Edit tour

Windows Analysis Report
RFQ.scr.exe

Overview

General Information

Sample name:	RFQ.scr.exe
Analysis ID:	1560132
MD5:	f30993e7984ac60c08d69710eaae6ef4
SHA1:	5caad7257cb88084ac77915bc6247450fdd7faf1
SHA256:	c8d717bc9d9c2bd335a79ac5e189d98f36fcd7ab0c62475a7aa7da5fd5ae75d1
Tags:	exeuser-lowmal3
Infos:

Detection

Discord Token Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Set autostart key via New-ItemProperty Cmdlet

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Discord Token Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

RFQ.scr.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\RFQ.scr.exe" MD5: F30993E7984AC60C08D69710EAAE6EF4)

powershell.exe (PID: 7820 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8032 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

RFQ.scr.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\RFQ.scr.exe" MD5: F30993E7984AC60C08D69710EAAE6EF4)

powershell.exe (PID: 2920 cmdline: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr' -Value '"C:\Users\user\AppData\Roaming\RFQ.scr.exe"' -PropertyType 'String' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RFQ.scr.exe (PID: 7240 cmdline: "C:\Users\user\AppData\Roaming\RFQ.scr.exe" MD5: F30993E7984AC60C08D69710EAAE6EF4)

RFQ.scr.exe (PID: 7484 cmdline: "C:\Users\user\AppData\Roaming\RFQ.scr.exe" MD5: F30993E7984AC60C08D69710EAAE6EF4)

RFQ.scr.exe (PID: 7556 cmdline: "C:\Users\user\AppData\Roaming\RFQ.scr.exe" MD5: F30993E7984AC60C08D69710EAAE6EF4)

RFQ.scr.exe (PID: 7400 cmdline: "C:\Users\user\AppData\Roaming\RFQ.scr.exe" MD5: F30993E7984AC60C08D69710EAAE6EF4)

RFQ.scr.exe (PID: 7364 cmdline: "C:\Users\user\AppData\Roaming\RFQ.scr.exe" MD5: F30993E7984AC60C08D69710EAAE6EF4)

RFQ.scr.exe (PID: 6912 cmdline: "C:\Users\user\AppData\Roaming\RFQ.scr.exe" MD5: F30993E7984AC60C08D69710EAAE6EF4)

RFQ.scr.exe (PID: 7916 cmdline: "C:\Users\user\AppData\Roaming\RFQ.scr.exe" MD5: F30993E7984AC60C08D69710EAAE6EF4)

RFQ.scr.exe (PID: 7884 cmdline: "C:\Users\user\AppData\Roaming\RFQ.scr.exe" MD5: F30993E7984AC60C08D69710EAAE6EF4)

RFQ.scr.exe (PID: 7896 cmdline: "C:\Users\user\AppData\Roaming\RFQ.scr.exe" MD5: F30993E7984AC60C08D69710EAAE6EF4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.1374201957.00000000057C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.1583023321.000000000300B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1366527069.00000000030F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.1583023321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000008.00000002.1366527069.0000000003011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000002.1583023321.0000000002E95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1366527069.00000000033E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RFQ.scr.exe PID: 7364	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RFQ.scr.exe PID: 7828	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: RFQ.scr.exe PID: 7828	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: RFQ.scr.exe PID: 7828	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RFQ.scr.exe PID: 7240	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RFQ.scr.exe PID: 7556	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: RFQ.scr.exe PID: 7556	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RFQ.scr.exe PID: 7400	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.RFQ.scr.exe.57c0000.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.scr.exe", ParentImage: C:\Users\user\Desktop\RFQ.scr.exe, ParentProcessId: 7364, ParentProcessName: RFQ.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.scr.exe", ProcessId: 7820, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\RFQ.scr.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2920, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ.scr

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.scr.exe", ParentImage: C:\Users\user\Desktop\RFQ.scr.exe, ParentProcessId: 7364, ParentProcessName: RFQ.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.scr.exe", ProcessId: 7820, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Set autostart key via New-ItemProperty Cmdlet

Source: Process started

Author: Joe Security: Data: Command: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr' -Value '"C:\Users\user\AppData\Roaming\RFQ.scr.exe"' -PropertyType 'String', CommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr' -Value '"C:\Users\user\AppData\Roaming\RFQ.scr.exe"' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ.scr.exe", ParentImage: C:\Users\user\Desktop\RFQ.scr.exe, ParentProcessId: 7828, ParentProcessName: RFQ.scr.exe, ProcessCommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr' -Value '"C:\Users\user\AppData\Roaming\RFQ.scr.exe"' -PropertyType 'String', ProcessId: 2920, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE [ANY.RUN] PureLogs Stealer C2 Connection M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T12:56:29.419547+0100	2048902	1	A Network Trojan was detected	192.168.2.7	49743	65.21.66.211	62520	TCP

ETPRO MALWARE Win32/zgRAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T12:56:04.952408+0100	2858791	1	Malware Command and Control Activity Detected	192.168.2.7	49703	65.21.66.211	62520	TCP
2024-11-21T12:56:26.681199+0100	2858791	1	Malware Command and Control Activity Detected	192.168.2.7	49743	65.21.66.211	62520	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe

ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: RFQ.scr.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: RFQ.scr.exe

Joe Sandbox ML: detected

Source: RFQ.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RFQ.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: bzug.pdbSHA256hP. source: RFQ.scr.exe, RFQ.scr.exe.8.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: bzug.pdb source: RFQ.scr.exe, RFQ.scr.exe.8.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858791 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.7:49703 -> 65.21.66.211:62520
Source: Network traffic	Suricata IDS: 2858791 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.7:49743 -> 65.21.66.211:62520
Source: Network traffic	Suricata IDS: 2048902 - Severity 1 - ET MALWARE [ANY.RUN] PureLogs Stealer C2 Connection M1 : 192.168.2.7:49743 -> 65.21.66.211:62520

Source: global traffic

TCP traffic: 192.168.2.7:49703 -> 65.21.66.211:62520

Source: Joe Sandbox View

ASN Name: CP-ASDE CP-ASDE

Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.66.211

Source: RFQ.scr.exe, RFQ.scr.exe.8.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RFQ.scr.exe, RFQ.scr.exe.8.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: powershell.exe, 0000000C.00000002.1372631120.00000000033B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000C.00000002.1387172622.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: RFQ.scr.exe, RFQ.scr.exe.8.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 0000000C.00000002.1373890457.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: RFQ.scr.exe, 00000001.00000002.1287957683.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1373890457.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 0000000F.00000002.1508488449.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000012.00000002.1604689552.00000000025C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.1373890457.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.1373890457.0000000004D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000008.00000002.1366527069.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000008.00000002.1366527069.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.000000000300B000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.0000000002E95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: powershell.exe, 0000000C.00000002.1387172622.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.1387172622.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.1387172622.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: RFQ.scr.exe, 00000011.00000002.1583023321.0000000002E95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: powershell.exe, 0000000C.00000002.1373890457.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, RFQ.scr.exe, 00000008.00000002.1371085387.0000000004108000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1605871884.0000000003EC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000008.00000002.1366527069.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.000000000300B000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.0000000002E95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://icanhazip.com/
Source: powershell.exe, 0000000C.00000002.1387172622.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, RFQ.scr.exe, 00000008.00000002.1366527069.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000008.00000002.1366527069.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.000000000300B000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.0000000002E95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/
Source: RFQ.scr.exe, 00000008.00000002.1366527069.0000000003263000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: RFQ.scr.exe, 00000011.00000002.1583023321.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: RFQ.scr.exe, RFQ.scr.exe.8.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: RFQ.scr.exe, 00000008.00000002.1366527069.0000000003263000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: RFQ.scr.exe, 00000011.00000002.1583023321.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: RFQ.scr.exe, 00000011.00000002.1583023321.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: RFQ.scr.exe, 00000008.00000002.1366527069.0000000003263000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RFQ.scr.exe, 00000011.00000002.1583023321.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/

Source: C:\Users\user\Desktop\RFQ.scr.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary

.NET source code contains very large array initializations

Source: 1.2.RFQ.scr.exe.4312b80.3.raw.unpack, Config.cs	Large array initialization: CountConfig: array initializer size 374400
Source: 1.2.RFQ.scr.exe.447ce90.1.raw.unpack, Config.cs	Large array initialization: CountConfig: array initializer size 374400

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQ.scr.exe

Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 1_2_02FAD55C	1_2_02FAD55C
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 1_2_06457991	1_2_06457991
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 1_2_06452F48	1_2_06452F48
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 1_2_06452F58	1_2_06452F58
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 1_2_064517F3	1_2_064517F3
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 1_2_06451C58	1_2_06451C58
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 1_2_06453D40	1_2_06453D40
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 1_2_06453D30	1_2_06453D30
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 1_2_06453390	1_2_06453390
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 1_2_06451820	1_2_06451820
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_01641E88	8_2_01641E88
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_01641E88	8_2_01641E88
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_016458A0	8_2_016458A0
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_016458B0	8_2_016458B0
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_01644B10	8_2_01644B10
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_01641BF0	8_2_01641BF0
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_016422CC	8_2_016422CC
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_01641C00	8_2_01641C00
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_056F2B68	8_2_056F2B68
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_056F2B49	8_2_056F2B49
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0574D668	8_2_0574D668
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05748EF0	8_2_05748EF0
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0574DEF9	8_2_0574DEF9
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0574098D	8_2_0574098D
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0574D658	8_2_0574D658
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0574CE31	8_2_0574CE31
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05748EE0	8_2_05748EE0
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0574CEA0	8_2_0574CEA0
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0574CE90	8_2_0574CE90
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0574D847	8_2_0574D847
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0584B780	8_2_0584B780
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_058483A2	8_2_058483A2
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_058482BE	8_2_058482BE
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0584BCC0	8_2_0584BCC0
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05847C70	8_2_05847C70
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05845FF8	8_2_05845FF8
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0584B780	8_2_0584B780
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0584B76F	8_2_0584B76F
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_058481D3	8_2_058481D3
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_058481E3	8_2_058481E3
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0584811B	8_2_0584811B
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0584E040	8_2_0584E040
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0584E070	8_2_0584E070
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05847DDC	8_2_05847DDC
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05847D37	8_2_05847D37
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0584BCB1	8_2_0584BCB1
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05847CC5	8_2_05847CC5
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05847CE0	8_2_05847CE0
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05847C61	8_2_05847C61
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_058A79B0	8_2_058A79B0
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_058A7CD7	8_2_058A7CD7
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_058A8A48	8_2_058A8A48
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B5B608	8_2_05B5B608
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B5E282	8_2_05B5E282
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B57DB0	8_2_05B57DB0
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B5EC20	8_2_05B5EC20
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B57FD6	8_2_05B57FD6
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B5A9F0	8_2_05B5A9F0
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B5E4EB	8_2_05B5E4EB
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B57300	8_2_05B57300
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B572F1	8_2_05B572F1
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B57DA1	8_2_05B57DA1
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B5AD38	8_2_05B5AD38
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B5EC10	8_2_05B5EC10
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B57FBE	8_2_05B57FBE
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B57F20	8_2_05B57F20
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B5EE8C	8_2_05B5EE8C
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B5EEF6	8_2_05B5EEF6
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_0605C4C8	8_2_0605C4C8
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_061D0448	8_2_061D0448
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_061D0438	8_2_061D0438
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_061D8557	8_2_061D8557
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_061D8568	8_2_061D8568
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_061D1EF8	8_2_061D1EF8
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_061D1EF6	8_2_061D1EF6
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068EBF90	8_2_068EBF90
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E9470	8_2_068E9470
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E3FD8	8_2_068E3FD8
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068EAFE8	8_2_068EAFE8
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068EAFF8	8_2_068EAFF8
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E9460	8_2_068E9460
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E5AA0	8_2_068E5AA0
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E5AB0	8_2_068E5AB0
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E123A	8_2_068E123A
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E1252	8_2_068E1252
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E1270	8_2_068E1270
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E40B9	8_2_068E40B9
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E880F	8_2_068E880F
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E4008	8_2_068E4008
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E4018	8_2_068E4018
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E8820	8_2_068E8820
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E19D4	8_2_068E19D4
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E1910	8_2_068E1910
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E1920	8_2_068E1920
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 15_2_015BD55C	15_2_015BD55C
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 15_2_061934B8	15_2_061934B8
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 15_2_06192106	15_2_06192106
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 15_2_06199953	15_2_06199953
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 15_2_06199960	15_2_06199960
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 15_2_062677C0	15_2_062677C0
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 15_2_06262F48	15_2_06262F48
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 15_2_06262F58	15_2_06262F58
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 15_2_062617F3	15_2_062617F3
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 15_2_06261C58	15_2_06261C58
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 15_2_06263D30	15_2_06263D30
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 15_2_06263D40	15_2_06263D40
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 15_2_06263390	15_2_06263390
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 15_2_06261820	15_2_06261820
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_01311E88	17_2_01311E88
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_01311E88	17_2_01311E88
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_013158B0	17_2_013158B0
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_013158A0	17_2_013158A0
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_01311BF0	17_2_01311BF0
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_01314A2B	17_2_01314A2B
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_013122CC	17_2_013122CC
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_01314508	17_2_01314508
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_01311C00	17_2_01311C00
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_054E2B68	17_2_054E2B68
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_054E2B4A	17_2_054E2B4A
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_054E2AFA	17_2_054E2AFA
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0553D668	17_2_0553D668
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05538EF0	17_2_05538EF0
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0553DEF9	17_2_0553DEF9
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0553098D	17_2_0553098D
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0553D658	17_2_0553D658
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0553CE31	17_2_0553CE31
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05538EE0	17_2_05538EE0
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0553CE90	17_2_0553CE90
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0553CEA0	17_2_0553CEA0
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0553D847	17_2_0553D847
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0563B780	17_2_0563B780
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_056383A2	17_2_056383A2
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_056382BE	17_2_056382BE
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05637C70	17_2_05637C70
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0563BCC0	17_2_0563BCC0
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05635FF8	17_2_05635FF8
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0563B76F	17_2_0563B76F
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0563B780	17_2_0563B780
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0563811B	17_2_0563811B
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_056381E3	17_2_056381E3
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_056381D3	17_2_056381D3
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0563E070	17_2_0563E070
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0563E040	17_2_0563E040
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05637D37	17_2_05637D37
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05637DDC	17_2_05637DDC
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05637C61	17_2_05637C61
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05637CE0	17_2_05637CE0
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05637CC5	17_2_05637CC5
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0563BCB1	17_2_0563BCB1
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0569AE28	17_2_0569AE28
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_056979B0	17_2_056979B0
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05697CD7	17_2_05697CD7
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_056989E0	17_2_056989E0
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0598B608	17_2_0598B608
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0598E280	17_2_0598E280
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05987DB0	17_2_05987DB0
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0598EC20	17_2_0598EC20
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05987FD6	17_2_05987FD6
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0598A9F0	17_2_0598A9F0
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0598EBF2	17_2_0598EBF2
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0598E4EB	17_2_0598E4EB
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05987300	17_2_05987300
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_059872F2	17_2_059872F2
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05988202	17_2_05988202
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05987DA1	17_2_05987DA1
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_0598AD38	17_2_0598AD38
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05987FBE	17_2_05987FBE
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05987F36	17_2_05987F36
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05F8C4C8	17_2_05F8C4C8
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_06100448	17_2_06100448
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_06100438	17_2_06100438
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_06108557	17_2_06108557
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_06108568	17_2_06108568
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_06101EF6	17_2_06101EF6
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_06101EF8	17_2_06101EF8
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D8630	17_2_070D8630
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D19B8	17_2_070D19B8
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D9000	17_2_070D9000
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D6811	17_2_070D6811
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D8630	17_2_070D8630
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D5E09	17_2_070D5E09
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D19B8	17_2_070D19B8
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D1AA5	17_2_070D1AA5
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D86E8	17_2_070D86E8
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D78A2	17_2_070D78A2
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D19A8	17_2_070D19A8
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D6C45	17_2_070D6C45
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D5080	17_2_070D5080
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D78A2	17_2_070D78A2
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 18_2_00B8D55C	18_2_00B8D55C

Source: RFQ.scr.exe

Static PE information: invalid certificate

Source: RFQ.scr.exe, 00000001.00000002.1294373002.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000001.00000002.1287957683.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000001.00000002.1292700855.0000000005780000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000001.00000002.1285083529.000000000122E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000001.00000002.1287957683.0000000003215000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUiyeslxmdm.exe" vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000001.00000000.1265371452.0000000000DB5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebzug.exe: vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000001.00000002.1293005972.0000000005B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000008.00000002.1365117252.0000000001438000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000008.00000002.1371085387.0000000004011000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClassLibrary1.dll" vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000008.00000002.1371085387.0000000004108000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000008.00000002.1377248005.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClassLibrary1.dll" vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000008.00000002.1366527069.0000000003011000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000008.00000002.1373050568.0000000005510000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameIdrcd.dll" vs RFQ.scr.exe
Source: RFQ.scr.exe, 0000000F.00000002.1512661720.0000000004182000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ.scr.exe
Source: RFQ.scr.exe, 0000000F.00000002.1508488449.0000000003011000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs RFQ.scr.exe
Source: RFQ.scr.exe, 0000000F.00000002.1508488449.0000000003085000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUiyeslxmdm.exe" vs RFQ.scr.exe
Source: RFQ.scr.exe, 0000000F.00000002.1512661720.00000000041EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUiyeslxmdm.exe" vs RFQ.scr.exe
Source: RFQ.scr.exe, 0000000F.00000002.1512661720.000000000439B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ.scr.exe
Source: RFQ.scr.exe, 0000000F.00000002.1504592342.000000000140E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000011.00000002.1605871884.0000000003EC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000011.00000002.1583023321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000012.00000002.1621476665.00000000038DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000012.00000002.1621476665.000000000372C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUiyeslxmdm.exe" vs RFQ.scr.exe
Source: RFQ.scr.exe, 00000012.00000002.1621476665.00000000036C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ.scr.exe
Source: RFQ.scr.exe	Binary or memory string: OriginalFilenamebzug.exe: vs RFQ.scr.exe
Source: RFQ.scr.exe.8.dr	Binary or memory string: OriginalFilenamebzug.exe: vs RFQ.scr.exe

Source: RFQ.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RFQ.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ.scr.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.RFQ.scr.exe.4312b80.3.raw.unpack, ExpressionModelDef.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RFQ.scr.exe.4312b80.3.raw.unpack, ExpressionModelDef.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RFQ.scr.exe.4312b80.3.raw.unpack, Config.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RFQ.scr.exe.447ce90.1.raw.unpack, ExpressionModelDef.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RFQ.scr.exe.447ce90.1.raw.unpack, ExpressionModelDef.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RFQ.scr.exe.447ce90.1.raw.unpack, Config.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, DZEHmPoLQ9YkORVoM6.cs	Security API names: _0020.SetAccessControl
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, DZEHmPoLQ9YkORVoM6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, DZEHmPoLQ9YkORVoM6.cs	Security API names: _0020.AddAccessRule
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, QWE7X7xsCNamVFI9jN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, QWE7X7xsCNamVFI9jN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, DZEHmPoLQ9YkORVoM6.cs	Security API names: _0020.SetAccessControl
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, DZEHmPoLQ9YkORVoM6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, DZEHmPoLQ9YkORVoM6.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@26/10@0/1

Source: C:\Users\user\Desktop\RFQ.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.scr.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\b5362cbb5b11df1c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5128:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_piqfuzxk.cbt.ps1

Jump to behavior

Source: RFQ.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RFQ.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\RFQ.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000008.00000002.1366527069.00000000034FE000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.000000000324C000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.00000000031FB000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: RFQ.scr.exe

ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\RFQ.scr.exe

File read: C:\Users\user\Desktop\RFQ.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ.scr.exe "C:\Users\user\Desktop\RFQ.scr.exe"
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.scr.exe"
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Users\user\Desktop\RFQ.scr.exe "C:\Users\user\Desktop\RFQ.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr' -Value '"C:\Users\user\AppData\Roaming\RFQ.scr.exe"' -PropertyType 'String'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Users\user\Desktop\RFQ.scr.exe "C:\Users\user\Desktop\RFQ.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr' -Value '"C:\Users\user\AppData\Roaming\RFQ.scr.exe"' -PropertyType 'String'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"

Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Section loaded: windowscodecs.dll

Source: C:\Users\user\Desktop\RFQ.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\RFQ.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: RFQ.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RFQ.scr.exe

Static file information: File size 1171976 > 1048576

Source: RFQ.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: RFQ.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: bzug.pdbSHA256hP. source: RFQ.scr.exe, RFQ.scr.exe.8.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: bzug.pdb source: RFQ.scr.exe, RFQ.scr.exe.8.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1.2.RFQ.scr.exe.4312b80.3.raw.unpack, ExpressionModelDef.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.RFQ.scr.exe.447ce90.1.raw.unpack, ExpressionModelDef.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, DZEHmPoLQ9YkORVoM6.cs	.Net Code: JQbGUEVnrD System.Reflection.Assembly.Load(byte[])
Source: 1.2.RFQ.scr.exe.4312b80.3.raw.unpack, Config.cs	.Net Code: StartConfig System.AppDomain.Load(byte[])
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, DZEHmPoLQ9YkORVoM6.cs	.Net Code: JQbGUEVnrD System.Reflection.Assembly.Load(byte[])
Source: 1.2.RFQ.scr.exe.447ce90.1.raw.unpack, Config.cs	.Net Code: StartConfig System.AppDomain.Load(byte[])

Suspicious powershell command line found

Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr' -Value '"C:\Users\user\AppData\Roaming\RFQ.scr.exe"' -PropertyType 'String'
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr' -Value '"C:\Users\user\AppData\Roaming\RFQ.scr.exe"' -PropertyType 'String'			Jump to behavior

Yara detected Costura Assembly Loader

Source: Yara match	File source: 8.2.RFQ.scr.exe.57c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1374201957.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1583023321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1366527069.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ.scr.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RFQ.scr.exe PID: 7556, type: MEMORYSTR

Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05747531 push eax; ret	8_2_0574753D
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05746F50 pushfd ; retf	8_2_05746F51
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B51613 push esp; ret	8_2_05B51621
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_05B51603 pushad ; ret	8_2_05B51611
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_06211A60 push ss; ret	8_2_06211A77
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E0197 push ebp; ret	8_2_068E0198
Source: C:\Users\user\Desktop\RFQ.scr.exe	Code function: 8_2_068E1169 push es; ret	8_2_068E1178
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_03262CCB push 04B807B9h; retf	12_2_03262CEE
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_054E676E push 0805A5B7h; iretd	17_2_054E6785
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_054E4ED2 push 04418B05h; ret	17_2_054E4EF3
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05536F50 pushfd ; retf	17_2_05536F51
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05981612 push esp; ret	17_2_05981621
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_05981602 pushad ; ret	17_2_05981611
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_06141A60 push ss; ret	17_2_06141A77
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Code function: 17_2_070D93CA push es; ret	17_2_070D93D6

Source: RFQ.scr.exe	Static PE information: section name: .text entropy: 7.887067453401871
Source: RFQ.scr.exe.8.dr	Static PE information: section name: .text entropy: 7.887067453401871

Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, g2DD52lTFmk5C952M6.cs	High entropy of concatenated method names: 'iLhVjm8hwO', 'rhWVL7g2t4', 'jGOW5tj9KM', 'xhqWaY4Tfk', 'aLhVXfSZwX', 'dGHVu69H73', 'HKGVD3ouBZ', 'LHiVse8vAp', 'hHXVJpRaDb', 'MeKVNOeDmf'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, YW0uxdSmU0B7y4QRQ7.cs	High entropy of concatenated method names: 'Can3iFxS6B', 'exC3pBvjEn', 'hI33UZDDms', 'V8y3KcaH9Q', 'ttu3y023J2', 'zPT3MtS4JF', 'oTx38eveEn', 'SvP3qcXnid', 'L01jdLFlx8hL3nwYLe7', 'wrsDYXFORWNK2WNqM00'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, uP5QKJzN3tlT371pVk.cs	High entropy of concatenated method names: 'y97ByMPkAc', 'eOHBxA4k2P', 'DeQB8llWr1', 'PRlBFM3JIR', 'nmWBEtbne9', 'wlDBS1N7Qh', 'mw8BC9Diiy', 'hxXBiCDmdh', 'zIbBpE4ZMA', 'BUtBHSwiJW'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, Mr4ijSn9x1U4NLo9ch.cs	High entropy of concatenated method names: 'iOZ19dwlyW', 'pIe1vy3FOm', 'qYW13TGOEC', 'MiI3LWpwmf', 'RvY3zcIN6d', 'ufd15tWvnA', 'ol21a2qBNi', 'n8q1mRqtNX', 'RuY1OyEh5R', 'Ori1GdKreD'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, tb4XIy0rV9EuWWUN90.cs	High entropy of concatenated method names: 'gwO1pWc4g9', 'Dqe1HdiKRj', 'RKv1Uns9wZ', 'Cdl1KsxaDw', 'WcK1kgF4xK', 'x2Y1yma1Or', 'tR21ME5hc9', 'yc01xjTEn2', 'O7c18xramU', 'njV1qGIw9t'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, xl2YSia5JQRhNYgQLwS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TCYBX8PTpD', 'FTlBup230w', 'E5BBDJ6SnE', 'TwrBsbeTO7', 'YI1BJ6K2rD', 'OYIBN0WlTg', 'vDwB2TH8I4'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, er0ylwsBa91UN5BNAl.cs	High entropy of concatenated method names: 'FlXTwUgVga', 'wSiTu8LDvf', 'M9HTsaI09U', 'GD0TJraNuL', 'wIgTEdsWHf', 'Jj8Tfph53p', 'GJETSrG3AY', 'Qw3TC1SUpo', 'kDyTgZnZbG', 'cCETntIuxU'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, S566FEqSOr7qhDNn0v.cs	High entropy of concatenated method names: 'udQrkSlK0h', 'dFerMl7P1g', 'mNfvfQqF2m', 'Sq1vSMbjy7', 'lmRvCxrRBo', 'lyFvgKIIIn', 'WoJvn7pgRX', 'Mi4vb54NN6', 'CSNv0NOp6s', 'RxHvwwwmwZ'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, VtjY3FAOylNHSOafhD.cs	High entropy of concatenated method names: 's6yeT9aTkq', 'eAweVWaoMy', 'AfheeMGn08', 'uJyehiYsHF', 'dPneZqdw1g', 'spxeiGSTHQ', 'Dispose', 'f37W9Frnl5', 'EZAW4bqZHb', 'CLMWv4UEqx'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, QPNtJOGNi2qghSJrpx.cs	High entropy of concatenated method names: 'Xqsa1WE7X7', 'QCNaoamVFI', 'Xn1aQqdBjn', 'knTaddJ566', 'QNnaT0vmgb', 'XEWa7h2vcs', 'vRENbLJS7coZjPpBtm', 'ive3VYbkJIBwRmFFX3', 'NpYaa4oBmv', 'mhOaOt8H7w'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, GZuLWIaGZ4JqXZBCMM6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bFs6eMRQHE', 'mke6ByOfMl', 'twW6hQNQGl', 'QX8662DAEY', 'QkH6ZmHaJS', 'Px86R8fZ4f', 'vAJ6iUTtYa'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, O3JlH8aasE7dBRuK5a5.cs	High entropy of concatenated method names: 'BMsBLSjGUa', 'z9OBzhvq4I', 'Lpwh59PhtB', 'yWdhaM4DEO', 'w7Bhm2OENw', 'WakhO1MiQY', 'hbqhGvbEfp', 'd86hIKjHAm', 'tQmh9t4E18', 'CSyh4qhCnA'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, cgbYEWFh2vcs3VICk9.cs	High entropy of concatenated method names: 'Ury3IN4WUW', 'htn342aEZj', 'toG3rjqBMA', 'pNP31RMTOj', 'Rxu3owISVJ', 'ufKrPbPimt', 'Vofrlf2mEk', 'EbjrAnvmAj', 'YWNrjOEWSB', 'NVYrYg8a97'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, YmfBIoD62GBvZbBhNU.cs	High entropy of concatenated method names: 'zuetx0uQFM', 'h16t8SlUBh', 'iZ6tFv3nws', 'KontEWof9k', 'NdFtSR0jAb', 'WeltCHFQG3', 'GSVtnvHojw', 'MqEtbSsJEb', 'JiItw8UluU', 'e4DtXCVDkX'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, CssuM3N6c9WgjMOHgl.cs	High entropy of concatenated method names: 'ToString', 'AIn7X2awKu', 'Tfg7ELvERN', 'aHr7fsmLGy', 'dG37SAq9n3', 'M2j7CCkqwQ', 'qFH7gM0qLI', 'oSQ7nA380i', 'P2e7bHUCxu', 'g0r70hOn4K'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, VNJhvTYwWGJo93ge83.cs	High entropy of concatenated method names: 'xoneF0yCyJ', 'c2QeEUrWYX', 'peDef3NP49', 'ANteSjGYo3', 'mKweC4Ijde', 'zcYegQQClx', 'KBMenxuBD5', 'u3aebA1IrJ', 'hOUe0RhL6H', 'rLHewAHL8Q'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, VDatKWmKylAfhoT9IR.cs	High entropy of concatenated method names: 'G9XU1kZBF', 'BgAKVnHVN', 'lgCyPbeRU', 'pMPMWtn3n', 'z1h8NavLn', 's0mq0Y0x2', 'Bt79HAuQ0xMt1cYTYQ', 'P9bBIlklJ46OiS8kRJ', 'F8fW0oo9j', 'OB6BB0eev'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, PcyW0F4H3DE0s9FbQq.cs	High entropy of concatenated method names: 'Dispose', 'VNHaYSOafh', 'zLFmE5DMBR', 'Cv09hL9ocf', 'PTbaLLuZrm', 'sgjazybT1Q', 'ProcessDialogKey', 'jolm5NJhvT', 'NWGmaJo93g', 'r83mm9tWnD'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, ftWnDlLRmEY5WjIwcY.cs	High entropy of concatenated method names: 'tljBvoKBaF', 'agjBrCjmlL', 'zV1B3Px1k9', 'I4MB1llIau', 'MvTBeEG2iQ', 'k2eBocWsxN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, QWE7X7xsCNamVFI9jN.cs	High entropy of concatenated method names: 'qpb4sN05GX', 'gx04Jg2He0', 'o464NjGvyo', 't7142m7Rwa', 'Bjv4PslVC1', 'fb84lHEjZ2', 'Cvl4ACVg4t', 'gTT4jiea3y', 'dwu4YdaalR', 'lTv4LpN1yT'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, kKNd8j8n1qdBjnonTd.cs	High entropy of concatenated method names: 'xT4vK1Ywdd', 'egRvyy4Sv5', 'UnBvxf2vZv', 'jL8v87PrNU', 'CJ7vTCQ2MP', 'hqXv7XRahU', 'Ue7vVjtabS', 'm7UvWoy5YY', 'gdfveniBgb', 'QnZvBcdgUH'
Source: 1.2.RFQ.scr.exe.4264360.2.raw.unpack, DZEHmPoLQ9YkORVoM6.cs	High entropy of concatenated method names: 'xWiOIJhKGM', 'R87O98Wg5j', 'R3dO4o0Zx2', 'jXVOvyUS3Q', 'b3iOrgmvOj', 'oSgO3dEusp', 'F3wO1vBIyX', 'GMeOolNO0e', 'PDEOcfgMK1', 'PpUOQmcWH0'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, g2DD52lTFmk5C952M6.cs	High entropy of concatenated method names: 'iLhVjm8hwO', 'rhWVL7g2t4', 'jGOW5tj9KM', 'xhqWaY4Tfk', 'aLhVXfSZwX', 'dGHVu69H73', 'HKGVD3ouBZ', 'LHiVse8vAp', 'hHXVJpRaDb', 'MeKVNOeDmf'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, YW0uxdSmU0B7y4QRQ7.cs	High entropy of concatenated method names: 'Can3iFxS6B', 'exC3pBvjEn', 'hI33UZDDms', 'V8y3KcaH9Q', 'ttu3y023J2', 'zPT3MtS4JF', 'oTx38eveEn', 'SvP3qcXnid', 'L01jdLFlx8hL3nwYLe7', 'wrsDYXFORWNK2WNqM00'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, uP5QKJzN3tlT371pVk.cs	High entropy of concatenated method names: 'y97ByMPkAc', 'eOHBxA4k2P', 'DeQB8llWr1', 'PRlBFM3JIR', 'nmWBEtbne9', 'wlDBS1N7Qh', 'mw8BC9Diiy', 'hxXBiCDmdh', 'zIbBpE4ZMA', 'BUtBHSwiJW'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, Mr4ijSn9x1U4NLo9ch.cs	High entropy of concatenated method names: 'iOZ19dwlyW', 'pIe1vy3FOm', 'qYW13TGOEC', 'MiI3LWpwmf', 'RvY3zcIN6d', 'ufd15tWvnA', 'ol21a2qBNi', 'n8q1mRqtNX', 'RuY1OyEh5R', 'Ori1GdKreD'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, tb4XIy0rV9EuWWUN90.cs	High entropy of concatenated method names: 'gwO1pWc4g9', 'Dqe1HdiKRj', 'RKv1Uns9wZ', 'Cdl1KsxaDw', 'WcK1kgF4xK', 'x2Y1yma1Or', 'tR21ME5hc9', 'yc01xjTEn2', 'O7c18xramU', 'njV1qGIw9t'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, xl2YSia5JQRhNYgQLwS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TCYBX8PTpD', 'FTlBup230w', 'E5BBDJ6SnE', 'TwrBsbeTO7', 'YI1BJ6K2rD', 'OYIBN0WlTg', 'vDwB2TH8I4'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, er0ylwsBa91UN5BNAl.cs	High entropy of concatenated method names: 'FlXTwUgVga', 'wSiTu8LDvf', 'M9HTsaI09U', 'GD0TJraNuL', 'wIgTEdsWHf', 'Jj8Tfph53p', 'GJETSrG3AY', 'Qw3TC1SUpo', 'kDyTgZnZbG', 'cCETntIuxU'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, S566FEqSOr7qhDNn0v.cs	High entropy of concatenated method names: 'udQrkSlK0h', 'dFerMl7P1g', 'mNfvfQqF2m', 'Sq1vSMbjy7', 'lmRvCxrRBo', 'lyFvgKIIIn', 'WoJvn7pgRX', 'Mi4vb54NN6', 'CSNv0NOp6s', 'RxHvwwwmwZ'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, VtjY3FAOylNHSOafhD.cs	High entropy of concatenated method names: 's6yeT9aTkq', 'eAweVWaoMy', 'AfheeMGn08', 'uJyehiYsHF', 'dPneZqdw1g', 'spxeiGSTHQ', 'Dispose', 'f37W9Frnl5', 'EZAW4bqZHb', 'CLMWv4UEqx'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, QPNtJOGNi2qghSJrpx.cs	High entropy of concatenated method names: 'Xqsa1WE7X7', 'QCNaoamVFI', 'Xn1aQqdBjn', 'knTaddJ566', 'QNnaT0vmgb', 'XEWa7h2vcs', 'vRENbLJS7coZjPpBtm', 'ive3VYbkJIBwRmFFX3', 'NpYaa4oBmv', 'mhOaOt8H7w'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, GZuLWIaGZ4JqXZBCMM6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bFs6eMRQHE', 'mke6ByOfMl', 'twW6hQNQGl', 'QX8662DAEY', 'QkH6ZmHaJS', 'Px86R8fZ4f', 'vAJ6iUTtYa'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, O3JlH8aasE7dBRuK5a5.cs	High entropy of concatenated method names: 'BMsBLSjGUa', 'z9OBzhvq4I', 'Lpwh59PhtB', 'yWdhaM4DEO', 'w7Bhm2OENw', 'WakhO1MiQY', 'hbqhGvbEfp', 'd86hIKjHAm', 'tQmh9t4E18', 'CSyh4qhCnA'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, cgbYEWFh2vcs3VICk9.cs	High entropy of concatenated method names: 'Ury3IN4WUW', 'htn342aEZj', 'toG3rjqBMA', 'pNP31RMTOj', 'Rxu3owISVJ', 'ufKrPbPimt', 'Vofrlf2mEk', 'EbjrAnvmAj', 'YWNrjOEWSB', 'NVYrYg8a97'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, YmfBIoD62GBvZbBhNU.cs	High entropy of concatenated method names: 'zuetx0uQFM', 'h16t8SlUBh', 'iZ6tFv3nws', 'KontEWof9k', 'NdFtSR0jAb', 'WeltCHFQG3', 'GSVtnvHojw', 'MqEtbSsJEb', 'JiItw8UluU', 'e4DtXCVDkX'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, CssuM3N6c9WgjMOHgl.cs	High entropy of concatenated method names: 'ToString', 'AIn7X2awKu', 'Tfg7ELvERN', 'aHr7fsmLGy', 'dG37SAq9n3', 'M2j7CCkqwQ', 'qFH7gM0qLI', 'oSQ7nA380i', 'P2e7bHUCxu', 'g0r70hOn4K'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, VNJhvTYwWGJo93ge83.cs	High entropy of concatenated method names: 'xoneF0yCyJ', 'c2QeEUrWYX', 'peDef3NP49', 'ANteSjGYo3', 'mKweC4Ijde', 'zcYegQQClx', 'KBMenxuBD5', 'u3aebA1IrJ', 'hOUe0RhL6H', 'rLHewAHL8Q'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, VDatKWmKylAfhoT9IR.cs	High entropy of concatenated method names: 'G9XU1kZBF', 'BgAKVnHVN', 'lgCyPbeRU', 'pMPMWtn3n', 'z1h8NavLn', 's0mq0Y0x2', 'Bt79HAuQ0xMt1cYTYQ', 'P9bBIlklJ46OiS8kRJ', 'F8fW0oo9j', 'OB6BB0eev'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, PcyW0F4H3DE0s9FbQq.cs	High entropy of concatenated method names: 'Dispose', 'VNHaYSOafh', 'zLFmE5DMBR', 'Cv09hL9ocf', 'PTbaLLuZrm', 'sgjazybT1Q', 'ProcessDialogKey', 'jolm5NJhvT', 'NWGmaJo93g', 'r83mm9tWnD'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, ftWnDlLRmEY5WjIwcY.cs	High entropy of concatenated method names: 'tljBvoKBaF', 'agjBrCjmlL', 'zV1B3Px1k9', 'I4MB1llIau', 'MvTBeEG2iQ', 'k2eBocWsxN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, QWE7X7xsCNamVFI9jN.cs	High entropy of concatenated method names: 'qpb4sN05GX', 'gx04Jg2He0', 'o464NjGvyo', 't7142m7Rwa', 'Bjv4PslVC1', 'fb84lHEjZ2', 'Cvl4ACVg4t', 'gTT4jiea3y', 'dwu4YdaalR', 'lTv4LpN1yT'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, kKNd8j8n1qdBjnonTd.cs	High entropy of concatenated method names: 'xT4vK1Ywdd', 'egRvyy4Sv5', 'UnBvxf2vZv', 'jL8v87PrNU', 'CJ7vTCQ2MP', 'hqXv7XRahU', 'Ue7vVjtabS', 'm7UvWoy5YY', 'gdfveniBgb', 'QnZvBcdgUH'
Source: 1.2.RFQ.scr.exe.5ca0000.5.raw.unpack, DZEHmPoLQ9YkORVoM6.cs	High entropy of concatenated method names: 'xWiOIJhKGM', 'R87O98Wg5j', 'R3dO4o0Zx2', 'jXVOvyUS3Q', 'b3iOrgmvOj', 'oSgO3dEusp', 'F3wO1vBIyX', 'GMeOolNO0e', 'PDEOcfgMK1', 'PpUOQmcWH0'

Source: C:\Users\user\Desktop\RFQ.scr.exe

File created: C:\Users\user\AppData\Roaming\RFQ.scr.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RFQ.scr			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RFQ.scr			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: RFQ.scr.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RFQ.scr.exe PID: 7240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RFQ.scr.exe PID: 7400, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RFQ.scr.exe, 00000008.00000002.1366527069.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\RFQ.scr.exe	Memory allocated: 2F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Memory allocated: 2F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Memory allocated: 68C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Memory allocated: 78C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Memory allocated: 7A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Memory allocated: 8A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Memory allocated: 1640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Memory allocated: 3010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 15B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 3010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 5010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 67A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 77A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 78F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 88F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 1310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 4DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: B40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 2550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 4550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 5C80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 6C80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 6DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory allocated: 7DD0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6918	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2654	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Window / User API: threadDelayed 4685	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Window / User API: threadDelayed 4622	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3635	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2705	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Window / User API: threadDelayed 3507	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Window / User API: threadDelayed 5771	Jump to behavior

Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7404	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -37000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -36875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -36750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -36637s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -36504s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -36375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -36264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -36070s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -35500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -35366s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -35234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -34906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -34765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -34656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -34544s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -34437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7972	Thread sleep time: -34328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe TID: 7872	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4720	Thread sleep count: 3635 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4720	Thread sleep count: 2705 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6188	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6308	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -34891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -34766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -34641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -34529s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -34417s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -34266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -34139s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -34017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -33901s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -33750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -33594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -33480s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -33372s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -33250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -33141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -33016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -32891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -32782s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -32657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -32532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -32422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -64624s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -32204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -34888s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -34530s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -34383s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -34279s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -34156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -33656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -33546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -33389s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -33238s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -33109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -33000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -32890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -32779s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -32656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -32545s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -32431s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -32203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -32093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -31984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1792	Thread sleep time: -31875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 1352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe TID: 7764	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Users\user\Desktop\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 37000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 36875	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 36750	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 36637	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 36504	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 36375	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 36264	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 36070	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 35500	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 35366	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 35234	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 34906	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 34765	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 34656	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 34544	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 34437	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 34328	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 35000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 34891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 34766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 34641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 34529	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 34417	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 34266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 34139	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 34017	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 33901	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 33750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 33594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 33480	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 33372	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 33250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 33141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 33016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 32891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 32782	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 32657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 32532	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 32422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 32312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 32204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 34888	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 34530	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 34383	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 34279	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 34156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 33656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 33546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 33389	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 33238	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 33109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 33000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 32890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 32779	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 32656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 32545	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 32431	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 32203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 32093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 31984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 31875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Thread delayed: delay time: 922337203685477

Source: RFQ.scr.exe, 00000008.00000002.1365592657.0000000001520000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: RFQ.scr.exe, 00000001.00000002.1285183521.0000000001265000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RFQ.scr.exe, 00000011.00000002.1583023321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|Xen4win32_process.handle='{0}'
Source: RFQ.scr.exe, 00000008.00000002.1366527069.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmGuestLib.dllDselect * from Win32_ComputerSystem
Source: RFQ.scr.exe, 00000011.00000002.1583023321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: RFQ.scr.exe, 00000011.00000002.1578527236.000000000114F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.scr.exe

Code function: 8_2_05B5BCE0 LdrInitializeThunk,

8_2_05B5BCE0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\RFQ.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.scr.exe"
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.scr.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\RFQ.scr.exe	Memory written: C:\Users\user\Desktop\RFQ.scr.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Memory written: C:\Users\user\AppData\Roaming\RFQ.scr.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Users\user\Desktop\RFQ.scr.exe "C:\Users\user\Desktop\RFQ.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr' -Value '"C:\Users\user\AppData\Roaming\RFQ.scr.exe"' -PropertyType 'String'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Process created: C:\Users\user\AppData\Roaming\RFQ.scr.exe "C:\Users\user\AppData\Roaming\RFQ.scr.exe"

Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'rfq.scr';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'rfq.scr' -value '"c:\users\user\appdata\roaming\rfq.scr.exe"' -propertytype 'string'
Source: C:\Users\user\Desktop\RFQ.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'rfq.scr';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'rfq.scr' -value '"c:\users\user\appdata\roaming\rfq.scr.exe"' -propertytype 'string'			Jump to behavior

Source: C:\Users\user\Desktop\RFQ.scr.exe	Queries volume information: C:\Users\user\Desktop\RFQ.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Queries volume information: C:\Users\user\Desktop\RFQ.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\RFQ.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\RFQ.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\RFQ.scr.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\RFQ.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RFQ.scr.exe, 00000008.00000002.1365592657.00000000014A8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\RFQ.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Discord Token Stealer

Source: Yara match

File source: Process Memory Space: RFQ.scr.exe PID: 7828, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electruml
Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectronCash
Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty"
Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000033E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q7C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000033E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q4C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000030F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Profile 98rontdesk\AppData\Roaming\Binance\configigfig\Config.json
Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000033E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q9C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: RFQ.scr.exe, 00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: KeyStore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt			Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RFQ.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1583023321.000000000300B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1366527069.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1583023321.0000000002E95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1366527069.00000000033E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ.scr.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RFQ.scr.exe PID: 7556, type: MEMORYSTR

Remote Access Functionality

Yara detected Discord Token Stealer

Source: Yara match

File source: Process Memory Space: RFQ.scr.exe PID: 7828, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	41 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	Security Account Manager	241 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	51 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	51 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RFQ.scr.exe	39%	ReversingLabs
RFQ.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\RFQ.scr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\RFQ.scr.exe	39%	ReversingLabs

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000C.00000002.1387172622.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, RFQ.scr.exe, 00000008.00000002.1366527069.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, RFQ.scr.exe, 00000008.00000002.1371085387.0000000004108000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1605871884.0000000003EC3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.micro	powershell.exe, 0000000C.00000002.1372631120.00000000033B4000.00000004.00000020.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000C.00000002.1373890457.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 0000000C.00000002.1373890457.0000000004D71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000C.00000002.1373890457.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 0000000C.00000002.1387172622.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://icanhazip.com/	RFQ.scr.exe, 00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000008.00000002.1366527069.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.000000000300B000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.0000000002E95000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 0000000C.00000002.1387172622.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 0000000C.00000002.1387172622.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discordapp.com/api/v9/users/	RFQ.scr.exe, 00000011.00000002.1583023321.0000000002E95000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 0000000C.00000002.1387172622.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-net	RFQ.scr.exe, 00000008.00000002.1374377014.00000000057F0000.00000004.08000000.00040000.00000000.sdmp	false	high
https://steamcommunity.com/profiles/	RFQ.scr.exe, 00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000008.00000002.1366527069.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.000000000300B000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.0000000002E95000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RFQ.scr.exe, 00000001.00000002.1287957683.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1373890457.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 0000000F.00000002.1508488449.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000012.00000002.1604689552.00000000025C8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	RFQ.scr.exe, RFQ.scr.exe.8.dr	false	high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	RFQ.scr.exe, 00000008.00000002.1366527069.0000000003263000.00000004.00000800.00020000.00000000.sdmp, RFQ.scr.exe, 00000011.00000002.1583023321.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 0000000C.00000002.1373890457.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefox	RFQ.scr.exe, 00000011.00000002.1583023321.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
65.21.66.211	unknown	United States		199592	CP-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560132
Start date and time:	2024-11-21 12:55:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQ.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@26/10@0/1
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 94% Number of executed functions: 591 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2920 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: RFQ.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
06:56:01	API Interceptor	103x Sleep call for process: RFQ.scr.exe modified
06:56:03	API Interceptor	20x Sleep call for process: powershell.exe modified
12:56:15	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RFQ.scr C:\Users\user\AppData\Roaming\RFQ.scr.exe
13:59:03	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RFQ.scr C:\Users\user\AppData\Roaming\RFQ.scr.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
65.21.66.211	TS-240511-UF1.exe	Get hash	malicious	PureLog Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CP-ASDE	hiss.arm7.elf	Get hash	malicious	Unknown	Browse	65.20.118.153
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	65.21.172.133
	Payload 94.75.225.exe	Get hash	malicious	Unknown	Browse	65.21.98.72
	0438.pdf.exe	Get hash	malicious	Unknown	Browse	65.21.245.7
	0438.pdf.exe	Get hash	malicious	Unknown	Browse	65.21.245.7
	J4zGPhVRV3.exe	Get hash	malicious	RMSRemoteAdmin	Browse	65.21.245.7
	J4zGPhVRV3.exe	Get hash	malicious	RMSRemoteAdmin	Browse	65.21.245.7
	FPPhfkcDCh.exe	Get hash	malicious	Remcos	Browse	65.21.245.7
	gBYz86HSwI.msi	Get hash	malicious	Unknown	Browse	65.21.245.7
	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	65.21.196.90

Process:	C:\Users\user\Desktop\RFQ.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1260
Entropy (8bit):	5.3840843615352725
Encrypted:	false
SSDEEP:	24:3CWSKco4KmZjKbmOIKod6emZ9tYs4RPQoUGt/NK3R8IHia6mu:SWSU4xympjmZ9tz4RIoUeNWR8IH4mu
MD5:	A97E260001ACB3E4739A819D0AE7DF59
SHA1:	823D2946507EE2F54B25523063C9583955735A2A
SHA-256:	D0E8D6889F7777F93DF86295DA18023D21F37BF378A0FF1D404266BFC7FEF552
SHA-512:	D0744B7ED126739DEB8ADE2F568CA8E33AEC786AFCCA97DDBF4114E701692D52DBA14DD3752B1DB4C77CF1D2C0A04868EE242FF3848E49575A1D3DC831AF27F9
Malicious:	false
Reputation:	low
Preview:	@...e.................................:..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1qltcpvq.3ze.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_id1secl3.die.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nvuhdglt.g4z.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_piqfuzxk.cbt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqd3gxp4.jo4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vip2ni4b.urz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\RFQ.scr.exe

Download File

Process:	C:\Users\user\Desktop\RFQ.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1171976
Entropy (8bit):	7.615188788998391
Encrypted:	false
SSDEEP:	24576:HEMpzxW67lClGVT2tpH3tJBmqzzz2LA5BEHgeCr0Mn0P6:jWAl/2ndJbzL/EHgtr4C
MD5:	F30993E7984AC60C08D69710EAAE6EF4
SHA1:	5CAAD7257CB88084AC77915BC6247450FDD7FAF1
SHA-256:	C8D717BC9D9C2BD335A79AC5E189D98F36FCD7AB0C62475A7AA7DA5FD5AE75D1
SHA-512:	C2A9353E6CF3CEB641DC4D4F68917D9D55A23CB8CA1CBC9F6C9BA9492CFB8FC7A8CBCC9A389AD877244AFC15FEC03204CD747B9A3E073B70A24776143A25BD74
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....?g..............0.................. ........@.. ....................................@.................................^...O........................6..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............G......?.......x............................................0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+...0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..

C:\Users\user\AppData\Roaming\RFQ.scr.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RFQ.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.615188788998391
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	RFQ.scr.exe
File size:	1'171'976 bytes
MD5:	f30993e7984ac60c08d69710eaae6ef4
SHA1:	5caad7257cb88084ac77915bc6247450fdd7faf1
SHA256:	c8d717bc9d9c2bd335a79ac5e189d98f36fcd7ab0c62475a7aa7da5fd5ae75d1
SHA512:	c2a9353e6cf3ceb641dc4d4f68917d9d55a23cb8ca1cbc9f6c9ba9492cfb8fc7a8cbcc9a389ad877244afc15fec03204cd747b9a3e073b70a24776143a25bd74
SSDEEP:	24576:HEMpzxW67lClGVT2tpH3tJBmqzzz2LA5BEHgeCr0Mn0P6:jWAl/2ndJbzL/EHgtr4C
TLSH:	5445BE04B3381B90C4315FB6E814AE091F227F5D2C7DE42DA9BDF186A27B78215A5DCB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....?g..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	f0d0f8f4f4d8f070

