xrefs: 07286D7B
$^q, xrefs: 07286D91

Memory Dump Source

Source File: 00000008.00000002.2065392188.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7280000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 40a1a4b28236a65cb8ff6ebedc2411f0237ba82c987316e377e1f9b961999887
Instruction ID: 2bd17659195996a14efa08ed8ff4f9a1b6191e13189006d7f369fed43fe885ff
Opcode Fuzzy Hash: 40a1a4b28236a65cb8ff6ebedc2411f0237ba82c987316e377e1f9b961999887
Instruction Fuzzy Hash: 83C1FAB0E1121DCFDB64DFA5C890B9DBBB2BF89300F1085A9D40AAB355DB359985CF41

Function 0728B130 Relevance: 2.9, Strings: 2, Instructions: 364COMMON

Download Yara Rule

Strings

., xrefs: 0728B3B0
1, xrefs: 0728B435

Memory Dump Source

Source File: 00000008.00000002.2065392188.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7280000_RegSvcs.jbxd

Similarity

API ID:
String ID: .$1
API String ID: 0-1839485796
Opcode ID: a3f956637d2a80540e40f8222690e0623b3b208715bf6bac688c6b23aabaaac9
Instruction ID: 8bd6ea5ac395a933671996840451decd077e2cbd61f2098c4ec4f02bf8bc41b2
Opcode Fuzzy Hash: a3f956637d2a80540e40f8222690e0623b3b208715bf6bac688c6b23aabaaac9
Instruction Fuzzy Hash: 04F1CEB4E02229CFDB68DF65D884BDDBBB2FF89305F1081A9D409A7294DB315A85CF50

Function 07287C28 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2065392188.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7280000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646ec5e8f9a6cc406767799104785192746b0eb2e15263fe63661141db7c12cf
Instruction ID: e671dda0235865bee9227dbd1a0142a89775ded924af5c0c3272ce5cb9bada1c
Opcode Fuzzy Hash: 646ec5e8f9a6cc406767799104785192746b0eb2e15263fe63661141db7c12cf
Instruction Fuzzy Hash: 24228CB4D11229CFDBA5DF68C890BD9B7B2BF89300F5085EAD509A7250EB716E85CF40

Function 072889D8 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2065392188.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7280000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de3f60ea52b66011d06dff56389ed0601681ab40b8f11fea140bc9dccc175d5
Instruction ID: 3eb125ab44f19e4b9f563965e93c5556c266318337306682896b885ffa6ef2f7
Opcode Fuzzy Hash: 0de3f60ea52b66011d06dff56389ed0601681ab40b8f11fea140bc9dccc175d5
Instruction Fuzzy Hash: 4D91F274E11219DFDB64DFA8D984B9DBBB2BF89300F1081A9D409AB351EB316A85CF41

Function 02FAD0A8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02FAD136
GetCurrentThread.KERNEL32 ref: 02FAD173
GetCurrentProcess.KERNEL32 ref: 02FAD1B0
GetCurrentThreadId.KERNEL32 ref: 02FAD209

Strings

ns9[, xrefs: 02FAD0D4

Memory Dump Source

Source File: 00000008.00000002.2041799298.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2fa0000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID: ns9[
API String ID: 2063062207-1580698851
Opcode ID: 2384a201b72dab7d4f0f5b154a7a57a439ced7abdf71e1da32a4fc4d69eda4a6
Instruction ID: 23f8b4683e70ba29fa3083d88c92fc8991775210088cd38e0e7168c0aa8b7aeb
Opcode Fuzzy Hash: 2384a201b72dab7d4f0f5b154a7a57a439ced7abdf71e1da32a4fc4d69eda4a6
Instruction Fuzzy Hash: E05146B0900249CFDB14DFA9D548B9EBBF1EB88314F208469E119AB3A0DB349985CF65

Function 02FAD0B8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02FAD136
GetCurrentThread.KERNEL32 ref: 02FAD173
GetCurrentProcess.KERNEL32 ref: 02FAD1B0
GetCurrentThreadId.KERNEL32 ref: 02FAD209

Strings

ns9[, xrefs: 02FAD0D4

Memory Dump Source

Source File: 00000008.00000002.2041799298.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2fa0000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID: ns9[
API String ID: 2063062207-1580698851
Opcode ID: 116919029bf846125f7ce02c9911ecb95571eb3877806e4425572ed5c8e24bcd
Instruction ID: a5cba688f210736570e9f167af5f700ce963ed4280e22867ccf30ac606da43f9
Opcode Fuzzy Hash: 116919029bf846125f7ce02c9911ecb95571eb3877806e4425572ed5c8e24bcd
Instruction Fuzzy Hash: F75137B0900209CFDB54DFA9D548B9EBBF1FB48314F20C469E519A73A0DB349984CF65

Function 02FAAE30 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02FAB086

Strings

ns9[, xrefs: 02FAB03F

Memory Dump Source

Source File: 00000008.00000002.2041799298.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2fa0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID: ns9[
API String ID: 4139908857-1580698851
Opcode ID: 6733006bbd6ee3690968e46a511a8a11319f267ecc695604c4a5269af6252c15
Instruction ID: bd451e2a41ea961555cc69f22a19c465088550d4cd1466298a7ada351f3534ae
Opcode Fuzzy Hash: 6733006bbd6ee3690968e46a511a8a11319f267ecc695604c4a5269af6252c15
Instruction Fuzzy Hash: 797156B0A00B058FD724DF2AD59175ABBF1FF88744F00892DD58ADBA50DB75E849CB90

Function 02FA4248 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02FA59F1

Strings

ns9[, xrefs: 02FA5974

Memory Dump Source

Source File: 00000008.00000002.2041799298.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2fa0000_RegSvcs.jbxd

Similarity

API ID: Create
String ID: ns9[
API String ID: 2289755597-1580698851
Opcode ID: ceaf6fe202e63883e6b169d04d45aa3bf2f3636facbc8e02ce42fb1a34d96781
Instruction ID: fa9fe51303a653f4239c272ce5d8536bd81d90103641cca12c143c50ead0a6ba
Opcode Fuzzy Hash: ceaf6fe202e63883e6b169d04d45aa3bf2f3636facbc8e02ce42fb1a34d96781
Instruction Fuzzy Hash: 6B41FFB0D00619CFDB24DFA9C894B8EBBF5FF48304F60806AD509AB255DB756989CF90

Function 02FA5935 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02FA59F1

Strings

ns9[, xrefs: 02FA5974

Memory Dump Source

Source File: 00000008.00000002.2041799298.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2fa0000_RegSvcs.jbxd

Similarity

API ID: Create
String ID: ns9[
API String ID: 2289755597-1580698851
Opcode ID: 5c1a628301ada20ede13fb54a226c6007af54758035f1a6d79c497040aa9482b
Instruction ID: a15ced29ce05140200ddf3bde397ef083f1c60186239920a7f9d5ec706942917
Opcode Fuzzy Hash: 5c1a628301ada20ede13fb54a226c6007af54758035f1a6d79c497040aa9482b
Instruction Fuzzy Hash: E04110B0D00619CFDB24CFA9C994B8EBBF5BF48304F24806AD509BB250DB756989CF90

Function 02FAD2F9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FAD387

Strings

ns9[, xrefs: 02FAD31F

Memory Dump Source

Source File: 00000008.00000002.2041799298.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2fa0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID: ns9[
API String ID: 3793708945-1580698851
Opcode ID: a37dd895ead4078cb29f77e0eeae085486a900877be760a3a9580314e9dce334
Instruction ID: 6aba962c09fbf459af5606af2e1888cf81c686a4c527f125f1eebc5ec44e2e84
Opcode Fuzzy Hash: a37dd895ead4078cb29f77e0eeae085486a900877be760a3a9580314e9dce334
Instruction Fuzzy Hash: C321D2B5D002199FDB10CF9AD584ADEBBF5EB48314F14801AE918A7250D374A954CFA4

Function 02FAD300 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FAD387

Strings

ns9[, xrefs: 02FAD31F

Memory Dump Source

Source File: 00000008.00000002.2041799298.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2fa0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID: ns9[
API String ID: 3793708945-1580698851
Opcode ID: 05b32de72684dd78424474280063f7738ac710792f887f92cc09478c5e89d12f
Instruction ID: 1826b2f4208d2a3ae43ef3f6423c3659b4d4ec1f3b5d218ed52a6a6e1453b74b
Opcode Fuzzy Hash: 05b32de72684dd78424474280063f7738ac710792f887f92cc09478c5e89d12f
Instruction Fuzzy Hash: 4E21E0B59002089FDB10CFAAD984ADEBFF8FB48320F14801AE918A7350C374A944CFA4

Function 02FAB020 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02FAB086

Strings

ns9[, xrefs: 02FAB03F

Memory Dump Source

Source File: 00000008.00000002.2041799298.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2fa0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID: ns9[
API String ID: 4139908857-1580698851
Opcode ID: d0a19ec94441d7f6d25f748036c0a647528e0643d64338b22467e01f91614693
Instruction ID: 3611065086ed99f55ac56141547ae29e1497c79bc76afae0e62228eae47bbd13
Opcode Fuzzy Hash: d0a19ec94441d7f6d25f748036c0a647528e0643d64338b22467e01f91614693
Instruction Fuzzy Hash: 5A110FB5D003498FCB20DF9AD444ADEFBF4BB88624F10842AD968B7210C375A545CFA5

Function 0157D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2040650134.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_157d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2020a8f551e9b5e6486809989c2c263700a34b3d41345a591a7f3975868d5c
Instruction ID: 1c2f992a90e9c7cd43047be51967463ebf8fde65a96b8119bf880bc7abe3e642
Opcode Fuzzy Hash: 2f2020a8f551e9b5e6486809989c2c263700a34b3d41345a591a7f3975868d5c
Instruction Fuzzy Hash: 6D214872100200DFDB01DF48E9C5B5ABFB6FF84324F20C569D9094F256C376E446C6A1

Function 0157D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2040650134.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_157d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4d324c531bc41a696696a6b8329f6cc8aff9d052f0586dbb2f473532c5ed77
Instruction ID: 3fdde7dec7d10f0bfc89f8909699b436b6ce7905e0563ca4cd2f3215078561bc
Opcode Fuzzy Hash: 4b4d324c531bc41a696696a6b8329f6cc8aff9d052f0586dbb2f473532c5ed77
Instruction Fuzzy Hash: 57210371500240DFDB05DF58E9C5B2ABFB6FF88318F24C669E9090F256C336D456CAA1

Function 0158D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2040727007.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_158d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e275f62f324ddcd996ac9fd747474b0c9d5099268c684b829d52777ec3f7050
Instruction ID: 53f62fd4db00b335803edd40f646e09a4764b0564f660e87581c10419d27fba8
Opcode Fuzzy Hash: 7e275f62f324ddcd996ac9fd747474b0c9d5099268c684b829d52777ec3f7050
Instruction Fuzzy Hash: 84213071604200DFDB15EF98D980B2ABBF1FB84314F20C969D80A5F296D33AC407CA61

Function 0158D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2040727007.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_158d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f265fe4c7623af0f305d94f066bc3bd1e895996e494135be9be2f9ce99d625e
Instruction ID: af6334ecb0aae5808242f36f35ef5cf856559cc54cd118e2e0371071975cd706
Opcode Fuzzy Hash: 6f265fe4c7623af0f305d94f066bc3bd1e895996e494135be9be2f9ce99d625e
Instruction Fuzzy Hash: E2217C75509380CFDB02DF64D994715BFB1FB46214F28C5EAD8498F2A7C33A980ACB62

Function 0157D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2040650134.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_157d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: e2e1b2d8ec4b928343dd9f6cd4afa90dd46c0e202df3080e64a065b6aff0f269
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 8011DF72404240DFDB02CF44D5C4B5ABF72FB94324F24C2A9D9090F256C33AE45ACBA1

Function 0157D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2040650134.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_157d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: bd7c27a0c08f59752d42682c2968394798aa109819f28b9492c804a584c53c1c
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0B11AF76504280CFDB16CF54D5C4B1ABF71FB84328F24C6A9D9490F656C33AD45ACBA1

Function 0157DA01 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2040650134.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_157d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03993fb4d4450039d5301db5782e8c4106f94b4263983001116699278dd68af5
Instruction ID: fc7314ff9759502011783e85d1158bc56b76231c828c8c1df70bf58dd0a6c613
Opcode Fuzzy Hash: 03993fb4d4450039d5301db5782e8c4106f94b4263983001116699278dd68af5
Instruction Fuzzy Hash: 56012B3110C3449AE711AE5ADD8576BBFF8FF41360F18C469ED090E282C2B9D840C6B1

Function 0157DA00 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2040650134.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_157d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cabd2238f37e42168bae6ffc9cc06d48c68ba0b29d4408c1cfb2bcc1065e32e7
Instruction ID: 201a1c23804ca4891af10f57fcf768bd9d9626b60f1ed5cac5c40924cbd2a394
Opcode Fuzzy Hash: cabd2238f37e42168bae6ffc9cc06d48c68ba0b29d4408c1cfb2bcc1065e32e7
Instruction Fuzzy Hash: 7FF0CD72008344AEE7209E1AD8C4B66FFA8FF40734F18C45AED080F282C2B99844CAB0

Non-executed Functions

Function 07285A14 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2065392188.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7280000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aac2ee768243fb89b73f7687fb179983adc93e9d662e7b3bede313dff182806
Instruction ID: 5c33764da64229adf783c94692b9fa46848de6dd0f4691aae86c63c18fe47074
Opcode Fuzzy Hash: 4aac2ee768243fb89b73f7687fb179983adc93e9d662e7b3bede313dff182806
Instruction Fuzzy Hash: EEF0C9B096621ACFDB64AF51D8D87BDBBB0AB0A305F145055D01677180CBB64694CF84

Analysis Process: wBfGlYCdeX.exePID: 7396, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	278
Total number of Limit Nodes:	16

Executed Functions

Function 083E9270 Relevance: 15.2, Strings: 10, Instructions: 2650COMMON

Download Yara Rule

Strings

4'^q, xrefs: 083EBE83
4|cq, xrefs: 083EC058
4|cq, xrefs: 083EC073
$^q, xrefs: 083EBF30
(o^q, xrefs: 083E9346
4'^q, xrefs: 083EA0D3
4'^q, xrefs: 083EA25B
4'^q, xrefs: 083EB141
4'^q, xrefs: 083EBEDE
4'^q, xrefs: 083EBF0E

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4|cq$4|cq$$^q
API String ID: 0-2723476363
Opcode ID: e484bc71d5e27ea0800e3f9e3558f04c740afbbd4e01de646845c6c153e18129
Instruction ID: e20105dc8c2fad910b1c64d01eff038791adcedd8b163fbad2ed9048b09a23dd
Opcode Fuzzy Hash: e484bc71d5e27ea0800e3f9e3558f04c740afbbd4e01de646845c6c153e18129
Instruction Fuzzy Hash: 1153ED74A00229CFCB25DF68C894A9DB7B2BF89311F1585D9E419AB3A5DB30ED81CF50

Function 083ECAF0 Relevance: 5.6, Strings: 4, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:, xrefs: 083ECD6F
4'^q, xrefs: 083ECEAC
pbq, xrefs: 083ECF75
~, xrefs: 083ECD0E

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: 4'^q$:$pbq$~
API String ID: 0-999388165
Opcode ID: 92fe3f27162344ed0285aebab12c1964f29615df4a0dbe8680b83b97c98e6ab3
Instruction ID: 7ff985bd96df9589331e78c2f7d7c24855722fee3ef2a7d26537aca0dbc33ab2
Opcode Fuzzy Hash: 92fe3f27162344ed0285aebab12c1964f29615df4a0dbe8680b83b97c98e6ab3
Instruction Fuzzy Hash: 1542D375A00228DFDB25CFA9C944B99BBB2FF88300F1590E9E509AB265DB319D91DF10

Function 081DCC08 Relevance: 7.9, Strings: 6, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 081DCFD0
LR^q, xrefs: 081DCF7D
$^q, xrefs: 081DCC75
(bq, xrefs: 081DD090
$^q, xrefs: 081DCFDC
PH^q, xrefs: 081DD014

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: (bq$LR^q$PH^q$$^q$$^q$$^q
API String ID: 0-1731962052
Opcode ID: 99178c2fc43388cc6c7fadd39c07479e4b85a657a212d5e38b018866464d9bd8
Instruction ID: adcd90c39c14d0f3f6167477da93390a2c1fe6d72966021e937e7a4c372d713b
Opcode Fuzzy Hash: 99178c2fc43388cc6c7fadd39c07479e4b85a657a212d5e38b018866464d9bd8
Instruction Fuzzy Hash: 65F13934A00605CFCB14DFA9D594A9DBBF2FF88311F258969E405EB364DB31E846CBA1

Function 083E7C30 Relevance: 7.8, Strings: 6, Instructions: 325
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 083E7D48
d8cq, xrefs: 083E80E0
,bq, xrefs: 083E7D54
Hbq, xrefs: 083E7FF1
(o^q, xrefs: 083E7D82
(o^q, xrefs: 083E7D76

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq$Hbq$d8cq
API String ID: 0-1626189073
Opcode ID: 6489b7767cb9d537fea4bc44ce8e084863cd59f24fa8d0e906e564bcc076bfa5
Instruction ID: 757ffffee5a1cc95e58adb8e8da6a60fb7830af397ef8206a7fba7a8d1c7b247
Opcode Fuzzy Hash: 6489b7767cb9d537fea4bc44ce8e084863cd59f24fa8d0e906e564bcc076bfa5
Instruction Fuzzy Hash: 74C12630B001289FCB149F68D958AAE7BB6FFC8751F148069F905AB3A5DB31DC418BA1

Function 081DCBF8 Relevance: 5.2, Strings: 4, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 081DCFD0
LR^q, xrefs: 081DCF7D
$^q, xrefs: 081DCC75
PH^q, xrefs: 081DD014

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: LR^q$PH^q$$^q$$^q
API String ID: 0-2238246019
Opcode ID: 230eeba2b30be3c9b1b187ea801550a8070c57fbeb613558badf829a7aa3d185
Instruction ID: 60fc99e7338c55ed9e54a2d96abbc068850eea0531b45051defaab8e965b21b7
Opcode Fuzzy Hash: 230eeba2b30be3c9b1b187ea801550a8070c57fbeb613558badf829a7aa3d185
Instruction Fuzzy Hash: 89715F31A007098FDB14CFA9D594B9DBBF2EF88711F148869E405DB354EB31E846CBA1

Function 081D8C08 Relevance: 2.7, Strings: 2, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 081D8EAC
Hbq, xrefs: 081D8E79

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: a719e5876ae90cdee76ee6c29e293da418ddf763a92fe8b999ea49270982ea3b
Instruction ID: 5e35f402a6397fe49f0736f7d78ac9326a223df6396a71466f7a3e1eb849a472
Opcode Fuzzy Hash: a719e5876ae90cdee76ee6c29e293da418ddf763a92fe8b999ea49270982ea3b
Instruction Fuzzy Hash: 0871FA39B006188FCB14EFA8D554AAE77F2EF88311B2048A8D501EB7A1DB35ED41CF61

Function 081D2CC8 Relevance: 2.7, Strings: 2, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 081D2D8C
Te^q, xrefs: 081D2E89

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: Hbq$Te^q
API String ID: 0-4204034466
Opcode ID: 0297d0b11be054cde920a71824311b10455b191184a8226e3cf586e6116de587
Instruction ID: 1cb145df55d2e97d9ec9bbe221338e174c1f3af8d812decf275465ece6babb96
Opcode Fuzzy Hash: 0297d0b11be054cde920a71824311b10455b191184a8226e3cf586e6116de587
Instruction Fuzzy Hash: 9F519D34B002158FCB14DB7DD894A6EBBEAEFC8721B148569E419DB3A5DF30DD0287A0

Function 081D8FB8 Relevance: 2.7, Strings: 2, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 081D9093
Hbq, xrefs: 081D904A

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 4524ccc74c7b56849854dd28696d077602198dfa1cf917d66a87b7b2cd81fed8
Instruction ID: 6c7b40fbc5dd1ce9cf943d01deae2e01a7aa6b941ca934d15134519158c10a3b
Opcode Fuzzy Hash: 4524ccc74c7b56849854dd28696d077602198dfa1cf917d66a87b7b2cd81fed8
Instruction Fuzzy Hash: 5F515B347006108FCB14DF79D498A6EBBE6EFC861171545A9E906CB7A1DF36DC42CB90

Function 083E7C21 Relevance: 2.6, Strings: 2, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 083E7D48
(o^q, xrefs: 083E7D76

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: (o^q$,bq
API String ID: 0-3021502629
Opcode ID: 39c575a78a4d8b64f9db710d70038f36d69415fa1de3c368cd2230b731b3898d
Instruction ID: 7c606dc811a853fe494c9882323361fc12f1b14595f081a56655ccd224693d95
Opcode Fuzzy Hash: 39c575a78a4d8b64f9db710d70038f36d69415fa1de3c368cd2230b731b3898d
Instruction Fuzzy Hash: 9F511634A11229DFCB24CF68D588AAEBBF5FF88716F148069F845A73A0D7709C41CB90

Function 087993A2 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 087995DE

Memory Dump Source

Source File: 00000009.00000002.1878107795.0000000008790000.00000040.00000800.00020000.00000000.sdmp, Offset: 08790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8790000_wBfGlYCdeX.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f883ec4fa4b74149f879ee587dbd06e4b27b79a34d5f22b8e54419e682428584
Instruction ID: 8be095c897c128c5c46da11a565e23fc505641b10033c01f19725d2de127a347
Opcode Fuzzy Hash: f883ec4fa4b74149f879ee587dbd06e4b27b79a34d5f22b8e54419e682428584
Instruction Fuzzy Hash: 5AA16B71D00219DFEF10CFA8D8407DEBBB2BF45311F0481A9D949A7294DB749985CFA2

Function 087993A8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 087995DE

Memory Dump Source

Source File: 00000009.00000002.1878107795.0000000008790000.00000040.00000800.00020000.00000000.sdmp, Offset: 08790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8790000_wBfGlYCdeX.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 934930b7e4ef9fd114e8d38524bd38b96bb5cfa02c478d61a2fa397034813226
Instruction ID: 69d768a7a911e178813bc44e7b46bc8e15768aa57e0cffa508559dc8da5a1dd1
Opcode Fuzzy Hash: 934930b7e4ef9fd114e8d38524bd38b96bb5cfa02c478d61a2fa397034813226
Instruction Fuzzy Hash: 4E916B71D00219DFEF10CFA8D8407DEBBB2BF49311F0481A9E949A7294DB749985CFA2

Function 0282B128 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0282B37E

Memory Dump Source

Source File: 00000009.00000002.1872645156.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_wBfGlYCdeX.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7dad17b885eac6a625ad363978add0635751c6dd2a72e3a0cb4b706b6eb8c1b5
Instruction ID: 1ea81ad6300ff8299982637146e5713f4d89ec609b7c8db8643b48733196e02b
Opcode Fuzzy Hash: 7dad17b885eac6a625ad363978add0635751c6dd2a72e3a0cb4b706b6eb8c1b5
Instruction Fuzzy Hash: C0713278A01B148FD724DF29D14579ABBF1FF88308F008A2DD48AD7A50DB34E989CB91

Function 0282590D Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 028259C9

Memory Dump Source

Source File: 00000009.00000002.1872645156.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_wBfGlYCdeX.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6fe7b4b06d431822c45d53bf706cf8f7bd508234bca447033bfeaf1eba2fbc7e
Instruction ID: b6b19606d1e75b82a2aead308a2bb3a28bbb253c81c627e616cc1788b40594fa
Opcode Fuzzy Hash: 6fe7b4b06d431822c45d53bf706cf8f7bd508234bca447033bfeaf1eba2fbc7e
Instruction Fuzzy Hash: C941E2B4C00729DFDB24DFA9C88478EBBB5BF49304F60806AD449AB254DB756989CF90

Function 028244F0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 028259C9

Memory Dump Source

Source File: 00000009.00000002.1872645156.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_wBfGlYCdeX.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0d6d3742a05739693b3f9ac717947b1473e6e8af86bb265bef687d13fb99699c
Instruction ID: e2adf5640b1d1bca620171cd2631dbfd3d67afb406354f09faf9c7d4641838e8
Opcode Fuzzy Hash: 0d6d3742a05739693b3f9ac717947b1473e6e8af86bb265bef687d13fb99699c
Instruction Fuzzy Hash: 5241F4B4C0062DCFDB24CFA9C84479DBBB5BF49304F60806AD409BB255DB756989CF90

Function 0879911A Relevance: 1.6, APIs: 1, Instructions: 76injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 087991B0

Memory Dump Source

Source File: 00000009.00000002.1878107795.0000000008790000.00000040.00000800.00020000.00000000.sdmp, Offset: 08790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8790000_wBfGlYCdeX.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5c1cc65ce8fceb352082ec8a20a86fc75f7835b2a3a0ceacca19d8a3beda588d
Instruction ID: f7a25020cf411635ec755c977fa3b728dc6105879958a94164ff648ba485a9cd
Opcode Fuzzy Hash: 5c1cc65ce8fceb352082ec8a20a86fc75f7835b2a3a0ceacca19d8a3beda588d
Instruction Fuzzy Hash: 263140B1900249DFDB10CFAAC884BEEBBF5BB48310F10842AE958A7244D7799944CBA4

Function 08799120 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 087991B0

Memory Dump Source

Source File: 00000009.00000002.1878107795.0000000008790000.00000040.00000800.00020000.00000000.sdmp, Offset: 08790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8790000_wBfGlYCdeX.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1a69b8f631ceb07537db5b1f65d12628b8a26beb1529f9f9bc3942762e09b202
Instruction ID: 14ba1a7f43386187987e8dd71e8628d7c519db77cf2c0faec2a89ff68dc6ca50
Opcode Fuzzy Hash: 1a69b8f631ceb07537db5b1f65d12628b8a26beb1529f9f9bc3942762e09b202
Instruction Fuzzy Hash: 702133B19002099FDB10CFAAC884BDEBBF5FB48310F10842AE958A7250D7789944CBA4

Function 0282D600 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0282D5CE,?,?,?,?,?), ref: 0282D68F

Memory Dump Source

Source File: 00000009.00000002.1872645156.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_wBfGlYCdeX.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 573e3bb379883001f73c5ca8066c35f9d896834f5c570a40097b7b4d9e201ca2
Instruction ID: 035478b60ac77c528089c5ce23bb2445464755c8303b79380ffab3723a77eb16
Opcode Fuzzy Hash: 573e3bb379883001f73c5ca8066c35f9d896834f5c570a40097b7b4d9e201ca2
Instruction Fuzzy Hash: 382114B5901218DFDB10DFAAD984ADEBFF4FB48320F10841AE958A7310C374A945CFA1

Function 0282B014 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0282D5CE,?,?,?,?,?), ref: 0282D68F

Memory Dump Source

Source File: 00000009.00000002.1872645156.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_wBfGlYCdeX.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 814f7199817b3563d4fa86de7485a1a3a25545c0035acae6f7ab9c67e783b597
Instruction ID: 0b37badccdf196d83b56ab2ae97f56ec015c3eeeb574e25402eee5832bdfe9a7
Opcode Fuzzy Hash: 814f7199817b3563d4fa86de7485a1a3a25545c0035acae6f7ab9c67e783b597
Instruction Fuzzy Hash: F22103B5901218EFDB10CF9AD584ADEBFF4EB48314F10801AE958A3311D374A944CFA4

Function 08798B48 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08798BCE

Memory Dump Source

Source File: 00000009.00000002.1878107795.0000000008790000.00000040.00000800.00020000.00000000.sdmp, Offset: 08790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8790000_wBfGlYCdeX.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 392afe470d6e7791ef22b31dc7548c39e41ff028df61d443eb23586d1c354723
Instruction ID: fed5e13f8697aa8e21eafa98ff2ff837018f61b8a4b7fb3a345d1ef312a6ed18
Opcode Fuzzy Hash: 392afe470d6e7791ef22b31dc7548c39e41ff028df61d443eb23586d1c354723
Instruction Fuzzy Hash: 382137B19002098FDB10DFAAC4857EEBBF4AB89324F14842AD499A7245C7789945CFA5

Function 08799208 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08799290

Memory Dump Source

Source File: 00000009.00000002.1878107795.0000000008790000.00000040.00000800.00020000.00000000.sdmp, Offset: 08790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8790000_wBfGlYCdeX.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 218a30e139d710cdb6a94176dd83fd9573e2d004bf730a81b397fe600fbf67e2
Instruction ID: 84d54327ad7da2da633f33680083405083eda7af07f06d706fc8c6be761f530d
Opcode Fuzzy Hash: 218a30e139d710cdb6a94176dd83fd9573e2d004bf730a81b397fe600fbf67e2
Instruction Fuzzy Hash: F22136B18002499FDB10DFAAC881BEEFBF1FF48320F10842EE558A7250C7399544CBA4

Function 08798B50 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08798BCE

Memory Dump Source

Source File: 00000009.00000002.1878107795.0000000008790000.00000040.00000800.00020000.00000000.sdmp, Offset: 08790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8790000_wBfGlYCdeX.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 15fa0a80f7b8f735f70b802dd034883043cfdc3e485bb25d942a4c4be8253db9
Instruction ID: 382582368c81169cc54c3860e6c54a2c72a13f20867401cc26d0ed0540c80ef7
Opcode Fuzzy Hash: 15fa0a80f7b8f735f70b802dd034883043cfdc3e485bb25d942a4c4be8253db9
Instruction Fuzzy Hash: 162149B19003098FDB10DFAAC4857EEBBF4EF89324F14842ED459A7240C778A945CFA5

Function 08799210 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08799290

Memory Dump Source

Source File: 00000009.00000002.1878107795.0000000008790000.00000040.00000800.00020000.00000000.sdmp, Offset: 08790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8790000_wBfGlYCdeX.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 053244576b9038cd0cdff22f6de5752fa9c8440dcf31eb38349108ff62b49883
Instruction ID: 8c22aa5719b164de58e3fd37c79f50cf33fd20aae73a5eadbabebc6b1523f6fb
Opcode Fuzzy Hash: 053244576b9038cd0cdff22f6de5752fa9c8440dcf31eb38349108ff62b49883
Instruction Fuzzy Hash: 812128B18002599FDB10DFAAC841BDEFBF5FF48320F10842EE558A7250C7349544CBA4

Function 083EE617 Relevance: 1.6, Strings: 1, Instructions: 308COMMON

Download Yara Rule

Strings

@, xrefs: 083EE73F

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 07d4580343aa6a3c2542f698725196e3c62c400d5e6ff1d5b5ad2c453e118d71
Instruction ID: 4b7581cd6e910318aa6a77a2b0dc0bf165c91bce4bd638ca7c92e5603b7e305f
Opcode Fuzzy Hash: 07d4580343aa6a3c2542f698725196e3c62c400d5e6ff1d5b5ad2c453e118d71
Instruction Fuzzy Hash: CAE18274E002298FDB60DFA9D980A9DBBF1FF89315F1491AAE818E7345D731A981CF50

Function 08798A98 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08798B02

Memory Dump Source

Source File: 00000009.00000002.1878107795.0000000008790000.00000040.00000800.00020000.00000000.sdmp, Offset: 08790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8790000_wBfGlYCdeX.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a9e6105432eaac9184944f7b7cd18cd96dc00c6f8c8c8e26257ae5a095c51d37
Instruction ID: a17c26708f2ee377d2e94ec2f6fbd0bac0762573f173250aaca78fca1a0c9c71
Opcode Fuzzy Hash: a9e6105432eaac9184944f7b7cd18cd96dc00c6f8c8c8e26257ae5a095c51d37
Instruction Fuzzy Hash: 12119AB19043888FCB20DFAAC44579EFFF4EF89324F24846EC098A7245C6349544CBA5

Function 0879905A Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 087990CE

Memory Dump Source

Source File: 00000009.00000002.1878107795.0000000008790000.00000040.00000800.00020000.00000000.sdmp, Offset: 08790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8790000_wBfGlYCdeX.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: dfba241ae4b5835e96ca338b960481363684f7c2ad7202ef0ff044212d53fd45
Instruction ID: 8128d02c2617ca2290a0578ca209498263af196b61d1f1c99d796a44d7af78dc
Opcode Fuzzy Hash: dfba241ae4b5835e96ca338b960481363684f7c2ad7202ef0ff044212d53fd45
Instruction Fuzzy Hash: DB1156718002499FCB10CFA9C444BEEBFF1AB88320F10842DE569A7260C7759554CFA0

Function 08799060 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 087990CE

Memory Dump Source

Source File: 00000009.00000002.1878107795.0000000008790000.00000040.00000800.00020000.00000000.sdmp, Offset: 08790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8790000_wBfGlYCdeX.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 695b8f3c080ef38bae3bf274db360f3ea8d9d4f7a3c94b0567bf046be247cbc2
Instruction ID: bde8271f155528fbf00bef17f002137f847d1e226d3d2fd2d718bd2ca08c7264
Opcode Fuzzy Hash: 695b8f3c080ef38bae3bf274db360f3ea8d9d4f7a3c94b0567bf046be247cbc2
Instruction Fuzzy Hash: 5B1156718002499FCB10DFAAC844BDEBFF5EB88320F10842AE569A7250C775A550CFA0

Function 08798AA0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08798B02

Memory Dump Source

Source File: 00000009.00000002.1878107795.0000000008790000.00000040.00000800.00020000.00000000.sdmp, Offset: 08790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8790000_wBfGlYCdeX.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0fab23ea4597311d679c066fc18809013337b70ab60537a88026bff9945e1e58
Instruction ID: b6f61fa5b9ad07ca55e2793ac0ef9b5312539ac732f0ac884a5c80bea26815a6
Opcode Fuzzy Hash: 0fab23ea4597311d679c066fc18809013337b70ab60537a88026bff9945e1e58
Instruction Fuzzy Hash: 28116AB19002488FCB10DFAAC4447DEFBF4EB88324F248429C459A7244C734A544CFA5

Function 0282B318 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0282B37E

Memory Dump Source

Source File: 00000009.00000002.1872645156.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_wBfGlYCdeX.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0992e73dd91fd97371747b6f13d9647fa9d2de19d5f619409bad50c77e034714
Instruction ID: f155d80dce4b6dabec6cb3f2bbe578c6279363f3102c35f20a957b775cb5a53c
Opcode Fuzzy Hash: 0992e73dd91fd97371747b6f13d9647fa9d2de19d5f619409bad50c77e034714
Instruction Fuzzy Hash: C41102B9C012598FCB10CF9AC544BDEFBF4AB88324F14842AD419A7210C375A545CFA5