Static PE Info

General

Entrypoint:	0x4edcb2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673F07D2 [Thu Nov 21 10:13:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/11/2018 19:00:00 08/11/2021 18:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xedc5e	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xee000	0x2e918	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x11ac00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xec380	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xebcb8	0xebe00	18a5c04cf8004ef9fef923517040ae84	False	0.912432308227345	data	7.887067453401871	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xee000	0x2e918	0x2ea00	6f7053356d5e4ba23583d3dfed85771e	False	0.27600850368632707	data	4.920590937479953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11e000	0xc	0x200	a24f7a72d812ea84a201d81b8cecfafc	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xee2b0	0x68d3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9975032606670393
RT_ICON	0xf4b84	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.10162072636933633
RT_ICON	0x1053ac	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.14468152196762665
RT_ICON	0x10e854	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.17573937153419594
RT_ICON	0x113cdc	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.17725555030703827
RT_ICON	0x117f04	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.23091286307053943
RT_ICON	0x11a4ac	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.4146341463414634
RT_ICON	0x11b554	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.41270491803278686
RT_ICON	0x11bedc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.6524822695035462
RT_GROUP_ICON	0x11c344	0x84	data	0.7045454545454546
RT_VERSION	0x11c3c8	0x364	data	0.4308755760368664
RT_MANIFEST	0x11c72c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-21T12:56:04.952408+0100	2858791	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.7	49703	65.21.66.211	62520	TCP
2024-11-21T12:56:26.681199+0100	2858791	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.7	49743	65.21.66.211	62520	TCP
2024-11-21T12:56:29.419547+0100	2048902	ET MALWARE [ANY.RUN] PureLogs Stealer C2 Connection M1	1	192.168.2.7	49743	65.21.66.211	62520	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 12:56:04.700265884 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:04.820785046 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:04.820861101 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:04.832840919 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:04.952349901 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:04.952408075 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:05.072170973 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.338222980 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.338752031 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.338774920 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.338785887 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.338848114 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.338849068 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.338917017 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.338931084 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.338943958 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.338957071 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.338974953 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.339018106 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.339040995 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.339055061 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.339097023 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.459247112 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.459304094 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.459389925 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.463383913 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.463416100 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.463485003 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.534039021 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.534080982 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.535181999 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.538007975 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.538131952 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.538184881 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.546314001 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.546416044 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.546478987 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.555454969 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.555468082 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.555524111 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.563075066 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.563090086 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.563173056 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.571274042 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.571383953 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.571451902 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.579663038 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.579801083 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.579864025 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.588030100 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.588120937 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.588170052 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.596791983 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.596916914 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.596970081 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.604763985 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.604873896 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.604919910 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.612724066 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.612802029 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.612857103 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.685287952 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.685619116 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.685664892 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.689189911 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.722717047 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.722805023 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.722816944 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.725126982 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.725153923 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.725286961 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.728807926 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.728873968 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.728918076 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.733653069 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.733714104 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.733901024 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.738445997 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.738507986 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.738532066 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.743249893 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.743345976 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.743385077 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.748037100 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.748101950 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.748126030 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.752760887 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.752809048 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.752860069 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.757595062 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.757647991 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.757783890 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.762500048 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.762557983 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.762589931 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.767019987 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.767079115 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.767122984 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.771837950 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.771893978 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.771903038 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.776519060 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.776571035 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.776787996 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.781356096 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.781372070 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.781410933 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.786043882 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.786092043 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.786132097 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.790829897 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.790873051 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.790966988 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.795665026 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.795725107 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.795731068 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.800266981 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.800334930 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.800391912 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.805041075 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.805099964 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.805121899 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.809823036 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.809876919 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.809916973 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.814532995 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.814584970 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.814635992 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.819345951 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.819422007 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.877206087 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.877222061 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.877310038 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.878508091 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.878619909 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.878668070 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.883321047 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.883369923 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.883416891 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.914755106 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.914849997 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.914928913 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.916574955 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.916718960 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.916766882 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.920289993 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.920387983 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.920444965 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.924022913 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.924113035 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.924160957 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.927525997 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.927619934 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.927671909 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.931056023 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.931107998 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.931159973 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.934586048 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.934740067 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.934792042 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.937973022 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.938138962 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.938210964 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.941350937 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.941464901 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.941534996 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.944681883 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.944820881 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.944868088 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.946789026 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.946924925 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.946976900 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.948978901 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.949111938 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.949162960 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.951257944 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.951719999 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.951782942 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.953310966 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.953397989 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.953447104 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.955545902 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.955739975 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.955862999 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.957760096 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.957907915 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.957971096 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.960069895 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.960143089 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.960202932 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.962174892 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.962233067 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.962289095 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.964078903 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.964216948 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.964272022 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.966212034 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.966309071 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.966365099 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.968472004 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.968538046 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.968590975 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.970546961 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.970654011 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.970712900 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.972724915 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.972866058 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.972925901 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.974855900 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.974963903 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.975017071 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.977054119 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.977154970 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.977204084 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.979370117 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.979630947 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.979691982 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.981699944 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.981836081 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.981888056 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.983489037 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.983692884 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.983746052 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.985595942 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.985712051 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.985766888 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:06.987785101 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.987864971 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:06.987935066 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.069015980 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.069134951 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.069212914 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.070013046 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.071404934 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.071459055 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.071561098 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.072597027 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.072655916 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.072691917 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.074793100 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.074856997 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.074901104 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.077014923 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.077080011 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.077083111 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.106586933 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.106666088 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.106692076 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.107575893 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.107631922 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.107709885 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.109297991 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.109348059 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.109952927 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.110059023 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.110105038 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.112320900 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.112615108 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.112663031 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.113620996 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.113713026 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.113760948 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.115458965 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.115607977 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.115665913 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.117199898 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.117224932 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.117275000 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.118987083 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.119086027 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.119138956 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.120743036 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.120821953 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.120874882 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.122545958 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.122751951 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.122802973 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.124321938 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.124425888 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.124485970 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.126173019 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.126259089 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.126319885 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.127917051 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.128004074 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.128051996 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.129651070 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.129833937 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.129898071 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.131443024 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.131572008 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.131630898 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.133240938 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.133377075 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.133431911 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.135011911 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.135139942 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.135195017 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.137108088 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.137227058 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.137274981 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.138613939 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.138758898 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.138804913 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.140441895 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.140650034 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.140702009 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.142168999 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.142280102 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.142338991 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.143970966 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.144088030 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.144134998 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.145775080 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.145930052 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.145977020 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.147527933 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.147651911 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.147706032 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.149322033 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.149471998 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.149548054 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.151082993 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.151218891 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.151284933 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.152879000 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.152983904 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.153042078 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.154727936 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.154885054 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.154937983 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.156894922 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.156908035 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.156960011 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.158277035 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.158385992 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.158433914 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.160126925 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.160231113 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.160276890 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.161844015 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.161957026 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.162005901 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.163594007 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.163705111 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.163748026 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.165405989 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.165503025 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.165544033 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.167279005 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.167514086 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.167551994 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.168967962 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.169035912 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.169192076 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.170849085 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.170897007 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.170939922 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.172530890 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.172620058 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.172660112 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.174335957 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.174458981 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.174500942 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.176130056 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.176234961 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.176275969 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.177926064 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.178050041 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.178097010 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.179721117 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.179811001 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.179872036 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.181462049 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.181555033 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.181595087 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.183247089 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.183424950 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.183569908 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.185045958 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.185170889 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.185220957 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.186846018 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.186981916 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.187021017 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.188591957 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.188728094 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.188771009 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.190431118 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.190517902 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.190560102 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.260912895 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.260942936 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.260989904 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.261441946 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.261570930 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.261621952 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.263262987 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.263362885 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.263411999 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.265002966 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.265101910 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.265153885 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.298784971 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.298866034 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.298966885 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.299529076 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.299642086 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.299693108 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.301172972 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.301237106 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.301292896 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.303030014 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.303066969 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.303118944 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.304311037 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.304377079 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.304430962 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.305766106 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.305872917 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.305921078 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.307173967 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.307280064 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.307353020 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.308639050 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.308732033 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.308787107 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.310010910 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.310131073 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.310183048 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.311418056 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.311532974 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.311599970 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.312836885 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.312886953 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.312941074 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.314126968 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.314279079 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.314328909 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.315810919 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.315823078 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.315866947 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.316818953 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.316931009 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.316982031 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.318401098 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.318608999 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.318661928 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.319556952 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.319715023 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.319765091 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.320846081 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.320926905 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.320977926 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.322173119 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.322318077 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.322362900 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.323493004 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.323558092 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.323618889 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.324856043 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.324978113 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.325031042 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.326143980 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.326262951 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.326316118 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.327578068 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.327649117 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.327706099 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.328850985 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.328947067 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.329000950 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.330230951 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.330308914 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.330363989 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.331522942 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.331634045 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.331692934 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.332803011 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.332896948 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.332947016 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.334141970 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.334250927 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.334300041 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.335469007 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.335572958 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.335639954 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.336790085 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.336909056 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.336966038 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.338126898 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.338242054 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.338310003 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.339471102 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.339581966 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.339631081 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.340799093 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.340897083 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.340944052 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.342123985 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.342237949 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.342284918 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.343465090 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.343631029 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.343674898 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.344804049 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.344904900 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.344949961 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.346115112 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.346216917 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.346252918 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.347462893 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.347569942 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.347621918 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.348786116 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.348902941 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.348951101 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.350110054 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.350213051 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.350249052 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.351520061 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.351604939 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.351646900 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.352818966 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.352921009 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.352967978 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.354100943 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.354212046 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.354254007 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.355536938 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.355637074 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.355674028 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.356838942 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.357042074 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.357079983 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.358150005 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.358258963 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.358295918 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.359469891 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.359608889 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.359651089 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.360805988 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.360879898 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.360917091 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.362137079 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.362226009 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.362272978 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.363487959 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.363593102 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.363639116 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.364836931 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.364936113 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.364974022 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.453543901 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.453567028 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.453630924 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.454149008 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.454231024 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.454287052 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.456121922 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.456142902 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.456201077 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.456835985 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.490827084 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.490890026 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.490950108 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.491302967 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.491360903 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.491410017 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.492464066 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.492536068 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.492932081 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.493004084 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.493056059 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.494012117 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.494115114 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.494174004 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.495232105 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.495285034 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.495346069 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.574851990 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:07.695228100 CET	62520	49703	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:07.695383072 CET	49703	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.241223097 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.360727072 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.361067057 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.373384953 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.373384953 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.493082047 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.493122101 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.493134022 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.493148088 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.493195057 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.493249893 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.493280888 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.493299007 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.493360043 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.493459940 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.493485928 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.493535995 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.493580103 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.493604898 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.493633032 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.493648052 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.493712902 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.493768930 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.612849951 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.612871885 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.612914085 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.612946033 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.612951994 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.612974882 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.613019943 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.613074064 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.613084078 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.613130093 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.661190033 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.661366940 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.777196884 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.777270079 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.825193882 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.825246096 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:08.941370010 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:08.941438913 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:09.029221058 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:09.029285908 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:09.181415081 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:09.181540966 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:09.358081102 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:09.404195070 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:09.591384888 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:09.595207930 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:09.714773893 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.253257036 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.253257036 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.253339052 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.372929096 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.372951984 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373049021 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.373054028 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373064995 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373100996 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.373255014 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373265028 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373291969 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373302937 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.373322010 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373339891 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.373411894 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.373414040 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373424053 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373461008 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.373564959 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373581886 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373605013 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.373671055 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.373748064 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373817921 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373877048 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.373902082 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373958111 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373967886 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.373981953 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.374010086 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.374021053 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.374056101 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.374105930 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.374185085 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.374216080 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.374336958 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.374391079 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.374500990 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.374517918 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.374589920 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.374615908 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.374748945 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.374758005 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.374824047 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.374871969 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375005960 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375099897 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375109911 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375138998 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375260115 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375327110 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375437975 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375478029 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375606060 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375616074 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375684977 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375724077 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375799894 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375891924 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.375922918 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.376019955 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.376053095 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.376254082 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.376307964 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.376450062 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.376498938 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.376606941 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495058060 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495071888 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495081902 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495193958 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495203972 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495259047 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495302916 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495316982 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495363951 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495373011 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495384932 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495393991 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495498896 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495507956 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495526075 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495533943 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495611906 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495621920 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495665073 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495673895 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495722055 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495731115 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495836973 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495846987 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495882988 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495898962 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.495927095 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.496001005 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.496010065 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.496017933 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.776341915 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:10.895914078 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:10.895956993 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:11.015553951 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:11.348822117 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:11.400208950 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:11.580934048 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:11.634666920 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:11.772631884 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:11.822099924 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:11.841861010 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:11.966443062 CET	62520	49704	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:11.966511011 CET	49704	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:26.433155060 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:26.552746058 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:26.552845001 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:26.561516047 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:26.681112051 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:26.681199074 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:26.800745010 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.031454086 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.032708883 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.032768965 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.032783031 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.032783985 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.032823086 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.032840967 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.032854080 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.032866955 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.032867908 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.032916069 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.032916069 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.032953024 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.032964945 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.033010006 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.152508974 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.152599096 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.152880907 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.156584024 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.197186947 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.243240118 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.243365049 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.243591070 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.247307062 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.248909950 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.248985052 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.249056101 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.257344961 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.257402897 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.257424116 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.265602112 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.265672922 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.265712023 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.274068117 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.274132013 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.274157047 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.282697916 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.282808065 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.282836914 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.290766001 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.290895939 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.290934086 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.299150944 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.299211025 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.299256086 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.307512999 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.307559967 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.307653904 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.315876007 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.315908909 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.315928936 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.369178057 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.396018028 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.396123886 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.396205902 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.400186062 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.447189093 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.453799009 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.453955889 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.454008102 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.456568003 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.456618071 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.456686974 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.460796118 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.460891008 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.460985899 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.466142893 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.466285944 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.466444016 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.471746922 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.471786022 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.471865892 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.477035999 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.477127075 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.477441072 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.482482910 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.482608080 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.482660055 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.487930059 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.488051891 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.488128901 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.493411064 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.493488073 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.493536949 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.498852015 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.498934984 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.499082088 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.504321098 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.504360914 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.504458904 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.509824991 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.509866953 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.510121107 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.515216112 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.515377045 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.516011000 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.520703077 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.520982981 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.521039963 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.526170015 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.526226997 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.526355028 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.531913042 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.531956911 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.532006979 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.537039995 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.537203074 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.537467957 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.542388916 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.587791920 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.606545925 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.606569052 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.606699944 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.609294891 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.609430075 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.609638929 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.614614964 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.664390087 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.664432049 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.664463043 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.665679932 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.665719032 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.665791988 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.668423891 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.668467999 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.668468952 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.671251059 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.671307087 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.671341896 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.674073935 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.674109936 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.674185991 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.677792072 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.677830935 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.677932978 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.680483103 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.680525064 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.680551052 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.682502985 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.682549000 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.682602882 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.685436964 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.685477018 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.685554028 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.688178062 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.688216925 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.688278913 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.691071987 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.691112041 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.691204071 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.693881035 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.693921089 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.693989038 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.696646929 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.696690083 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.696748972 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.699547052 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.699620962 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.699666977 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.702327013 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.702373028 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.702404976 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.705228090 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.705265045 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.705305099 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.707990885 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.708029985 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.708053112 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.710788012 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.710829973 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.710880041 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.713674068 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.713692904 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.713740110 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.716500998 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.716571093 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.716579914 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.719355106 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.719419003 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.719432116 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.722141027 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.722201109 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.722286940 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.725064993 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.725116968 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.725119114 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.727802038 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.727920055 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.727933884 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.730582952 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.730634928 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.730679035 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.733489990 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.733531952 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.733535051 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.775336027 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.817012072 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.817034960 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.817130089 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.818348885 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.818443060 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.818494081 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.821187019 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.822187901 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.822228909 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.822246075 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.825028896 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.825098991 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.825166941 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.827879906 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.827945948 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.881115913 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.881197929 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.881386042 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.881597996 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.881853104 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.881910086 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.883203983 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.883301973 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.883357048 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.884840012 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.884964943 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.885018110 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.886451960 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.886569977 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.886625051 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.888112068 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.888252020 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.888299942 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.889866114 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.889978886 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.890023947 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.891870975 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.891998053 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.892045021 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.893601894 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.893660069 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.893709898 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.895426989 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.895540953 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.895589113 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.897495985 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.897562981 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.897607088 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.898751020 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.898947001 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.898993015 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.900290012 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.900351048 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.900391102 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.901698112 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.901830912 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.901881933 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.902940035 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.903049946 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.903100967 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.904743910 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.904948950 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.904997110 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.906234026 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.906358957 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.906405926 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.907861948 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.908004999 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.908050060 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.909560919 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.909620047 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.909666061 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.911228895 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.911286116 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.911329985 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.912834883 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.912918091 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.912965059 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.914521933 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.914659023 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.914707899 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.916110992 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.916214943 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.916265011 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.917877913 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.917990923 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.918040037 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.919401884 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.919522047 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.919564962 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.921019077 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.921168089 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.921215057 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.922748089 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.922816992 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.922862053 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.924334049 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.924438953 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.924494028 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.925959110 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.926116943 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.926168919 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.927666903 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.927789927 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.927844048 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.929404020 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.929496050 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.929543972 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.930893898 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.931010962 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.931055069 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.932535887 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.932667971 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.932715893 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.934201956 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.934340000 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.934385061 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.935852051 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.935966015 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.936012030 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.937504053 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.937638998 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.937684059 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.939148903 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.939194918 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.939239979 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.940793037 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.940964937 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.941009998 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.942486048 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.942558050 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.942604065 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.944314003 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.944397926 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.944441080 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.945930004 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.946055889 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.946100950 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.947714090 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.947948933 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.947989941 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.949532032 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.949640989 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.949681997 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.951065063 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.951162100 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.951206923 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.952279091 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.952399015 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.952442884 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.953928947 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.953954935 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.954000950 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.955596924 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.955703974 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.955749989 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.957285881 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.957380056 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.957420111 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:28.958887100 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.958914995 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:28.958957911 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.027267933 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.027360916 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.027416945 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.028109074 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.028290987 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.028337002 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.029730082 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.030349970 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.030390978 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.030426025 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.072207928 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.091543913 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.091742039 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.091823101 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.092061996 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.092247009 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.092293978 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.092801094 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.092947960 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.092994928 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.093732119 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.093856096 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.093900919 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.094697952 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.094793081 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.094836950 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.095603943 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.095745087 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.095786095 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.096570969 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.096640110 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.096683979 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.097496986 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.097642899 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.097688913 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.098444939 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.098525047 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.098566055 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.099366903 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.099483967 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.099529028 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.100265980 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.100395918 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.100440979 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.101226091 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.101361990 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.101403952 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.102176905 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.102291107 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.102333069 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.103091955 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.103200912 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.103245020 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.104031086 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.104239941 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.104294062 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.104964972 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.105096102 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.105142117 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.105876923 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.106024027 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.106070042 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.106884003 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.106971025 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.107018948 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.107786894 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.107882977 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.107923985 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.108696938 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.108802080 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.108844042 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.109628916 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.109749079 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.109793901 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.110605001 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.110699892 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.110749006 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.111567020 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.111695051 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.111737967 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.112585068 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.112782001 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.112824917 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.113383055 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.113487959 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.113534927 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.114300966 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.114420891 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.114461899 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.115247011 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.115382910 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.115422010 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.116321087 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.116422892 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.116462946 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.117247105 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.117379904 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.117419004 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.118115902 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.118232965 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.118273020 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.119249105 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.119330883 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.119400978 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.119956970 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.120081902 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.120121956 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.120883942 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.120987892 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.121028900 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.121819019 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.121936083 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.121978045 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.122744083 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.122848034 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.122890949 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.123681068 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.123790979 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.123836994 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.124604940 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.124696016 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.124834061 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.125556946 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.125597954 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.125643015 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.126502037 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.126544952 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.126590014 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.127454996 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.127573013 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.127618074 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.128381968 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.128473043 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.128518105 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.129290104 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.129393101 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.129440069 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.130233049 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.130332947 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.130378008 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.131187916 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.131300926 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.131351948 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.132154942 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.132215023 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.132257938 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.133085966 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.133200884 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.133248091 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.133972883 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.134022951 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.134066105 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.134908915 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.135093927 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.135140896 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.135871887 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.135948896 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.135992050 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.136795998 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.136851072 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.136895895 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.237848043 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.237962008 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.238012075 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.238442898 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.238461971 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.238502026 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.239245892 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.239362955 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.239402056 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.240127087 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.290935040 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.341876984 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.341984987 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.342039108 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.342175007 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.342376947 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.342425108 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.343096972 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.343236923 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.343281031 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.344022989 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.344223022 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.344265938 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.345009089 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.345119953 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.345163107 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.345942974 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.346009970 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.346052885 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.346796036 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.346919060 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.346960068 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.347749949 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.347866058 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.347909927 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.348709106 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.348856926 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.348908901 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.349669933 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.349756956 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.349800110 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.350637913 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.350836039 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.350879908 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.351583958 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.351667881 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.351711035 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.352494001 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.352596045 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.352643013 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.353540897 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.400285959 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.419547081 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.539448977 CET	62520	49743	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:29.539505005 CET	49743	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:29.999993086 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.119721889 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.119847059 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.132756948 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.132955074 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.252156973 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.252509117 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.252522945 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.252538919 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.252562046 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.252563953 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.252614021 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.252680063 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.252692938 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.252732038 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.252743006 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.252784014 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.252825975 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.252841949 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.252929926 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.372133970 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.372266054 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.372267962 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.372322083 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.372417927 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.372432947 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.372467995 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.372497082 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.372505903 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.372519016 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.372564077 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.413093090 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.413224936 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.532903910 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.533010960 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.577049971 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.693202972 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.693267107 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:30.897228956 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:30.897363901 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:31.141263962 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:31.141319990 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:31.192125082 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:31.192358971 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:31.261099100 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:31.313230038 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:31.313247919 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:31.325483084 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:31.447031021 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:31.447462082 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:31.567651987 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:31.934844971 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:31.934963942 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:31.935045004 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:32.117458105 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117470026 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117480040 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117489100 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117497921 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117506981 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117516041 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117525101 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117535114 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117543936 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117552996 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117562056 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117572069 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117582083 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117590904 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117600918 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117609978 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117619991 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117634058 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117644072 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117652893 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117662907 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:32.117664099 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117674112 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117683887 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117695093 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117706060 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117716074 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117726088 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117734909 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117744923 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117753983 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117763996 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117774010 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117784023 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117793083 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117803097 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117811918 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117821932 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117831945 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117841005 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117851973 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117861032 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117871046 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117880106 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117888927 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117901087 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117912054 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117922068 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117930889 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117942095 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117953062 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117961884 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117965937 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117970943 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117974043 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.117978096 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.237659931 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.237770081 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.237790108 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.237868071 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.237915993 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238034964 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238085032 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238135099 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238185883 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238251925 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238301992 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238396883 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238456011 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238516092 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238579035 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238614082 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238677979 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238795042 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238806009 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238837957 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238898993 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.238956928 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.239005089 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.239084005 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.239100933 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.239182949 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.239228964 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.239306927 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.239418983 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.466149092 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:32.585633993 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:32.585753918 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:32.705239058 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:33.057305098 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:33.103490114 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:33.311024904 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:33.323285103 CET	49749	62520	192.168.2.7	65.21.66.211
Nov 21, 2024 12:56:33.443366051 CET	62520	49749	65.21.66.211	192.168.2.7
Nov 21, 2024 12:56:33.444292068 CET	49749	62520	192.168.2.7	65.21.66.211

Target ID:	1
Start time:	06:56:01
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\RFQ.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ.scr.exe"
Imagebase:	0xcb0000
File size:	1'171'976 bytes
MD5 hash:	F30993E7984AC60C08D69710EAAE6EF4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:56:03
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ.scr.exe"
Imagebase:	0x330000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:56:03
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\RFQ.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ.scr.exe"
Imagebase:	0xbf0000
File size:	1'171'976 bytes
MD5 hash:	F30993E7984AC60C08D69710EAAE6EF4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000002.1374201957.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1366527069.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1366527069.00000000030F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000002.1366527069.0000000003011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1366527069.00000000033E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:56:03
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:56:06
Start date:	21/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:56:11
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RFQ.scr' -Value '"C:\Users\user\AppData\Roaming\RFQ.scr.exe"' -PropertyType 'String'
Imagebase:	0x330000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:56:11
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:59:02
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\RFQ.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Imagebase:	0xc00000
File size:	1'171'976 bytes
MD5 hash:	F30993E7984AC60C08D69710EAAE6EF4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:59:03
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\RFQ.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Imagebase:	0x100000
File size:	1'171'976 bytes
MD5 hash:	F30993E7984AC60C08D69710EAAE6EF4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:59:03
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\RFQ.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Imagebase:	0x9e0000
File size:	1'171'976 bytes
MD5 hash:	F30993E7984AC60C08D69710EAAE6EF4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.1583023321.000000000300B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.1583023321.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.1583023321.0000000002E95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:59:11
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\RFQ.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Imagebase:	0xc0000
File size:	1'171'976 bytes
MD5 hash:	F30993E7984AC60C08D69710EAAE6EF4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:59:12
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\RFQ.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Imagebase:	0x3a0000
File size:	1'171'976 bytes
MD5 hash:	F30993E7984AC60C08D69710EAAE6EF4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	07:59:12
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\RFQ.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Imagebase:	0x60000
File size:	1'171'976 bytes
MD5 hash:	F30993E7984AC60C08D69710EAAE6EF4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:59:13
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\RFQ.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Imagebase:	0x150000
File size:	1'171'976 bytes
MD5 hash:	F30993E7984AC60C08D69710EAAE6EF4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:59:13
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\RFQ.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Imagebase:	0x3c0000
File size:	1'171'976 bytes
MD5 hash:	F30993E7984AC60C08D69710EAAE6EF4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:59:13
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\RFQ.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\RFQ.scr.exe"
Imagebase:	0x130000
File size:	1'171'976 bytes
MD5 hash:	F30993E7984AC60C08D69710EAAE6EF4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	179
Total number of Limit Nodes:	15

Executed Functions

Function 06457991 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41a8e41df913ddb0a1cb819341628de304d2f006ba238c2fa21a536083808b3
Instruction ID: 06e4928c981ec3a35da7cc8df9027eadada89d5da9b6be77832e9fe6e513f613
Opcode Fuzzy Hash: a41a8e41df913ddb0a1cb819341628de304d2f006ba238c2fa21a536083808b3
Instruction Fuzzy Hash: 76E1C970B002088FEB6AEB65C860BAF77FBAF89740F15446AD5169B391CB34E805CB50

Function 02FACFD1 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02FAD05E
GetCurrentThread.KERNEL32 ref: 02FAD09B
GetCurrentProcess.KERNEL32 ref: 02FAD0D8
GetCurrentThreadId.KERNEL32 ref: 02FAD131

Memory Dump Source

Source File: 00000001.00000002.1286867061.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_RFQ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f05419af9aee7e59acd05d42e90eb43c0ae6079a4701bde9bec09a3ed511978a
Instruction ID: df6a30456fcc727fab8886b1c91d161753533286dd93701e84b7c733fc2af841
Opcode Fuzzy Hash: f05419af9aee7e59acd05d42e90eb43c0ae6079a4701bde9bec09a3ed511978a
Instruction Fuzzy Hash: 635166B0D003098FDB14EFA9D549BAEBBF1EF4C314F248459D019A72A0DB349985CF65

Function 02FACFE0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02FAD05E
GetCurrentThread.KERNEL32 ref: 02FAD09B
GetCurrentProcess.KERNEL32 ref: 02FAD0D8
GetCurrentThreadId.KERNEL32 ref: 02FAD131

Memory Dump Source

Source File: 00000001.00000002.1286867061.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_RFQ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 76f82e05755d0b509442ee2b2f56648b949ba0b4b1aad605115dec53c4b14b97
Instruction ID: 4aad64c1ef9cbe6c100e22e4e35b6a7fb1215405106ef39a24d3f31e5e30f928
Opcode Fuzzy Hash: 76f82e05755d0b509442ee2b2f56648b949ba0b4b1aad605115dec53c4b14b97
Instruction Fuzzy Hash: 865145B0D003098FDB14EFAAD549BAEBBF1EB8C314F208459E419A7260DB749985CF65

Function 064544B6 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 064546F6

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8f1da14db7039aa3cc49ee98dc1a3ec2c351afb8ceb38ec9c915e599f407bec1
Instruction ID: 2db2c630ae7d7dfbe00383416f32eaae74af7277733110e71c6f90effd080e30
Opcode Fuzzy Hash: 8f1da14db7039aa3cc49ee98dc1a3ec2c351afb8ceb38ec9c915e599f407bec1
Instruction Fuzzy Hash: F3A16D71D003298FDB65DF68C840BEEBBF2BF48310F15856AE818AB240DB749985CF91

Function 064544C0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 064546F6

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 834ccf215056ce6a4df1245a7083c936b5f4ffa625838e53cdc09017dc50c9d5
Instruction ID: c6ed66e89cd22c41d8eb3d49026b1098adfd8c30a91b9e7961dd95f7ada1aa4e
Opcode Fuzzy Hash: 834ccf215056ce6a4df1245a7083c936b5f4ffa625838e53cdc09017dc50c9d5
Instruction Fuzzy Hash: 33916D71D007298FEB65DF68C840BDEBBF2BF48310F15856AE808AB240DB759985CF91

Function 02FAAD48 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02FAAF9E

Memory Dump Source

Source File: 00000001.00000002.1286867061.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_RFQ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a215d4583c230185c823f4a1e2fa957e823eaedcc7a067690862fb0c1e773265
Instruction ID: 03b5754c7bf711a14912b0c1fda3d8e6d889466d93d75dd7041f311f7e09619e
Opcode Fuzzy Hash: a215d4583c230185c823f4a1e2fa957e823eaedcc7a067690862fb0c1e773265
Instruction Fuzzy Hash: A47145B0A00B058FD724DF2AD49475ABBF2FF88344F10892DD18ADBA50DB35E849CB91

Function 02FA590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02FA59C9

Memory Dump Source

Source File: 00000001.00000002.1286867061.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_RFQ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 40bd4e7010774f694fde6d8eaee5d5e7ab7f2557bcbbd6d991a667af5f85f48c
Instruction ID: cd9f4a58590bf3abf6a6e0dbf1f55be8d29fb12ee20d14c4df9a5a08d054ea3e
Opcode Fuzzy Hash: 40bd4e7010774f694fde6d8eaee5d5e7ab7f2557bcbbd6d991a667af5f85f48c
Instruction Fuzzy Hash: 48410FB1D00729CFEB24DFA9C8947CDBBB1BF48314F20816AD509AB251DB756946CF90

Function 02FA44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02FA59C9

Memory Dump Source

Source File: 00000001.00000002.1286867061.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_RFQ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 57e6e6517f28bcfd8635eb1024ad73c5f040fe336dad615ba811288f06717a45
Instruction ID: 0302dd0ea53c4d5c188f8435c820112e7f5ec857a1b56084b01a730fa91b4902
Opcode Fuzzy Hash: 57e6e6517f28bcfd8635eb1024ad73c5f040fe336dad615ba811288f06717a45
Instruction Fuzzy Hash: 104100B1D0072DCBDB24DFAAC894B8DBBB1BF48304F60816AD509AB251DB756946CF90

Function 06454230 Relevance: 1.6, APIs: 1, Instructions: 84
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 064542C8

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e2a2770a348071aa33c2ba49b14cb5703ffd39db19b7c5c4ae66edb9d6e873b6
Instruction ID: 4712f42c8f0327d1756cf3044616c2277ab52f07b6b6b2216144527db9c88590
Opcode Fuzzy Hash: e2a2770a348071aa33c2ba49b14cb5703ffd39db19b7c5c4ae66edb9d6e873b6
Instruction Fuzzy Hash: 16315876D003199FDB10CFA9D881BEEBBF1FB48310F10882AE918A7241C7789551CBA0

Function 06450D98 Relevance: 1.6, APIs: 1, Instructions: 71
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06456D4D

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 43c2cb8ab46267b8dab0de458d8c18c651d9bf0432db29d2c8c1862e1d97dcfc
Instruction ID: d7202c6db508edac7bb021a6de7ee3b9474449a78b481ea996a1d1fc02bd3e76
Opcode Fuzzy Hash: 43c2cb8ab46267b8dab0de458d8c18c651d9bf0432db29d2c8c1862e1d97dcfc
Instruction Fuzzy Hash: B021DC758083588FEB21DF99C855BDEBFF4EF08320F11405AD844AB252C334A449CBA6

Function 06454238 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 064542C8

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5fafe56d9349d0fa0a9273b8b69af286f2b31477566fa24290ad0737c512082a
Instruction ID: 8a31c4935dd5d1c075e16e5ce24b13499ccf080636b6e1db436d09b583296c8a
Opcode Fuzzy Hash: 5fafe56d9349d0fa0a9273b8b69af286f2b31477566fa24290ad0737c512082a
Instruction Fuzzy Hash: FC215575D003199FDB10CFAAC881BEEBBF5FF48310F50842AE918A7240C7789941CBA0

Function 02FAD628 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FAD6B7

Memory Dump Source

Source File: 00000001.00000002.1286867061.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_RFQ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fc22f4afb5ae0cebaa949d9e5b5c50edfef99c7f556117160b7d1826f3e109a7
Instruction ID: 3be35df77de61372bd9dd2f9904cc88022d798534a60dd68c5907d9f7c124b08
Opcode Fuzzy Hash: fc22f4afb5ae0cebaa949d9e5b5c50edfef99c7f556117160b7d1826f3e109a7
Instruction Fuzzy Hash: 1D2116B5D00208DFDB10CF99D585ADEBBF5FB08310F14802AE958A3310D3399951CFA0

Function 06453C60 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06453CE6

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 476e73e40933793ba0322d5229fd20370be69b9590706a0515219e3a540ea899
Instruction ID: 587f4e6aff335cd94cfa370b681347d46e535b1ad960b6c89c06edabb7295ffe
Opcode Fuzzy Hash: 476e73e40933793ba0322d5229fd20370be69b9590706a0515219e3a540ea899
Instruction Fuzzy Hash: EC216876D003198FDB21DFAAC4857EEBBF4AF48310F54842AD859A7341DB789945CFA0

Function 06454320 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 064543A8

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b36d2a582de9cb29b10d53d95a7f03d9992cbe764c34de2c29af8a4339e78201
Instruction ID: ae8d5f1fd6b8cea74be18392d6b50c7332f52c125bce52da978f7a1c9c6714a0
Opcode Fuzzy Hash: b36d2a582de9cb29b10d53d95a7f03d9992cbe764c34de2c29af8a4339e78201
Instruction Fuzzy Hash: B22134B1D003599FDB10DFAAC885BEEBBF1FF48310F54842AE959A7241C7399941CBA0

Function 06453C68 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06453CE6

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fc107e83925705b6ab366bf600c6de7bd9110dcfeed20dcce6f982d484c07045
Instruction ID: 91e8ed08023eada342ab6fc84698a74b579b4371675aace10616de26c04ff5bf
Opcode Fuzzy Hash: fc107e83925705b6ab366bf600c6de7bd9110dcfeed20dcce6f982d484c07045
Instruction Fuzzy Hash: 60213571D003198FDB21DFAAC485BAEBBF4EF48320F54842AD819A7341DB789945CFA4

Function 06454328 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 064543A8

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: aa68430fef17d282aea3e72158ff209aafac4dd1a79cdff015a7374829483380
Instruction ID: 21c1316f608f9747cb4ddfe66bbb87faac546855f7384378ba5b7eb7ea2f8a92
Opcode Fuzzy Hash: aa68430fef17d282aea3e72158ff209aafac4dd1a79cdff015a7374829483380
Instruction Fuzzy Hash: 20212571D003599FDB10DFAAC885BEEBBF5FF48310F50842AE919A7250CB399941CBA4

Function 02FAD630 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FAD6B7

Memory Dump Source

Source File: 00000001.00000002.1286867061.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_RFQ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5fdc4cda607d38bbb42e182ceb925b4e83699995956435f36350b0d6fbe2f8fe
Instruction ID: e918198fb4d866defb449fc286acb197e25a89f197d4691a340b55a72fb643b8
Opcode Fuzzy Hash: 5fdc4cda607d38bbb42e182ceb925b4e83699995956435f36350b0d6fbe2f8fe
Instruction Fuzzy Hash: 6921E4B5D002489FDB10CF9AD984ADEBBF4EB48310F14801AE918A3350C375A950CFA4

Function 06454170 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 064541E6

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8296817e7210ec3e0740ba6310a51af608d5a7b9cf1821eec00f8863ada0531a
Instruction ID: 6103362ceba2ec60f5cb2e6b0589b7ebf74a16a0338bca4d80bc0b057696161e
Opcode Fuzzy Hash: 8296817e7210ec3e0740ba6310a51af608d5a7b9cf1821eec00f8863ada0531a
Instruction Fuzzy Hash: 42111775C003499FDB20DFA9C845BEEBBF5EB48320F24841AE965A7250DB359551CBA0

Function 06454178 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 064541E6

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9d69dc0d6ba8d8b4a2ba211e684160f59630976c1e357ff283bb0f6636f34590
Instruction ID: 8abc6845bff33a3360cee1d76d351e1e7e578a7a606cb63bcce7478d2b3224a4
Opcode Fuzzy Hash: 9d69dc0d6ba8d8b4a2ba211e684160f59630976c1e357ff283bb0f6636f34590
Instruction Fuzzy Hash: C0112675C003499FDB20DFAAC845BDEBFF5EB48320F14841AE915A7250CB759951CFA0

Function 06453BB1 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06453C1A

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f97cbb7caf1fe9eb753de54c5dec22461dca04f7fc6f6c2bbd3c68c42c82a7b3
Instruction ID: a65c2f3622d50ab8c30006f3802f09284da4d2a092c2c17cd8fbc31bb9c020c5
Opcode Fuzzy Hash: f97cbb7caf1fe9eb753de54c5dec22461dca04f7fc6f6c2bbd3c68c42c82a7b3
Instruction Fuzzy Hash: FF116AB6D003598FDB21DFA9C8457EEFBF5AF48324F24842AD519A7240CB399941CF94

Function 06453BB8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06453C1A

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a260781f9e4767edff979386df79c8ae6c54cef618fee9c2676c8187ea307298
Instruction ID: cf3bc5d9c5c0af99dfd6e5a889293a1090da11474cd6e012cbe07958e124072c
Opcode Fuzzy Hash: a260781f9e4767edff979386df79c8ae6c54cef618fee9c2676c8187ea307298
Instruction Fuzzy Hash: 6E113A71D003598FDB20DFAAC44579EFBF5EB48320F24842AD519A7240CB79A941CF94

Function 06450D88 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06456D4D

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8637f919fe76b018d2f774fc4e31329ebb6ddbf6cab63a49688bb4a139138a43
Instruction ID: 2013b2f323bcfe64b561c3f940e6fe17278a215ccc657c83860373a6398a90b3
Opcode Fuzzy Hash: 8637f919fe76b018d2f774fc4e31329ebb6ddbf6cab63a49688bb4a139138a43
Instruction Fuzzy Hash: 3011F5B58003499FDB20DF9AC985BDEFBF8EB48310F21841AE915A7211C375A944CFA5

Function 02FAAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02FAAF9E

Memory Dump Source

Source File: 00000001.00000002.1286867061.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_RFQ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 19f844ed57d3238ebfbd3489771f2bf3da89df8b356c61915f26161baa984d50
Instruction ID: 959f91b361824b5eb6e6d68e3da796b0124981d03b38175f8fbeb5b3bbce1872
Opcode Fuzzy Hash: 19f844ed57d3238ebfbd3489771f2bf3da89df8b356c61915f26161baa984d50
Instruction Fuzzy Hash: 251110B6C003498FCB24CF9AC444BDEFBF4EB88324F10842AD929A7200C379A545CFA1

Function 06456CE9 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06456D4D

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 962bff1c6288419bd2f4b5ba1b523514f723b1d5cce31517f8a718496ec83264
Instruction ID: c0e1ca32fb6a93010430f3c28145f702d9d1f2071d7c459291cbae7b72003a83
Opcode Fuzzy Hash: 962bff1c6288419bd2f4b5ba1b523514f723b1d5cce31517f8a718496ec83264
Instruction Fuzzy Hash: 601103B6C003598FDB20DF99C985BDEBBF4EB48320F25841AD918A7250C379A944CFA0

Function 015BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1285932936.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15bd000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e91641386c87ed6d1f8b50e1ce89d288f558bc89a445e6e8adec93b3ad236d3
Instruction ID: fc90c786cc9955e2e95c27adf2846656ad792b3191edaa72e3d95a39bd0acdd0
Opcode Fuzzy Hash: 8e91641386c87ed6d1f8b50e1ce89d288f558bc89a445e6e8adec93b3ad236d3
Instruction Fuzzy Hash: D9210375604208DFDB15DF54D9C4B56BBB1FB84318F20C96DD8090F246D33AD407CA61

Function 015BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1285932936.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15bd000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb27e8ea0792c49b382a56904a2482be3a64bf97a661d26666a662054994e8e
Instruction ID: 223641ce5e761b3c317e0e8624e4274187e633052592ea0241364003c898a3bc
Opcode Fuzzy Hash: eeb27e8ea0792c49b382a56904a2482be3a64bf97a661d26666a662054994e8e
Instruction Fuzzy Hash: 8B21D375A042409FDB15DF94D9C0B65FBB5FB84328F20C96DD8494F252C336D846CA61

Function 015BD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1285932936.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15bd000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78aa14cfbfbb0bd5e6917f2dfda52ec20b3dc4718102f8902d24804d69c43fe2
Instruction ID: ba3537ca18f4486453c4d569b5ff02a468b0750467b4194f5ea4e103d9168cb5
Opcode Fuzzy Hash: 78aa14cfbfbb0bd5e6917f2dfda52ec20b3dc4718102f8902d24804d69c43fe2
Instruction Fuzzy Hash: 4C218E755093848FCB02CF24D9D0755BF71FB46218F28C5EAD8498F2A7C33A980ACB62

Function 015BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1285932936.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15bd000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: fe028caf521fe1f4456d5c2e8648e1b03469bf6a637778035e516802a45639b2
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: B811A975504280DFCB06CF54C5C0B59FBB2FB84228F24C6A9D8494B296C33AD80ACB61

Function 015AD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1285860212.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15ad000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549dc3745fb993746d92fcba54a57ec69e2372278d86a3e83cc58b154fa23236
Instruction ID: ffbe32b631ff9da90a2a1ef670515cc88d6f19174d0087ddce20dccc05791823
Opcode Fuzzy Hash: 549dc3745fb993746d92fcba54a57ec69e2372278d86a3e83cc58b154fa23236
Instruction Fuzzy Hash: AC01F7314443849EE7246A55DCC4B6EFFF8EF45221F58C82AED090E683C6389840CAB1

Function 015AD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1285860212.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15ad000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d8077fd51cb0fc03b74d50ef613938ff846357dae3ec5560cd2b65a0326521
Instruction ID: b22b8ebdb461c2a80dc3d5e262fdbabf00bee786a045f7d8a5eda7b2806ccb37
Opcode Fuzzy Hash: 81d8077fd51cb0fc03b74d50ef613938ff846357dae3ec5560cd2b65a0326521
Instruction Fuzzy Hash: BEF0C2324443849EE7249A0ACC84B6AFFA8EF44634F18C45AED080E687C279A840CBB1

Non-executed Functions

Function 06452F58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82a32563a962c4d565367411653f7127c9d330b4a4f30e5eca3e1425f9b625a
Instruction ID: fac5e784aa8124205722a0d2c427689d8dac50606fb0416b8c2d64b1ecd4541c
Opcode Fuzzy Hash: f82a32563a962c4d565367411653f7127c9d330b4a4f30e5eca3e1425f9b625a
Instruction Fuzzy Hash: E9E1EB74E002198FDB55CFA9C580AAEFBB2FF49305F24816AD814A7356DB35AD41CFA0

Function 06451C58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f0f7e2c84dc7f86e18c7b5ef46d0a5550d84a5a1098ebd3f257edb1dc5d9d0
Instruction ID: 30efb7c88473bc2d864b873938700f3c7e8751e3ffe8260a088808a3d05a4ce2
Opcode Fuzzy Hash: b8f0f7e2c84dc7f86e18c7b5ef46d0a5550d84a5a1098ebd3f257edb1dc5d9d0
Instruction Fuzzy Hash: D0E1EB74E002198FDB54CFA9C580AAEFBB2FF89305F24816AD815A7356D735AE41CF60

Function 06453D40 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f023377ed2b28cd74bd8d7a9c1cf64bb6bf53ffb237250143a99193ce3b45da
Instruction ID: 8170b6b1ee79e0dd03bdf1ff2b4e98bc3d67a7bd6b3ebdfec1fa552d37cb3324
Opcode Fuzzy Hash: 6f023377ed2b28cd74bd8d7a9c1cf64bb6bf53ffb237250143a99193ce3b45da
Instruction Fuzzy Hash: C4E1D974E002198FDB55DFA9C580AAEBBF2FF49315F24816AD814AB356DB30AD41CF60

Function 06453390 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8c5144fdd567026b2c3afeb30e2262d311630bb6a3c616c1cf113e6b7e73c0
Instruction ID: 64014f2de9ea3ae591083403c72f536c5449ebeedb63e76381e3b99df69c4413
Opcode Fuzzy Hash: 3e8c5144fdd567026b2c3afeb30e2262d311630bb6a3c616c1cf113e6b7e73c0
Instruction Fuzzy Hash: FAE1FA74E002198FDB55DFA9C580AAEFBB2FF89305F24816AD815A7356DB30AD41CF60

Function 06451820 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1279f86e49f74f97b26f884c59fab3b469ef90ff282b27dd98a9005a4ee47f3
Instruction ID: fa27a41303a715c173d817db330d030bfc7f924749ccc81c340f82c38ab56d9c
Opcode Fuzzy Hash: a1279f86e49f74f97b26f884c59fab3b469ef90ff282b27dd98a9005a4ee47f3
Instruction Fuzzy Hash: 67E10C74E002198FDB15DFA9C580AAEFBB2FF89305F24816AD854AB356D7319D41CF60

Function 02FAD55C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1286867061.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2fa0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063925193361bf2db8e6e2298fd9158aef3ced363343710a915f7a06d6befef0
Instruction ID: 9710a4ca6416883f0c9b7e4d3c7cd120b60694c16c7329a5157e9b52a852fc09
Opcode Fuzzy Hash: 063925193361bf2db8e6e2298fd9158aef3ced363343710a915f7a06d6befef0
Instruction Fuzzy Hash: 66A16B72E002098FCF19DFB4C85059EB7B2FF89340B15826AE905AF265DB72E946CF40

Function 064517F3 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e532b47c00cfaf83e198380cb89251fed811aee578b943a9798c112208aad42
Instruction ID: 236dacf28b14b959aa4230c68dd710eee13d66535b1e0e5709fc9f34d3f082b6
Opcode Fuzzy Hash: 0e532b47c00cfaf83e198380cb89251fed811aee578b943a9798c112208aad42
Instruction Fuzzy Hash: F1514C74E042198FDB15CFA9C5806AEFBB2FF89300F24816AD418A7356C7359E42CFA1

Function 06452F48 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0629ba0f0d40806e7977b6f2d72f80626ad341f4996bc9295af3c0deb8691d
Instruction ID: 86ec35166e910f1604043d879f557504bff2737ac77696ba1f34e3cd8f4ca864
Opcode Fuzzy Hash: fa0629ba0f0d40806e7977b6f2d72f80626ad341f4996bc9295af3c0deb8691d
Instruction Fuzzy Hash: 8751F970E042198FDB15CFA9C5405AEFBB2FF89204F24816AD818A7356D7359E42CFA1

Function 06453D30 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1294824363.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6450000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501ff6941033e5384b13ed4bd8c5bf27de5629f5c0c11ccd87464e66ed910109
Instruction ID: 840c13e2e75fe2cfe1d578c53e77fb1f0ffd982a443c7bc913fa86a5395355ab
Opcode Fuzzy Hash: 501ff6941033e5384b13ed4bd8c5bf27de5629f5c0c11ccd87464e66ed910109
Instruction Fuzzy Hash: E851F974E002198FDB15CFA9C6805AEFBF2BF89315F24816AD818A7356D7359E42CF60

Analysis Process: RFQ.scr.exePID: 7828, Parent PID: 7364COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.8%
Total number of Nodes:	56
Total number of Limit Nodes:	4

Executed Functions

Function 058A79B0 Relevance: 16.1, Strings: 12, Instructions: 1099COMMON

Download Yara Rule

Strings

$q, xrefs: 058A7E07
$q, xrefs: 058A8291
$q, xrefs: 058A7EA7
$q, xrefs: 058A82EA
,q, xrefs: 058A846A
$q, xrefs: 058A7EB7
$q, xrefs: 058A7C43
$q, xrefs: 058A8281
4, xrefs: 058A8385
$q, xrefs: 058A82DA
$q, xrefs: 058A7DF7
$q, xrefs: 058A7C33

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: ,q$4$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-2072453518
Opcode ID: 18456b37f91ab449e8b47e4caf55d4e218965dd96b073a1ed49a33ba1659ead0
Instruction ID: a0991425aa1779ed74921a041f0775416cb73bd80b0d844d61439102705057c0
Opcode Fuzzy Hash: 18456b37f91ab449e8b47e4caf55d4e218965dd96b073a1ed49a33ba1659ead0
Instruction Fuzzy Hash: 3AB2E735A002189FEB24CF94D894BADB7B6FF48701F158599E906EB3A5DB70AC81CF50

Function 058A7CD7 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$q, xrefs: 058A7EA7
,q, xrefs: 058A846A
$q, xrefs: 058A8281
4, xrefs: 058A8385
$q, xrefs: 058A82DA
$q, xrefs: 058A7DF7

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: ,q$4$$q$$q$$q$$q
API String ID: 0-3956183810
Opcode ID: 6277a468124df146e25b9af8f8c7f1b7012a88664c848df67b67971af5d1914a
Instruction ID: f055428bbc79de8643baae592821dc909e3e9afac5f84feffd905add674e6df8
Opcode Fuzzy Hash: 6277a468124df146e25b9af8f8c7f1b7012a88664c848df67b67971af5d1914a
Instruction Fuzzy Hash: 0A22ED35A00218CFEB24DF55C994BADB7B2FF48305F1481A9E909EB2A5DB709D81DF50

Function 0605C4C8 Relevance: 5.7, Strings: 4, Instructions: 675
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pq, xrefs: 0605CAF4
xbq, xrefs: 0605C529
TJq, xrefs: 0605C558
Teq, xrefs: 0605C7FB

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID: TJq$Teq$pq$xbq
API String ID: 0-2466396065
Opcode ID: a7d99b54759a11f44382e4042b7215380600744162a31a35012ade2c2bd4fe4e
Instruction ID: 6974b3f51a4458ee639e0ac58b23f602424a29cb7ce33213a1307236a702c85c
Opcode Fuzzy Hash: a7d99b54759a11f44382e4042b7215380600744162a31a35012ade2c2bd4fe4e
Instruction Fuzzy Hash: 42523975A402149FDB55CF68C984EA9BBB2FF49304F1681A8E509EB272CB31EC91DF41

Function 05845FF8 Relevance: 1.8, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

(q, xrefs: 058460C8

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 4560905389dcc898402c2ef31ceea231621cec7b81c40925f89944cca38966ca
Instruction ID: 96ca2b3dc8cf6dbf54adf13102f8aed8754845bac885376d2b63e74fbc82a598
Opcode Fuzzy Hash: 4560905389dcc898402c2ef31ceea231621cec7b81c40925f89944cca38966ca
Instruction Fuzzy Hash: 53226A74B0471A8FCB18DF6AC49466EFBF2BB89300F248529E95AD7341DB34AC41CB95

Function 058482BE Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

aq, xrefs: 05848319

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: aq
API String ID: 0-608928628
Opcode ID: 7477b86bf14b125bea8c942118b99435d4051e8e3831266f7efa0e083a567eee
Instruction ID: 4a2950cdf4b36b2506aa391f3f02cc989b83b3d59c1ad375959010bd4c75183b
Opcode Fuzzy Hash: 7477b86bf14b125bea8c942118b99435d4051e8e3831266f7efa0e083a567eee
Instruction Fuzzy Hash: 9EC18F74A0420CCFD708DBA4E048BAEB7A3FB84708F558165DC46EB6A4DB799C46CF85

Function 05B5BCE0 Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,05B5EDFA), ref: 05B5BCEB

Memory Dump Source

Source File: 00000008.00000002.1375705239.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5b50000_RFQ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 068E9470 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

KDBMZq, xrefs: 068E979B

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID: KDBMZq
API String ID: 0-1462230996
Opcode ID: 27a12dfb20cf3251178f59a63cf3714fdba7ae35481e6e8de12cfb8902033cb3
Instruction ID: 6889a724bb4eaff2405fa8682bf8b86a43875156345530760f77eb2df2f748e2
Opcode Fuzzy Hash: 27a12dfb20cf3251178f59a63cf3714fdba7ae35481e6e8de12cfb8902033cb3
Instruction Fuzzy Hash: 20B15A75A00109EFDB54CF99E580AAEB7F2FB8A304F10C12AE915EB344C775AD85CB90

Function 068E9460 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

KDBMZq, xrefs: 068E979B

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID: KDBMZq
API String ID: 0-1462230996
Opcode ID: 22574906fe102513d9e08cf9668410479b710973be0cce0cb4de5453c8a667dd
Instruction ID: b0671ee4dd9f84d7af416fa5930ce032b9c49ebf4c74d9eb9f46b64f69d1493a
Opcode Fuzzy Hash: 22574906fe102513d9e08cf9668410479b710973be0cce0cb4de5453c8a667dd
Instruction Fuzzy Hash: 33B18B74A00209AFDB54CF59E580AAEB7F2FB8A304F14C12AE905EB344C775AD85CF90

Function 0574DEF9 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

Teq, xrefs: 0574DFED

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 377ee5b69d3a46962ebb6a0e250ffdd27bdf3068ee5a0e858ac9ce5316eda0dd
Instruction ID: 853d58804e52865d6ccac1929a753bb011da533dd2246a6904fc917da7b3d3f7
Opcode Fuzzy Hash: 377ee5b69d3a46962ebb6a0e250ffdd27bdf3068ee5a0e858ac9ce5316eda0dd
Instruction Fuzzy Hash: 37515F30704104CFE724CB55E448BBD77E7BB84321F69807AE4119BAA5DBB95C81EF46

Function 0574098D Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71fb30cd244ed1905989c8b0792760329f2bf66fe287ff8458267b37425e7a3
Instruction ID: 66ba4e9f7c63d3de5257a7d73999dbd704bb075b1f68b1cf5d113e6164a1cf62
Opcode Fuzzy Hash: f71fb30cd244ed1905989c8b0792760329f2bf66fe287ff8458267b37425e7a3
Instruction Fuzzy Hash: 1202D974A00219DFDB64DF68D888A9DB7F2BF88300F518599E90AAB351DB30ED85DF41

Function 068EBF90 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f301940a9987ff7c5500677d329443a59ec3410eb27d1e490b18f9f1df7cc47
Instruction ID: f98cf357947412f08f825fd9b2a75a5f0b75ee5018043b2fb609d79cc30a5aa7
Opcode Fuzzy Hash: 2f301940a9987ff7c5500677d329443a59ec3410eb27d1e490b18f9f1df7cc47
Instruction Fuzzy Hash: D2D1BE34B102148FCB98EB78E46567EB6F3EFCD210B558069E917E7380DE35AC428B95

Function 058483A2 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d75fac44d847f9d32f49c4072c68c01d878c0cc68ea6371af50c310e811d2a
Instruction ID: dc0fc2f136c47e1327ef8131abfa21e6aa6c38f3c508f34b44e21ecc76c77684
Opcode Fuzzy Hash: 50d75fac44d847f9d32f49c4072c68c01d878c0cc68ea6371af50c310e811d2a
Instruction Fuzzy Hash: 68C14A74A0410C8FD718DB94E0487AE72A3FB84708F55C165DD46EB6A8CB7D9C86CF85

Function 058481E3 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985cd4143abb8bcd47997973c8eb5ffdecde2fba454f75d8f5809f379d4553dd
Instruction ID: 5accd6fad6f5aee689ec0ccb23f1ea932f2e06b0f46d75cef5a8d82eed86a6b9
Opcode Fuzzy Hash: 985cd4143abb8bcd47997973c8eb5ffdecde2fba454f75d8f5809f379d4553dd
Instruction Fuzzy Hash: 63B14974A0410C8BD708DB94E048BAEB2A3FB84708F55C165DD46EB6A8CB799C86CF85

Function 05847C61 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d70b679c4fe5f9effd2755163a38691cf8adef5d21052fa858dcd69b59aba97
Instruction ID: d985ce2678b3360b628338bf7d5c2373fc82abd0de9142ed0b47389183bde20d
Opcode Fuzzy Hash: 8d70b679c4fe5f9effd2755163a38691cf8adef5d21052fa858dcd69b59aba97
Instruction Fuzzy Hash: 08B15B74A0410C8FD718DB94E048BAEB7A3FB84708F55C165DD46EB6A8CB799C86CF81

Function 05847C70 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeabc920219feac888315e49326f7436d7426d4e657131c69f39b45c92b46cf7
Instruction ID: 9ec6663e9ee897072e11993e67f8c2bf57fe6543d8570f88514cb5c4137b9d57
Opcode Fuzzy Hash: aeabc920219feac888315e49326f7436d7426d4e657131c69f39b45c92b46cf7
Instruction Fuzzy Hash: 27B15A74A0410CCBD708DB94E048BAEB7A3FB84708F55C165DD46EB6A8CB799C86CF85

Function 05847D37 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556d51226dd21b9f1fb4452942928707765583003454dc213d744128b6bef686
Instruction ID: 495b3daea4f67a911cc67a533c568259b9397a76eaa545e53f1183f2519f3654
Opcode Fuzzy Hash: 556d51226dd21b9f1fb4452942928707765583003454dc213d744128b6bef686
Instruction Fuzzy Hash: F0B14874A0410CCBD708DB94E048BAEB3A3FB84708F55C165DD46EB6A8CB799C86CF85

Function 05847DDC Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5472e5e2a98d36348a379be2957d2c84a74c1b23b2da9b7672d852cdc67d2f29
Instruction ID: 848ba5b3e7f100558c1230b335c9b34fc80fb55e78e286b2a0a6cba288a8164b
Opcode Fuzzy Hash: 5472e5e2a98d36348a379be2957d2c84a74c1b23b2da9b7672d852cdc67d2f29
Instruction Fuzzy Hash: 52B13A74A0410CCBD708DB94E048BAEB3A3FB84708F55C165DD46EB6A8DB799C86CF85

Function 05847CC5 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e1b9e4aed4dc9fe481d7e599f9556662630fa4088dbbf88d1d46b302791abf
Instruction ID: adae3a217562cca3d960ead2211a9d152ca263a50beb15e7c610463945c98817
Opcode Fuzzy Hash: b2e1b9e4aed4dc9fe481d7e599f9556662630fa4088dbbf88d1d46b302791abf
Instruction Fuzzy Hash: 84B14974A0410CCBD708DB94E048BAEB3A3FB84708F55C165DD46EB6A8CB799C86CF85

Function 05847CE0 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438323c94cbec5698e7ed41c5d17e0140d8ef9a21fbbcfc6cfd8015baf79aae8
Instruction ID: 24cf99b5ad25533a0aa199877ae7670cd7556a1f34629350ca3d0ac16ffbaae0
Opcode Fuzzy Hash: 438323c94cbec5698e7ed41c5d17e0140d8ef9a21fbbcfc6cfd8015baf79aae8
Instruction Fuzzy Hash: 4BB14974A0410CCBD708DB94E048BAEB3A3FB84708F55C165DD46EB6A8CB799C86CF85

Function 0584811B Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3a2aecf5e3e643dffa968952a62298c5f9e04d7a7220eca3018b9fd0392cba
Instruction ID: e7ae3498529a553dcd162b9c5a1ed56ab7aef88e1efa953c7d206649c101fcf8
Opcode Fuzzy Hash: 7f3a2aecf5e3e643dffa968952a62298c5f9e04d7a7220eca3018b9fd0392cba
Instruction Fuzzy Hash: 25B13974A0410C8BD708DB94E048BAEB3A3FB84708F55C165DD46EB6A8DB799C86CF85

Function 058481D3 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57740bc533feb4577b0a072bd7b44a00348a1d4f94559741c962a8c0e986876d
Instruction ID: ca3f4736cafc9e3525781380e71b535f683a38ffb8f2fa5a1ed460cfbe0c07c5
Opcode Fuzzy Hash: 57740bc533feb4577b0a072bd7b44a00348a1d4f94559741c962a8c0e986876d
Instruction Fuzzy Hash: 57B14B74A0410CCBD718DB94E048BAEB3A3FB84708F55C165DD46EB6A8CB799C46CF85

Function 0574D658 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34949ed7e7795699f1b6a35f33d960720c26c7d68dc93f1ffe0cfcfca7c0e93
Instruction ID: 4ae47cdc8ace3da06269ab3b16f4fb611fb0ef4f065254ccf603d1309487f649
Opcode Fuzzy Hash: f34949ed7e7795699f1b6a35f33d960720c26c7d68dc93f1ffe0cfcfca7c0e93
Instruction Fuzzy Hash: A1A17D34A05204CFEB24CF54E448BAEB7F3FB88340F598165D44AAB6A5DB789D81DF41

Function 0574D668 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4f4391820fc8e2d7d1fd159ea46b8560157514033e7a4c3854d59725c7bf8a
Instruction ID: ef57adf686ff682738f6e7cc68a0bd147d38c85f3524c2e50e54a8aee9967aa4
Opcode Fuzzy Hash: 8c4f4391820fc8e2d7d1fd159ea46b8560157514033e7a4c3854d59725c7bf8a
Instruction Fuzzy Hash: 0B917C34A05204CFEB24CF55E448BAEB7F3FB88340F598165D44AAB6A9DB789C81DF41

Function 0574D847 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c0ca91c84a8b897a73b7824776d32277985fd546a806c08456e8ed33e6a2ec
Instruction ID: 1456dd4d457b6c3cefd798c5bf88d3aa2a7d826254ae707a9d44980b4365aca3
Opcode Fuzzy Hash: d2c0ca91c84a8b897a73b7824776d32277985fd546a806c08456e8ed33e6a2ec
Instruction Fuzzy Hash: B7916D34A05204CFEB24CF54E448BAE77B3FB88340F598165D086AB6A5DB789C85DF51