Function 08795D68 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0879CB7D

Memory Dump Source

Source File: 00000009.00000002.1878107795.0000000008790000.00000040.00000800.00020000.00000000.sdmp, Offset: 08790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8790000_wBfGlYCdeX.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ee1cbbf5516eeeb2d13c149d82673df3c3505ca33dc8b34aadc6d308efb8d38e
Instruction ID: d13e8781c08f1cd6ce6b9498e41f373f5e55411ab9d09b758fe513d680a1cb0d
Opcode Fuzzy Hash: ee1cbbf5516eeeb2d13c149d82673df3c3505ca33dc8b34aadc6d308efb8d38e
Instruction Fuzzy Hash: 981103B5800348DFDB10DF9AD445BDEBBF8EB88324F10846AE958A7310C375AA44CFA5

Function 083E0CB0 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

Hbq, xrefs: 083E0DCD

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 0bb359f5660f03314ca62f5c9539da5a5bb254b57dcc45f1bf5380dbbdee9854
Instruction ID: ef6d2e6f16435856b731245ec1e3f338390acdc353f150a953ae20745701e5df
Opcode Fuzzy Hash: 0bb359f5660f03314ca62f5c9539da5a5bb254b57dcc45f1bf5380dbbdee9854
Instruction Fuzzy Hash: 8C817D35700A148FDB18DB68D894AAEBBE6FFC8311F1484A9E405DB3A1DB71ED45CB90

Function 083ED3D6 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

LR^q, xrefs: 083ED452

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: b749f85d9a027ecc7a516add603f4c6cc6859687d1b2c3d0b666730223d40cbc
Instruction ID: 6a4068778024a604d1c194c53a1a381cb6819e3b3e584bd530a8a208e7a54c53
Opcode Fuzzy Hash: b749f85d9a027ecc7a516add603f4c6cc6859687d1b2c3d0b666730223d40cbc
Instruction Fuzzy Hash: DD91F574E00218DFCB44DFA9D4806ADBBF2EF88315F10956AE819E7385DB359942CF50

Function 081D03B4 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

(bq, xrefs: 081D6944

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 9af58700d3b304b47ef9804e9db7a8ba5b61a4f84e9823148f0d60b686dcd4da
Instruction ID: d1203c9271362c8484b7ef337e22ffdfb2cccc81e7b1f1c24ce9ac42712219ca
Opcode Fuzzy Hash: 9af58700d3b304b47ef9804e9db7a8ba5b61a4f84e9823148f0d60b686dcd4da
Instruction Fuzzy Hash: 3A41B034A006058FCB04EB6CD4447AEBBF6EFD9311F15856AD405EB361DB70AD85CB91

Function 083EDA60 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

8bq, xrefs: 083EDB01

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: b23a065b0e4514a2505237604fe16037207acfc6e1fab5532d866eaf38b028aa
Instruction ID: 7684275dd3f1544ad3c33deb898213de9691133b3a5efb02549a449f0f27869c
Opcode Fuzzy Hash: b23a065b0e4514a2505237604fe16037207acfc6e1fab5532d866eaf38b028aa
Instruction Fuzzy Hash: 4641D874E01119DFCB05DFA9E5809EEBBF6EF88315F10842AE805A7394DB319942CFA1

Function 083EDA50 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

8bq, xrefs: 083EDB01

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: d3894c92eec093563372a3915d488d63ec926acf23a0a65f76b83424faed726e
Instruction ID: 3233679faccdbd982a9994f0e74f626db8ac28290347c7ff9b309dd6087a2ddd
Opcode Fuzzy Hash: d3894c92eec093563372a3915d488d63ec926acf23a0a65f76b83424faed726e
Instruction Fuzzy Hash: A641E674E01119DFCB05DFA9E9909EEBBF2EF88315F10846AE805A7394DB319942CF61

Function 081DB5E8 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te^q, xrefs: 081DB653

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 3cb5ca66bb28913ddb9d8a6f80d0f082e997df0d1b95c7b353b148edbe6ecd6e
Instruction ID: 87f02c3acb238f2354d1f066ec2bd830710115d2b169ad1445e4d656f57751e9
Opcode Fuzzy Hash: 3cb5ca66bb28913ddb9d8a6f80d0f082e997df0d1b95c7b353b148edbe6ecd6e
Instruction Fuzzy Hash: 37115E71B002198BCB44EBB999006EEB7F2AF98311F50446AC50AE7344EF318E06CBA1

Function 083EC980 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

q, xrefs: 083EC994

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-4110462503
Opcode ID: bb40f00e271bc5327a73b555ab95a34129b05ccd9743ed76af587477e70fbbe7
Instruction ID: 9c8fad8e6e43a15287cdd551a17a5b6db368b70bdc513a430ad93d1c9cfc56fa
Opcode Fuzzy Hash: bb40f00e271bc5327a73b555ab95a34129b05ccd9743ed76af587477e70fbbe7
Instruction Fuzzy Hash: 94E0C230904208DBCB10DFF4E4082BCBBB8EB45302F0060ACF80A93281DB701A81CBC2

Function 083ED670 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

., xrefs: 083ED684

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: a5465a717c7bbdf8df31ae53e7e33bb324948aa52352d668367ebd29748c3d8d
Instruction ID: 3fc47071ef21d6fce27cbeccaaa5ff7d6f20f6fac9bed9013fce03e801c3976e
Opcode Fuzzy Hash: a5465a717c7bbdf8df31ae53e7e33bb324948aa52352d668367ebd29748c3d8d
Instruction Fuzzy Hash: AEE0C234901118DBCB10EFF8E4482ACB7B8DB44202F5050A8F40A633C0D6B41A80CE81

Function 081D4A58 Relevance: .8, Instructions: 784COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aec8b989184d41d05c09c50057332efa7bb2eba9c421bf700b5100852242fcb
Instruction ID: 748b8c8fc467b84c24534d2fab77a8c7b1f9d6ef72d0fa2b219d6f28e4d272a0
Opcode Fuzzy Hash: 5aec8b989184d41d05c09c50057332efa7bb2eba9c421bf700b5100852242fcb
Instruction Fuzzy Hash: 1D62EFB4D11F418FDB759F7494883EEBAA3AF85301F50492ED0FBCA294DB34A4918B52

Function 083E30E8 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f8c3088da99d9d0baca79896920da654f5af882ecabf64c702601289bf5518
Instruction ID: 27a20ba64c14c272a9c8bf02eb9f9781eaef01fcaa4fc0bd8d6d580d9d489c1b
Opcode Fuzzy Hash: 84f8c3088da99d9d0baca79896920da654f5af882ecabf64c702601289bf5518
Instruction Fuzzy Hash: FA42E330D10659CFCF15EFA8C8446DCBBB1BF89300F518699E5497B264EB30AA99CF91

Function 081D7AF8 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6e52731a86120cd6033a61eda1a1257bc3dedbb4d5ae1b3a33f711a028c49d
Instruction ID: 5486c37940cb9b8cc082503c09c0c49cbfad9cad9d2e462a193dcee44c4680f9
Opcode Fuzzy Hash: 0b6e52731a86120cd6033a61eda1a1257bc3dedbb4d5ae1b3a33f711a028c49d
Instruction Fuzzy Hash: 26E15360B403015BCB16AF7E69A022EAAD2DFC4211394CDBD954A9F3DADF68DD0947F0

Function 081D7B20 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e328f0138df05401931793966ac0a3733915109265bb88e7bc27224c0749aff
Instruction ID: f7c451c31753f0f4df3957b9409492aa8c42bbd5f9cdf75df80f3f5f3fbb6626
Opcode Fuzzy Hash: 8e328f0138df05401931793966ac0a3733915109265bb88e7bc27224c0749aff
Instruction Fuzzy Hash: 66E14260B403015BCB16AF7E69A022EA9D2DFC4211394DDBD990A9F3DADF68DD0907F0

Function 081D4A99 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c810d55c103915fdb071add6d89a2e139f2c43b199889ad9eb5e4992b8e4d1
Instruction ID: e190ec2b1ae2b1db38b53cc6446e913dedabe9ce7cf8aa74c65eaa1f9ea9fa69
Opcode Fuzzy Hash: b9c810d55c103915fdb071add6d89a2e139f2c43b199889ad9eb5e4992b8e4d1
Instruction Fuzzy Hash: 6B1256B0915F428FD7755F6485883EFBA92AF86301F20491FC0FBCA259D734E0968B66

Function 083E02C8 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb3d82fbf9c0d7a292a9635e094b6a778f151948d27ac740bb71c02f5090c62
Instruction ID: 312d4b694fe6ae38244e457b520813078c83d814f764144bda5b0ffd965cfc21
Opcode Fuzzy Hash: bbb3d82fbf9c0d7a292a9635e094b6a778f151948d27ac740bb71c02f5090c62
Instruction Fuzzy Hash: F1B1BE34A00228CFDF25DFA9C9546AEBBB6FFC8302F20456DE005A7285DB719991CB91

Function 083E6900 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fbb04b894dde7c053cc2118b23ddd55834c486243492029f9e17db57bbc799f
Instruction ID: fb12a1aad4356d59202e222f2472ef95a0888955b2629f9008d854e7e981e89d
Opcode Fuzzy Hash: 0fbb04b894dde7c053cc2118b23ddd55834c486243492029f9e17db57bbc799f
Instruction Fuzzy Hash: C1F1DA75D1061ACBCF10DFA8C854AEDB7B5FF58300F1086A9D949B7254EB70AA85CF90

Function 083E68F8 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678f74a94503c372888a1bdded5397d60f90794a5f3910b2812ccb5343627764
Instruction ID: 2162166453352435e111d090236e2c5baf453993dd86fdd59bb31bd8b0ad2789
Opcode Fuzzy Hash: 678f74a94503c372888a1bdded5397d60f90794a5f3910b2812ccb5343627764
Instruction Fuzzy Hash: 35E1EA75D1061ACBCF10DFA8C8545EDB7B5FF98300F1086AAD949B7254EB70AA85CF90

Function 083E84F9 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5415ca8fd3969d65c2ee156fd158f707805f2444334fd35c7d52a72c96cd0b23
Instruction ID: 40c69cd7ea5318cc9eb10ea3ef79510a75c95212925923b470ba17d947c8ba43
Opcode Fuzzy Hash: 5415ca8fd3969d65c2ee156fd158f707805f2444334fd35c7d52a72c96cd0b23
Instruction Fuzzy Hash: 6FB1AF30A00219AFCB05EF68D894AAE7BA7FFC4301F148429F9059B391CB34DD42CB91

Function 081D79F4 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b59101b18a9d9efac8bdfbb828a0b907a079e0561923c2a4f50a82aa7a645c
Instruction ID: 4e2ee081bfacaa0c4edb0bd1a966d8c63910bc8cb2f22a54d30517a02521a2fa
Opcode Fuzzy Hash: 24b59101b18a9d9efac8bdfbb828a0b907a079e0561923c2a4f50a82aa7a645c
Instruction Fuzzy Hash: 27919035A007099BCB14EFB9C8905AEF7B6FF89311B21C51DD859AB351EB31E942CB90

Function 081D4230 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be14a246730cb829f4c10b7f26c506bbf790665e67016f2a6098bc7f7a95e815
Instruction ID: 1345d37b6051ac179a76cdcd8de119235e085f3a303137be3660f4f125326c8d
Opcode Fuzzy Hash: be14a246730cb829f4c10b7f26c506bbf790665e67016f2a6098bc7f7a95e815
Instruction Fuzzy Hash: 5DA12C35A007199FDB14DF64C850BAEBBB5FF89300F10859AE949A7351EB31AE82CF51

Function 081D90F0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f250d1cca6dde18658d78b4c07ba78abc3e1c72a8cbffc05a9f10612463cb39
Instruction ID: f737c3b628af2ae5cadf050e113a31fb942a3e5947b42f279c188fb994d1a587
Opcode Fuzzy Hash: 0f250d1cca6dde18658d78b4c07ba78abc3e1c72a8cbffc05a9f10612463cb39
Instruction Fuzzy Hash: E081F239710610CFCB08EF28D488A697BF6FF89615B1541A9E906CB3B6DB71EC41CB90

Function 081D0044 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc49d6e1a63ba022c0a5caee110890572460aedf3a6da57ec1c3fa1ac7c6350
Instruction ID: 12577c4999c36140b3b8876e39fe4956526fff4b89b6b2c8d22be8c081ed64a7
Opcode Fuzzy Hash: acc49d6e1a63ba022c0a5caee110890572460aedf3a6da57ec1c3fa1ac7c6350
Instruction Fuzzy Hash: 3D910831D00619CFDF15DFA8C844ADDB7B1FF58300F1186A9E949AB221EB31AA85CF90

Function 083E53C8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ec0938b09232a273f1555dfa1b44bd8efeff6a429d8fa01e02f37dfe1f6762
Instruction ID: ee10aedf30a5fa1f6f44fe217df41d02c6a13f4a3b94a8d557e8ff9606b1899a
Opcode Fuzzy Hash: 95ec0938b09232a273f1555dfa1b44bd8efeff6a429d8fa01e02f37dfe1f6762
Instruction Fuzzy Hash: FC819230A00529DFCB14EF68D4586EDBBB5FF84306F11406AE446AB6E4EB70D955CF40

Function 081D6BC8 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7891c56ccde7eca84f4247a3d524bfdd878cad279405ebd22495da3e0690116
Instruction ID: 4814514a091d7deaa8e7b6adf888c63b15daa5676e7b917468c7f78ec5c1302a
Opcode Fuzzy Hash: a7891c56ccde7eca84f4247a3d524bfdd878cad279405ebd22495da3e0690116
Instruction Fuzzy Hash: 0191D735A00619CFDB10EF68C884AD9F7B1FF89310F15C699D9497B225EB30AA85CF91

Function 081D4220 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7eab0df40db077d1c64524b63f9524c8fc3df67b85f9da84e894cf0c9d6429
Instruction ID: d6073e442a82372020ed3915320813587c6a0dd5156460cc1057fb7dd3976f51
Opcode Fuzzy Hash: 6f7eab0df40db077d1c64524b63f9524c8fc3df67b85f9da84e894cf0c9d6429
Instruction Fuzzy Hash: 12910974910719DFDB14DF64C840BAEBBB5FF88300F14829AE949A7351EB71AA82CF51

Function 081DA8A0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fa243351b78b66bed30189f1329924543a9212afde6c23480c9cdbd95c536f
Instruction ID: d4118564839962e7cf45124700b6f7cfe8d286399dd03f320820c2b7e83cc201
Opcode Fuzzy Hash: b2fa243351b78b66bed30189f1329924543a9212afde6c23480c9cdbd95c536f
Instruction Fuzzy Hash: AA716C70E00619CFDB08EFA9C8547ADBBB1FF88301F15816DD846A7390EB349A45CBA0

Function 081DD0D6 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc311144cb22726230cd64383927d25b2ca1c363eabb2c3912e89b912175d25
Instruction ID: 5cddbe9b3940cdaf05b70f46d9f8887e310802fc497a807f63c1ddf06bfe0bfd
Opcode Fuzzy Hash: abc311144cb22726230cd64383927d25b2ca1c363eabb2c3912e89b912175d25
Instruction Fuzzy Hash: EA71DF34740A109FE705BF90E4AAA2D7766FBD8B01F109069E9428B3D9CFB95D42CF85

Function 081DB180 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd75177f8010ee9b6dc443c9826eaec750e6739f325775fe493071fc2cf3a172
Instruction ID: 05cf000db69ed394e7a4b6b067aaf264dac5bc1a494ed488ebee5285feb627c3
Opcode Fuzzy Hash: dd75177f8010ee9b6dc443c9826eaec750e6739f325775fe493071fc2cf3a172
Instruction Fuzzy Hash: FF711B35900759DFCF00DFA4C8405AEFBB5FF89315B20C55AE958AB221EB31E992CB51

Function 081DB190 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517e5ef8f85aa740feecd7062ce0594e45b6743d5cda25277415b64fcdc4d16e
Instruction ID: c4144ccafc625b5bbeda84ed22fb420caa43e9815f5f35463ee1bbe0747c357f
Opcode Fuzzy Hash: 517e5ef8f85aa740feecd7062ce0594e45b6743d5cda25277415b64fcdc4d16e
Instruction Fuzzy Hash: F5711B35900749DBCF00DFA4C8405AEFBB5FF88315B20C55AE959AB221EB31E992CB50

Function 081D0632 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cfd5baa5e5935fc05e852c9431c3de0ed54b083c80defae4cb7c3152e3a427
Instruction ID: ffaaffa6fb6c5e6ef48b457d2dc415aa8a9ccf397415a9536572ca16819f5cf9
Opcode Fuzzy Hash: e3cfd5baa5e5935fc05e852c9431c3de0ed54b083c80defae4cb7c3152e3a427
Instruction Fuzzy Hash: 76513C75D00609DFCB15DFA8C8406DDBBB5FF48300F1086AAD959AB311EB71AA85CF90

Function 081D6ED8 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab2df1d47d6c722f9687552f5f15cd5018528b21f16ec096bf1f2600ef9a7bc
Instruction ID: 4d0f68e442f45e4712dc4f41ac23f5fb315792c6c45396f20361a4e9e19c6663
Opcode Fuzzy Hash: 3ab2df1d47d6c722f9687552f5f15cd5018528b21f16ec096bf1f2600ef9a7bc
Instruction Fuzzy Hash: C561D975A002099FCB14DFA5C995BADBBF2BF48301F209069E915A73A0DB32AD41CF60

Function 081D6EE8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4a0740d8bd392c2235f6f3d4084d1c7c9477a9035143d7e7051ea5b198dac5
Instruction ID: be80f4e2139408afcc80cab0a9deee20d7ae6e28f2b8deae516783cbe5a7afa9
Opcode Fuzzy Hash: 4c4a0740d8bd392c2235f6f3d4084d1c7c9477a9035143d7e7051ea5b198dac5
Instruction Fuzzy Hash: 1361C975A00209DFCB14DFA5C994BAEBBF2BF48301F209069E915A73A0D731AD41CF60