Function 056F2B49 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458a1fe139cd43ead891603980f63d285ebf8ab4bb3817e4e33312cc01faf9ca
Instruction ID: dd6d7cd1144df6c9b0aceccef564dc16d23eed5068fc47f9f60aac744bb3da2f
Opcode Fuzzy Hash: 458a1fe139cd43ead891603980f63d285ebf8ab4bb3817e4e33312cc01faf9ca
Instruction Fuzzy Hash: 8251E639B0470647D72A2A7A98B967F69DBAFD5501B04803DEE03C7385DF688C069B82

Function 056F2B68 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6327702938ee3198b0ba06e5647f1f802bf80e4c6ca2df0943a6c9d37b368f
Instruction ID: 49e13a11712ca10b2d00ba6f99de3f336b2ce8f8a9a3e8a367103caad814174e
Opcode Fuzzy Hash: cb6327702938ee3198b0ba06e5647f1f802bf80e4c6ca2df0943a6c9d37b368f
Instruction Fuzzy Hash: 97519339B0471647D7292A6A98B97BF55DBAFD4605F44843CDF03C7384DFA88C069B82

Function 0584BCC0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846c0d1276ade21d22a2e831017c0bb010d77dc380eabfe6808f59fadf62d1f5
Instruction ID: e5e816c03b78c37ba7261bd183d523b14bf9a81e5b5053c5baad63caf48710aa
Opcode Fuzzy Hash: 846c0d1276ade21d22a2e831017c0bb010d77dc380eabfe6808f59fadf62d1f5
Instruction Fuzzy Hash: 00513D34700108CFDB14DB28D449B6A76A3FB88716F598069ED069B6A5CB78EC42CF85

Function 0584BCB1 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f8c761426907c954043877d9eaedbc0dc1e188978cec4a59a35b3199b61897
Instruction ID: 4fb900df2715c24c129753905620db5b7e8277561626ec2628714b7bb8118a04
Opcode Fuzzy Hash: 96f8c761426907c954043877d9eaedbc0dc1e188978cec4a59a35b3199b61897
Instruction Fuzzy Hash: EE513E34700108CFDB14DB68D449B6A77A3FBC8716F59806AED069B7A5CA78EC41CF85

Function 05748EE0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be61b3eb028feaff1f6abf444755e19be3caddb252e5f3d11bf0e00285dba814
Instruction ID: 274d60e9e811e89a50c675da62a6732066bd97aa65bf784906e8f4aa9be27a99
Opcode Fuzzy Hash: be61b3eb028feaff1f6abf444755e19be3caddb252e5f3d11bf0e00285dba814
Instruction Fuzzy Hash: CF615CB0A00249DFCB04CFA9E455BADBBF2FF48304F45806AD006AB2A5EB789D45CF41

Function 0584B76F Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf55314c411120798af355fc7228e9d723770b703dbfea4a5ad0289fc65ff77
Instruction ID: 9f393f45309e629b38a557d2be984b5b04c66eb2961af1880d6a8d1ed33afadc
Opcode Fuzzy Hash: 2cf55314c411120798af355fc7228e9d723770b703dbfea4a5ad0289fc65ff77
Instruction Fuzzy Hash: 44518B34A0010C8BEB14CA59D445BAE77A3FB88356F59807ADD05A7664DB78DC82CF41

Function 0584B780 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff2f0dbe1a40851e77f329b2ccee3c8bd54a1acc0fb5528b055c01dba8fc29e0
Instruction ID: 0d8e71f477f40f2f6fb08440013879cafcc2231a8bf5cc2ac7584e9507ec6c26
Opcode Fuzzy Hash: ff2f0dbe1a40851e77f329b2ccee3c8bd54a1acc0fb5528b055c01dba8fc29e0
Instruction Fuzzy Hash: E3515B34A00109CFEB14CA59D445BAE76A3FB88356F59807ADD05A7664DBB8DC82CF44

Function 05748EF0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2593a0a50acb3b88841493e4fb78f6e3cf63d3478beded76c0d37e7ad61d2c95
Instruction ID: f2f0246ce9a6c73e4be43f4d0267156342a093898ba98bc3290ac335b40d2159
Opcode Fuzzy Hash: 2593a0a50acb3b88841493e4fb78f6e3cf63d3478beded76c0d37e7ad61d2c95
Instruction Fuzzy Hash: 03514CB0A00249DFDB04DFA9E455BADBBF2FF48304F448069E016AB2A5EB789D45CF51

Function 061DCDD8 Relevance: 7.7, APIs: 5, Instructions: 214
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 061DCE56
GetCurrentThread.KERNEL32 ref: 061DCE93
GetCurrentProcess.KERNEL32 ref: 061DCED0
GetCurrentThreadId.KERNEL32 ref: 061DCF4E
DuplicateHandle.KERNELBASE(00000000,00000000,061B8F9C,?,00000000,061D0DD8,00000000,?,?,?,?), ref: 061DD06F

Memory Dump Source

Source File: 00000008.00000002.1379596507.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61d0000_RFQ.jbxd

Similarity

API ID: Current$ProcessThread$DuplicateHandle
String ID:
API String ID: 4285418203-0
Opcode ID: e63dad765899f5fb344a98543c50c414a8476ad12ecea659052a0da5b9ef5e09
Instruction ID: 78e17afbe25d98478b13eee00541266b5823fca0ede301f032b4c7f581d8c4c3
Opcode Fuzzy Hash: e63dad765899f5fb344a98543c50c414a8476ad12ecea659052a0da5b9ef5e09
Instruction Fuzzy Hash: DF9123B4D003099FDB50DFAAD989BEEBBF5EF48310F10841AE429A7250D774A845CFA1

Function 058AF430 Relevance: 7.6, Strings: 6, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 058AF5FA
4'q, xrefs: 058AF502
4'q, xrefs: 058AF57A
pq, xrefs: 058AF587
4'q, xrefs: 058AF4E4
4'q, xrefs: 058AF4B4

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: (q$4'q$4'q$4'q$4'q$pq
API String ID: 0-2944075406
Opcode ID: 1a1bb4da74f0f2c9229cb784b19e6e6c55845fbe06c1b6afe03f2ecb34d38360
Instruction ID: 211ac33941f866d80a1b5309e720cabc8611acfa6ff6351ecc30e2ede0993409
Opcode Fuzzy Hash: 1a1bb4da74f0f2c9229cb784b19e6e6c55845fbe06c1b6afe03f2ecb34d38360
Instruction Fuzzy Hash: 3551A171A003058FE714DB79D8517AEBBE6BFC8200F24852CD54A9B395DF34AD0687E1

Function 061DCD81 Relevance: 6.2, APIs: 4, Instructions: 163
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 061DCE56
GetCurrentThread.KERNEL32 ref: 061DCE93
GetCurrentProcess.KERNEL32 ref: 061DCED0
GetCurrentThreadId.KERNEL32 ref: 061DCF4E

Memory Dump Source

Source File: 00000008.00000002.1379596507.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61d0000_RFQ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fc6104edc5c52344b582b0f98e8ae46d8d5f22896cedd38779262a17564007d4
Instruction ID: 2f2bf07d08cab52541b3f05495d3e7729c767971d855e592123f9175aa8055bd
Opcode Fuzzy Hash: fc6104edc5c52344b582b0f98e8ae46d8d5f22896cedd38779262a17564007d4
Instruction Fuzzy Hash: EA619BB0C013499FDB54DFAAD888BDEBBF5EF48314F10855AE429AB2A1C7345845CF61

Function 061DCDC8 Relevance: 6.1, APIs: 4, Instructions: 146
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 061DCE56
GetCurrentThread.KERNEL32 ref: 061DCE93
GetCurrentProcess.KERNEL32 ref: 061DCED0
GetCurrentThreadId.KERNEL32 ref: 061DCF4E

Memory Dump Source

Source File: 00000008.00000002.1379596507.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61d0000_RFQ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a630eeed1f6ea20bd1fe13dbc38e0825899a120f8ec43233850d1580b83fd3ec
Instruction ID: 66b9483f97625ab4b663472b4f78dd4c8b1b9967a799302ab63da7f6eeafbf74
Opcode Fuzzy Hash: a630eeed1f6ea20bd1fe13dbc38e0825899a120f8ec43233850d1580b83fd3ec
Instruction Fuzzy Hash: 085146B0D003099FDB94DFAAD988B9EBBF6EF48314F10C459E429A7260D734A845CF61

Function 05849370 Relevance: 5.3, Strings: 4, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 0584944B
(q, xrefs: 05849658
(q, xrefs: 0584941F
(q, xrefs: 05849553

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: (q$(q$(q$Hq
API String ID: 0-564500637
Opcode ID: 8a23dbe520473c9a4929698a6cc9b531d08fd717e115fca4492b180279fc02e6
Instruction ID: fd0c630cfe6d52953cec6ba0235b3e02ee2dda96a446f2d1a09bc98f40f73b3d
Opcode Fuzzy Hash: 8a23dbe520473c9a4929698a6cc9b531d08fd717e115fca4492b180279fc02e6
Instruction Fuzzy Hash: EF9106317043158FDB25AB78E85072E7BE2EFC4210B58847ED90ADB391EE349C06C7A6

Function 058AE160 Relevance: 4.2, Strings: 3, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 058AE664
Hq, xrefs: 058AE6B4
Hq, xrefs: 058AE635

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: Hq$Hq$Hq
API String ID: 0-2505839570
Opcode ID: 40c4305fadcdaee88dc78ba53df7f85915862aa5808f0c9bd397d0afe31b5ecd
Instruction ID: 4c1480687d4a5376f8beefb3c5ec923987fba45f0874f7dc3a13cf72cc435333
Opcode Fuzzy Hash: 40c4305fadcdaee88dc78ba53df7f85915862aa5808f0c9bd397d0afe31b5ecd
Instruction Fuzzy Hash: DC126B72A003059FDB24DFA9D484A6EBBB6FF88314F148929E806DB350DB35EC46CB51

Function 0574E1D0 Relevance: 4.2, Strings: 3, Instructions: 421
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 0574E472
4'q, xrefs: 0574E551
4'q, xrefs: 0574E5D1

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q
API String ID: 0-3126650252
Opcode ID: 4d5bc802e0e771bc1fa78f5c0f4fe0be33c9121fc046c586247d98b8536455a1
Instruction ID: b886312559c9f4d8d2b5d0db7dfdf2b3a0bfae1d140c6e56f8c432ec03cf3b6d
Opcode Fuzzy Hash: 4d5bc802e0e771bc1fa78f5c0f4fe0be33c9121fc046c586247d98b8536455a1
Instruction Fuzzy Hash: 1B020B35A10218DFD714DFA8D598AADBBB6FF88311F158158E806AB3A5DB30EC42DF41

Function 05841D50 Relevance: 4.1, Strings: 3, Instructions: 359
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 05841E89
(q, xrefs: 05841EB5
Hq, xrefs: 05841EE1

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: (q$(q$Hq
API String ID: 0-2914423630
Opcode ID: c04449bda47db3db700b623e014da043b6496423e56ef39ca18209a695ea18b2
Instruction ID: dd335091c5edbe75acdd04fdc2cb4eb0c2d51369a6efdfcae77342b0fb8c3dc9
Opcode Fuzzy Hash: c04449bda47db3db700b623e014da043b6496423e56ef39ca18209a695ea18b2
Instruction Fuzzy Hash: 65E12035B00209DFDB14EF64D4989ADBBB2FF89310F548569E906AB365DB30AC42CF91

Function 056F0B28 Relevance: 3.9, Strings: 2, Instructions: 1383COMMON

Download Yara Rule

Strings

4'q, xrefs: 056F1CEA
4'q, xrefs: 056F1CDE

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 02de8f8c2f5eec87063812898622533545c501f14b0a6f938cf46cffa05a41a6
Instruction ID: 5420d841f1e3fd9fce4943c0ff62700c96fe28d71aaebbab20d6e4f1dc052f81
Opcode Fuzzy Hash: 02de8f8c2f5eec87063812898622533545c501f14b0a6f938cf46cffa05a41a6
Instruction Fuzzy Hash: C6A20830F04225CFCB385BA9845963E69E7BFDA6A2B444179DB07D7745DE308C02E7A2

Function 05843EE0 Relevance: 3.9, Strings: 3, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 05843FB6
PHq, xrefs: 05843F34
(q, xrefs: 05843F8A

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: (q$(q$PHq
API String ID: 0-3570811051
Opcode ID: 3d50f46456f110c7cc23866dc98679656ad33200b4e173f05e125092a56d545d
Instruction ID: 1502f289eab2b8b23de0b8ec0179d4dee1a0c330bab199f6aff2dab71f187674
Opcode Fuzzy Hash: 3d50f46456f110c7cc23866dc98679656ad33200b4e173f05e125092a56d545d
Instruction Fuzzy Hash: BD31BF717046058FD714DF29E454B2ABBF6FF88611B148179E90ACB361DB34EC42CB94

Function 061D1629 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 061D16BB

Strings

4'q, xrefs: 061D1674

Memory Dump Source

Source File: 00000008.00000002.1379596507.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61d0000_RFQ.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'q
API String ID: 2492992576-1807707664
Opcode ID: d9c49d1593f1ac8e37dd3e58dd1a0b25dc1b2a19e6c9476acbbf03b20867404c
Instruction ID: 682c716a9099fead836fa469f07db12975148d92a250390b5a4664a4c6ef5c55
Opcode Fuzzy Hash: d9c49d1593f1ac8e37dd3e58dd1a0b25dc1b2a19e6c9476acbbf03b20867404c
Instruction Fuzzy Hash: 2C2189B0D003898FDB10CFA9D9066EEBFB4FB08310F14855AE455B7281CBB46944CFA1

Function 061D1638 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 061D16BB

Strings

4'q, xrefs: 061D1674

Memory Dump Source

Source File: 00000008.00000002.1379596507.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61d0000_RFQ.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'q
API String ID: 2492992576-1807707664
Opcode ID: 6fc3e6d2d31705294eee5031c9189af90ab62e37fd2effc9c3c7f50bb213b26f
Instruction ID: caeb3ea89aad5ece4893a1635ed65efbd57ae16637d5bfdb095c9756e523ccb6
Opcode Fuzzy Hash: 6fc3e6d2d31705294eee5031c9189af90ab62e37fd2effc9c3c7f50bb213b26f
Instruction Fuzzy Hash: 0D2138B5D0034A9FDB10DF99D9466EEBBF4FB08320F148559E415B7280CBB56944CFA1

Function 0605AB20 Relevance: 3.3, Strings: 2, Instructions: 794
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 0605B367
$q, xrefs: 0605AE65

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID: 2$$q
API String ID: 0-2017333547
Opcode ID: 2b2a971c963a2908f559a8edfd0338a35df32e156a10af7d2f25d8192c6795e1
Instruction ID: e5efd4cf54d8fd8f7e9d52d441533016e0845f055f5a533d70d6ca0364c6ceef
Opcode Fuzzy Hash: 2b2a971c963a2908f559a8edfd0338a35df32e156a10af7d2f25d8192c6795e1
Instruction Fuzzy Hash: 99722974A00214DFDB64DF69E9946AEBBF2FB88300F1080A9E80AD7354DB35AD85CF51

Function 05740040 Relevance: 3.1, Strings: 2, Instructions: 599COMMON

Download Yara Rule

Strings

2, xrefs: 057404B6
$q, xrefs: 057402DF

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID: 2$$q
API String ID: 0-2017333547
Opcode ID: b44ec340fbaf338b9b57817dca7069fb1b6c5cf9fe5cf5d3fad7d1605e40a2c6
Instruction ID: 4486df97f21ffb51d9f3621f12fd727c246718b6c0e5b10a6eb37ccab5956842
Opcode Fuzzy Hash: b44ec340fbaf338b9b57817dca7069fb1b6c5cf9fe5cf5d3fad7d1605e40a2c6
Instruction Fuzzy Hash: 8842FA74A002158FDB64DF69D584BADBBF2FB88304F2084A9D50ADB365DB38AD85CF41

Function 058A9AC8 Relevance: 3.0, Strings: 2, Instructions: 516COMMON

Download Yara Rule

Strings

$q, xrefs: 058A9E33
$q, xrefs: 058A9E43

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 63e0d0b1370cadc8d9a061c4aad09d1907e76d2c6e6ded429ed44631b8028725
Instruction ID: 362a9eedfd10922d1595b31369c6a3d31b83f790b8dd90ae90cdb431f24a0b3f
Opcode Fuzzy Hash: 63e0d0b1370cadc8d9a061c4aad09d1907e76d2c6e6ded429ed44631b8028725
Instruction Fuzzy Hash: DC226B31A04219CFEB15CFA8D844AEDBBB2FF48311F148469E812FB294DB799D42CB51

Function 058AD810 Relevance: 2.8, Strings: 2, Instructions: 342COMMON

Download Yara Rule

Strings

d, xrefs: 058ADA71
(q, xrefs: 058AD824

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: (q$d
API String ID: 0-1617062230
Opcode ID: 419368901dc3bc0bc7b9eeeb286ac20b50ab8496e4720f31a31c226c4d81ab91
Instruction ID: a246df27ebecdc5e2a6a0b0c5906d1ab17c2dbd0ab96a8d21c420e878a306387
Opcode Fuzzy Hash: 419368901dc3bc0bc7b9eeeb286ac20b50ab8496e4720f31a31c226c4d81ab91
Instruction Fuzzy Hash: E5D158357016068FD724CF28C484A6AB7F2FF88310B198969E85ACB765DB30FC46CB95

Function 05843710 Relevance: 2.8, Strings: 2, Instructions: 315COMMON

Download Yara Rule

Strings

4'q, xrefs: 058439F2
4'q, xrefs: 05843A20

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 0d958ed7cd8b644eb51932d63ba13020811bb4e1f0c55d56e4e2b5171319910f
Instruction ID: 30c0214647380e81a0c92cdc1c8f28f514cc6ef212a9ae2be086564f351bc302
Opcode Fuzzy Hash: 0d958ed7cd8b644eb51932d63ba13020811bb4e1f0c55d56e4e2b5171319910f
Instruction Fuzzy Hash: C6D1DC75B00218DFD704DFA8C998AAEB7B6BF89300F504569E905AB3A5DB31EC42CF51

Function 05843740 Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

4'q, xrefs: 058439F2
4'q, xrefs: 05843A20

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 2ffe44ed93ce431c10f4cd741eb82f75e5b94901334f6165f70b2b9601fc2d83
Instruction ID: 8a90fa04008b6b46e4fae06ba3a9c5666071980a730d525331ae2960b47a01fd
Opcode Fuzzy Hash: 2ffe44ed93ce431c10f4cd741eb82f75e5b94901334f6165f70b2b9601fc2d83
Instruction Fuzzy Hash: 20C19B75B00218DFDB04DFA8C998AADB7B6BF89300F504568E905AB3A5DB71EC42CF51

Function 056F1D20 Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

4'q, xrefs: 056F20BD
4'q, xrefs: 056F20B1

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 0eee44b9ff318846c8161cdc061b2a1ae5c3c116ebb561848502c6e4235f8710
Instruction ID: 8617f67e38b5e4fb8cedca2ac712a4f27a665832511f060fcc12a66b34eaf0e9
Opcode Fuzzy Hash: 0eee44b9ff318846c8161cdc061b2a1ae5c3c116ebb561848502c6e4235f8710
Instruction Fuzzy Hash: BE918639F15221CB8F3927A4A56D53D39E3BBD96523049068F903DB784DF788C02EB92

Function 056F4640 Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

4'q, xrefs: 056F49B7
4'q, xrefs: 056F49C3

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 172e8ec9b15f9c8549f2d12b28e82c414477b0505fd156b2c4a42493d78ffd4a
Instruction ID: 12e058cb08efcb0b0313169ec97f881aebebbe646c6bf431185d40ba9425aa20
Opcode Fuzzy Hash: 172e8ec9b15f9c8549f2d12b28e82c414477b0505fd156b2c4a42493d78ffd4a
Instruction Fuzzy Hash: 39818331F14174874F29777E216813F66ABABCA9523584519DE03DBB80FE66CC0687C3

Function 058499B8 Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

(q, xrefs: 05849AE0
(q, xrefs: 05849CB8

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: (q$(q
API String ID: 0-2485164810
Opcode ID: 2a5441bf094fae0e2482da5e3a81914dc48ba433fc19a37423e28c759318d408
Instruction ID: 701f04c63a04114ccf06de3fd08ea77b63baa77c0e6b8a2491a432c4fed0629b
Opcode Fuzzy Hash: 2a5441bf094fae0e2482da5e3a81914dc48ba433fc19a37423e28c759318d408
Instruction Fuzzy Hash: E261BD31B046148FDB28DF78D554A6BBBE6FF89210B54892DE84AD7780DE34EC02CB95

Function 05843210 Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

Hq, xrefs: 058433DD
(q, xrefs: 058433B1

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: (q$Hq
API String ID: 0-1154169777
Opcode ID: 860954a83eb001b8300919dacdc6633fe40549ee56b9bf181f8590c05f51fcc1
Instruction ID: 5708d36d8f455d600cea940d0d23fd121dee80be772c505cfe978e4877e04a35
Opcode Fuzzy Hash: 860954a83eb001b8300919dacdc6633fe40549ee56b9bf181f8590c05f51fcc1
Instruction Fuzzy Hash: 8761BC307043598FDB299F39D82476E7BE2BF85214F084A2DE806CB2A1DE34DD45CB91

Function 0584FCF8 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

(q, xrefs: 0584FD6C
(q, xrefs: 0584FD98

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: (q$(q
API String ID: 0-2485164810
Opcode ID: 756a0b4839c1fac0536df9b216c02613c9b94b6c64c80b2d19afc76284ddfb72
Instruction ID: face11df5269f90dd40ad962cf54f9910c389be3aaccb7b8acf5cbfd90e9fe28
Opcode Fuzzy Hash: 756a0b4839c1fac0536df9b216c02613c9b94b6c64c80b2d19afc76284ddfb72
Instruction Fuzzy Hash: F151CF31A041489FE714CB59E444BAEB7E2FB89315F298029EE09EB395CB395C81CF51

Function 058A9090 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

(q, xrefs: 058A91A6
Hq, xrefs: 058A9235

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: (q$Hq
API String ID: 0-1154169777
Opcode ID: 6f6f0c8ae7282b4b3e8ffa4c8afd38a2410cbbfbc7d358be3ee0bae0023fc611
Instruction ID: ed40623c202fa307b735642a52c8b2cf337e7654061b3e44a0b2ac683959fb48
Opcode Fuzzy Hash: 6f6f0c8ae7282b4b3e8ffa4c8afd38a2410cbbfbc7d358be3ee0bae0023fc611
Instruction Fuzzy Hash: 13518A317043058FEB28AF78D854A2E77A2BF89211B54886DE906DB3A0DF35EC02DB51

Function 05843080 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

,q, xrefs: 05843090
(q, xrefs: 058430E7

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: (q$,q
API String ID: 0-275420656
Opcode ID: 79f9cebe50b7a494816be95f3c0b127f5e791b8a32723af842737107bb37cf13
Instruction ID: b0e322a6773b6ffce9ce77eaccb95b675b0cfe2af465d16d7a604a9652639a84
Opcode Fuzzy Hash: 79f9cebe50b7a494816be95f3c0b127f5e791b8a32723af842737107bb37cf13
Instruction Fuzzy Hash: 9041C4737041596FCF129EE9AC509FFBFEAEF89111B044066FA15E3241CA35CD259BA0

Function 06051AB9 Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

`Qq, xrefs: 06051B89
PHq, xrefs: 06051D42

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID: PHq$`Qq
API String ID: 0-577899614
Opcode ID: cc9a95bd42694841ab9115745e981a5eb424b0f4df30563520cf69ef1e4f008a
Instruction ID: 1371486a03459ca08c2d2b16cc3a5bc15a38e139bda2c97e66e11c4b196d594a
Opcode Fuzzy Hash: cc9a95bd42694841ab9115745e981a5eb424b0f4df30563520cf69ef1e4f008a
Instruction Fuzzy Hash: 51711570A11219CFEBA49F24D959BAEBFB1FB44304F1054D9E90AA7280DB746EC1CF81

Function 0584C441 Relevance: 2.6, Strings: 2, Instructions: 140COMMON

Download Yara Rule

Strings

(q, xrefs: 0584C484
(q, xrefs: 0584C50F

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: (q$(q
API String ID: 0-2485164810
Opcode ID: 52bce21eabb077d36faaaa85eda5e04317d8fb4abc653764b9010ddcfcb85975
Instruction ID: 86df26ddb2cb693ea5d79cede8185c1a53aa47de28d632e2aba88b22199b6bb6
Opcode Fuzzy Hash: 52bce21eabb077d36faaaa85eda5e04317d8fb4abc653764b9010ddcfcb85975
Instruction Fuzzy Hash: BE41E131E0421A8FDB05DBB9A4156AEBBF2FFC9250F14816AD906E7350EE309D06CBD1

Function 058AF423 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

pq, xrefs: 058AF587
4'q, xrefs: 058AF4B4

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q$pq
API String ID: 0-2294260830
Opcode ID: 9558a055efbd69bdd9fdff780dd6f87f7fe4a84817eaca9aac7faab829076f58
Instruction ID: ea01be79f3176b48052829450df5f29ddd2ea2a450914ecfbe2898f600661872
Opcode Fuzzy Hash: 9558a055efbd69bdd9fdff780dd6f87f7fe4a84817eaca9aac7faab829076f58
Instruction Fuzzy Hash: E541D231A003058FD725DF69D8807AEBBF6BFC8204F14852CD54A9B255DB75AD06C7A1

Function 058AA2D8 Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

$q, xrefs: 058AA34F
$q, xrefs: 058AA33F

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 796278479ce670bcf9e34fed4b0da55d2ce6be48190727fea726c48b8c126d04
Instruction ID: 5ffcf81cb41317020149d7ad8ed0f3433e2abd14bcf8bdb58a5022c7d83304a2
Opcode Fuzzy Hash: 796278479ce670bcf9e34fed4b0da55d2ce6be48190727fea726c48b8c126d04
Instruction Fuzzy Hash: 22117332A08309DFFB28CE59D440BADBBF5BF44254F1580A6E845CBA51D731DD80CB50

Function 058AA693 Relevance: 1.8, Strings: 1, Instructions: 537COMMON

Download Yara Rule

Strings

(_q, xrefs: 058AA930

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: (_q
API String ID: 0-3590916094
Opcode ID: 1f9921966b10158ff866c89e4f47e899de3f5f6b59dbdd69075d7fb69fa84d0d
Instruction ID: 4d6cedd5a4115d885c84364b66de8366de7eecd25f468ff0d184486e941eff5a
Opcode Fuzzy Hash: 1f9921966b10158ff866c89e4f47e899de3f5f6b59dbdd69075d7fb69fa84d0d
Instruction Fuzzy Hash: 1E228076B102049FEB18DF68D490A6DB7B2FF88314F198069E906EB361DB75EC41CB50

Function 061DD244 Relevance: 1.6, APIs: 1, Instructions: 76comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 061DD2D8

Memory Dump Source

Source File: 00000008.00000002.1379596507.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61d0000_RFQ.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: c429f3a5f17a3e6c14bb890d794d78309c8e51c8c6e602589e54b4eb4f671faf
Instruction ID: 3a65ef39724161d7ab2877725f8fb87ab454622e97890210b2380b5404094e60
Opcode Fuzzy Hash: c429f3a5f17a3e6c14bb890d794d78309c8e51c8c6e602589e54b4eb4f671faf
Instruction Fuzzy Hash: 453123B0D01308DFDB24CFA9D984BCEBBF5AF48304F248059E404BB290DB74A845CB51

Function 061D1515 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 061D15C7

Memory Dump Source

Source File: 00000008.00000002.1379596507.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61d0000_RFQ.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: 56a9aa421506649a10f01337380d2f9fecbb3760e8aa5bd5584e64d2cb82d53e
Instruction ID: 80803c989f80c0a3f4014743709f765f351cc2cc35ac08f45762fcac7b754ee1
Opcode Fuzzy Hash: 56a9aa421506649a10f01337380d2f9fecbb3760e8aa5bd5584e64d2cb82d53e
Instruction Fuzzy Hash: AD21DBB5C043889FCB51DFA9D845BEEBFF0EB49310F10844AE855AB281C378A945CFA1