Function 081DDA80 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6625d996a482b6e132831bf3a19bc1454d2c81ec3eebc84cb59aa4535f0ac9b2
Instruction ID: 35bc9011828e58021ca04879efc18064f08dfdef3eca2c2709ef125ebd877219
Opcode Fuzzy Hash: 6625d996a482b6e132831bf3a19bc1454d2c81ec3eebc84cb59aa4535f0ac9b2
Instruction Fuzzy Hash: 4251D531914B4A9ACB01BFB8C4541AAF7B0EF95350F11DB4EE8996B221FF7095C4CB82

Function 081D3E48 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea2ef3802cd9b7e89b7f8f5bad54a493872731d501c4d29c6ac38361d23ae42c
Instruction ID: e6c766d267e4ed09536c7cc4f36354557fc686bd6fd397f102f85602ff8fade0
Opcode Fuzzy Hash: ea2ef3802cd9b7e89b7f8f5bad54a493872731d501c4d29c6ac38361d23ae42c
Instruction Fuzzy Hash: 51417875A04348AFCB10DFA9D884A9EBFF9EF49310F14846EE909E7350D735A940CBA4

Function 083E25A4 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763e5a77ae28600054d532db9ba707bd7b4834295f95c8a1a0545bc6aa56ea49
Instruction ID: 504c9048de45d8af5f1d2fca1478c18fccad5d254e3c8947a626b393535a7405
Opcode Fuzzy Hash: 763e5a77ae28600054d532db9ba707bd7b4834295f95c8a1a0545bc6aa56ea49
Instruction Fuzzy Hash: D3419271E1413A9FCB16AF64C8586AB7BF8FB84301F10442AF406E76DCFA34C9528A90

Function 081D95E8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91d3922da3a13174e216814aa7678bade22283a857edd853552f1ac5a26d7dc
Instruction ID: fdb46fce3f795e75290e651a8aede7f70151430b5c502b3ad3fd44094accfc14
Opcode Fuzzy Hash: a91d3922da3a13174e216814aa7678bade22283a857edd853552f1ac5a26d7dc
Instruction Fuzzy Hash: 34415E35E00305CFDB14EFB8D4547EEBAB2EF88216F145469D401AB384DB399982CBE6

Function 083E2670 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c7064b94422bb301dd7eff87ee9d535251fed7237cd6284202bec48b3ceee1
Instruction ID: 1069e0d55c8aab61eff66dc980d7bcc6cbbde5071759f0fe3af64dedfb72e1f0
Opcode Fuzzy Hash: 84c7064b94422bb301dd7eff87ee9d535251fed7237cd6284202bec48b3ceee1
Instruction Fuzzy Hash: 39414B34A016189FDB04EFA8C850AADBBB6EF89315F148569F401FB3A0DB70E941CB90

Function 081D0C78 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db4591b1312d430415e24dbe63caa5c3cc3400785e3a6006365b53a2cbbd10a
Instruction ID: 08f2292d65e846a9beb271eeb1736c1f78daeeeb05ee500670c1e792e93cbf40
Opcode Fuzzy Hash: 0db4591b1312d430415e24dbe63caa5c3cc3400785e3a6006365b53a2cbbd10a
Instruction Fuzzy Hash: C3414D75A00605DFCB14DF68D884A9EBBF5FF88310B14C669D809DB355EB34E985CBA0

Function 083E515A Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85b7d09ed248be75c8b0f26352f1e6906e0f73238117d31223cfe0bc642cd04
Instruction ID: f752d350dfaba1440b3bba0613039509b8e8eb4cbfde50deed3fa38797e38ce9
Opcode Fuzzy Hash: d85b7d09ed248be75c8b0f26352f1e6906e0f73238117d31223cfe0bc642cd04
Instruction Fuzzy Hash: FF416C34A012189FDB04EFA8D854AADBBF2AF89315F148569F441FB3A0DB70E941CB50

Function 083E2EC7 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4483e3c0b294fd5a069652a3a59139591e13215aaae302597df4918a40ecdf9
Instruction ID: e02bf600cacf52deacc203324d489bba29549d1560c1a1abfc67ccb3e09757dd
Opcode Fuzzy Hash: c4483e3c0b294fd5a069652a3a59139591e13215aaae302597df4918a40ecdf9
Instruction Fuzzy Hash: 7841A271E0413A9FCF16AF64C959AAB7BF9FB84301F11042AF406E76DCE63089138E80

Function 083E8647 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9293fd8972bcb7379e770676b07de4ade166f3a549a38011ae457217447a6141
Instruction ID: 529ee76fe49359a8cecea07f6bdc8a2ab063419ce921ee07b66601a2848cedf1
Opcode Fuzzy Hash: 9293fd8972bcb7379e770676b07de4ade166f3a549a38011ae457217447a6141
Instruction Fuzzy Hash: 67413634A00229DFCB05AF64D894AAE7BA7FFC4715F148429F8069B394CB34DD96CB90

Function 083EC1E0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34de7bc936a0b99e258d9f326941bf8cd6bdb8868628ae4abfef50b27888508c
Instruction ID: 0f10c6dd3a86cceb1513ae0cbe0fbdfcc8aab1edcbc23cb28f17ffb327689234
Opcode Fuzzy Hash: 34de7bc936a0b99e258d9f326941bf8cd6bdb8868628ae4abfef50b27888508c
Instruction Fuzzy Hash: 8041F774E1121A9FDF14CFB9D8945AEBBF1EF89201F109829E815E7290EB34D942CF50

Function 083EC1F0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5bef9dcf8fe6b82bbc2a465adfddf6b3e2248d4e30236cd38e2e3b3af6ee80
Instruction ID: a2c5f6180379e7595d5d251edb7c402e5b1790844140410227d35b29ad25bcfe
Opcode Fuzzy Hash: 6d5bef9dcf8fe6b82bbc2a465adfddf6b3e2248d4e30236cd38e2e3b3af6ee80
Instruction Fuzzy Hash: 1031C374E1021A9FDF54DFB9D8545AEBBF1EF89201B10982AE815E7290EB34D942CF50

Function 083E1E09 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d74ec62d863e759679ceb8c9e5ff1c7cb9d532793c781406c8108daa12e0ac
Instruction ID: 56fe2dbc49df6b69c3ba1323e594a0ba551d1c3e1d276da4cc690741fabc7be8
Opcode Fuzzy Hash: 99d74ec62d863e759679ceb8c9e5ff1c7cb9d532793c781406c8108daa12e0ac
Instruction Fuzzy Hash: 38414770A05218DFDF159FA5D9549ADFFB2FF88301F214199E4417B29ACB7188A1DF80

Function 081DBCF8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e0d9f798306ee39c38cec3363bc4923223405e0a9bc2bc73537d4b6ef82477
Instruction ID: 7dc83ada14652a4dccf98f753e868083096245487b4977264bf40b213df0beb7
Opcode Fuzzy Hash: d2e0d9f798306ee39c38cec3363bc4923223405e0a9bc2bc73537d4b6ef82477
Instruction Fuzzy Hash: D6415B31E0074A8BCB14DFA9C450AEDFBF1FF88321F118629D516BB255DB70AA85CB90

Function 081DDA70 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5a6e28a680ec18aa9e7a56851c4708967981c8e79d79447c7b3fc268e339bf
Instruction ID: 539e0f45c92d24e1283af361a8c067a032cb2657f100764f3167ef0b9a327bb5
Opcode Fuzzy Hash: 5e5a6e28a680ec18aa9e7a56851c4708967981c8e79d79447c7b3fc268e339bf
Instruction Fuzzy Hash: E141D431914B4A9ADB01BFB8C4541A9F7B0EF95310F50DB4EE8996B221FF70A5C4CB82

Function 083E0CA1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab04462a61c0ec81fd7fd64989ddb7c14d37aaeb8a7ff662f09deacd4f61c95b
Instruction ID: b56fe464eef2d8a24e02298669b6b0b2ae95d09a4724237f5d6aecd47bebe559
Opcode Fuzzy Hash: ab04462a61c0ec81fd7fd64989ddb7c14d37aaeb8a7ff662f09deacd4f61c95b
Instruction Fuzzy Hash: 1C31A935A005188FCB04DF64D894AEEBBF6EF89301F1480A9E805AB3A1DA75ED05CF60

Function 081D1B98 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8e020a4f224514a6b56fe80fdc804a9ab4b4f5773aae44e75283d3e058fafc
Instruction ID: dcadbff893e53e5b4fd0941b647dc8976f7ac28c5c1dd7a0ac425f5beaf2a440
Opcode Fuzzy Hash: 3a8e020a4f224514a6b56fe80fdc804a9ab4b4f5773aae44e75283d3e058fafc
Instruction Fuzzy Hash: 3341EB74B006099FCB14DF69C584A9EBBF2FF88204B14C659E919DB365EB30E941CB90

Function 083E1B48 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03163fd66c438725456d6ffdcdfc1a0d1c4a8bf7cc1e219ebba755851f1a47ea
Instruction ID: b88c708f2c5a944a6829dfd94f1836df1a486ec3316f993e548dfa722b3c3fc9
Opcode Fuzzy Hash: 03163fd66c438725456d6ffdcdfc1a0d1c4a8bf7cc1e219ebba755851f1a47ea
Instruction Fuzzy Hash: FC315D35A001188FCB14DFA8C944AEDB7F5EF89302F2441A9E515EB3A0DB319E40CFA0

Function 083E6E90 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80668df47a75d3a11a2063f4f697c4fcb6076bf72ccf1ca89090f6a37c59e7e
Instruction ID: 772b1fa29b7d93b6a6c4d154ae99ffec6291345274e27331ea5cd8c8717fa473
Opcode Fuzzy Hash: d80668df47a75d3a11a2063f4f697c4fcb6076bf72ccf1ca89090f6a37c59e7e
Instruction Fuzzy Hash: 46313BB5A002199FCB04DFA8D8549AEFBF5FF8C310B148169E909E7341EA34DA46CB61

Function 083E6EA0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b926d68a5e6baaa72f2dddc629e6e9ffa465f25b75282d1e2d7cb8a99aa6cadd
Instruction ID: 3117f4d73039c537805a8403b851a3eaa18926caf6e2291f9a7ab10df7b6fde8
Opcode Fuzzy Hash: b926d68a5e6baaa72f2dddc629e6e9ffa465f25b75282d1e2d7cb8a99aa6cadd
Instruction Fuzzy Hash: 3C311875A002199FCB04DFA8D8549AEFBF5FB8C310B108169E909E7341EB349946CBA1

Function 083E2D70 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced7370aa7518b7296ba0baf16871f4bca73f3ed81d294ff847fd5adc33b27c0
Instruction ID: 856717fa76ad369d0e1deabb672e09f332d5e75918a46d0c274d581d4cf1743f
Opcode Fuzzy Hash: ced7370aa7518b7296ba0baf16871f4bca73f3ed81d294ff847fd5adc33b27c0
Instruction Fuzzy Hash: D431A530900718DFCB15EF68D9556EEBBF1AF89301F00856AE445AB3A0EB309988CB91

Function 081D95D8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a52e68a5911c1f51d43ba6f5dad48517e03495aa74357fc0977dca7f2c4bce
Instruction ID: 0bd34bf588d0cea88e64618607a27bea2e96f11425cc5c79b2d8020712312d75
Opcode Fuzzy Hash: 07a52e68a5911c1f51d43ba6f5dad48517e03495aa74357fc0977dca7f2c4bce
Instruction Fuzzy Hash: 27314175D00705CFDB15EF74D4547EDBAF2EF88606F108869C401AA384DB798982CBE6

Function 081DF1E0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf385ebf6ed0906bfb34ea8dd433392a0d45d4cf77c2c5be6985f948e73e728a
Instruction ID: f273fcc8c54ee8a591163e41b8cb03f391358e803c3469809f408932b2e95daa
Opcode Fuzzy Hash: bf385ebf6ed0906bfb34ea8dd433392a0d45d4cf77c2c5be6985f948e73e728a
Instruction Fuzzy Hash: 4C21F73A7007108FDB24CB65D88167E77F6EFC4215F148469D54793794CA38E982C761

Function 081D1B88 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496548b1cd62f9e018104245de39f829e10846d32d2d18f3530fef994e34dcc1
Instruction ID: 54ed1a208bce37a3f2ca63e17bed0539c665ca091b3ba0c885c71856c77c6552
Opcode Fuzzy Hash: 496548b1cd62f9e018104245de39f829e10846d32d2d18f3530fef994e34dcc1
Instruction Fuzzy Hash: D9310C75B00605DFDB14DF68C584AAEBBF5FF88210B14C69AE819DB365EB30E941CB90

Function 081D2780 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145a0b0193bbbdec787d8f811ee0a3a1429b0fcd06ff9c11eb97a31e8cb04794
Instruction ID: 77b2acb489c30e0e9415c9779e37b4390c056a64f2f5e54a51611fb07a61eb90
Opcode Fuzzy Hash: 145a0b0193bbbdec787d8f811ee0a3a1429b0fcd06ff9c11eb97a31e8cb04794
Instruction Fuzzy Hash: 0B21BD356046618FD719AF6DD8A06AE7BE6EFC8222B0540AAE445CB361DF70DC4587A0

Function 083E02B8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c10278907556aed3ebf5d3837e979d2a18d50b0acfbf6816fdbd42a6b57268e
Instruction ID: 9961f7dbfc9902cf2f5def90725384c48126b15c28efa503a514e1b590778a18
Opcode Fuzzy Hash: 0c10278907556aed3ebf5d3837e979d2a18d50b0acfbf6816fdbd42a6b57268e
Instruction Fuzzy Hash: 9221D630E00629C7CB257BA9C4541BFBBB4FFC2213F50496AE0C6A76D8EB71D954CA91

Function 081DF1F0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9244053ff0304e8aab6e4203bbf917966339aeaa4d51a64c515eafd44a7ce539
Instruction ID: fd4072b096b6ac6f0e4b179401dc390cd5443a0a42376c56dd0ca2ee143f5ad7
Opcode Fuzzy Hash: 9244053ff0304e8aab6e4203bbf917966339aeaa4d51a64c515eafd44a7ce539
Instruction Fuzzy Hash: B521F53AB007108FEB24CA69D48167EB7F6EFC4211F188429D54793794CB34E982C761

Function 083EE500 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b91f38a8c8be2f4b287fcda64eafcecdcb2c2635a2ff63ecb621c4f08d1b11
Instruction ID: 85efc4a3b6f529cfebaf1f1509a2114e0766e48f7f9a7b167201526e8bf47885
Opcode Fuzzy Hash: d3b91f38a8c8be2f4b287fcda64eafcecdcb2c2635a2ff63ecb621c4f08d1b11
Instruction Fuzzy Hash: 3F315EB4E0421EDFDB40CFA9D5846EEBBF5AB48201F14846AE814E7390E774DA40DFA1

Function 081D6841 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2059146253cbdab475dbbf2198992d41c4e201fd8238cb2155ad66bcdaee62
Instruction ID: f8ad3af2ebc4be12872c234fbfaec4f51d9ff6825f84aa13ff60c4faa6a22653
Opcode Fuzzy Hash: aa2059146253cbdab475dbbf2198992d41c4e201fd8238cb2155ad66bcdaee62
Instruction Fuzzy Hash: 4A216D74B006058FCB04EB68C454AAEBBF6EF88311F158159E505DB361EB70ED81CB91

Function 00D1D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1871983576.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d1d000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749f42b3ac41fec87641d9652f6a91d1d9e3b97b377306609cef261d423ee7e5
Instruction ID: 06c7097c8aadb23f539f05484267632e0c2f8d1af1f0b7deae7a48c4a845009f
Opcode Fuzzy Hash: 749f42b3ac41fec87641d9652f6a91d1d9e3b97b377306609cef261d423ee7e5
Instruction Fuzzy Hash: 7F216A71100200EFDB04DF04E9C0B57BF66FB98314F24C169E8090B256C736E886C7B2

Function 00D1D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1871983576.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d1d000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8a51cec4927e65abf2a0c6bc6bc3a05588f3278738e1a55657df39d4da1854
Instruction ID: 4221c544231b0c6f91771d43fdbf5dca453f2be8de00fa9f04c850459d7df308
Opcode Fuzzy Hash: ef8a51cec4927e65abf2a0c6bc6bc3a05588f3278738e1a55657df39d4da1854
Instruction Fuzzy Hash: CC212571504240EFEB05DF14E9C0B67BF67FB98318F24C569E8490B256C736D896CAB1

Function 081D2040 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b790750324c607f2523bc099f7951c7a87d03a705083d54f6aa034d23d90857d
Instruction ID: 94c9e092be541c7c47044a209e3af5136113119adef2fcb9f5b098eea3ac1655
Opcode Fuzzy Hash: b790750324c607f2523bc099f7951c7a87d03a705083d54f6aa034d23d90857d
Instruction Fuzzy Hash: EC21F33C3406304FE709A76CD812B6F76A7EBC9704F08446AE146D77E6CEB9A88547A1

Function 083E6670 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e183ee517365bfcae559942e1081e52458ff32e1850e92046ea45ccca72c45e0
Instruction ID: ca68352ddf78110f8c4c059e227f25303c696a17e1d5c2abcad92d86df93f7e8
Opcode Fuzzy Hash: e183ee517365bfcae559942e1081e52458ff32e1850e92046ea45ccca72c45e0
Instruction Fuzzy Hash: A8214175A003058FCB44EF69C8949AFBBB9FF99200B10467DE906E7355EB74E905CBA0