Function 061D1528 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 061D15C7

Memory Dump Source

Source File: 00000008.00000002.1379596507.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61d0000_RFQ.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: 995e95dfd494f5b32f9b3e30ebb88f0142936df89ff185a620838137dc8aa888
Instruction ID: 4de20fda0bdd2805231adb456a6e54cfb3b24a3cad3a5907cad6ad6e7053bec0
Opcode Fuzzy Hash: 995e95dfd494f5b32f9b3e30ebb88f0142936df89ff185a620838137dc8aa888
Instruction Fuzzy Hash: 88219876C003889FCB11DF99D845BEEBBF0EB49320F10844AE855AB281C378A945CFA1

Function 061DD250 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 061DD2D8

Memory Dump Source

Source File: 00000008.00000002.1379596507.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61d0000_RFQ.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: aaa77790252546359c315cf3bab2852aa9937c46c23ff395cfea90cf8f01a6cf
Instruction ID: 0d27b101d3fc1d646a54d31c6e01d9bcde44bbfcf2a9e707ec86febe510131b1
Opcode Fuzzy Hash: aaa77790252546359c315cf3bab2852aa9937c46c23ff395cfea90cf8f01a6cf
Instruction Fuzzy Hash: 9731F1B0D01209DFDB24DFAAD984BCEBBF5AF48304F248069E404BB290DB75A845CF55

Function 061DCFE0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(00000000,00000000,061B8F9C,?,00000000,061D0DD8,00000000,?,?,?,?), ref: 061DD06F

Memory Dump Source

Source File: 00000008.00000002.1379596507.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61d0000_RFQ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d5d9fc215f6951093777bda10d0e459f4788cac24323297793f325c8af7dc90b
Instruction ID: 4dab7a179155f67c5b14e424b1943a5e6c68a43f0917378c80910583d6886233
Opcode Fuzzy Hash: d5d9fc215f6951093777bda10d0e459f4788cac24323297793f325c8af7dc90b
Instruction Fuzzy Hash: B62116B5D00249AFDB10CFAAD885ADEBBF5EF48320F14801AE914A7350C375A941CF65

Function 061DCC54 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(00000000,00000000,061B8F9C,?,00000000,061D0DD8,00000000,?,?,?,?), ref: 061DD06F

Memory Dump Source

Source File: 00000008.00000002.1379596507.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61d0000_RFQ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eee3057f9d259d08ca5c93ce8f2844287c62ef2c9599ff1dbd46605f76149d62
Instruction ID: c88f4bab581ae373c6eda0c33d512dae9a838951347f8efb42bbf10b55ad5388
Opcode Fuzzy Hash: eee3057f9d259d08ca5c93ce8f2844287c62ef2c9599ff1dbd46605f76149d62
Instruction Fuzzy Hash: EE21E4B5D00349AFDB10DF9AD984BEEBBF9EB48310F14841AE914A7350D379A941CFA1

Function 061D1548 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 061D15C7

Memory Dump Source

Source File: 00000008.00000002.1379596507.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61d0000_RFQ.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: edff81f7154f40b1650a5d05a62e4204c089ef8e612e64264b5a3a36b1e01ae3
Instruction ID: dbf1c93e85e6cb0e077fd5e2f5cded5d95d4ea9517028d9c15372412e91242df
Opcode Fuzzy Hash: edff81f7154f40b1650a5d05a62e4204c089ef8e612e64264b5a3a36b1e01ae3
Instruction Fuzzy Hash: B7218C75E002499FDB10DF9AD845BEEBBF5EB84310F108419E956BB380C779A944CFA1

Function 0164DA60 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0164DAD4

Memory Dump Source

Source File: 00000008.00000002.1366023144.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1640000_RFQ.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: eb441f6fddca183b94599d9c3eba802a4bfb4469d0181d8ec703a287ee111768
Instruction ID: 0b634b8a28e9730d606abc1bed0211acdff1ac1d83b3bac763812d2585d3c722
Opcode Fuzzy Hash: eb441f6fddca183b94599d9c3eba802a4bfb4469d0181d8ec703a287ee111768
Instruction Fuzzy Hash: B711E371D003499FDB20DFAAC844B9EFBF5FB58220F54842AE919A7240CB759941CFA0

Function 061DD100 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 061DD15D

Memory Dump Source

Source File: 00000008.00000002.1379596507.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61d0000_RFQ.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1c347a87a9c32f50f20e38157661d21280bf4a7fc02093a1c812a56bf332c3cc
Instruction ID: b1617489b8332ea99135d95fc13141a8dd9c378d8fa2f4a57410f5981fe6e7d0
Opcode Fuzzy Hash: 1c347a87a9c32f50f20e38157661d21280bf4a7fc02093a1c812a56bf332c3cc
Instruction Fuzzy Hash: 941145B5C003498FDB20DFAAD845BCEBBF4EB48320F208419D558A7300C379A545CFA5

Function 061DCC6C Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 061DD15D

Memory Dump Source

Source File: 00000008.00000002.1379596507.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_61d0000_RFQ.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b8502214c94f4ad98751e8c1e1ae03b6b99b6a9a261fae64ce672d7d0ae0189b
Instruction ID: 1ea7d0f556e86f6bcc8727445d9ef26c5d9fd6cccaa7dfd1b457437080d18b6a
Opcode Fuzzy Hash: b8502214c94f4ad98751e8c1e1ae03b6b99b6a9a261fae64ce672d7d0ae0189b
Instruction Fuzzy Hash: 9E1103B5D003498FDB20EF9AD445B9EBBF4EB48320F608459D518A7200C379A944CFA5

Function 057491E0 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

Dq, xrefs: 0574927B

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID: Dq
API String ID: 0-144822681
Opcode ID: f2b35a4b4e69a62ade9bfb24c3e02d9c7073c9966fd953c9591219452c7459cb
Instruction ID: bc445234e9ba0f38e541994a51613a04360979560897d42b0338c73dd369a095
Opcode Fuzzy Hash: f2b35a4b4e69a62ade9bfb24c3e02d9c7073c9966fd953c9591219452c7459cb
Instruction Fuzzy Hash: 1AA18971A002049FC714DF69D894A6EBBF2FF89710F2581A9E506AB3A1DB35EC01CF90

Function 058AAE28 Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

Plq, xrefs: 058AB010

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: Plq
API String ID: 0-3623438852
Opcode ID: e48a5ea9cfe9ccffc50b8ab9bb1a4c76143cffeccee698dec56fa07f9f223d2a
Instruction ID: f0887f4038bce2117c8fb19a5ff96385f3ee4444a2c76187b17cc3774a6a953c
Opcode Fuzzy Hash: e48a5ea9cfe9ccffc50b8ab9bb1a4c76143cffeccee698dec56fa07f9f223d2a
Instruction Fuzzy Hash: 54911631B006148FEB18DF29C494A6E7BE2BF89711F1581A9E906DB3B1DB71EC41CB91

Function 05849718 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

(q, xrefs: 0584981D

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 66d8b4f3cb5f1f9b21b9c2caf6c1db08eace97c08af18f99969863f29aed07a4
Instruction ID: 46a3c9bcae328b87c9106e41a9f3871d0856f0ebf3e43d3dad8053529e990456
Opcode Fuzzy Hash: 66d8b4f3cb5f1f9b21b9c2caf6c1db08eace97c08af18f99969863f29aed07a4
Instruction Fuzzy Hash: 6B716270F042199FDB54EFA8D4506AEB7F2FF88200B54816DD50AEB394DA34AD02DB95

Function 05844EB0 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

4'q, xrefs: 05844FC1

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 3ee1054c80573f7c7766a746091d5dde217e8ff15f1345ad82c9f1f6fb80d9fa
Instruction ID: bd48b1ceedbde417b163b36a31dbb62cd821674a409a29173374f0874fd4336f
Opcode Fuzzy Hash: 3ee1054c80573f7c7766a746091d5dde217e8ff15f1345ad82c9f1f6fb80d9fa
Instruction Fuzzy Hash: 44714D35B00208DFDB15EB68D458BAE77B6BF88710F108469E906AB391DF71EC42CB91

Function 057491D0 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

Dq, xrefs: 0574927B

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID: Dq
API String ID: 0-144822681
Opcode ID: a51dfa5379b77a93d331d1e96dd423921ff19387ee2bef8133fe4825f2b147f6
Instruction ID: 880057942bb0afe6dd6b4e1eef2a08a85bb744e3e758cf82c9f8921521146fc1
Opcode Fuzzy Hash: a51dfa5379b77a93d331d1e96dd423921ff19387ee2bef8133fe4825f2b147f6
Instruction Fuzzy Hash: 1B716C75A006009FC714DF69D584A6EBBF2FF89310B1682A9E516AB3B1DB35EC05CF90

Function 058A4AF8 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

pq, xrefs: 058A4BA8

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: pq
API String ID: 0-153521182
Opcode ID: baaac7577c5c3e2ba42c50cb37d456ab3f3bcb81eab7ca0936762cffa7da2100
Instruction ID: 10656b0477983d45be7f49bd57877b48aa3154ea5ca8f76aa24e503501efcd5f
Opcode Fuzzy Hash: baaac7577c5c3e2ba42c50cb37d456ab3f3bcb81eab7ca0936762cffa7da2100
Instruction Fuzzy Hash: 3F512C76600104AFDB459FA8D815E19BBF3FF8D3147198098E609DB372DA36DC22EB91

Function 05841430 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

4'q, xrefs: 0584146A

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: de5148af28904f854dc83a3c63092010fe98ea697045e41bb4adef7f27cd07e4
Instruction ID: 2c22fc1642cbac176f941f7f08797fbbc93778f77d498133f3ffb2f824b9148c
Opcode Fuzzy Hash: de5148af28904f854dc83a3c63092010fe98ea697045e41bb4adef7f27cd07e4
Instruction Fuzzy Hash: 4041A535B102188FDB14AB68C458AADB7BBAFC8700F504119E903EB394DF749C46DB92

Function 0574EB70 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

U, xrefs: 0574EC65

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: e6f14dabff7d4b8dc5aa7dc638d49a49fa35e81db2661ef0e6843d7420c0d67e
Instruction ID: fa9dcd5cf54da548e2df6292c41efbee84ef5d5d0ed1d7559809aef979cf9220
Opcode Fuzzy Hash: e6f14dabff7d4b8dc5aa7dc638d49a49fa35e81db2661ef0e6843d7420c0d67e
Instruction Fuzzy Hash: 6531EA317087049FC7249B69E84495ABBE9FF81361B1581BAE80ECB252DB30EC45CB51

Function 058A5B10 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

(q, xrefs: 058A5B24

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 89291e422f929a0ec196114fc121ffbb6f5a545ac3505ecbebfc88f5850a7ae6
Instruction ID: 998e9dc398e5a391b31e460efe18343669be863f01ce24043b4cf0a429a779b5
Opcode Fuzzy Hash: 89291e422f929a0ec196114fc121ffbb6f5a545ac3505ecbebfc88f5850a7ae6
Instruction Fuzzy Hash: 9241A036A00615CFEB10CF68C484A6AF7B1FF89324F558655D91ADB391D730EC92CB94

Function 05844D51 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

4'q, xrefs: 05844E06

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: ad129f14b672c2ee911b2d1ff5e9d4eb645eb20748d3ae04932973bf90fd3a5d
Instruction ID: 45c28ca6cf21303f93619a0af1d9959dd85f2cfa5cd2054784b87bbf688e7b6a
Opcode Fuzzy Hash: ad129f14b672c2ee911b2d1ff5e9d4eb645eb20748d3ae04932973bf90fd3a5d
Instruction Fuzzy Hash: 30315C717406149FE318DB69C859B2B77E6AFC8710F104568EA0ACB3A1DF71EC42CB91

Function 058A72A0 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

,q, xrefs: 058A7303

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: ,q
API String ID: 0-196045463
Opcode ID: caa44c7e88af99c7b281443cc098f5162d3f0fc8fb353902402fa1dca6fe1c96
Instruction ID: aa39688e6f3b370e2261895ee2bb65d5987b74fdb4407a7bb34baa67f64536fb
Opcode Fuzzy Hash: caa44c7e88af99c7b281443cc098f5162d3f0fc8fb353902402fa1dca6fe1c96
Instruction Fuzzy Hash: EC41A035B002058FDB14DF69D850AAEBBF2FF89211B5581A9E906DF361DB30ED02CB91

Function 056F7D76 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

PoZq, xrefs: 056F7E08

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID: PoZq
API String ID: 0-3465849047
Opcode ID: 563c80088985d6ca8118b80d67b3f4d422c15cac487b29f53ab7d36a4941c592
Instruction ID: 8d571095aa42a3e52369ac805d609649fd29589ebc7c65516223306cfa50bfff
Opcode Fuzzy Hash: 563c80088985d6ca8118b80d67b3f4d422c15cac487b29f53ab7d36a4941c592
Instruction Fuzzy Hash: F6312835B0434517DB1A6A7998A97BF699BAFD1600F08803EEB02CB385DE688D06D791

Function 05844D60 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

4'q, xrefs: 05844E06

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 5b665cbf7f6df0821d0fbb27b5f0b874f2062f3de02f9a795f0be362009c283b
Instruction ID: 1237fbd74069ef2b0c3995fcea01a21d9ee93a29dc3472cf424ea38f01b99a79
Opcode Fuzzy Hash: 5b665cbf7f6df0821d0fbb27b5f0b874f2062f3de02f9a795f0be362009c283b
Instruction Fuzzy Hash: C8314A357406149FD319DB69C859B2A77A6AFC8714F204568EA0ACB3A1CE71EC42CB91

Function 058AEE93 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

4'q, xrefs: 058AEED9

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 25339ef23db3783132dc370de1af67ecd67303e03a99f36b9db35d224a278bfd
Instruction ID: 3bf95d6a8d46595530ada093d9b00eb7b045224da87437a89635906c85b01271
Opcode Fuzzy Hash: 25339ef23db3783132dc370de1af67ecd67303e03a99f36b9db35d224a278bfd
Instruction Fuzzy Hash: 2A3196367002049FDF158F94D845E597FBAFF8C321B1540A8FA0AAB361DA31EC12DB91

Function 05841420 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4'q, xrefs: 0584146A

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 9003c1a59329cdcab5e85e390235f9bbed0f821372e7dfb0e3234f257041e249
Instruction ID: 6b8129ea1a46b24fbb6b8db8be4365a95ba9f19fc455284d5eeeb404c932bec7
Opcode Fuzzy Hash: 9003c1a59329cdcab5e85e390235f9bbed0f821372e7dfb0e3234f257041e249
Instruction Fuzzy Hash: 6D218131B102098BDB14AB68C45D6BEBAABAF84710F50402DE807EB394CF749C42DB42

Function 058A99F0 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

p<q, xrefs: 058A9A3A

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: p<q
API String ID: 0-3896934649
Opcode ID: 3d199dd7d7dd7fb3de1fd262982a43616e5b1e3bc7e9faa09199195a35125a78
Instruction ID: 845160b7fb8709eb4ce4fd5b6fb8f5dd3dc772443fbb38c6b89eea2390b106e6
Opcode Fuzzy Hash: 3d199dd7d7dd7fb3de1fd262982a43616e5b1e3bc7e9faa09199195a35125a78
Instruction Fuzzy Hash: FD218E353082559FEB11CF2AC844AAA7BE6FF89310F048056FC19CB260CB35EC51DB60

Function 05842548 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

(q, xrefs: 0584259C

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 5e32512de8b6042ded871afef625f046222d780949e46188d381c568f710d576
Instruction ID: 0b28e14310d089ed0f3cd833a0f44c4f1f9d954863c38a7aa99333b03beeeb98
Opcode Fuzzy Hash: 5e32512de8b6042ded871afef625f046222d780949e46188d381c568f710d576
Instruction Fuzzy Hash: 7B11BE72A04214AFCB069FA8E814D597FB6FF8921071680AAE905DB232CB36DC11DF91

Function 056F0B08 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

4'q, xrefs: 056F1CDE

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: b1e679bd47b5f0192e24845580f4c65eb5cb522f6967cbb6f88eb2db78f7d8ee
Instruction ID: 4defd9fefe69cba32c3c0907c6105ce4dd737930884c0adff2c7573462bd1dcc
Opcode Fuzzy Hash: b1e679bd47b5f0192e24845580f4c65eb5cb522f6967cbb6f88eb2db78f7d8ee
Instruction Fuzzy Hash: BC110875E08314CFCB268BA4D8157BD7BB2BF82365F0950AAD942AB782CB358C46C751

Function 058A7291 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

,q, xrefs: 058A7303

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID: ,q
API String ID: 0-196045463
Opcode ID: dd9cbe59aa50902f5a5c653b70ec16812d6347b5469763ff9f32151acaffd64b
Instruction ID: 49e4a9fbbb3d4f77f1964a8646e5d2b83dd62634f189a3aba74b091613b40eb4
Opcode Fuzzy Hash: dd9cbe59aa50902f5a5c653b70ec16812d6347b5469763ff9f32151acaffd64b
Instruction Fuzzy Hash: E7116735B00206DFDB14DF69C894AAEBBA6EF85311F518069EE06DB361DB70EC01CB91

Function 0164DC30 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 0164DC92

Memory Dump Source

Source File: 00000008.00000002.1366023144.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1640000_RFQ.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8b925de5614a2125214f7e18c3b97c0499b5b1249882d446ce0971c91ca5b45a
Instruction ID: efa5396ed4ea7fada53190a0167bd463df87eb81cba6872952d130393036be14
Opcode Fuzzy Hash: 8b925de5614a2125214f7e18c3b97c0499b5b1249882d446ce0971c91ca5b45a
Instruction Fuzzy Hash: 01112871D003498FDB24DFAAC84579EFBF5EF48224F148419D519A7240CB756941CB94

Function 05749FBA Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2708c49f3535f909071b96eaae741dfe193bdb429c6c1ebf251a7bd3299cbb
Instruction ID: 664d90c2c9b4815c4ae3e83ce5f862b1f1b1fc6945dc5b62652b59f1ea76d268
Opcode Fuzzy Hash: ec2708c49f3535f909071b96eaae741dfe193bdb429c6c1ebf251a7bd3299cbb
Instruction Fuzzy Hash: 99E1AB63A2C6819BDF218B64D85467ABFB6FB56243F8D4664C05F8B221D335DC00BF42

Function 056F6C28 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af818fef5c66b7f57e91078940315121683a5eaaac812f2e790fe96253de513
Instruction ID: 5f5261e6784f31cda2afcd4c5764b4f933ad2e885d1babf1e692fb851122b2b0
Opcode Fuzzy Hash: 0af818fef5c66b7f57e91078940315121683a5eaaac812f2e790fe96253de513
Instruction Fuzzy Hash: 0D023B30A01219CBEF299F64C854BAEBB76FF84304F5045A9CA06A7784EF719E45CF91

Function 05841670 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5bb7a3d486a1f1fb6dd2b1de930f5b5f31bdfc0c4927406f21bd2bc763f4cdc
Instruction ID: c5aff1ce80cbc388e8a3b6a77f00cb28d2cb6787b0fce8974adc8ab20a1b61da
Opcode Fuzzy Hash: f5bb7a3d486a1f1fb6dd2b1de930f5b5f31bdfc0c4927406f21bd2bc763f4cdc
Instruction Fuzzy Hash: 3712EA35B102198FDB14EF68C898A9DB7B2BF89300F5085A8D94AAB355DF30ED85DF41

Function 056F6088 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47dd7f54f28bf3c34288d9de285bc6e5265e6a866a6dc5ffb510b4a6a94691a
Instruction ID: fbf13ce688e70db82ec7567c710d52c1f66bacf8329001418e0c2c487223fd5a
Opcode Fuzzy Hash: e47dd7f54f28bf3c34288d9de285bc6e5265e6a866a6dc5ffb510b4a6a94691a
Instruction Fuzzy Hash: 30C18420B0034557E724E9AED4E47ABD2DBAFD4600F50453E9B03DB799EEA5CC0687A3

Function 056F22D0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ad21426d378b7d34f23ad778d2b4e24e17784d026085a9b18e871db2841082
Instruction ID: c7ba9b3cf37f503012e0412a4fdafaba19aa8d4bbab9d8ea17ea1f727f457719
Opcode Fuzzy Hash: 89ad21426d378b7d34f23ad778d2b4e24e17784d026085a9b18e871db2841082
Instruction Fuzzy Hash: 4ED18B30B1430157D7199AA9D8A976BAAFFBFD4612F50803DB303DB794DEA08C06DB91

Function 056F77FA Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5ad5f8b493ccdbe5fdc5a8cdc85f1c49be00b1e4cb6e419781797d3687f4fa
Instruction ID: e140657ec2e1e7921064a4ae72e2f076efb6726c416ce5c5be856274ad9d66d8
Opcode Fuzzy Hash: cb5ad5f8b493ccdbe5fdc5a8cdc85f1c49be00b1e4cb6e419781797d3687f4fa
Instruction Fuzzy Hash: 3991D93070030647D7256E6D94E97BFA6DBAFD6600B94443DDE02DB394EFA89D058B82

Function 056F7810 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f07d2c58beef9b0d39952b6f830f59fb9a17d7374bcb9cacbbab22bbd5413dd
Instruction ID: 36f61fa32a97c836284ee523afe0930992d45431d9da3f0fa9d34dfab109147f
Opcode Fuzzy Hash: 5f07d2c58beef9b0d39952b6f830f59fb9a17d7374bcb9cacbbab22bbd5413dd
Instruction Fuzzy Hash: C291B73070030A47D7256E6D94ED6BFA5DBAFD6600B94443DDE03DB394EFA89D068B82

Function 05841661 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8234181691e0d8f827220db6013027dbc2b973e1a0ae9ad1765072b3ef0c6929
Instruction ID: 36458d569050481fcf0b602514721d7c32db2e0e0e86f0bd0eadc82487561440
Opcode Fuzzy Hash: 8234181691e0d8f827220db6013027dbc2b973e1a0ae9ad1765072b3ef0c6929
Instruction Fuzzy Hash: 2DA10E34B102198FDB14DF24C898B99B7B2BF89310F5085A8E94AAB355DF30ED85DF41

Function 068E8BA1 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3ace011b2a5c84b0604405eba047f9d7d31012379d5ab70d4b877d1e8bcc8b
Instruction ID: cf9e3b4ef606d91820ca8fb640e7c1b3f10e21b9791fffe3e314105f4046146f
Opcode Fuzzy Hash: 7e3ace011b2a5c84b0604405eba047f9d7d31012379d5ab70d4b877d1e8bcc8b
Instruction Fuzzy Hash: 3C9191B0E00149DFEB94CBA4C884BAFB7B2FB86304F119525D502DB294DB35AC86CF90

Function 05842608 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06bf2ca572629b1342b47698ba55ec66781f93b205cece08bf6af9fba39f1cb
Instruction ID: 7989c73364f1e6287b7e3e3c81c64665fea2a0387024513fa0e121e4d84fac38
Opcode Fuzzy Hash: f06bf2ca572629b1342b47698ba55ec66781f93b205cece08bf6af9fba39f1cb
Instruction Fuzzy Hash: 5A813B35B14218CFDB14DF68D498A6EBBB6BF88710F148169E906DB3A1DB34AC41CF90

Function 058A5E28 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0311b7a6f425ba8661eef8368e770295e3760d51beba623100f431f26d8e6f74
Instruction ID: d82548c554b1d3b0f7d174a36255fb49c9ececc2f28de7332dc4192491d18d7a
Opcode Fuzzy Hash: 0311b7a6f425ba8661eef8368e770295e3760d51beba623100f431f26d8e6f74
Instruction Fuzzy Hash: D3817632B15208DFDB14CFA5E459AADBBB2FF88311F148469E802EB391DB359D81DB50

Function 068EFC28 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b60b5d88581c8a6d6f177e06253084a56632108e59881c55261bbf984ab7b84
Instruction ID: 6d30f3f51591d02e3bd98f80a40198f6df2f0b4dc514ec0a5030bab9ba4f36f7
Opcode Fuzzy Hash: 2b60b5d88581c8a6d6f177e06253084a56632108e59881c55261bbf984ab7b84
Instruction Fuzzy Hash: BD816F75B001089FDB44DFA9E994BAEB7B3FB89304F158028EA06D7354CB3A9C55CB91

Function 058ABB88 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a9f4457ff84c576de02e98e8c7f39528b2b385f5f0baabbba94f1adce42e3b
Instruction ID: 30eee3e3bcae97990b2f8e51faa714d252d830f9bdebfa00eafb80bbb6ae7a5b
Opcode Fuzzy Hash: c9a9f4457ff84c576de02e98e8c7f39528b2b385f5f0baabbba94f1adce42e3b
Instruction Fuzzy Hash: 2D810635A00618CFDB24DF69C484AADBBF5FF48311B1685A9E816DB361DB34ED42CB90

Function 058443F0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f603a0fd07347ad436b8c100675d4d036b24b327a8d561d7aec804c8cffaee
Instruction ID: 4d94f13b45b4cc1b0c5bbac4ecb81ed41e205391eed2c0cf2501d25176568eb2
Opcode Fuzzy Hash: 87f603a0fd07347ad436b8c100675d4d036b24b327a8d561d7aec804c8cffaee
Instruction Fuzzy Hash: 91816C35B106189FDB15EF68C058BADB7B6BF89304F108169E902973B0DB749D86CF91

Function 068EBC30 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7a3f43ea4f9e4639f831c220a0d47ffa5c75496ab53ece0c506c05ea8cfad
Instruction ID: 29469183f29c09c089352c712ac28ecb2bc8c4fab69280cb0dc9e6bc38d477b7
Opcode Fuzzy Hash: 9eb7a3f43ea4f9e4639f831c220a0d47ffa5c75496ab53ece0c506c05ea8cfad
Instruction Fuzzy Hash: 45717D347001049FDB99EB24D694A7E77E3EB8A300B158069D916CB395DF35DD42CBD2

Function 056F65D8 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83157a9e70f633fdf90ece715a709332c226d65bc74fed6335927c9e7b6e6d2
Instruction ID: f208ffddad82c27b240ec3967beaa207053bed56c4c0ba0f18e2302a256f60f2
Opcode Fuzzy Hash: d83157a9e70f633fdf90ece715a709332c226d65bc74fed6335927c9e7b6e6d2
Instruction Fuzzy Hash: CE713D31E0071A8BCF19CFA5C4516AEBBB2FF84304F20852AD911BB754EF719986CB91

Function 068EBF81 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732c6e89f676b703ae67d1bf878a35b8c94d3f946274a969283d870d79fc46b4
Instruction ID: 85da8b8ae78ed20cca584231e3f06dbccf51e35e099fb8b2583acc6e768ffc89
Opcode Fuzzy Hash: 732c6e89f676b703ae67d1bf878a35b8c94d3f946274a969283d870d79fc46b4
Instruction Fuzzy Hash: A961B234F002049FC798EBB8E4956AEB7F3EF8E210B158169D916D7384DE35AC42CB91

Function 068EBC40 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21beb6912533a0d55f3c04e7d1cb76f6b09d096f215bb87494964aa06ea27bd2
Instruction ID: fc09b97a14016904c70127e329f68552ef51339a6eb48e665ac7d2f63277a306
Opcode Fuzzy Hash: 21beb6912533a0d55f3c04e7d1cb76f6b09d096f215bb87494964aa06ea27bd2
Instruction Fuzzy Hash: 3E616B347001049FDB99EB28D694A7E77E3EB8A300B158069D91ACB395DF39DD42CBD2

Function 068E626F Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ad71f1b303e829d7ef457336954b3c1d9ce614e9679eb92202a662e7f33f74
Instruction ID: 486c3aa75f156ac807b895a7b3cb955ffbfba7e5473013f948c7a8767f77ac7c
Opcode Fuzzy Hash: 48ad71f1b303e829d7ef457336954b3c1d9ce614e9679eb92202a662e7f33f74
Instruction Fuzzy Hash: 11619035B001048FD7949B6DE2986AE32B3EB96314F148128D906DB385EF39AC95CBD1

Function 058443E0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9171db93a6b54678b9093f7ce022fe068b9e4182a3aa1ce38dbc8e010678d1c4
Instruction ID: f79debf91cd1826c34dc544c96774d5305159e2f5aa203b0c58cd060f281fe28
Opcode Fuzzy Hash: 9171db93a6b54678b9093f7ce022fe068b9e4182a3aa1ce38dbc8e010678d1c4
Instruction Fuzzy Hash: 38617B357106189FDB14EF68C458BACB7B6BF89304F108669E802973B0DB74AD86DF91

Function 058425F8 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd374cfb2e41ccea4b91f3073507ed511d30eff4c8a26ca23335b371a2ba2396
Instruction ID: 2d5654f856e6bb897d40854a9044a4f1ff57e84242c35bbadd5ac1c30844cc69
Opcode Fuzzy Hash: fd374cfb2e41ccea4b91f3073507ed511d30eff4c8a26ca23335b371a2ba2396
Instruction Fuzzy Hash: 1761FA39710218DFDB14DF68C498A6EB7B6BF88710F148169E906DB3A5DB34AC41CF91

Function 05846D40 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654fae861c83c04f42b019f325374922c65f0dd8247a8f2278ce04532fbe48ed
Instruction ID: ebb00d502e64d266e689b3e39b517d43ddf6627a95ca0fd8fe21e7a2677213ff
Opcode Fuzzy Hash: 654fae861c83c04f42b019f325374922c65f0dd8247a8f2278ce04532fbe48ed
Instruction Fuzzy Hash: 8E51F6317043248FC724DB69D08062ABBF6EB85215B28C97ED94AC7B41EA35EC43CF85

Function 068EBCC0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655a66729d163b2a73b3160b3cd4da397f3a61cfd23b53892e327c37d6333baf
Instruction ID: 65259a8345cce60a300954f7f5cce196df776b74e2486dceb601c85aaa64c10d
Opcode Fuzzy Hash: 655a66729d163b2a73b3160b3cd4da397f3a61cfd23b53892e327c37d6333baf
Instruction Fuzzy Hash: 795149347001009FDB89EF24D694A7E77E3EB8A300B158059D91ACB399DF39DD82DB82

Function 058AF9F8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733e8442b35e0bad1e44ea30a0bb5689ad4a33665e142a1c9977b9871de41038
Instruction ID: e82ac6d8afd87d66dfde97e98437836427f2a7bd364f202851c2564c9567b9d2
Opcode Fuzzy Hash: 733e8442b35e0bad1e44ea30a0bb5689ad4a33665e142a1c9977b9871de41038
Instruction Fuzzy Hash: 83519E35B106099FDB05DF64E498AAEBBB6FF88712F108119F502A73A4DF349D06DB81

Function 0584ABEB Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129950b16fa0182b29c4d04e98a4cd06f3a791031c849f507667b0278279599a
Instruction ID: ee3184f4f6beaf242ef31c5e5ac88d8c3a3f1722e9649e87ffe751831bc43998
Opcode Fuzzy Hash: 129950b16fa0182b29c4d04e98a4cd06f3a791031c849f507667b0278279599a
Instruction Fuzzy Hash: 79513934A84109CFDB48CB55E449BB977A3FB88315F598079EC06EBAA5CB786C81CF44

Function 0584A868 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8060e44b9fca4f23fa7da1a6cf9d7970da899f73ca8eddc549876c8c89c3220a
Instruction ID: 95c8313b09337e6bee55fc17553a511b9491f61419b48a0a53d71a48089e95d0
Opcode Fuzzy Hash: 8060e44b9fca4f23fa7da1a6cf9d7970da899f73ca8eddc549876c8c89c3220a
Instruction Fuzzy Hash: D8515C34A50109DFDB08CF54E549BAD7BB3FB88315F19806AED02AB695CB786C81CF45

Function 0584AC11 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c199b8b45958784461d37b00825c527cc0b25b0ac5c700ccc0b2851c01e4b791
Instruction ID: 0cf83f1bf29b6349c45de43df44077b7fe1eae442f9c344e8db6ed5a65376dc3
Opcode Fuzzy Hash: c199b8b45958784461d37b00825c527cc0b25b0ac5c700ccc0b2851c01e4b791
Instruction Fuzzy Hash: DA512A34A44109CFDB58CB15E449BBA77A3FB88315F598079EC06DBAA5CB786C81CF84

Function 0584AC20 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937e203b9ec15f9ae05ef33b37db8152ad2654105e79ab611e468ca17daa2d87
Instruction ID: 82c2644bd2495cb60095f2d66fe94f0b61abea38ceb7238d3540bfa634243622
Opcode Fuzzy Hash: 937e203b9ec15f9ae05ef33b37db8152ad2654105e79ab611e468ca17daa2d87
Instruction Fuzzy Hash: 18512A34A84109CFDB58CB15E449BBA77A3FB88315F598079EC069BAA5CB786C81CF44

Function 0584A878 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990b34b6365fc9001ea4b6d3f36f53dfcc27a1ccf876f76afd314b709243d984
Instruction ID: 6960ac7ef7dd42ae666033ebe7154bfc755185c67e0e6baf86e450cdc74cfd41
Opcode Fuzzy Hash: 990b34b6365fc9001ea4b6d3f36f53dfcc27a1ccf876f76afd314b709243d984
Instruction Fuzzy Hash: 25513A34A50109CFDB08CB55E549BAD7BB3FB88315F19806AED02AB695CB786C81CF44

Function 0574D2C8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedcb0f627d0e037284fd08250ba3170bde47431d8c0484e6a3a53717df44ca1
Instruction ID: fc383a8dc28de07d1f5939d6c0a4d920dae8f265422ef029c0de43b93dd06b57
Opcode Fuzzy Hash: dedcb0f627d0e037284fd08250ba3170bde47431d8c0484e6a3a53717df44ca1
Instruction Fuzzy Hash: 78512D38A04210CBD725DB68E00476E36E2FB89704F558076D946AB794DF3CAC46DB46

Function 0574D2BB Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a36b84d0df498566588d05d2b259c90d957768b7af2cefa9d4e52b6b6da147
Instruction ID: 9d0706741d885a0f9334eaac88638450a7a55fe17a4d0a8748c34d571cbacec8
Opcode Fuzzy Hash: d4a36b84d0df498566588d05d2b259c90d957768b7af2cefa9d4e52b6b6da147
Instruction Fuzzy Hash: 56515D38A04210CBD725DB68E00476E37E3FB89704F95817AD942AB7A4CB3C9C46DB46

Function 0584B48F Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b0ca678c16c10fa8144d7cae2a7e8ace1839d36c36865be25b770757fe422f
Instruction ID: b255e58560f0bcf4a2e234440bbd1641d3eac8c74bd87956ab104f3ca2a1106e
Opcode Fuzzy Hash: d5b0ca678c16c10fa8144d7cae2a7e8ace1839d36c36865be25b770757fe422f
Instruction Fuzzy Hash: 49518B34A00148CBDB14CA28E0457ADB7B3FB88316F5A8479DC46E7A64CB789D85CF45

Function 0584B4A0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74c303ca2a67248dc5d2967c889a4d3b936b516e888e649f2bd0c555c883855
Instruction ID: 2c17b4ce6a3098c70801684938d38d1e96e625f34182d3dfe7c61880265369bc
Opcode Fuzzy Hash: e74c303ca2a67248dc5d2967c889a4d3b936b516e888e649f2bd0c555c883855
Instruction Fuzzy Hash: 4C417F34A00148CFDF14DA19E448BADB7A3FB88316F5A8479DC06E7A64CB78AD85CF45

Function 068E86B6 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d4b7d75dbb03e7a0afb386026e2acbe2e891ff269d977c7db60e2f85d16c0a
Instruction ID: 7e8dc2fa208f76115fb93ce39fc49502190266c72ed1aaffec1fe14782af1237
Opcode Fuzzy Hash: b0d4b7d75dbb03e7a0afb386026e2acbe2e891ff269d977c7db60e2f85d16c0a
Instruction Fuzzy Hash: FF519170A00108DFEBA4DB95EA40BAE77F3FBCA300F158664D515EB294DB369C91CB85

Function 068EF590 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b1b415bd6f27b16bcd7a0cf21096079104d9943096d8de4b247c1899f316740
Instruction ID: c2a6ad0dd5de6a1db66f48025a4d08fdddb75ce61662a87cd7059a99306203a6
Opcode Fuzzy Hash: 5b1b415bd6f27b16bcd7a0cf21096079104d9943096d8de4b247c1899f316740
Instruction Fuzzy Hash: 4A41BD31E0020ADFEB50CF55C844BAEB7B2FBD6314F11C626E612EB650D7B5A985CB80

Function 068EF582 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e0c2ef825db98abeceed40d691343fe79669ee2b5976eb8dad529869deb6326
Instruction ID: b41ad5e32b739d3754e2df39969cdc7c4eb60228f554f1c8e0dec896892f005a
Opcode Fuzzy Hash: 7e0c2ef825db98abeceed40d691343fe79669ee2b5976eb8dad529869deb6326
Instruction Fuzzy Hash: 4141A031E0024ADFEB50CF55C844BAEB7B2FB96314F15C666E216EB650D7B4A8C5CB80

Function 05845988 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596d1289d1dfbba4aaaef0be91facd02f302e519e66c40d112602d449bfee07d
Instruction ID: 60649f22df4b7e5e4e38b54a24ca0e3e0a5fda54b6b5dca55663e087aa2496dd
Opcode Fuzzy Hash: 596d1289d1dfbba4aaaef0be91facd02f302e519e66c40d112602d449bfee07d
Instruction Fuzzy Hash: EC416A31B047188FDB64DB68E55469EBBF2FF84620B44892ED85AC7A84DB34ED41CF81

Function 068E864C Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fd884214bc3444fe0e4fa5627fd4c939be0002899da1db9fa2611b2b517add
Instruction ID: 47c63a7267b31d6dabdfd374eef8a6562393ccd9d67227bfdd9a387118b22524
Opcode Fuzzy Hash: d6fd884214bc3444fe0e4fa5627fd4c939be0002899da1db9fa2611b2b517add
Instruction Fuzzy Hash: 27518E70A00108DFEBA4DB95EA40BAE77F3FBCA300F118564D516EB294DB369C91CB85

Function 068E851D Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13bdcc5beb9c9c609aca8bb3544237e79f55e901c5b0c0005a62233a55c82738
Instruction ID: 15a10cbae1f8c8075e1c739a89a704ebb6d872b48e74b518a3d5df721f2ff2a0
Opcode Fuzzy Hash: 13bdcc5beb9c9c609aca8bb3544237e79f55e901c5b0c0005a62233a55c82738
Instruction Fuzzy Hash: FA51A470A00104DFEBA4DB95EA40BAE77F3FBDA300F118564D515EB294DB369C91CB86

Function 05748CB1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393bd53c8be16b86891d7475871a4815e1adf33ca9eb1b4720b135b6ca4dc793
Instruction ID: 613e928afc16fe0d6ad46375c893dace0268c12bc0b89af345186bb3b68559c2
Opcode Fuzzy Hash: 393bd53c8be16b86891d7475871a4815e1adf33ca9eb1b4720b135b6ca4dc793
Instruction Fuzzy Hash: 5541C331E05229DBDB18DF54C8446AEB7B2BF59314F168166E916BB241D730AD02EF82

Function 05848B69 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761fa87e65427e72c767820dcf3142dc18437931cb7a6b7d64e6e6ce5a8fe877
Instruction ID: c084181772e7767deb7e50023ed05f4e7dd182e1f246578bd65334754d08b237
Opcode Fuzzy Hash: 761fa87e65427e72c767820dcf3142dc18437931cb7a6b7d64e6e6ce5a8fe877
Instruction Fuzzy Hash: C54158797001048FD704DFA4E448AAE77A3FBC9315F65806AED02A77A4CA3CAC06CF91

Function 068E84AA Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bafd85f2e5b236585bac9d0f0ea250330ab60e01326a0061e06b554a1940ebb7
Instruction ID: 220796299b75ef04ad0bc926eb2fd4205719ad353f8deecbe006961adbb78eae
Opcode Fuzzy Hash: bafd85f2e5b236585bac9d0f0ea250330ab60e01326a0061e06b554a1940ebb7
Instruction Fuzzy Hash: F4418D70A001089FEBA4DB95DA40BAE77F3FB8A300F158564D516EB294DB369C91CB86

Function 068E858C Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4056d0b07e9735a23a2e019efc31ab420aa3710b426ad9520142df24811ed00b
Instruction ID: f16dc193517e04fe87287c53385c0b897e04ee17e33affb79726d361703f654a
Opcode Fuzzy Hash: 4056d0b07e9735a23a2e019efc31ab420aa3710b426ad9520142df24811ed00b
Instruction Fuzzy Hash: 9241B5B0A00108DFEBA4DB95DA40BAE77F3FBCA304F118564D415EB294DB369C91CB96

Function 05848B78 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2278d0c427de048f084d98936be1576ebb17b6452fd91b96ec663e55a8ea11bc
Instruction ID: e9a52f8b9c9386eb5fa7272050bdbb5419996c32810da7c87947f778d66d4e06
Opcode Fuzzy Hash: 2278d0c427de048f084d98936be1576ebb17b6452fd91b96ec663e55a8ea11bc
Instruction Fuzzy Hash: 984139797001048FD704DFA4E458AAE77A3FBC9315F65806AED02A77A5DA3C6C06CF91

Function 068E8438 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb19727c2586ddfc860a79be7373c3b877a2932403a5ec5228ce28f15db7728
Instruction ID: 65840ec76600c556fcfa727da046e14bd182e855a25eb563f9d72d3cee9bb22f
Opcode Fuzzy Hash: 0eb19727c2586ddfc860a79be7373c3b877a2932403a5ec5228ce28f15db7728
Instruction Fuzzy Hash: 5041B170A00108DFEBA4DB95DA40BAE77F3FBCA304F118564D512EB294DB369C91CB86

Function 058A6548 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9a1627299f5c1a929acb75bbec57c118e0db4ed9f0166753b0896453789440
Instruction ID: 8e5c713c6592f83e993c99bb72abc5494e43098e35ac984f5aa03666f1db252c
Opcode Fuzzy Hash: 0c9a1627299f5c1a929acb75bbec57c118e0db4ed9f0166753b0896453789440
Instruction Fuzzy Hash: D5416A35F00215DFEB24CB65D859B6ABBB2BB88714F18C429E806DB358EB35EC01CB50

Function 05845DB8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9805de2462e8cfeae5b7aae6fe412e27f8a640ed7d7221ae81863893682aded6
Instruction ID: cf27e9e725c23025787ebd855a99f58da22b968ec65bf22e9a0cf7b20f4aa314
Opcode Fuzzy Hash: 9805de2462e8cfeae5b7aae6fe412e27f8a640ed7d7221ae81863893682aded6
Instruction Fuzzy Hash: B7414875A04B089FCB21CF69C548A6EBBF2BF88200F14C919E986D7A51DB30E944CF51

Function 05842900 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26bd67a23a5d7f51066cb5d5240fa523609024021a3c0f73c5f6043a51923281
Instruction ID: abde0ac5eb5b9d9ae6489c0c41ad9c00be7a53110c439fb0475e9b00cec6ac4a
Opcode Fuzzy Hash: 26bd67a23a5d7f51066cb5d5240fa523609024021a3c0f73c5f6043a51923281
Instruction Fuzzy Hash: F5416E39A042099BCB15DFA4D855BEEBBB6FF88310F14806AEC02B7255DB349D15CFA0

Function 05845F00 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7416a85003544d2adabf13d8d835f39388e8f9c442f409bbe6fae5fb55a101
Instruction ID: fe66c01aa2e487a90bc6ee2a78e3f1483cd0c6ea2887efdf3f42a82b7e6a4a90
Opcode Fuzzy Hash: de7416a85003544d2adabf13d8d835f39388e8f9c442f409bbe6fae5fb55a101
Instruction Fuzzy Hash: 6241BF30A043099FCB249B69D815BAEBBF6FF85710F10812AF91AD7290DB71AD45CB91

Function 068E8422 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea53bf1cceaf4ec5d83926fec3c33c73a21985ea3dea3c187754779a1206bca
Instruction ID: 302223ed86ce19115204c3623ce7240a5abbf51a5f1edec5ad62f1a319575759
Opcode Fuzzy Hash: 3ea53bf1cceaf4ec5d83926fec3c33c73a21985ea3dea3c187754779a1206bca
Instruction Fuzzy Hash: 0A41A470A00108DFEBA4DB95DA40BAE77F3FBDA300F118564D515EB294DB369C91CB86

Function 068EC698 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38990a4ec605181ceef820e2c64b3ef9f86c5b61a51a3bbbd4097289bce66e3e
Instruction ID: 1ab78c7daa24707f985a3385b403e34f421e13059a364feb7305e235a1addad1
Opcode Fuzzy Hash: 38990a4ec605181ceef820e2c64b3ef9f86c5b61a51a3bbbd4097289bce66e3e
Instruction Fuzzy Hash: 67310931A04204AFE794DB15D840FBF77E2EB86315F02A579C725CB6A0CB36AC85CB91

Function 068E8329 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07952753e139f3a0a5f3f3ecc3884797335e7ce8c4cd4d81faa95445e6bfdee1
Instruction ID: af376d1c1a9b942c3d086bdee05827d6cfbc51ab9a0b1d1c7f241867790022ef
Opcode Fuzzy Hash: 07952753e139f3a0a5f3f3ecc3884797335e7ce8c4cd4d81faa95445e6bfdee1
Instruction Fuzzy Hash: A7419270A00108DFEBA4DB95EA40BAE77F3FBCA300F118564D516EB294DB369C91CB85

Function 05BAF8E0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375839867.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5ba0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8af621c96fdf9b1f7b69dd863a5f5146208a7ac4fac3bd30da3bf1efdbfdba4
Instruction ID: a0ed2c8c53c9a64663f9a5780613102eb4ac361316cba798fa3075ac04c086f2
Opcode Fuzzy Hash: d8af621c96fdf9b1f7b69dd863a5f5146208a7ac4fac3bd30da3bf1efdbfdba4
Instruction Fuzzy Hash: A631D936610104EFCB05DF59D988EA9BBB6FF89320B1580A8F5099B372D731ED55DB40

Function 056F7E40 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc74747171aeb178a20b844df797646beb13427e0724506fd5e63cd4574ab0a
Instruction ID: 0d8170f5e14c54053cbe2274f444266f285d861f921627bfc8d3fbc2a8903d02
Opcode Fuzzy Hash: 1dc74747171aeb178a20b844df797646beb13427e0724506fd5e63cd4574ab0a
Instruction Fuzzy Hash: 9321CE35B0034647DB296A6A94A967FA59BEFD5710F04803DDF03C7384EF698C0287D2

Function 056F7E2E Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82703d3cb0b022615f97f7bb861e8dfd161e909510a0b14e6189165ee07b219
Instruction ID: b5e032f2ca3d8b44040680289a2878c0126006d122617f08582e2e84bb212e3b
Opcode Fuzzy Hash: f82703d3cb0b022615f97f7bb861e8dfd161e909510a0b14e6189165ee07b219
Instruction Fuzzy Hash: 7D21F235B0474647DB2A6A6A94A977FA5A7EFD5601B04803EDF03C7384EF688C02C7D2

Function 058A66D8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14338df161688f0a7855d1e44222e353b98152f7a51910472402d9306ee456cf
Instruction ID: fc5ce6ce08a81ac8ddac4d568c71100bd3e256f6039d8044ede165e547362a42
Opcode Fuzzy Hash: 14338df161688f0a7855d1e44222e353b98152f7a51910472402d9306ee456cf
Instruction Fuzzy Hash: D8418D32E102198FEB15CF6AC844ABEBBB1FF84714F048529D916E7264EB38DD45CB90

Function 056F7DCD Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3516a7a171f3c7d55b639f28f65714400cfe73de1bc5512ae71969bf32b6491b
Instruction ID: 328df08de7ec0157612fc416a75d0915ce17c412652fba7078ca8f6b86260f0e
Opcode Fuzzy Hash: 3516a7a171f3c7d55b639f28f65714400cfe73de1bc5512ae71969bf32b6491b
Instruction Fuzzy Hash: E821E335F0474647DB296A2A58A927F5597EFD5601B04403EDF02CB784EF688C06C792

Function 068EC6A8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8feb2af644f598e72f2cc18686d3152b7adcc1021e21c3842b533cad9a19f12a
Instruction ID: a2eca416f1ba9d7cd0cf4ad3ff7e1c0f4a318a9aa69cbd1764ca8b325c4043b3
Opcode Fuzzy Hash: 8feb2af644f598e72f2cc18686d3152b7adcc1021e21c3842b533cad9a19f12a
Instruction Fuzzy Hash: C631B431A04204AFE794DB15D940F7F77E2EB86315F01A529C725CB6A0DB36AC85CB91

Function 057417A8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3005d0a42ef30679b27494d4043af0d88a0d4615552df890839adf2b0575df8c
Instruction ID: 80fb74b22aec4d22b133a3b8e8de0705d73ea55d24a892f75ed6f70343ce7e2d
Opcode Fuzzy Hash: 3005d0a42ef30679b27494d4043af0d88a0d4615552df890839adf2b0575df8c
Instruction Fuzzy Hash: E631AF397002108FD724AB79D858B2A7BE6FF89720F4600B8E506CB3A1DB64DC45CB91

Function 056F6D56 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f348da61aa056941ea8abaea3e0d764c58acee2d8a71cda7a76828946fbe00a
Instruction ID: 5ec15f2c9215d93ed0ca8e331e2c80d62a5c15e09a9223fe40533c81ecd48731
Opcode Fuzzy Hash: 6f348da61aa056941ea8abaea3e0d764c58acee2d8a71cda7a76828946fbe00a
Instruction Fuzzy Hash: 2A411630A16215CBEB29DF20C864BADBB73FF40204F9401A8DA06A7790EF319D85CF51

Function 068E9868 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452ebd601849408d2c0dca2d7dc59a821a7802b5148d90edb64a9c09a671c321
Instruction ID: 499df396b5a70a4abdc0d2e67057cbd9abb7e7b3c97c3edb40add34d6dacc542
Opcode Fuzzy Hash: 452ebd601849408d2c0dca2d7dc59a821a7802b5148d90edb64a9c09a671c321
Instruction Fuzzy Hash: 81318F75B101449FCB54EFADE8809AFB7F6EB89310F10802AEA06D7344DA359D158BE1

Function 057417B8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90d7f40d329adfcf4ca7cadbca351f040ce9311f94c73d09b37affc89cdeacb
Instruction ID: 96dbbca24602a9d620606a374edbfa05d0dbf24ff22fdf07a4b2a2ad672df588
Opcode Fuzzy Hash: f90d7f40d329adfcf4ca7cadbca351f040ce9311f94c73d09b37affc89cdeacb
Instruction Fuzzy Hash: 44317E397002108FD724AB79D458B2A7BE6FF8A721F5640A8E506DB3A1DB64DC81CB91

Function 058A799F Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6061c8828d581946c138ad947f2aeefda34794ac7f3914c08d21875c8aafe45
Instruction ID: f4b596f0367ca62811f188b4311dae09a4db01a2189fc9f1f43eb7579938e042
Opcode Fuzzy Hash: f6061c8828d581946c138ad947f2aeefda34794ac7f3914c08d21875c8aafe45
Instruction Fuzzy Hash: 4741F635B112289FEB24DB28C895FA9B7B1FB48310F1441D9EA05EB395DA31EE81CF50

Function 056F6DDA Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9daef251c436396b3b992f41a2fa4cc7f561e6b3bb0d0bc75fd6a6e7b5b93ce8
Instruction ID: f35db412ee0f794b782ac533fcce5254f4890ca0653516eef3d93c3eb78a5b51
Opcode Fuzzy Hash: 9daef251c436396b3b992f41a2fa4cc7f561e6b3bb0d0bc75fd6a6e7b5b93ce8
Instruction Fuzzy Hash: EE310630A15219CBEB29DF20C864BADBB73FF41204F9405A8DA06A7790EF359D85CF51

Function 056F7B7F Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63fb945d2c7ef1f619a5d1932c100d0cf7836d42aa5cde4634c0c547e670aae
Instruction ID: 6b9cbc01712d24b979fbbe42d7acc16113f2055e7390abaa08721de269ee46c9
Opcode Fuzzy Hash: e63fb945d2c7ef1f619a5d1932c100d0cf7836d42aa5cde4634c0c547e670aae
Instruction Fuzzy Hash: FD213831F187514FCB265A78489467FBBE6EFD6205B04407AEE05D7386DE344C05C7A2

Function 058A4200 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ab9071d9b1e281fe45028cbdd515ac9e2586dc23892f79e24aacfeee9798b6
Instruction ID: 8834ac8f9b3525dc2f323668be5d87a741754c022f41160d30a094115338a1d7
Opcode Fuzzy Hash: 75ab9071d9b1e281fe45028cbdd515ac9e2586dc23892f79e24aacfeee9798b6
Instruction Fuzzy Hash: 2B31AF35A00108CFFF10CA99E845BAA77E3FB88305F198079E805A76B4EBF91C85CB54

Function 056F65BB Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b2b16ea00c94614ec1a2e6c7ed7f5984db41ab7eae05e877ef12ef77b77572
Instruction ID: 909b8eae31b11073e8da45073797b4dd14b5b63135a246eb25e6057a01b37e36
Opcode Fuzzy Hash: c6b2b16ea00c94614ec1a2e6c7ed7f5984db41ab7eae05e877ef12ef77b77572
Instruction Fuzzy Hash: 4631A431E0465A8BCF198FA8C4502AEBBB2BF85704F14856ADD01BB744EF719D85CB92

Function 056F6E63 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a166cef6cf075a6bd6f88a978e81b05938584f94658908f45d70e8d0c76d3281
Instruction ID: 7520103e79c872195471b2f07aa95b7f5d8f5e9a9acc771279469f7adf6137cc
Opcode Fuzzy Hash: a166cef6cf075a6bd6f88a978e81b05938584f94658908f45d70e8d0c76d3281
Instruction Fuzzy Hash: AF310530A15215CBEB25DF20C864BADBB73BF44204F5401A8DA06A7790EB759E85CF51

Function 068E8F70 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56fe10751b665b95b132afb214c4f2837b1d300e2ef15f8d507f99d73785bdf
Instruction ID: 0887a2fa4180e1127b678a9ed428a1ecf4423192b449829e0f4cf5ed316c56c3
Opcode Fuzzy Hash: b56fe10751b665b95b132afb214c4f2837b1d300e2ef15f8d507f99d73785bdf
Instruction Fuzzy Hash: 652103723080049FE790DA49F884F6F77A3FB86324F158136E600DB250C7BAAC91CB90

Function 058ABB2B Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb361018c10f0b1b2bdeec222405876a0fed75212a6f3b5220934a43526059f
Instruction ID: 0cd1a659c8ab6988861e87b03dc2d3c8c81f8f5261a68e5898dcf2c14bc34d0e
Opcode Fuzzy Hash: 8bb361018c10f0b1b2bdeec222405876a0fed75212a6f3b5220934a43526059f
Instruction Fuzzy Hash: 48217472A04218DFD719DFA9D851E9EBBF9FF88310F10856AE905D7260EB30AC05CB91

Function 056F7BA0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a2d7404cd074691fead714c4fef8cc81f951461b9bd4d8a1330bf9d1de293f
Instruction ID: 6973eb71a57c273a003a2f9ee6a1ab31c2cb55014c7371d2e9043ca3c69f19f5
Opcode Fuzzy Hash: 13a2d7404cd074691fead714c4fef8cc81f951461b9bd4d8a1330bf9d1de293f
Instruction Fuzzy Hash: 8C21DE31F142154BCB29AA69889877FA6ABEFD9715B008038EE06D3384DE744C02C7E2

Function 058A4210 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14695ffcdde6eff6cdfa868b1479766c088cb380c8eacef57da88fc6566fd0c
Instruction ID: 1ac9fee6e1c5873277e853443be7c27f4bbe47d563cf952081a8cf053629065d
Opcode Fuzzy Hash: d14695ffcdde6eff6cdfa868b1479766c088cb380c8eacef57da88fc6566fd0c
Instruction Fuzzy Hash: A8317C35A00118CFEF10CA99E445BAA77E3FB88305F198079E805A76A4EBB91C85CB54

Function 058408F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8dea436fc4f1e413b772155737b9703462b16e13f3a27b0564c6af63ea013d
Instruction ID: 5a85280c0b9778512e4b03e2aacb7adb613cd00160fcb0a1da8ecafa78a8f12b
Opcode Fuzzy Hash: ff8dea436fc4f1e413b772155737b9703462b16e13f3a27b0564c6af63ea013d
Instruction Fuzzy Hash: 24216735B106198FDB14EF68C5548AEB7B6FF89700B10411ADA05E7324EF30AD46CBA2

Function 056F6EEC Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a768883266eb6704dd01ecfc9537dd25c44a3db0267a2574245fffac65e97465
Instruction ID: 8fbd2b1bacacd6d2f5ec1be5382b148695acbbf0311c647f2b6c2e582ff07687
Opcode Fuzzy Hash: a768883266eb6704dd01ecfc9537dd25c44a3db0267a2574245fffac65e97465
Instruction Fuzzy Hash: A531E330A11219CBEB29DF20CC64BADBB72FF44244F9405A8DA06A7790EF759E85CF51