Function 00D2D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1872033036.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d2d000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c10f2dd2b841de3bb15a3b5bb15c2441f6a1cadfc34c4895fd82512ac9ef26
Instruction ID: 44a617dafde124fa2e26d8026da70a3d4c93d5fbc1e8562cf7df147796bdf162
Opcode Fuzzy Hash: 07c10f2dd2b841de3bb15a3b5bb15c2441f6a1cadfc34c4895fd82512ac9ef26
Instruction Fuzzy Hash: 6E212671504200EFDB05DF14E9C4B26BBA6FFA4318F34C6ADE8494B296C336D846CA75

Function 00D2D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1872033036.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d2d000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e7cd7a3870aa56f61cd9b2d1fd7ee777e30499cbf7885598d78b695551ade0
Instruction ID: eeae6b5f470f842657ce19ba74f33493da6a9076c5d84af24360b93cb9381e46
Opcode Fuzzy Hash: 72e7cd7a3870aa56f61cd9b2d1fd7ee777e30499cbf7885598d78b695551ade0
Instruction Fuzzy Hash: E221F571504240DFCB14DF14E684B16BB66EBA4318F24C569D9494B2A6C336D847CA71

Function 083E6680 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de60c5e013b9a35f4158ae8bf1136dc96f96f5c4fc014398836d9a202c1a7b87
Instruction ID: c4b1574e2626413331380216dc1a8efd93cacf4b0456d4034e31bd2d058c396f
Opcode Fuzzy Hash: de60c5e013b9a35f4158ae8bf1136dc96f96f5c4fc014398836d9a202c1a7b87
Instruction Fuzzy Hash: EF213275A002098FCF44EF69C8948EEB7B9FF98300B108669E905F7351EB70A945CBA0

Function 081D98B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db8e9b5b605317964448b1194c0aa26a68fdddac43faf61c4e542b13ddfcea8
Instruction ID: 89a75c738c870e6fea49b95ebcc2ea4d760232300dbbf1cc8e596af61e3ba9ce
Opcode Fuzzy Hash: 0db8e9b5b605317964448b1194c0aa26a68fdddac43faf61c4e542b13ddfcea8
Instruction Fuzzy Hash: 6F21D431A0021AEFDB05EFA4D854EDEBBB6FF89304F048555E0017B260DF70A845CB91

Function 081D03F4 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57ca4c07993dd6fc29b0a8ffd10245ee89fb6a97ab6dd507e4a89963d395c02
Instruction ID: 90541899743f7e0bd6dfad393ae0d2e8aed7ea870d9a7d5fb80e41ca51cdd263
Opcode Fuzzy Hash: b57ca4c07993dd6fc29b0a8ffd10245ee89fb6a97ab6dd507e4a89963d395c02
Instruction Fuzzy Hash: 7E11B238340A204BEB08676DD41172F76E7EBC8B04F008429E206D77E9CDB9EC8547A2

Function 081D1E00 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17ca9e5de13074a6bf307f16360729bbb6748e2adc9b38b944f51b83186a64f
Instruction ID: 824df78bb273a73813068ce33e02bcdfdfe5050d9f089560fa9f0f9cc106daf6
Opcode Fuzzy Hash: e17ca9e5de13074a6bf307f16360729bbb6748e2adc9b38b944f51b83186a64f
Instruction Fuzzy Hash: 54112B353006608FCF19F738942866E3397AFC9A52B1440BDD60ACB3A0EE7ACC42C749

Function 081D98A6 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8785914d93d19f34d2363346236cbfb4737da545ea6c51dd922626fa16104f91
Instruction ID: 82224d971e8a9a05eb8633016bebdfbede899efeb820d7140b476a5e3a9dce3c
Opcode Fuzzy Hash: 8785914d93d19f34d2363346236cbfb4737da545ea6c51dd922626fa16104f91
Instruction Fuzzy Hash: 9721C535A1021AEFDB05EFA4E854ADEBBB7FF88304F158555E101BB264DF70A849CB80

Function 083E2C98 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a09cf72297bca211857e5bda4f5a51326b0079002d26ef5eec4bfc4beddddb9
Instruction ID: 4ebdfab6a920669d0ae2e2b3dee919eba635ac197a1f794de4087ad801d402bb
Opcode Fuzzy Hash: 6a09cf72297bca211857e5bda4f5a51326b0079002d26ef5eec4bfc4beddddb9
Instruction Fuzzy Hash: 122124B59012599FDB10CF99D884AEEFBF4FB48310F10842EE959A7250C3B5A944CB60

Function 081D2CB9 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51fac1e0813bd31859ff8573ca6451e0a42c4a82591f8c3fe7d841dd63d55d3
Instruction ID: 6b3dc02f3cf8659e0cdd53483f54c571bf3097a8814f035f3b366fcd779a6b04
Opcode Fuzzy Hash: a51fac1e0813bd31859ff8573ca6451e0a42c4a82591f8c3fe7d841dd63d55d3
Instruction Fuzzy Hash: 8211DA39B006218FCB25DB29D884A6E77EAFFC86117048468E805DB320DF70EC028BA0

Function 081D2758 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203286dede5c32b4c04bd57f25466384dab2c8c5cec7a34ca8c85129e4f88dda
Instruction ID: 3cd2a90a66db4613b4066618953f6b3bfe01d69681468485d11d056356f298bd
Opcode Fuzzy Hash: 203286dede5c32b4c04bd57f25466384dab2c8c5cec7a34ca8c85129e4f88dda
Instruction Fuzzy Hash: D531C0B4D01318DFDB20DF99C588B8EBBF4AF48714F248469E418BB254C7B5A885CFA1

Function 083E258C Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e6cbfa8d1415798ee8ebfbdbe6486bf305db2c4d0d04cc6437e1d6df8e9dcf
Instruction ID: bc5f12bb70f5efe19cc449ca341de759fd8d22b9800ba6bb6df1a14230a3af6a
Opcode Fuzzy Hash: 92e6cbfa8d1415798ee8ebfbdbe6486bf305db2c4d0d04cc6437e1d6df8e9dcf
Instruction Fuzzy Hash: F72103B59013599FDB10CF9AD984A9EFBF8FB48310F10842EE959A7340C3B4A944CBA4

Function 081D2ECD Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6a7aaf0f1441de2b73e83ff373537280aa850cbb398a1f36f6bdd65d63478f
Instruction ID: 8cc7d4d85ae9046ca959d18bbb734c741246f4cc64b2f8bb786345becfc0379e
Opcode Fuzzy Hash: 3d6a7aaf0f1441de2b73e83ff373537280aa850cbb398a1f36f6bdd65d63478f
Instruction Fuzzy Hash: 6A31C0B4C01318DFDB20CF99C584B8EBBF4AF08314F24842AE418BB254C7756985CFA0

Function 083E02A8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0bdc90bdb710d6468cc97e96578934a805a97c274445dade877e7f0e64f899
Instruction ID: 2c3f3cc834147bde614178404f873661552cc733f5472c14ece630edd1752e59
Opcode Fuzzy Hash: ed0bdc90bdb710d6468cc97e96578934a805a97c274445dade877e7f0e64f899
Instruction Fuzzy Hash: 9B118271F00126EBCB116A95D5485FEBFB4EB80746B604CA6E189F26D4E63089348B98

Function 083E2DB8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7a9b4c692431aae38b631c02b00459d5fc7c1562d48f48ecfd17a613f23d53
Instruction ID: 447d824fa3459ce7f6001ac41767eb33b0eb2ecd535212280cdcb8fe00e888ac
Opcode Fuzzy Hash: 3f7a9b4c692431aae38b631c02b00459d5fc7c1562d48f48ecfd17a613f23d53
Instruction Fuzzy Hash: 242130309006298FCB14EF68D9556EEBBB5EF89301F00452DE4467B394EF74A988CB91

Function 083E4960 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be397a1a43c2abe1286dbe4dca090f987498efbba05c431810116780bf59eaa
Instruction ID: 1f2438f42b5774e64a64f390b410940a09d6a876b0d2e662405fc05483509499
Opcode Fuzzy Hash: 7be397a1a43c2abe1286dbe4dca090f987498efbba05c431810116780bf59eaa
Instruction Fuzzy Hash: 7211CE32615128AFCB024E89EC448FF7F6EEF8D2517188016F904E7251CA33CC229BE8

Function 00D2D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1872033036.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d2d000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c075dad15e9c17948031f3b9fb84935c4002d857f817c1a7e5d35d91d9decc35
Instruction ID: a49afa169715c95f4c49274b183a3575d1a600aa2df32a007c7604068a2e6e12
Opcode Fuzzy Hash: c075dad15e9c17948031f3b9fb84935c4002d857f817c1a7e5d35d91d9decc35
Instruction Fuzzy Hash: 812153755093808FD712CF24D594715BF72EB56314F28C5DAD8498F6A7C33A980ACB62

Function 083E7190 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273fec2bb2af445e8801d3a20a872d751582f3a455c9a8e1aaa48c34534126db
Instruction ID: 86fa7884408d87ee6f04b54670aa6d486b9c66ddb080340bf01a4b8022f26416
Opcode Fuzzy Hash: 273fec2bb2af445e8801d3a20a872d751582f3a455c9a8e1aaa48c34534126db
Instruction Fuzzy Hash: CD1125327042049FCB14AE7DA85056EBBA6EFC2312B10493ED60597380EF35C88583A1

Function 081D0A2F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2f7b87fe3c80dba586cec40789bef4c8fad4a9fa34a218e0c095062488237a
Instruction ID: 7e2e1576c1604d551ed079ce1a4711551a3b78c5e30433e1596eba95b50e83d8
Opcode Fuzzy Hash: 4e2f7b87fe3c80dba586cec40789bef4c8fad4a9fa34a218e0c095062488237a
Instruction Fuzzy Hash: A51151B5E002199FCB40DFA8E4417EEBBF4EF49310F148169E949EB341E7349A41CBA1

Function 081DB6B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b6ec41039576e18f75cc1aca21acf8a9d54408f42efa71f604adc74420bd38
Instruction ID: 8dc4e0b619d4a3ce277dc5cd8535fc06e3cb719381e3e5f1ada728037b805e84
Opcode Fuzzy Hash: 86b6ec41039576e18f75cc1aca21acf8a9d54408f42efa71f604adc74420bd38
Instruction Fuzzy Hash: E2118279A003159B9B15EA79DC407BFB7FBEFC8261B15492CD829D7380EF34990587A0

Function 081DDF10 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0df45115cc4ae8f98cbe3cef8cab03b9e0b687411c1192723df81abfc7601a
Instruction ID: 935bc5fc143d4f771ee358d25e45cf187ff3f8a6fff4c59494af8210f9583fcb
Opcode Fuzzy Hash: 8f0df45115cc4ae8f98cbe3cef8cab03b9e0b687411c1192723df81abfc7601a
Instruction Fuzzy Hash: A82190B4D01219DFCB44DFA9D5406AEBBF1BF89301F2094AAD414B3250D7389A42DFA1

Function 083E0BF8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e6aa8da36f946a9b9a5182bc6658aa44b249518e8b2f7e7311425001d6d800
Instruction ID: d711131d320b3e48aacb9df49f92e96e7f9a23b21862c8fd8525682bcf64ad73
Opcode Fuzzy Hash: 26e6aa8da36f946a9b9a5182bc6658aa44b249518e8b2f7e7311425001d6d800
Instruction Fuzzy Hash: 5C119E347101145FDB04DB69D884AAFBBE6FFC8700F1084A9E005CB372EAB19D0587A1

Function 081D0A00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe10eed6561f57e5659df2d7c8b8a3e703ea9701c3ab4c6f2576c982311380a
Instruction ID: 625737d56313e9b50e072fa7317120c658177ed5acf0414f2e55042872867334
Opcode Fuzzy Hash: ebe10eed6561f57e5659df2d7c8b8a3e703ea9701c3ab4c6f2576c982311380a
Instruction Fuzzy Hash: 1E213AB9E002199FDB40DFA8D4417EEBBB1FF48310F54856AE809EB345DB349A41CBA1

Function 081D0A40 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cdb8a2b338a31437936ce69d51b24fc988d2cddd4693921c72d2e1521f9243d
Instruction ID: d61ba160216afb75e2b72d0bd50d11df71be35b209e3aac3747885fdd26c7b31
Opcode Fuzzy Hash: 8cdb8a2b338a31437936ce69d51b24fc988d2cddd4693921c72d2e1521f9243d
Instruction Fuzzy Hash: A6113D75A002199FCB00DFA8E4517EEBBF4EF48210F10815AE949EB345DB349E54CBE1

Function 083E0208 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f546d3a0c7cc0dd54257a0f90140ed6e0014b0db0cc01fca44af3b252ac79c8a
Instruction ID: 06b1692afe5e4aa8bf96b449b036889425c8f6d680089ff898a313b1099e9c69
Opcode Fuzzy Hash: f546d3a0c7cc0dd54257a0f90140ed6e0014b0db0cc01fca44af3b252ac79c8a
Instruction Fuzzy Hash: D011AC347101149FCB04DB69D948A6FBBEAFFC8701F008869E108DB365EAB1AD0587A1

Function 081DF330 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2212ba6699cda71a2a503318be812a5d0e551548fa8a479aef05ca61d8d21c6e
Instruction ID: 98e44732bd5ee039189695385b9967503ea0ae010e1c4af7e46f77d66b485962
Opcode Fuzzy Hash: 2212ba6699cda71a2a503318be812a5d0e551548fa8a479aef05ca61d8d21c6e
Instruction Fuzzy Hash: DA11B8B5E002199FCB44DFADD4849AEBBF1FF89210B14816AE959E7311E7309911CB91

Function 081D3E80 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0b85d20d0b2e34b0d5b55681daa7d0845e0e06f17298d7d1b7d7fa05427fff
Instruction ID: 999d70100398182b1832f2ce5c321ac2892b6fd41027e4e0e7cc7c53eb487c0d
Opcode Fuzzy Hash: ef0b85d20d0b2e34b0d5b55681daa7d0845e0e06f17298d7d1b7d7fa05427fff
Instruction Fuzzy Hash: 8321FFB5900349DFCB10CF9AD884BDEBBF4EB49320F10842AE918B7210C375A954CFA5

Function 00D1D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1871983576.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d1d000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: a7c7e23eecc2e78060e2c8d82c1b25ad5c19f8d9f77cc12cd167fabf05f0dcca
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: A2112672504240DFCB16CF00D5C4B56BF72FB94324F28C6A9DC090B256C33AE85ACBA1

Function 00D1D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1871983576.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d1d000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 85f3ac5301fe0f651bc2f77a1264cf629ede89d918c51247bcf3c9ad3cb316cb
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 17110372504280DFDB06CF10D5C4B56BF72FB94318F28C6A9D8090B256C336D85ACBA1

Function 081D2B40 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f3538d8f99eb2ca66c4e94ad0fb66fac42543798f24f9f31af24e73886fdf8
Instruction ID: c227c49b9d142682b7d27320f7a3d4fa808070cb9997d492cca681d094a0d6f4
Opcode Fuzzy Hash: 69f3538d8f99eb2ca66c4e94ad0fb66fac42543798f24f9f31af24e73886fdf8
Instruction Fuzzy Hash: E8113A79A00219DFDB10DFA8C840BAFB7B6FF88304F014819D559A7260E7759946CB91

Function 083E09B8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60920dfc0b5229d8b3291be2459098785c2fe43965e0d2573d49cda3acbab046
Instruction ID: b91f32b453df7a95cd276699ee513afe165743ec7369a574d149a4d42e4a74c4
Opcode Fuzzy Hash: 60920dfc0b5229d8b3291be2459098785c2fe43965e0d2573d49cda3acbab046
Instruction Fuzzy Hash: 140192393406108BD718AA29D4A0B6E7397BFC4616F14447EE1099B791CE799C418750

Function 00D2D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1872033036.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d2d000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3bf857200bd532dc0c810d27c1292898f276c4bed49fb34d8eb6f36e39b43f8c
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 33118B75504280DFDB16CF14D5C4B15BBA2FF94318F28C6AAD8494B696C33AD84ACB61

Function 081DF340 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a923edceff8b3082d6e01eea372f5ca5e9acb33b682c72b203dceec0eac8d261
Instruction ID: 3cc307c58e63424f4f7948dd05f15a2712c06b83fb1a0c214bfd1800d3347186
Opcode Fuzzy Hash: a923edceff8b3082d6e01eea372f5ca5e9acb33b682c72b203dceec0eac8d261
Instruction Fuzzy Hash: 321189B5E0021A9F8B44DFADC9449AEBBF5FF88310B10816AE919E7315E7309911CBA1

Function 083E563F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fcb1ea90fa8456bf62f2da1da1c32be3b8c58c6a91083ec0da6590dd108dd1d
Instruction ID: 81d0fc06912f7ff23fcba374ef608762ef4c94381eb4f01fc4706ae85cc9b905
Opcode Fuzzy Hash: 3fcb1ea90fa8456bf62f2da1da1c32be3b8c58c6a91083ec0da6590dd108dd1d
Instruction Fuzzy Hash: 81112170D0031A9FCB00EF6CC8412AEBBB1EF85314F00456AD411FB391EB788905CBA1

Function 081DB4C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02aae47055988b658458c4911b66623c0b69548130e43c8a365fbffffed15142
Instruction ID: 8acbc9f649a64d437f9b17e8824ab16e6f518a1f61f73b57372a13a490a32830
Opcode Fuzzy Hash: 02aae47055988b658458c4911b66623c0b69548130e43c8a365fbffffed15142
Instruction Fuzzy Hash: 3B019235200300CFC714DB69E894E5A77FAEF8A714B1544AAE106CB372CB35EC858BA1

Function 081D1F42 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e300d686405b92e3e32f98f8c7f1e18033527d468027c64fcaa2fee00ec47404
Instruction ID: a0a3705b615a117f171546888fd98d442bffcf7842b1734c89d61cbd1d85d84b
Opcode Fuzzy Hash: e300d686405b92e3e32f98f8c7f1e18033527d468027c64fcaa2fee00ec47404
Instruction Fuzzy Hash: 9F110031240214DFC711DB18D880B9EB7E6BF85315F548859E905CB241C772F895CBA0

Function 083E1C6F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093efb13ddd1528c87472a1c043539fd8d45bea347c2cb8afb8b3fe9ab381529
Instruction ID: 62716483e0ba4202567e5e8ae78776a7c90d3fa72218c0abaf5c67bec3aada62
Opcode Fuzzy Hash: 093efb13ddd1528c87472a1c043539fd8d45bea347c2cb8afb8b3fe9ab381529
Instruction Fuzzy Hash: 910121B2E00031AFCB122664D8885FE3BF0E7C0207B24486BE44AE73C0E2308916CA98

Function 081D2B50 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b9d6af650c7fa02b0d49dcb0ddd5e343ff06a003685bf24d32214bf828fcdd
Instruction ID: d7acf244cb0e672461738f8154324fb0f4d5817a5c147c8db5b67c8d1af358ea
Opcode Fuzzy Hash: 08b9d6af650c7fa02b0d49dcb0ddd5e343ff06a003685bf24d32214bf828fcdd
Instruction Fuzzy Hash: 1E117C74A002199FCB00DFA8C840BBFB7B6FFC8304F008819D959A7350E7759946CBA1

Function 081D05D0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1ac9ec1ebd00febf95a369d9f1aeb882a83fcada684cb36a9f50995f2255ed
Instruction ID: 05d2ab931be9fcb13a317301f555dcf3560e814b44d3f9f6467d30cbe6d0a466
Opcode Fuzzy Hash: ff1ac9ec1ebd00febf95a369d9f1aeb882a83fcada684cb36a9f50995f2255ed
Instruction Fuzzy Hash: D301D4B6900614AFCB11DB94EC00AEEB774EFC9240F14814AE504A7240D730AA51CB61

Function 081D9672 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2877e0112204be60d6b99bff968b764f4adf215dc483e0bb9a853ae29f91ff9
Instruction ID: d8d67065b49fd2e8ba8a8cf2e1ce0e93757597258d4c9e368e517d2a841227c5
Opcode Fuzzy Hash: c2877e0112204be60d6b99bff968b764f4adf215dc483e0bb9a853ae29f91ff9
Instruction Fuzzy Hash: 9B012974E0030ACFEB14AFA5A5547ED7AE2EF84316F149469C401AA284DB794982CFA6

Function 00D1D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1871983576.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d1d000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939759658ee287e5c8aa1e0bdc2532c67dc47ce79fe151619bbf677741de8cfc
Instruction ID: 75c39f7692f0075288efb6111506947f71115de1b25731fc2734b69b5d3c2a5f
Opcode Fuzzy Hash: 939759658ee287e5c8aa1e0bdc2532c67dc47ce79fe151619bbf677741de8cfc
Instruction Fuzzy Hash: 9901F731009340AAE7105E25DD84BA7BF99DF41324F1CC52AED1A0A2C6DB79D880C671

Function 083E305A Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1236b7bb65290f1fca382e87fd7c3ce7dae364dfaab5447d78a548d7673ccd
Instruction ID: 586dc6cea5308fa6e6d2b143083571a3440fabd4de99400ae4198098c39d8159
Opcode Fuzzy Hash: 9e1236b7bb65290f1fca382e87fd7c3ce7dae364dfaab5447d78a548d7673ccd
Instruction Fuzzy Hash: 2B01F23291030AABCF00AFA4DC449DAFB76FFC5308F01C62AE40567251EB70A599CB90

Function 083E7090 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b3b75eb2abcd7c36c9bdd9fbcf13baf9a9b6c91fe85d930ff778b8635196c3
Instruction ID: 91419a5148f85332287d1884246b4e605007734e45e6f86c9951da51097afe1d
Opcode Fuzzy Hash: f4b3b75eb2abcd7c36c9bdd9fbcf13baf9a9b6c91fe85d930ff778b8635196c3
Instruction Fuzzy Hash: 9501DA7291421ADBCF10DF99D9459FFBBB8EB48311F10812AF919B7240E731AE14CBA1

Function 083EEC08 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eafe2bba0d06bd7331e350f761e20639ddd51f52130a24fd5e14824025971d3
Instruction ID: 23bdc928e51915eed685eebcdf1650a384749b60f653c8a3d50cd7207db34322
Opcode Fuzzy Hash: 9eafe2bba0d06bd7331e350f761e20639ddd51f52130a24fd5e14824025971d3
Instruction Fuzzy Hash: 310144B4E082199FCB40CFB8C4406AEBFF0EF49200F1081AAE409E7382E7318A41DB51

Function 083E5650 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d88ba9eaccd9bb404bdeb40f50bf69755503c90ab4057345cf092c47093c9d1
Instruction ID: de096cd0115b2cfae217ccb2d07e4961357643d43eedd62baad22a92e23437f6
Opcode Fuzzy Hash: 5d88ba9eaccd9bb404bdeb40f50bf69755503c90ab4057345cf092c47093c9d1
Instruction Fuzzy Hash: 6D019E70D0061A8FDB04EFACC8117AEBBB1EF48304F108529D415F7390EBB99A41CBA0

Function 083E0F68 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c038e62551a878ed9555485a63ef0d6ed16eef5710597e7da2a8d934561cc5
Instruction ID: 9786e708e4ed034c7bd9f701965811f1a5a72bb432f628b67404c268a2d28b82
Opcode Fuzzy Hash: 35c038e62551a878ed9555485a63ef0d6ed16eef5710597e7da2a8d934561cc5
Instruction Fuzzy Hash: 72018074E0021ACFC704EFA9C484A6EBBB1BF48710F1081AAD814EB391C7749902CB91

Function 081D1632 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b37ca8e1eda3df949764f466a46bd89bcc19f6f6a3d25453df25c541a878015
Instruction ID: d6ea04c0a4cce02bc7774f5da7c600f08850eaafe4c9182c0aae1b1a71c81f6c
Opcode Fuzzy Hash: 7b37ca8e1eda3df949764f466a46bd89bcc19f6f6a3d25453df25c541a878015
Instruction Fuzzy Hash: 5D01F239A002148BCB01EB68D888AFEB7B9EFC9310F008759E414A7350DB309A41CBA1

Function 081D8B48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2411d1c0223b47b8e6ee43cacd9868ad0c235c89e1d0c3f04ce19594b2053b7b
Instruction ID: 811a787a085f0bbf2f9dbd5c7acd97ea5a28c6ecb3366755aa3a8ba1f30c5911
Opcode Fuzzy Hash: 2411d1c0223b47b8e6ee43cacd9868ad0c235c89e1d0c3f04ce19594b2053b7b
Instruction Fuzzy Hash: 8BF03C753006088FCB18AB2DC460A6B77A6EFC5712715887DED468B324DB31EC0287A0

Function 081D1640 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90163fd12d904f9902a8338db506afa92d34d7f6b75ef24354c3f12625f248cd
Instruction ID: 3762a0295215575a26fceaac55b2f2baf720705a375d61bfcfb8bcc63775f0a5
Opcode Fuzzy Hash: 90163fd12d904f9902a8338db506afa92d34d7f6b75ef24354c3f12625f248cd
Instruction Fuzzy Hash: 2201A939A007149BCB05FB64D8588EEF7B9EFC9310F508259E505A7350DB706945CBF5

Function 083E7082 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59c294bee5dd142d614ceefd09cbb1b30746c77b54f2b4d58f264d33c119194
Instruction ID: bd206c74e90f77013271289a40ff96fc9aee4150ca58c79cc235cc3427c41269
Opcode Fuzzy Hash: b59c294bee5dd142d614ceefd09cbb1b30746c77b54f2b4d58f264d33c119194
Instruction Fuzzy Hash: D10162B6D1021AABCF10DF98D8456EEBBB8EB58310F108026E954F3240D7315A148BA1

Function 083E0F78 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2ead440d797dfd15563d698f9549090bfc379a3e13efe38a9f52d38195ec3a
Instruction ID: 26cc816b656946ef12a6710ad7382a0014bac2babf60ee77660b9c23b47a3f51
Opcode Fuzzy Hash: de2ead440d797dfd15563d698f9549090bfc379a3e13efe38a9f52d38195ec3a
Instruction Fuzzy Hash: 38012174E00519CFC704EFA9D454AAEBBB1FF48711F10806AD915E7351DB74A902CF91

Function 081D8B42 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a7d3fbd3612db34c88a73cf4ef427265db1dcfb5c2dc992119715f316d879e
Instruction ID: 07159e6cfd9d5dbb2ebbd2eb05cea7cf41acc28cd0bba56f7dfc9219874ef6be
Opcode Fuzzy Hash: a8a7d3fbd3612db34c88a73cf4ef427265db1dcfb5c2dc992119715f316d879e
Instruction Fuzzy Hash: 5FF03C753006088FCB18EB2DC460E6B77E6EFC9612715887DEA46CB324DB31EC4287A0

Function 083E3068 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596fa73142c70d43700791cd853c89f97a2abc350b9213b83ae7508c16d4f407
Instruction ID: 47b34011a3897080cb4376a0c54672dc6b6137cc3661e835159d1849de18ab69
Opcode Fuzzy Hash: 596fa73142c70d43700791cd853c89f97a2abc350b9213b83ae7508c16d4f407
Instruction Fuzzy Hash: F801D63291070AABCF00AFA4DC448CAFB76FFC5304F00872AE00567250E770A599CB90

Function 083EC8F9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af69bb90bf01a93168444f13d86be6fa7e4448cb0824eaf070ea964769f6c7ab
Instruction ID: 8b67b401b2e13bac09485749eb74fba189c01fb726142433b04279e6aa5f3e45
Opcode Fuzzy Hash: af69bb90bf01a93168444f13d86be6fa7e4448cb0824eaf070ea964769f6c7ab
Instruction Fuzzy Hash: FE014F74E14209DFCB45DFB8D4406ADBBF0EB49304F0094E9E854A3381E7759A02CF90

Function 083E7110 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520801ecd3210e2421a836996571913920ec85b4b3015f8d3316e41135cb0a17
Instruction ID: 75427fdfb93cc83fa7a3079d18036e0d69d7ace2713ed51fea5a77f814e58d88
Opcode Fuzzy Hash: 520801ecd3210e2421a836996571913920ec85b4b3015f8d3316e41135cb0a17
Instruction Fuzzy Hash: CF013131A1062D87CF05ABA8D8144EEB7B9EF89311F008929D916B7250EF706A19CBE1

Function 083ED9E8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84965c81065eeae223482f7b826c97ffad52edb14cbdec991d6daae01ff1ad35
Instruction ID: ead9de1433ecc6f9369a97ad6889f1030089a34526c414c5b3172092dc8e6f00
Opcode Fuzzy Hash: 84965c81065eeae223482f7b826c97ffad52edb14cbdec991d6daae01ff1ad35
Instruction Fuzzy Hash: 350124B4D092599FCB51CFB9D8005AEBFF1EF8A200F1091AAE805E3252E7704A41CB51

Function 081D03E4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a4c990f6ddc0f336baec9f52f8a1aba25257977e4314f5196dbcf59efd2192
Instruction ID: f2608b95355965359051600594502dff6004335f7ed9f9d3945c2d9ba2f296cb
Opcode Fuzzy Hash: f6a4c990f6ddc0f336baec9f52f8a1aba25257977e4314f5196dbcf59efd2192
Instruction Fuzzy Hash: A9F0822E300724138A18727E589067EB1575FC2E137158A2E9129D73C8DF37884A43DA

Function 081D0640 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae74c58af1fca50b95aa616a5a97ac3c1accee9c1c39e00e2eef897513a333ac
Instruction ID: d1d047f55557e93a44942b037ddbe0616332e9bc25faa92493023ed8d2b4613a
Opcode Fuzzy Hash: ae74c58af1fca50b95aa616a5a97ac3c1accee9c1c39e00e2eef897513a333ac
Instruction Fuzzy Hash: E80163B5D00619AF8F41EFA8C5409EEBBF5EF48210F10865AE958A7310E770AA50CBA1

Function 083EFAA8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad867694eae090796586634cd8defcb0878babb75b0cc45de00589a5cfb86992
Instruction ID: 67f6c4491207b97946f375239bb0cc35b3a06c0117903dcd3cb738ba68f0d65f
Opcode Fuzzy Hash: ad867694eae090796586634cd8defcb0878babb75b0cc45de00589a5cfb86992
Instruction Fuzzy Hash: DB01FBB4D0921ADFCB50CFA9D9406AEBBF5FF49301F1085AAD444E7651DB708A41CF51

Function 081D6169 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1924ba969d971f91ccad946851660cc71128bdc6c6704574d382258b7944c9
Instruction ID: f4f2267090ecef3db53ca8daa16723d36cdf7dd59e9f4058a4dcc01a254c82b8
Opcode Fuzzy Hash: 7c1924ba969d971f91ccad946851660cc71128bdc6c6704574d382258b7944c9
Instruction Fuzzy Hash: D6F0EC3E70072003D718B27948907AEA2575FC6A12B188A2ED429D77C8DF36880A43EA

Function 081D3328 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5860b93482e40166a2c34f739dfc29365c2eb48d81c507e7636baa57393ec5f
Instruction ID: 248cf60e8fd807c9ac7d2a5058a82d1e48fa7a0b70ec2079dfbce7f6c6973ce7
Opcode Fuzzy Hash: d5860b93482e40166a2c34f739dfc29365c2eb48d81c507e7636baa57393ec5f
Instruction Fuzzy Hash: 05F058727001246F9304DBAAECC4E6BBBEDFB8E660B218029F509C7310DA319D0187A4

Function 083EFF30 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b9a8b0553e487954ec8cc6e7462a98e338790e68c0a748c64476334ef03924
Instruction ID: 7109544a66b8b89f9cc317cb0e7a3bf1667796097c89151ef073ab34223c12de
Opcode Fuzzy Hash: a9b9a8b0553e487954ec8cc6e7462a98e338790e68c0a748c64476334ef03924
Instruction Fuzzy Hash: D6F019B4D082589FCB40DFB9D8851ADBBF4EB4A201F1099AAE859E3691DBB046518F40

Function 081DF2CA Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ae0e4291818c5c4876b9c603585a55813c46abed4115b52b40f5fc4b4ca8e5
Instruction ID: 580b1a316b39a83d05b63d7d1d24e515b87f69487427885abdab740a7ca3d981
Opcode Fuzzy Hash: b1ae0e4291818c5c4876b9c603585a55813c46abed4115b52b40f5fc4b4ca8e5
Instruction Fuzzy Hash: FDF0C272A106149FCB10EB69D4C48DEBBB4EFC5310B10416AE14597320EB309946CFA1

Function 00D1D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1871983576.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d1d000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe1b6321065ac8ce8787c8b467661fdbb529a64f64ca01fbe271b46038e5504
Instruction ID: 7100d829a75fef2b3f0f50a216ed87103b8734846917aa15efb574ed0f16f42b
Opcode Fuzzy Hash: 4fe1b6321065ac8ce8787c8b467661fdbb529a64f64ca01fbe271b46038e5504
Instruction Fuzzy Hash: E9F06271409344AEE7109E16D888BA2FFA8EB91734F1CC45AED094B286C7799C84CAB1

Function 083E7102 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27af9e9807879bacc51e8d040ef802941c91b10264a836d47b1e89ea60ad14fa
Instruction ID: 98352bb8d21c56f4f0394c4ceab12ab0add788bf25a41c7d0cdbfadb2b56cfc8
Opcode Fuzzy Hash: 27af9e9807879bacc51e8d040ef802941c91b10264a836d47b1e89ea60ad14fa
Instruction Fuzzy Hash: 93F0F632A046284BCF15AB68D8100EDBB75AF89311F04C66EE945B7280EF31961987E1

Function 081DB4D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549e56917fd7049151bd8bc69c78eed41d65c74a2c01e2457db9852d36e22e66
Instruction ID: 9d03b6c68099a23ab80629903c27d4da2c7038f1de53ee7c884ba6e6fd7a74ce
Opcode Fuzzy Hash: 549e56917fd7049151bd8bc69c78eed41d65c74a2c01e2457db9852d36e22e66
Instruction Fuzzy Hash: 78F090343002108FC724EB69D444D5AB7FAEFC9725B1105AEE106C7372DB71EC468BA1

Function 083E499A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9c71b4ea05ea437df2c8e31be2db013e81d6c0bfad37c7cdf861075708e0f5
Instruction ID: 0f95d8ed5ba1db38d3c684b7cf4e66b0efabc93caeae9f76fd02281433f68d5f
Opcode Fuzzy Hash: fd9c71b4ea05ea437df2c8e31be2db013e81d6c0bfad37c7cdf861075708e0f5
Instruction Fuzzy Hash: B0F0BDB7610119BFDF025F84EC458AE3F6AFF48251B148011FA05C1111CE368D72ABA0

Function 083ED35A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8c65144208418c0466900a77a0ed370605c1c727bae1a15a8781641a8b92be
Instruction ID: 3dc5073ee6cf67921972c5f4c6839680a0b401f58f4862d06402bb52196326d8
Opcode Fuzzy Hash: 2e8c65144208418c0466900a77a0ed370605c1c727bae1a15a8781641a8b92be
Instruction Fuzzy Hash: 26F0CFB4E08218AFDF50DFB9D8856ADBBF4EB49211F1089AAE859E3251E77046408F40

Function 081D7050 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90338a0aa3ef6ad241e904520e51e6e85ba8514242c7d990ec8793b859cf00e2
Instruction ID: 91e293ba80a8334a270037f4d7da66f8d8cf8f9ace73458083e4ca9e3d2204ac
Opcode Fuzzy Hash: 90338a0aa3ef6ad241e904520e51e6e85ba8514242c7d990ec8793b859cf00e2
Instruction Fuzzy Hash: F301C035A40208EBDF15CF94C949BEDBBB2AF48302F148059E9057A2E0C7729990DFA5

Function 081D3298 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7f344bb7880caa1d3f5ef2094aa4c6c462577913674a12f1bf3a827283bec0
Instruction ID: 316956a7d14353f96187dca3b576270da413dce1baa406a255d63a5d7d07dea9
Opcode Fuzzy Hash: ff7f344bb7880caa1d3f5ef2094aa4c6c462577913674a12f1bf3a827283bec0
Instruction Fuzzy Hash: B201E871C00219DFDB14CFAAC4053AEBBF1BF49351F218629E828AA290E7744A44CFA1

Function 081D1CB8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb11661d0a25f278f1216732b64139fa07d1de1222831fd43d626477aa5c8ff
Instruction ID: 3830cab5d12f3bff64bca37f76498e4248b05598a980af53fa53594aa8bad9e5
Opcode Fuzzy Hash: 2bb11661d0a25f278f1216732b64139fa07d1de1222831fd43d626477aa5c8ff
Instruction Fuzzy Hash: 1CF068759006099FCB00EF54C844CEBFB79FF89310B04C75AE95567211E730A584CBA0

Function 083E49A8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a26fb4b9edb61ffbf3de59607bb2b805f8872862de921e4ed773c3668b29593
Instruction ID: 80b196e6c763e22545d99a7c167e8bb661fe0839a8ffcb2668ea6346b1787210
Opcode Fuzzy Hash: 8a26fb4b9edb61ffbf3de59607bb2b805f8872862de921e4ed773c3668b29593
Instruction Fuzzy Hash: CEF07A76210119BFDF015E85EC45CAF7F6EFF883A1B148015FA0582120CF368D72ABA1

Function 083E3D60 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3dc929f4535a531d316ba66421594345d8f82eabaef278e8b0a127d198bd456
Instruction ID: 44d4468654a97a0e4a4d268795c5984f457ac77546942f7794629b3993d2539a
Opcode Fuzzy Hash: d3dc929f4535a531d316ba66421594345d8f82eabaef278e8b0a127d198bd456
Instruction Fuzzy Hash: 1DF0BE32920B158BC711EF6CE404489F7B5EFD5322B10863EE58A67240FF31A899CBD0

Function 081D297C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3afb9766b40ca3f451ded093d1c859cf3ad9041e137faf8c3bcfcd8b735ea598
Instruction ID: 43501d2d1b470f8c211f562659ca425a9a65e1a8dbea1ed2980e495cbe7dad08
Opcode Fuzzy Hash: 3afb9766b40ca3f451ded093d1c859cf3ad9041e137faf8c3bcfcd8b735ea598
Instruction Fuzzy Hash: 18F0A732600208BF9F48DF98D881D9EBFEAEF84215F04806AE409D7324E731ED408754

Function 081D329A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1309ca07ed2a8e5d3d8ba65739754f18ed4d3f6a5204b8e2b92183af4f8a584f
Instruction ID: e86340d815c26df40c329f45e247f4cf0efa77f55df7d25695d1b2123981c71e
Opcode Fuzzy Hash: 1309ca07ed2a8e5d3d8ba65739754f18ed4d3f6a5204b8e2b92183af4f8a584f
Instruction Fuzzy Hash: 3701FB71C00219DFDB14CFAAC4043EE7BF1BF48311F218629E428AA290E7744A44CFA1

Function 081D1CB6 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75ea192d003789167a5ecb623146c2f51263809fb20053f810aed6da9547d79
Instruction ID: 3bd495ec836b999822025ee032c76315e73b9b843d6815e398ef6c3376c10f40
Opcode Fuzzy Hash: d75ea192d003789167a5ecb623146c2f51263809fb20053f810aed6da9547d79
Instruction Fuzzy Hash: 71F0127AD006099FCB00EFA4D984CEBF779FF88310B05C75AE95967215E730A595CBA0

Function 081D475A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ddd2696b454354af1c2875761ada4fafc788391628025e98dca1bc8dd6690ea
Instruction ID: 5e177214925462f84b7d5d287bdbdd16ca5f77d0c433dd79ba06ccfa82bc5139
Opcode Fuzzy Hash: 8ddd2696b454354af1c2875761ada4fafc788391628025e98dca1bc8dd6690ea
Instruction Fuzzy Hash: 8EF01C36600208BFDF58DF98D881E9EBFEAEF48255F14816AE508D7320E771E9908B54

Function 081D3338 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61270edcee731bc25242a2aeb95ce0d7b65bd727933de394ac9db1ce494965e
Instruction ID: e40e9f2f348e796ae3daa4bad20c7c57b223fadf42f3708d6099dd308bc1a64a
Opcode Fuzzy Hash: d61270edcee731bc25242a2aeb95ce0d7b65bd727933de394ac9db1ce494965e
Instruction Fuzzy Hash: 3DE039727041286F93049AAEE884D6BBBEEEBCC660311807AF508C7310DA319C0086A0

Function 081DB530 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197480112482055224b4b0275fe814dc3867038ceb4e1095b492fc5d9cb2dbaa
Instruction ID: b8a2edff455b845e4234eb906a57096546d3732d4232619b9d566990873d0d50
Opcode Fuzzy Hash: 197480112482055224b4b0275fe814dc3867038ceb4e1095b492fc5d9cb2dbaa
Instruction Fuzzy Hash: D1F0A772B047955FDB05AF95AC4089BFB79EFC6324704167AED0567243D6726804C790

Function 083E7180 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c092e9047681565dbb54c511ac0c2a0a71ae344c08de39a730428aeebc78d30
Instruction ID: 4418d701a99807fec66c4951c3ac8b0162ed42361b27fc2d5fc8be2e676aa9cc
Opcode Fuzzy Hash: 9c092e9047681565dbb54c511ac0c2a0a71ae344c08de39a730428aeebc78d30
Instruction Fuzzy Hash: 1DF08C326003048FD728AE69E99056DB7A6FFC9212B55897ED609D3294EF31D885CBA0

Function 081D298C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae759694210e4229d8dc623971c0e951cf8915fcf091f39464ded21442c7ed9
Instruction ID: 045f085e6ed6194e82434b62b2b5692419c3dc934f18ec4c13fc4d35f891f881
Opcode Fuzzy Hash: 9ae759694210e4229d8dc623971c0e951cf8915fcf091f39464ded21442c7ed9
Instruction Fuzzy Hash: 81F0A0742483848FCB0A5B79986C62A3FF4AF85201B00486BE842C7292EE34DC058661

Function 081D6090 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb19ee94345c1058efb5cea61ce9cc3c397ee9ac826b75e1030da75ad8d3446
Instruction ID: 92304895ffd8b5184ad7b325e58a0a68c907e0c306510c40549067e70f0bcdea
Opcode Fuzzy Hash: 7cb19ee94345c1058efb5cea61ce9cc3c397ee9ac826b75e1030da75ad8d3446
Instruction Fuzzy Hash: 1CF092B4E0020A9FDB44DFA9D846AAEBFF4AF48601F104569D514E7341E77586418B90

Function 081D60A0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc42035d830f6398cd1e80d8096231886b1fc595cecf0d84ec2711a04574fe36
Instruction ID: f9650d28d853afdc16a925728df7c1f59126d96f7e3d61ef673cbd482c63abc7
Opcode Fuzzy Hash: cc42035d830f6398cd1e80d8096231886b1fc595cecf0d84ec2711a04574fe36
Instruction Fuzzy Hash: 4DF0B2B0E0430A9FDB54DFA9C842BAEBBF4AF88200F1045A9D918E7341E7759A008BD0

Function 081D1FE0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210e73d1f23de44db51e1417274b3e4d5a34d6f2bd947dba3fa4aa406e88671b
Instruction ID: bad567ce86cb65287eeddfe0792cfc233882216da3f3f0b8a8c1661bb25d655a
Opcode Fuzzy Hash: 210e73d1f23de44db51e1417274b3e4d5a34d6f2bd947dba3fa4aa406e88671b
Instruction Fuzzy Hash: B1E0923671061157CE14A2AAA48576D379ADFC9722F150426E205C7381CF789C4293A1

Function 083E3D50 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2417c1b709a977e5eeb26e150b334976e78393b3c1cf4a32f7d97806a0044b44
Instruction ID: 868a9ae2257aeb51b914fa1dacdefc09d7380a1852b1f9139bd99cdf41c7e2ca
Opcode Fuzzy Hash: 2417c1b709a977e5eeb26e150b334976e78393b3c1cf4a32f7d97806a0044b44
Instruction Fuzzy Hash: A9F0E231910B458BC712EF6CE505089BBB1AF92201B04CAAEE48AA7691EB34D985C790

Function 081D00F4 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c3f6275b9c4860ed413097182efb9a94dbb9e563301fb199387bd86bb49041
Instruction ID: b2a858a3bb5437cf14db1c34336dcb4e80fc82efcb271786c279bea7a502562d
Opcode Fuzzy Hash: e8c3f6275b9c4860ed413097182efb9a94dbb9e563301fb199387bd86bb49041
Instruction Fuzzy Hash: 01E06D30281700DBD715A668D844BEFF3A6EFC9311F40483DD55A87358DB72E8498BE0

Function 081D4A00 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391c7dbe99982d0629d4873b624be5691769ade2a0ab3837a9b62185a08765e0
Instruction ID: 7993fd95789f10770ee4854421c1f6e40f475195f57a4cf8d06f3a73181f6540
Opcode Fuzzy Hash: 391c7dbe99982d0629d4873b624be5691769ade2a0ab3837a9b62185a08765e0
Instruction Fuzzy Hash: 07E06D3AA40A24878210DF98F4814B5B3E8F74466A3198456E40CCA654F333D823C798

Function 081DB540 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2262522a42578beabef5b0440d6aa32cb35e90247f1ccfbf9cb4d30f3c72de38
Instruction ID: 1f9e86a596d61700a35cafeb4c200815f73e3bca8ea00ed9bb9a4098fab8f4c5
Opcode Fuzzy Hash: 2262522a42578beabef5b0440d6aa32cb35e90247f1ccfbf9cb4d30f3c72de38
Instruction Fuzzy Hash: B3E092327007559BCB04AF95EC4089FB77DEFC9324710566AEE0967306E67268048A90

Function 081DFF70 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1494527f7bed4ef719c33185f08cc3353212b93ef9247a60faeda0bcf633f9
Instruction ID: ae5933c21331f5f977eaef92fcc0482d4b824686006efcdaf8eaa3dcf1b274fc
Opcode Fuzzy Hash: ef1494527f7bed4ef719c33185f08cc3353212b93ef9247a60faeda0bcf633f9
Instruction Fuzzy Hash: 0FF0A571D05208AFCB50DFB8A4446ADBBF4AB0A201F1094A9D409E3240EB349A85CF40

Function 081D96CD Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2407fbb05e2b69da62a7b2fbe78ea94676469fa27f11255d5157e38295df5803
Instruction ID: 40adf5081b5b6af765c45e6483e638fa9140e7fbc2ce0767d339c7e34b3afda4
Opcode Fuzzy Hash: 2407fbb05e2b69da62a7b2fbe78ea94676469fa27f11255d5157e38295df5803
Instruction Fuzzy Hash: C0F01C30E0070ACBDB18AFB995547AD7EE2AF44346F008479C006EA290DF784842CFA5

Function 081D1FF0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cb5a9b8b1520e2ec5ffb753d45fbb76dc00c246cba0cc1fc677a3a9c91eedd
Instruction ID: c7f99afda79e3727762de55014288498df2d89fe0e70011f47a2d7bf5f2f33ca
Opcode Fuzzy Hash: f3cb5a9b8b1520e2ec5ffb753d45fbb76dc00c246cba0cc1fc677a3a9c91eedd
Instruction Fuzzy Hash: 09E08636B107515BCA0472BEA45576E399A9FC9663F050036F105C7380CF745C0283F1

Function 081DE6B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70ab0a28240c91912e18f05816d843d1d1dabc63ca91cd620142d3acbb8601c
Instruction ID: ae94e21049db000a1456b449979bfcb7511bcef789521d998182a6b726775e99
Opcode Fuzzy Hash: a70ab0a28240c91912e18f05816d843d1d1dabc63ca91cd620142d3acbb8601c
Instruction Fuzzy Hash: 8DF07F74D00208EFCB51DFA9E99579CBBF0EF08305F1485AA9818E7350EB35AA90DF51

Function 081D1FA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d63aea349c62c3f316c9e29c99b5223d777e6e049cbe0d1408e02a5a850193a
Instruction ID: 4efe05235f0ba2bac3bf60940917921c66c087e388700c188f6083a59df20071
Opcode Fuzzy Hash: 7d63aea349c62c3f316c9e29c99b5223d777e6e049cbe0d1408e02a5a850193a
Instruction Fuzzy Hash: A1E07231309760AFCB14836AA8E138EBFEA9B08215F00012EE54CC3301CB2EA44683E6

Function 081D4A48 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c612cee3d6c99308655a83ce9391273f9c437695fea42521376efbd3308f395b
Instruction ID: 28041048ecec9be35eba1b6684dc7ba62b7c868be090011babf7bbf2b575b66e
Opcode Fuzzy Hash: c612cee3d6c99308655a83ce9391273f9c437695fea42521376efbd3308f395b
Instruction Fuzzy Hash: 05E08C32800B619FE720A648E4417C47B98EB003A6F468165E846A3104E778E8428BED

Function 083E2660 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e78f16035d738811110250db7d514aba96021e1384f7e03c027b99027e298a
Instruction ID: 8fae29ff7f26b2d2194f174ac4b4e054e9e0e3e94ec7febdfc378f66402d3e7f
Opcode Fuzzy Hash: 87e78f16035d738811110250db7d514aba96021e1384f7e03c027b99027e298a
Instruction Fuzzy Hash: 26D02E3F28403043DD20AA14BCC17DA3386FBC830AF288D2AF181D7288C86EC8864251

Function 081D017C Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f82f8e5c836ab17698b3dac0a921db23d7029601c32afaaa1fd36fed6d7b33
Instruction ID: d6afbdc8e65d42ab2f4177fde92fd2f4c2ce52926043a42f3529055cee24fdf9
Opcode Fuzzy Hash: 70f82f8e5c836ab17698b3dac0a921db23d7029601c32afaaa1fd36fed6d7b33
Instruction Fuzzy Hash: 5FD02B3134E7646BCA04537E68D53AAFECBDF49215F00051AF94EC3301CB5A5804819A

Function 081DE6C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada2551f710fdad4d54e31d5631dca1a3d629c398fd08f3d3c1184fb16330b00
Instruction ID: a757d69bb2e793560dac845e39b319eec8f8804393dba71a64c495fce0cbfb60
Opcode Fuzzy Hash: ada2551f710fdad4d54e31d5631dca1a3d629c398fd08f3d3c1184fb16330b00
Instruction Fuzzy Hash: F5E04E74E00209EFCB94DFA9E54569CBBF4EF48301F5081A99818A7350EB755E54CF51

Function 083EE4C8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53dc5a6928f863cb8f5214e979ee92cb53ca8d2931d85a3e8a374c8706f447a7
Instruction ID: 76fe6c58f0c3dc012d39b33dc5a278a5e186d758303a9f2e2900d2ef161fe31a
Opcode Fuzzy Hash: 53dc5a6928f863cb8f5214e979ee92cb53ca8d2931d85a3e8a374c8706f447a7
Instruction Fuzzy Hash: 12E01230905128DBCB10EFF8D4446BD77B8AB85206F1055A9E80573AC1D6B05E95DE81

Function 081DD3B0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb6628c3909d714ceb86b5fcae9ee00e3b1725682b249db3ed9721826eff335
Instruction ID: 4ff3d566446a268e7229d9ac19d61e071a181ec805bbcb4c11f5f706e21ce351
Opcode Fuzzy Hash: 0cb6628c3909d714ceb86b5fcae9ee00e3b1725682b249db3ed9721826eff335
Instruction Fuzzy Hash: F2D05E373502249FD7009BB9F848E9277ECEF48665B0140A6E20CCB721DA62DC008B90

Function 081D9F58 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886c3c6ec31f10bc705a3bf3983561151517b7caeae994154dd31f341d522e02
Instruction ID: 31810298a2f89e5655c4397c2baeceb9f8804819d73cabdd817af5b5c3f56dfd
Opcode Fuzzy Hash: 886c3c6ec31f10bc705a3bf3983561151517b7caeae994154dd31f341d522e02
Instruction Fuzzy Hash: 42D0123EB4092547D7562754A46537D3F65CF80557F09086AD0468B3C0DF1C4E228789

Function 083E511A Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5863c12b2f82343fc58a108c1dc4bcbd08ce7487534a899eea6a0441c5cd716
Instruction ID: 630a46afff14e13251d2681326ac4a3fdde4c4a53417d1a5400cba8673d31251
Opcode Fuzzy Hash: f5863c12b2f82343fc58a108c1dc4bcbd08ce7487534a899eea6a0441c5cd716
Instruction Fuzzy Hash: 7DE0C23B54957047DB50DA14E8C1B893755BB94212F198DADE094DF2C4C46AD48A8391

Function 081D49AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ef9404e988b5e0eb553af8b8884b0f445441e9231a33df5ef174148236db3f
Instruction ID: b7b0f1c39ce13689163147b40650e755c6d2e91b0ab58b6b9ad8bf81301257f5
Opcode Fuzzy Hash: 84ef9404e988b5e0eb553af8b8884b0f445441e9231a33df5ef174148236db3f
Instruction Fuzzy Hash: EDD05E75200608EFD704DF65EA98F2A37ECBB88201F208429E805C3341EB35FC528AA1

Function 083E80F8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d16b4a564047e8ea30fa13e2afa06b90cd0fbfde7ae231071e67b13f055c445
Instruction ID: 4182fb6f66cd5242e8a50ac03ccc6d8fb0bef3e09337af7713b2bf370a827225
Opcode Fuzzy Hash: 6d16b4a564047e8ea30fa13e2afa06b90cd0fbfde7ae231071e67b13f055c445
Instruction Fuzzy Hash: 18E0C2305083985BCF115FB0E8187693E94AB41656F09847CE840851D2E675C110D311

Function 083E2C5F Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39345388148646a44797444886b8a8ae4542285257bbecac4500a05a1c551756
Instruction ID: 42ebf8cc175e4f0de7f7629d3def77cbba5efe3aff1b5b9c16a67f88435a587c
Opcode Fuzzy Hash: 39345388148646a44797444886b8a8ae4542285257bbecac4500a05a1c551756
Instruction Fuzzy Hash: A2D05EBB9000196BDB417A84CA01AC6BFA8EF55702B86C0A2E58C9B165D539855B8F90

Function 081D9F68 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ffe5e3122604602173033e1c17b969818a3139d3524d7d2f644c95cf4dd1359
Instruction ID: d785947d6c7b750d930e0d11e4b566f9eb8596e46a9adefd0da3cb4b7dfc062c
Opcode Fuzzy Hash: 4ffe5e3122604602173033e1c17b969818a3139d3524d7d2f644c95cf4dd1359
Instruction Fuzzy Hash: B5D0123A740B34038A5A3358A4393BD7B9ECF84957744046FE40A8B3C0DF5C5E1682DE

Function 081DA858 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a8a3996321f0055505e5128fb2834640204e894369dd24c352a621ad4c80702
Instruction ID: e883c4de291a5d6e596dcab356a0449b8de32b2a24ba06fbbcf6f643e88b443c
Opcode Fuzzy Hash: 6a8a3996321f0055505e5128fb2834640204e894369dd24c352a621ad4c80702
Instruction Fuzzy Hash: 8FD01CB95001419FC380EF38A8A5B5AB7EABB88201F008829D888C2200EA3894199A12

Function 081D6140 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9dbda6db94595f04e0fd2d721dad5b647690addef0eff5f18dfbcd2e4d5920
Instruction ID: 38456b3ff2c81cb6e9c381e434571b3d5c42cff842e16486390e56d9e026119d
Opcode Fuzzy Hash: af9dbda6db94595f04e0fd2d721dad5b647690addef0eff5f18dfbcd2e4d5920
Instruction Fuzzy Hash: 99D0123B24420C9F4B40EED4E804D56B7EDBF64600B008432E508C7622E722F434D792

Function 083E8108 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1bd96ed387e9448f5d6de27dfb2b3e6a262f2bee86ec73cc8a9f8f04ddba8c
Instruction ID: 427956e52753edfa0620973636530ae3a0b2f0dc1127a24f59779d97416a3afa
Opcode Fuzzy Hash: 8f1bd96ed387e9448f5d6de27dfb2b3e6a262f2bee86ec73cc8a9f8f04ddba8c
Instruction Fuzzy Hash: D4D01230A1431C9FDF105FB1D81C7267ED8EB80652F048839F905C2290EB75C550D555

Function 083E2C70 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c575ffb02fd39229b98ad03ddbcdc09e256e2005c1fc96e08815a2e1c825ad5
Instruction ID: ab8c5b237616b7539168edb6d4da3155d9b657b5d00b3932a8ceb7c88e2f51c3
Opcode Fuzzy Hash: 7c575ffb02fd39229b98ad03ddbcdc09e256e2005c1fc96e08815a2e1c825ad5
Instruction Fuzzy Hash: 68C0123610002D7B4A01AB85D900CC7FBADAF89655304C066F5088B121D662E512DBD0

Function 081DF18E Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb3ebe05fcd7751ba2718f7ea84db0a152f4c92a56fd9f9f043fbc80dec4dfd
Instruction ID: 9742601d389aaf0f4c396be7dd1b7d7c4c19f107ed2611a289a5f2ba9499abd8
Opcode Fuzzy Hash: 6cb3ebe05fcd7751ba2718f7ea84db0a152f4c92a56fd9f9f043fbc80dec4dfd
Instruction Fuzzy Hash: FDD0229140CB800DE302BB30086205C3F30BE53000BA3A6D2C0C1EF022F918805DD393

Function 083E7A78 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c9e6f4b7e584e4d52bf721f30cc6f6d418436f0f7311bbaae45a2985a3437c
Instruction ID: 97552cecfb9d337fdc937e74c7a7472041c4889aec78919b67c82f67a00eda00
Opcode Fuzzy Hash: 60c9e6f4b7e584e4d52bf721f30cc6f6d418436f0f7311bbaae45a2985a3437c
Instruction Fuzzy Hash: 60D0C93B040148BBCF024F90E815AC93F31EB48711F048044FA1909551C6738570EB91

Function 081DF1BA Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5c27ca6d1691b844de2fa6e9550bbe21fc3986217d69463a1f64a445c93ac3
Instruction ID: 748b862071eaceffe51f5a86387e80e0933deb561e6c3a52e9374de23ec51b73
Opcode Fuzzy Hash: 0c5c27ca6d1691b844de2fa6e9550bbe21fc3986217d69463a1f64a445c93ac3
Instruction Fuzzy Hash: BED09EB5544148AFCB51CF24D495D987B62EB55220F568095E9898B622C671D856CF00

Function 081D95A8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af42fac9102514939e6069cc4cf69d3f54eb09d69d5030635042ce3e509df61
Instruction ID: f2c3a0ac2354ae3c0a4a93881380ced0c15ae0cbd13627f737a84b3989db721d
Opcode Fuzzy Hash: 9af42fac9102514939e6069cc4cf69d3f54eb09d69d5030635042ce3e509df61
Instruction Fuzzy Hash: A3D0A73800A744AFCF21A720F8447013F70EB02314F0520DAD040C627BCFE54499CF81

Function 083E7A80 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71151149aaed02044e4f22874b53778737b18629943b95c87b85fbde727079af
Instruction ID: f7317c57d172776cfab0cc87c7ac985d8968f716505980c82ed6e45a3cc1b053
Opcode Fuzzy Hash: 71151149aaed02044e4f22874b53778737b18629943b95c87b85fbde727079af
Instruction Fuzzy Hash: 52C0023A04020DBBCF025EC1EC15EDA3F2AFB48750F048401FA190416187B39970EBA1

Function 081DB5B0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22571a67485700c562097d7a8f4a0434bcaf7adc43f1ad05539328cd550dd91a
Instruction ID: 090e9775edb3cf39408cba80a006479d90406d959fa09e76fffe6c3a14560858
Opcode Fuzzy Hash: 22571a67485700c562097d7a8f4a0434bcaf7adc43f1ad05539328cd550dd91a
Instruction Fuzzy Hash: 4AC08C3A000000DFEF06DB00C881F44BBB0FF95304F008D82E0048A230C331E429EB02

Function 081D79D4 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada2249f5980d2ec3c6c6f4b6d9a6e75f66beeeefc69bd4c9e8b093a8b7bfa90
Instruction ID: 330d488960cfe3170eeeb91d408dab685265ade354e7b32c2f0bbbf59a713934
Opcode Fuzzy Hash: ada2249f5980d2ec3c6c6f4b6d9a6e75f66beeeefc69bd4c9e8b093a8b7bfa90
Instruction Fuzzy Hash: 7AC02B3B008100AFC605A700C540C39FBF1FFC0300B01CE52F10241134C731C818D701

Function 081DF1C8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90

Function 083E924C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877869676.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83e0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eea5fa860acc0b4732e5c55ea9070a0c000dd6fb3d47ae3df539d0d2fb754a9
Instruction ID: 2d9a348fde882a12d8d57d37d93c66a3d3480ae81bfb89261eb457a51359c984
Opcode Fuzzy Hash: 4eea5fa860acc0b4732e5c55ea9070a0c000dd6fb3d47ae3df539d0d2fb754a9
Instruction Fuzzy Hash: 25B012F9694310B36C01A3744940B3BE415EFE5705F008C12730D512588970E865D13F

Function 081D03C4 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877608815.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81d0000_wBfGlYCdeX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708891145e8bed201ad6d9fea023ed4c8b292dfb00f4213376cda16012ebcfee
Instruction ID: eea627835b49f168c58385ed4e528a7b424731c1440a798a94e0e3d039c4567e
Opcode Fuzzy Hash: 708891145e8bed201ad6d9fea023ed4c8b292dfb00f4213376cda16012ebcfee
Instruction Fuzzy Hash: CBA0220E0C0300238C0833AC83C033E8800EEC8302FC08C008A028000C8B30E0C3800B

Analysis Process: RegSvcs.exePID: 7752, Parent PID: 7396COMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	38
Total number of Limit Nodes:	7

Executed Functions

Function 0145D0A8 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0145D136
GetCurrentThread.KERNEL32 ref: 0145D173
GetCurrentProcess.KERNEL32 ref: 0145D1B0
GetCurrentThreadId.KERNEL32 ref: 0145D209

Memory Dump Source

Source File: 0000000E.00000002.2091023713.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1450000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c59d3a83f2ab4440b0fbbe3725520aaffafd5fb6ef56a4fa2d5a9cc301b6b8e3
Instruction ID: 6f0915f9de16fba8fc1507c9f5096d3132c3927ab02a5b2c9e2771d5bcbbd6ce
Opcode Fuzzy Hash: c59d3a83f2ab4440b0fbbe3725520aaffafd5fb6ef56a4fa2d5a9cc301b6b8e3
Instruction Fuzzy Hash: 1D5186B0D00249CFDB55DFA9D948B9EBBF1EF48304F20846AE519AB3A1C7349884CF65

Function 0145D0B8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0145D136
GetCurrentThread.KERNEL32 ref: 0145D173
GetCurrentProcess.KERNEL32 ref: 0145D1B0
GetCurrentThreadId.KERNEL32 ref: 0145D209

Memory Dump Source

Source File: 0000000E.00000002.2091023713.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1450000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c4f966d11a37e118adb3c81eaa3dca7d6eca49870bd7461400ae744f3ccdc2c3
Instruction ID: b06968a1bda5060018c3df098974e694c8facb06c0fb6d7643ce9f2f10caa001
Opcode Fuzzy Hash: c4f966d11a37e118adb3c81eaa3dca7d6eca49870bd7461400ae744f3ccdc2c3
Instruction Fuzzy Hash: 3A5167B0D00209CFDB54DFA9D548B9EBBF1EF48314F20846AE519AB360C7349984CF65

Function 0145AE30 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0145B086

Memory Dump Source

Source File: 0000000E.00000002.2091023713.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1450000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d2128ca2ae6f85d956121967020448681ee2040129a2c57558796571e6d07d73
Instruction ID: a223110dcbeed0e8259a7b21310f244cebfafad0abb75e9464fd730606e74830
Opcode Fuzzy Hash: d2128ca2ae6f85d956121967020448681ee2040129a2c57558796571e6d07d73
Instruction Fuzzy Hash: 238146B0A00B058FD764DF2AD45075BBBF1FF88214F108A2ED98A9BB61D775E845CB90

Function 01455935 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014559F1

Memory Dump Source

Source File: 0000000E.00000002.2091023713.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1450000_RegSvcs.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3dad4852e9631ac8755d73c8ea28ddcc257b838f3665492a02b5b253072645ea
Instruction ID: abc3993ab9c325f8f3abb48a95f9af16e59b4c40eadc83373fbd09873434609d
Opcode Fuzzy Hash: 3dad4852e9631ac8755d73c8ea28ddcc257b838f3665492a02b5b253072645ea
Instruction Fuzzy Hash: 8941C2B0D00719CBDB14CFA9C884B9EBBB5FF45304F24806AD409AB265DB756986CF90

Function 01454248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014559F1

Memory Dump Source

Source File: 0000000E.00000002.2091023713.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1450000_RegSvcs.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9e220c283397aa42c35604bde5ca3ea54a0d1e880065856f015bab9c4dfad069
Instruction ID: edcce5c774f5d6c0cd68c414886263a79f6411896263f0f0fc9599df1b66afb3
Opcode Fuzzy Hash: 9e220c283397aa42c35604bde5ca3ea54a0d1e880065856f015bab9c4dfad069
Instruction Fuzzy Hash: 2F41DFB0D0071DCBDB24CFA9C884B9EBBB5FF49304F24806AD409AB265DB756985CF90

Function 0145D2F9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0145D387

Memory Dump Source

Source File: 0000000E.00000002.2091023713.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1450000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 231d352f1336b6abf8bf9aac8d1656e025c0b72ff6e9d14150fd9cc81e273323
Instruction ID: e5221f3a0f452bb254911f3740e2119a755ebaf4c24ebaedbcbc9710021ce975
Opcode Fuzzy Hash: 231d352f1336b6abf8bf9aac8d1656e025c0b72ff6e9d14150fd9cc81e273323
Instruction Fuzzy Hash: 022105B5D002589FDB10CFAAD484ADEBFF4EB48310F14841AE914A7311D374A940CFA5

Function 0145D300 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0145D387

Memory Dump Source

Source File: 0000000E.00000002.2091023713.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1450000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4ce61eb14551a6063750aa9ee3a43dc6e5937caf5aa6b49a2107cf108b6f7e34
Instruction ID: 412ee0f21fe08af68060f31c14bd4a8716f6501d086653fe9e3c288b3aa4cb63
Opcode Fuzzy Hash: 4ce61eb14551a6063750aa9ee3a43dc6e5937caf5aa6b49a2107cf108b6f7e34
Instruction Fuzzy Hash: 2621E4B5D00208DFDB10CFAAD584ADEBFF4EB48310F14841AE918A7311D374A940CFA4

Function 0145B020 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0145B086

Memory Dump Source

Source File: 0000000E.00000002.2091023713.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1450000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c20c03f69debd26a5cf2c9c905cd6d5b260a99f519395c94375aa0af4c0277c9
Instruction ID: da9c099a8a0101fb04500da97b866bacd3cd602454696c25768970472217d77f
Opcode Fuzzy Hash: c20c03f69debd26a5cf2c9c905cd6d5b260a99f519395c94375aa0af4c0277c9
Instruction Fuzzy Hash: 201110B5C003498FDB20CF9AC444ADEFBF5EB88720F10842AD968B7210C379A545CFA5

Function 013FD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2090424366.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_13fd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9b2435f7f22b196acb8ccaaab17ee37fb04c1d795cb7ce995985fd3a8b097e
Instruction ID: 1c66405fb6958d4037228c522fdc691608b2fdeb2c0939eb37fea80e811a6dfa
Opcode Fuzzy Hash: 5c9b2435f7f22b196acb8ccaaab17ee37fb04c1d795cb7ce995985fd3a8b097e
Instruction Fuzzy Hash: 2D216A71100204DFDB05DF48D9C8B56BF65FB84318F20C16DDA091F256C736E446C7A1

Function 0140D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2090496743.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_140d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9682fbbe968578683641b32cb2e5d4c7d2a05dcf7b8732b6a7e65888ca9a5b
Instruction ID: 195b856a8d88b1b1b101f9578e65b575c75f3cf59f1d5e5b6653e5870caae001
Opcode Fuzzy Hash: 1b9682fbbe968578683641b32cb2e5d4c7d2a05dcf7b8732b6a7e65888ca9a5b
Instruction Fuzzy Hash: A02128B1904200DFDB16DF99D984B16BF65EB84318F20C57ED90D4B3A6C336D44BCA61

Function 0140D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2090496743.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_140d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0a08b72e9b64bcb21d0a79627bdb4df172ae673d5f1307c5b4ce13efb13ad7
Instruction ID: c2cb4fee91bd4a8da893cdcbc8ed7b7e604de18a409aeae0f9d10a11c3a8236d
Opcode Fuzzy Hash: eb0a08b72e9b64bcb21d0a79627bdb4df172ae673d5f1307c5b4ce13efb13ad7
Instruction Fuzzy Hash: 8B2195755093808FD703CF64D594716BF71EB46214F28C5EBD8498F6A7C33A980ACB62

Function 013FD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2090424366.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_13fd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: a3b4a91c51d98f5c8e65081da1440c93ff0c7699a74417d2fde6892b513de3f6
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5C11DF72404240CFDB02CF44D5C4B56BF71FB94328F24C2ADD9090B656C33AE45ACBA2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EXQuAzl4Xn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EXQuAzl4Xn.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wBfGlYCdeX.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0gtkvzgy.j4e.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3eynj31f.0ss.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4saod3lc.5l4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a2du2e1r.jke.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_flyoyk5k.dn4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huh5sfd4.3re.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wfqnqds2.ymu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xblckosf.u3t.psm1

Windows Analysis Report
EXQuAzl4Xn.exe