Function 0574DD0B Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e685eb5a4ecb57d36b71ac24ba505a3bd0f8786e50476302f5425c0d8e6bb94
Instruction ID: add021b5dd7adc46e543f69fee97f214de5dca057007b598b082ffbcf8a2f01c
Opcode Fuzzy Hash: 5e685eb5a4ecb57d36b71ac24ba505a3bd0f8786e50476302f5425c0d8e6bb94
Instruction Fuzzy Hash: 11316BB1A00215DFDB28DF69C458BAEBBF2BF48314F14806AE405A73A5CB749D40DF90

Function 05740007 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96014a86f21b2597aaf59a16a202921fb82d81c9b871d70e543020401ee70222
Instruction ID: 4a6b20499aff0670711959cee37d6b1768fae65b38e2743498f48c0664681ae1
Opcode Fuzzy Hash: 96014a86f21b2597aaf59a16a202921fb82d81c9b871d70e543020401ee70222
Instruction Fuzzy Hash: B53124719083449FD711CF54D898BADBFB1FF41300F1980AAD444AB2A2D7389D81DF91

Function 058A8F00 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61efdec3c3b7659fd166c56162f6e88a031ed9dee82b300291eace8dd919f15
Instruction ID: d2b24f3fb7264df71fdd8d5515f675b0dbd8107f8faf06e9d5dabf2a8302cc7c
Opcode Fuzzy Hash: c61efdec3c3b7659fd166c56162f6e88a031ed9dee82b300291eace8dd919f15
Instruction Fuzzy Hash: 42214A72E0020A9FEB10DAB8C404BAEBBF6AB44350F508066E915D7292E734DE54CFA1

Function 060592F0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e127b825f64bf4784bfab43e76732dc0684d13579f773c9f642712707734a0
Instruction ID: 3dc9ec4bc65c064adf79bd22fc6e4b13e0dd1055f96802654f2a1a72485f9681
Opcode Fuzzy Hash: 01e127b825f64bf4784bfab43e76732dc0684d13579f773c9f642712707734a0
Instruction Fuzzy Hash: 24210531A0D285CFD70197B5A855B5FBFB5AFC1204F1900BAE94ADB2C2DE254C028392

Function 056F6F75 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7469f14ee20224fb621cc65a9ae91f2e1560982b7e2592823e73b3abda8d675c
Instruction ID: 8c59a8d484a9de1d99df07df245235289fad7e24d293eeb48e6780c61e614069
Opcode Fuzzy Hash: 7469f14ee20224fb621cc65a9ae91f2e1560982b7e2592823e73b3abda8d675c
Instruction Fuzzy Hash: 58210630A11219CBEB29DF20CC64BADBB72FF44244F5405A8DA06A7790EF759E85CF91

Function 058A4EA1 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceacf7d0f9772b06ff982f32a31d7628e90ad6ee9f14afa1bd9af3a8fe7ca3a7
Instruction ID: 72d57eca07d5aed229d1ff1f12bea0546d2b2aeddf635379e110f9f5b327ba8f
Opcode Fuzzy Hash: ceacf7d0f9772b06ff982f32a31d7628e90ad6ee9f14afa1bd9af3a8fe7ca3a7
Instruction Fuzzy Hash: CB213B35A04208DFDF158FA8C858ADEBFB6EF88321F149129E911A73A1CF719D41DB90

Function 068E9260 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a3ef186d7da67da5a22e5073988ac3bcf74004fd8ea5527a586d6110c1bc3c
Instruction ID: 0212ba1750992c0f0778c0b1af28c15324ed8e2929c07a8f8a8f510ccf593ff2
Opcode Fuzzy Hash: c9a3ef186d7da67da5a22e5073988ac3bcf74004fd8ea5527a586d6110c1bc3c
Instruction Fuzzy Hash: E32115B5C012199FCF50CFA9D884BDEFBF4EB49320F14806AE818AB255D3749945CFA0

Function 058ADC28 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995554ae70904b049f8028194db77f998411820abe624decab4bdf1eb9e16469
Instruction ID: ff204a8f5ea19c473602231caece3895fca037d131d0b2f25df2841f8f0495e3
Opcode Fuzzy Hash: 995554ae70904b049f8028194db77f998411820abe624decab4bdf1eb9e16469
Instruction Fuzzy Hash: 9121F536A00219CFEB14DF58C545ADDB7F2BF48311F1045A4E905AB3A5CB76AD45CBA0

Function 058408E0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed43dedd911eede7a8b048e51452fe9189c950ef8fc159ec8e2816fa3babc748
Instruction ID: e0ddf1c8ae911bd4a14307c71df809fa9d7aa12702bde101cfbce01cf1cad000
Opcode Fuzzy Hash: ed43dedd911eede7a8b048e51452fe9189c950ef8fc159ec8e2816fa3babc748
Instruction Fuzzy Hash: 40215035B10619DFDB14EF68D5449AEB7B5FF89300F10416AEA05E7320EB30AD46CBA2

Function 058A4827 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f1134aa7a2a033bb70012b590d6cba0918438c005f1eb73f08e3442aa5b1ce
Instruction ID: d415a08d0b37e8ad4a89364dc125c0ea4b552aee71582628ad26e54db9783c26
Opcode Fuzzy Hash: 48f1134aa7a2a033bb70012b590d6cba0918438c005f1eb73f08e3442aa5b1ce
Instruction Fuzzy Hash: 412107706103059FD710EB78E84A75E7FF6EB85310F008539E40ACB691DF74AC069B91

Function 068E56AC Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133e1264a4074c2c42436b4dbe1994e15f2f3520ca2c316c845dc98f8577dda1
Instruction ID: 85149390bf90f2e68f5c77f4dc29dacf96b4216817a204a26ea7faa6421281aa
Opcode Fuzzy Hash: 133e1264a4074c2c42436b4dbe1994e15f2f3520ca2c316c845dc98f8577dda1
Instruction Fuzzy Hash: 9E21E2B5C012199FCF50CF99D484BDEBBF4EB49320F14816AE918AB255D3749A45CFA0

Function 058A4EB0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20fc0e744f24de8d9aa34dfef2cc97f76765ac7644005055d18e20d2b7c08ef5
Instruction ID: cd0e18afbfb09508db58e464e7be14b37cf88f054404678fc80a76f75552b5fd
Opcode Fuzzy Hash: 20fc0e744f24de8d9aa34dfef2cc97f76765ac7644005055d18e20d2b7c08ef5
Instruction Fuzzy Hash: 11212835A04218DFDF148FA9C8549EEBFB6EB8C321F149129E911A73A0CF719981DB90

Function 068E8F60 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47b3f14df4862900a2a353160877c7533dc8b3580b767200d052c7f44fef353
Instruction ID: 4a44b90c79bcd3931262c279fa5abf620fa34338f5650d5c11d16b37b984de5c
Opcode Fuzzy Hash: a47b3f14df4862900a2a353160877c7533dc8b3580b767200d052c7f44fef353
Instruction Fuzzy Hash: 8611C4726081019FE791DA55F881BAF77A7FB86324F154526E200DB150C7BAAC51CB91

Function 068E6130 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52c132182d1eb1736a8fe631bf37b19998a767670443c2e6d10179f0ff61629
Instruction ID: 74da26a7589a9412a367a73160f4815b505656537523c446a4a9420023b48686
Opcode Fuzzy Hash: f52c132182d1eb1736a8fe631bf37b19998a767670443c2e6d10179f0ff61629
Instruction Fuzzy Hash: 1F1101307002008FD39766B498107AE7393EB97712F1640BED116CB342EA398CC287C1

Function 058AED20 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e824f1e95e396120b20df93d4d96e4dc74816d34baac53ead0cadb968b76bd
Instruction ID: e9601a71896a1946cfe0a218350132c93b29a1866b10b4a5f01984dec134ecf9
Opcode Fuzzy Hash: c0e824f1e95e396120b20df93d4d96e4dc74816d34baac53ead0cadb968b76bd
Instruction Fuzzy Hash: 9021DE32900A96AFDB14CF5CC9849B9FBBAFF80304B058969D9059B646C330BD55CB95

Function 056F6FFE Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e14ee1a0c4d1786c13f241242c645c5547973b84830c5409adc3030a26a3e438
Instruction ID: 9b277a92a9c68888ef7a3f2efbec8d4e22e9f09417b6ddf9ad6806ddba2248ea
Opcode Fuzzy Hash: e14ee1a0c4d1786c13f241242c645c5547973b84830c5409adc3030a26a3e438
Instruction Fuzzy Hash: 7F211930A11219CBEB25DF20CC64BADBB72FF44204F544598DA06A7790EF759E85CF91

Function 058AEDD0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280a654f1eedb5a5208b43752b60059ae63c5f3d1025e047b4fc988a736675e2
Instruction ID: 833575a08c1f3c5eaf7e54ea7ee981968a85b7318bd30cd59d2649621baf87b6
Opcode Fuzzy Hash: 280a654f1eedb5a5208b43752b60059ae63c5f3d1025e047b4fc988a736675e2
Instruction Fuzzy Hash: E9114C737046115FD7214A29FC44B67FFD9EFD1525F04893EE849DB216DA209C068390

Function 058A3A50 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e0b66c1b309fa7ab937a363dc83fdbc79d24c5351d61d4cc3b1366a4130b4a7
Instruction ID: 91deb8b096ed49a1f51f447623f7b367c4634b4a6cca3349ae50b906685a482c
Opcode Fuzzy Hash: 6e0b66c1b309fa7ab937a363dc83fdbc79d24c5351d61d4cc3b1366a4130b4a7
Instruction Fuzzy Hash: 79110E75B043149FD318ABB9681976F7EEEAFCD211319986AF40AD3345CE74AC0183A0

Function 0584DB47 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0312d7bb770d5d95e85d63d8ceac99b236f14c2a30ef76a3fd8e71643c0ecd
Instruction ID: 7d18171f3ab87d61dfed7fe5402b7a55c3e2ff31b7043f6f6c75a08e821cdf3a
Opcode Fuzzy Hash: fc0312d7bb770d5d95e85d63d8ceac99b236f14c2a30ef76a3fd8e71643c0ecd
Instruction Fuzzy Hash: 832159749092489BEB05DF68D0897DE7FB2EB4231DF1480E9DC12DB292CA795D858B82

Function 0584D5B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c335cd5d69be8162ed917f27638b90b4da7ada167ae7b43c8e708be47c6df270
Instruction ID: f82f0d443617c2ac72aebc62cbcf3891099186af6dabdc73622f81248a3d967d
Opcode Fuzzy Hash: c335cd5d69be8162ed917f27638b90b4da7ada167ae7b43c8e708be47c6df270
Instruction Fuzzy Hash: 89212970A06108CFDB14CF29E449B6A73A3F784305F5A807ADC09D7964DB799C82CF81

Function 058A3BC0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10d953407bfd10d56c868045d63857e2b443de0788219530b203fe034bda86a
Instruction ID: cba434f925b971b295b4192df22416f4248094faac682bb7da33d2a9fbe17ea4
Opcode Fuzzy Hash: c10d953407bfd10d56c868045d63857e2b443de0788219530b203fe034bda86a
Instruction Fuzzy Hash: 071106726082049FF720CB599844BAAB7B7FBC5300F29896AD905CB665EB75DC42C744

Function 056F7085 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8943a0590031dc7b95bcaad05ed1a4d5c14b66b1f94f27a4f76fab6366325a77
Instruction ID: 646b0b1c6c672f63c5f12ec6d28791d942af04b4d54b94dc3f009678543c945f
Opcode Fuzzy Hash: 8943a0590031dc7b95bcaad05ed1a4d5c14b66b1f94f27a4f76fab6366325a77
Instruction Fuzzy Hash: A7211830A11229CBEB25DF20CC54BADB772FF44204F540598CA06A7794EF719E85CF91

Function 068EF810 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0adf863daf45df7e0d11d4bc492b071f8f1ff4469a4fbe87f4ebb1184065e5
Instruction ID: 94b164c07b9de13e59ba4502a6375879feed02d9679f22baceb7cb9c0c260d09
Opcode Fuzzy Hash: 1f0adf863daf45df7e0d11d4bc492b071f8f1ff4469a4fbe87f4ebb1184065e5
Instruction Fuzzy Hash: D401B132B900249BD790DA9FF540ABF73DBDBC2625F158276E71DC3644DA24AC8287D1

Function 068EB9B8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd537093f5e500a281cf3aa3ef8832c9f204149fe999195ef32b760e99013a01
Instruction ID: d6a17dd443b236423b7d86dfa26fa93d167d3f71794dfc695cb0997e2ad520b5
Opcode Fuzzy Hash: cd537093f5e500a281cf3aa3ef8832c9f204149fe999195ef32b760e99013a01
Instruction Fuzzy Hash: CE11E73AB002059BC750EB69E880CCEB7A5FB85324710C529DA069B351DB31FD1ACBD1

Function 068E6140 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933e63c30d97f7d340f8e55a663653d14d3f87c062255f6b207c7dc71d0fd2ac
Instruction ID: 23d6375f576fdfb7be47a6a30773f50ac50992f04b34aee9042720028e00e461
Opcode Fuzzy Hash: 933e63c30d97f7d340f8e55a663653d14d3f87c062255f6b207c7dc71d0fd2ac
Instruction Fuzzy Hash: CF11ED30B000048FE396AAA9D91077E7293EBD6712F56407DD22ACB741EE398CC287C1

Function 058A5C51 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6dde7a8bb83173b64e568460d7d69e39f604fe3ab950d43f6b68ae2fad4555
Instruction ID: caedb3ab9f69451a676287115585160f14f948174652ad99e023982e98ee2ee7
Opcode Fuzzy Hash: ea6dde7a8bb83173b64e568460d7d69e39f604fe3ab950d43f6b68ae2fad4555
Instruction Fuzzy Hash: EB1182326112049FEF20DF7988557AA7BF2BB88711F148429F806DB384DB74C941CB90

Function 05742A20 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 843efa0c6dc8c7739d97595c35c1b2c92114790300048e3cf91db112b42b292a
Instruction ID: bb3c8fb27cfdec3984676afc7bbdbcc24c40a8fcfa33a0a2cb3ffaf2a83ab629
Opcode Fuzzy Hash: 843efa0c6dc8c7739d97595c35c1b2c92114790300048e3cf91db112b42b292a
Instruction Fuzzy Hash: 1401D63AB041109BC730CBA5D805A6EBBAAFB88714F05C079FD09E7241DF31A9025F94

Function 058A5C60 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed5e043bcefc7b3980da90404d874ac51088f158eeefee9ae997bcebdfdac09
Instruction ID: c37ff493cef684c7a3874bba5bbd6c9c7486654ca18c6a6ba4dba88c3c7dae5a
Opcode Fuzzy Hash: 0ed5e043bcefc7b3980da90404d874ac51088f158eeefee9ae997bcebdfdac09
Instruction Fuzzy Hash: 95117331B012049FEF20DF698855BAA7BF6BF88711F108429E906DB384DE74C941DB91

Function 058A59C9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ecd25c7aadb09a7a9f75dcbde1902bed5dd6988272a3a2367a4ec575f06e6f
Instruction ID: 9f8eaefaf3b85549e965697c1cb8017df1c1d5f9b5964ced6877a5df60c39017
Opcode Fuzzy Hash: 93ecd25c7aadb09a7a9f75dcbde1902bed5dd6988272a3a2367a4ec575f06e6f
Instruction Fuzzy Hash: 42217D79B12619EFDB04CFA8D594EADB7F2BF49310B204198E806EB361CB30AD41CB50

Function 058A3C83 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50777c5ce63cb90eaef6ccbf101ce5ebbb5fc82663bf7c277aa0c8d9d8fd9c34
Instruction ID: fc8b5516c86fbf32d06f55b9ec133d92c1275a293384df041b2e09142a5eb46f
Opcode Fuzzy Hash: 50777c5ce63cb90eaef6ccbf101ce5ebbb5fc82663bf7c277aa0c8d9d8fd9c34
Instruction Fuzzy Hash: 1611E5772082048FF711CB48E848BA9B7A3FB84304F2984A6E945CF6A5EB76DC42C740

Function 058A5899 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01a150579c6c184ad8586a7a047c9aebbde21ab5995ffcacf0e00191b19bd75
Instruction ID: d89bb30ac18cd28f7fe8d9a0a03767237dc383d37da695001308e1b20836c62d
Opcode Fuzzy Hash: f01a150579c6c184ad8586a7a047c9aebbde21ab5995ffcacf0e00191b19bd75
Instruction Fuzzy Hash: 5A018036340355AFDB118E59EC81FAB7BE9EB89721F108066FA04CB291DAB1D9049B51

Function 056F711C Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8f971670edf1317aafad441d630bfd561d279feaa1ce3477aab4f0c73b673a
Instruction ID: 500bb9a826d5de7655014f024c57d004336ddd3887146c7bf21006a58bec43d4
Opcode Fuzzy Hash: 4a8f971670edf1317aafad441d630bfd561d279feaa1ce3477aab4f0c73b673a
Instruction Fuzzy Hash: 4C110730E11229CBEB29DF24CC54BAEBA72FB44204F544594CE06A7794EF719E89CF91

Function 058A3B03 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7124b3fbcea50e28923947a510e9618ea92c91355448417a17e47213a25da23b
Instruction ID: bbeb7450bf6bdf61ef2bc8e051add47e691bb04c342439025c585bd3cc6cadc0
Opcode Fuzzy Hash: 7124b3fbcea50e28923947a510e9618ea92c91355448417a17e47213a25da23b
Instruction Fuzzy Hash: 20012632B003155BE719B779AC497AE768BEFC9250B048479E409D7205CD359C0353D0

Function 05749587 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd45bb074db9d40952a142ec9aa182b683034f2db590fa348c87f6314a205a8
Instruction ID: c92c615f4faa49578ee5e98f0e96e9eb7eeec25de8f181f419708aacc06113ca
Opcode Fuzzy Hash: abd45bb074db9d40952a142ec9aa182b683034f2db590fa348c87f6314a205a8
Instruction Fuzzy Hash: 55019E357083452FC7146B75581476BFB56AF91200F21817FD60EDF6A2CA3A4C034785

Function 0584DB70 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c71e8245c1afa96a431e792ed8108603cfd67bb96d822e436e6bf4200b2162
Instruction ID: 77ad0e736e3228ce967ec35019ca886abfdfa6f792278f0c1cce61edfcb1c144
Opcode Fuzzy Hash: 16c71e8245c1afa96a431e792ed8108603cfd67bb96d822e436e6bf4200b2162
Instruction Fuzzy Hash: AB11237490920CEFEB04DFA8D1897AE7BF2EB45309F2080A5DC06D6390CB795D848F91

Function 058AE828 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286f4942c897bfe33425bc54c0690f85782b3cb6e854e195d21eb44c2cfe70a0
Instruction ID: 21fba701947fed22d513849b1659e29e9d2eaccee2708846f822a5d373277e83
Opcode Fuzzy Hash: 286f4942c897bfe33425bc54c0690f85782b3cb6e854e195d21eb44c2cfe70a0
Instruction Fuzzy Hash: 2911CE71A00305AFCB10CF68C845B9ABBB4FF45324F108629E819AB341C772BD0ACBA1

Function 058A3BD0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5a77acfc3858cd36c169d860826317c2225de7515ffbe04af6127ff6bfd3de
Instruction ID: 581eeb230f5616628eb89535f999d68b22bd95e2dbfb597c45bbe84918cf4f7e
Opcode Fuzzy Hash: bf5a77acfc3858cd36c169d860826317c2225de7515ffbe04af6127ff6bfd3de
Instruction Fuzzy Hash: 090192722082099BF724CA49E844B6BB2A7FBC4314F25856AD909CB694EF75EC42C744

Function 058AF9EB Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a594218aa009609e59f4da8d319494b6a5c758a78e8a03e62cffb41222d5e2d
Instruction ID: a81139d427d08334443a170bea700e3f1b5c781345c1dfde53795287f1ea375e
Opcode Fuzzy Hash: 7a594218aa009609e59f4da8d319494b6a5c758a78e8a03e62cffb41222d5e2d
Instruction Fuzzy Hash: 4701D8367101049FDB149B19D485D6ABBAAEFC8361B048066FE19D7331DB319C16D781

Function 058492C9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8173dfb73238c9e1a59c05039945727b68036da557bcac9f4a91bcc39d98b1c3
Instruction ID: 35685cc2bfd99b21b908b19203cc1d1f2ed0d95a1ec10e65519312a5d8541c10
Opcode Fuzzy Hash: 8173dfb73238c9e1a59c05039945727b68036da557bcac9f4a91bcc39d98b1c3
Instruction Fuzzy Hash: 1201A131614218DBCB255B64D8195AEBEBAEB88751F108069FC02A3380CF715D04DF91

Function 0584FCE8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0337fd7d470c0961965bfb77f561e516ee68bf3e131625d1f16c01d372036fd
Instruction ID: aad456ba1a46787491c1f916f2158e4607b236025fa0a439190b6e8333fd27d8
Opcode Fuzzy Hash: e0337fd7d470c0961965bfb77f561e516ee68bf3e131625d1f16c01d372036fd
Instruction Fuzzy Hash: 82011636605208AFDB658B58D844FAABBA6EB88364F14802AAE099B351C6359D01CB51

Function 058AE838 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007232a9a60d2367273b4730ce4344aaec5d3eceafdbb5ab0cd9dd8d9130e429
Instruction ID: 44043ddac7b70949354ef857abb08f59ca8389f061a2679baf822a44166d43b8
Opcode Fuzzy Hash: 007232a9a60d2367273b4730ce4344aaec5d3eceafdbb5ab0cd9dd8d9130e429
Instruction Fuzzy Hash: 5E018BB1A00205AFDB14DF68D845B5ABBB4FB49224F10862DE519AB741C772BD0ACBA1

Function 05742A41 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064c75098717c4295267f8232c05a1921369e229527a5114c8cfd57a3bc122fb
Instruction ID: 42a388eb82a4dd9cc855f639c9d5b4144fbf68af830fd114251ab8f7eb10e9f6
Opcode Fuzzy Hash: 064c75098717c4295267f8232c05a1921369e229527a5114c8cfd57a3bc122fb
Instruction Fuzzy Hash: F5012436A04210CFC721DBA598049AABBE6FB49714F05807AED49E7141EB305A019F84

Function 013DD76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1364469926.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13dd000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d397f4dc23ddb70a708680dbe9f13c2e4740651e1902ff4532e69bea8b067ce3
Instruction ID: 3e06e8d455d1fe98a69d6c5463e1deb2ea483e8694696660a1e98cfcf515e8b9
Opcode Fuzzy Hash: d397f4dc23ddb70a708680dbe9f13c2e4740651e1902ff4532e69bea8b067ce3
Instruction Fuzzy Hash: 8301F7320083889EE7214E55EC84B66FFDCDF41229F05C4A9ED090E5C2C2389844CA72

Function 058492D8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1446fa610790d4b3d683ef50c9b54b34cecb06f17ab9a97b55162121101fb33
Instruction ID: a63ea1c129080d032d9cf9d61ad31d0e7e184d309603c18a3d2ecbd1cebbd02a
Opcode Fuzzy Hash: c1446fa610790d4b3d683ef50c9b54b34cecb06f17ab9a97b55162121101fb33
Instruction Fuzzy Hash: 3C01B131614218DBCB299F64D8196AEBFFAEF8C711F108029F802A3380CF755D01DB91

Function 056F6066 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010a028f55c7ea2a6a907bd92b4852d7b8e1bfbfaf5de81402b492eb8e2ffe18
Instruction ID: 9561b598efa745768b91de2983a61286dd32bcb821b7de92d84650db4476261d
Opcode Fuzzy Hash: 010a028f55c7ea2a6a907bd92b4852d7b8e1bfbfaf5de81402b492eb8e2ffe18
Instruction Fuzzy Hash: A9F07831B083414BC7248908D960662A7BABFD1210F15807BCB04CBB02DA218C02C392

Function 05840248 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d5a2a3c173ae657e7e117b9017000af1d0c1219c1652e59d58898da75d3943
Instruction ID: 1d7d894ce4259eb328a74ce05eb9183161efbc377f4a7f5e856f3a8b5b00e6ad
Opcode Fuzzy Hash: 61d5a2a3c173ae657e7e117b9017000af1d0c1219c1652e59d58898da75d3943
Instruction Fuzzy Hash: 42018F363007109FC7069B24E455B6ABBA6FF88722F108169F90A9B394CF31EC52DBD0

Function 0584C808 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c58cfddc9d23a52cfe8c5d6823889987de13ef1621e3878af149394f0cf120
Instruction ID: cb14ef816b557b5e999de0587ab6bb7a2650084e0278d02e16fed8c20fee9b9e
Opcode Fuzzy Hash: 07c58cfddc9d23a52cfe8c5d6823889987de13ef1621e3878af149394f0cf120
Instruction Fuzzy Hash: 4AF03637B442085BD624DB5AB401EAAB7DAEBC4671B24846FE54CD7240D9316C01C754

Function 060591E0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0242142dfe8d670a92e156b3866be95612fcea576cb80949a1b502970943b47
Instruction ID: 52fea1e340f25137dc80fd49ebacc3508d83560bf517200a4c5349db57401d54
Opcode Fuzzy Hash: a0242142dfe8d670a92e156b3866be95612fcea576cb80949a1b502970943b47
Instruction Fuzzy Hash: 21011AB0D94249DFEB80DFB5894D29EBEF5AB44300F21C4A6DC05E2204EB34AA808E41

Function 058496E3 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea505fcf9f7698064b374c8d8e65b78b872ee63e80733609f4676dc76a27dc2
Instruction ID: 8a29f012bc01185e9b3fa414fc32ca17dc7851c798067f642d317538b994d05c
Opcode Fuzzy Hash: dea505fcf9f7698064b374c8d8e65b78b872ee63e80733609f4676dc76a27dc2
Instruction Fuzzy Hash: 71012971E04608AFCB24CE59D486A9AFBF1EF48710F14C169E959D7750E731A942DF80

Function 058A4CD0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d699eb2b202f82705d779f60e24275fba2f64abe080179cd13028e404fb59b
Instruction ID: 990ea6acb36564ca75767d9d2b1102cb4c369f56f1bee7f25462b567aa33d63e
Opcode Fuzzy Hash: 19d699eb2b202f82705d779f60e24275fba2f64abe080179cd13028e404fb59b
Instruction Fuzzy Hash: 7EF0C832B053515FFB258B18A810B2BBBE5FBC9314F148079ED06DB361DBA5EC418780

Function 05749528 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdaa30bcc2853e1c65f5a9367e31499c8892ad1c7a7afe7083bf1f1f71e2bcc4
Instruction ID: ceeb1b3f8ebc990bbe7e5b1451498d0204597b6fe252daf8992e6841186d3dcb
Opcode Fuzzy Hash: fdaa30bcc2853e1c65f5a9367e31499c8892ad1c7a7afe7083bf1f1f71e2bcc4
Instruction Fuzzy Hash: 77F0B4327043452FD3156779281076BAB9ABFD6210B29816EE009DB292C9728C0247A1

Function 05742A50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf245b8e0cd25209aa41304eeab14c8bb7798a972ef83ebb0e9c614e3686233a
Instruction ID: 091cf3c1c3aaa206db434d6fe9711903685a1d00147238e2c6eb980d61997397
Opcode Fuzzy Hash: bf245b8e0cd25209aa41304eeab14c8bb7798a972ef83ebb0e9c614e3686233a
Instruction Fuzzy Hash: 8DF0683AB041109BC731DBA5D40496EB7AAFB88714F058176ED09E7141EF3459115F95

Function 05840258 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70db0755e73a1cebf9b67930a7fc3d994ce830f51e558234272f3235838917b6
Instruction ID: 7d8a41d29bd346c258bdaa696134f5825560dae54e1e2733ed1192d5d6827708
Opcode Fuzzy Hash: 70db0755e73a1cebf9b67930a7fc3d994ce830f51e558234272f3235838917b6
Instruction Fuzzy Hash: C50144363006109FC7099B25D454A6ABBA7EFCD722B10C169F90A97794CF35EC52CBD4

Function 0574E1C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709ac72921721a39e1c01381c49a89a677ed22edef327bf565a5b0a96473450
Instruction ID: c1677ed41aab1c1164e2d0c52c6fba6b312cc6b5726ce46bcb690909498fb56d
Opcode Fuzzy Hash: 8709ac72921721a39e1c01381c49a89a677ed22edef327bf565a5b0a96473450
Instruction Fuzzy Hash: 28F0A431A157509FC7218B24F514E353BAEBB85331F0A40A5DC05CB251C720E841EF53

Function 058A4D38 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d1048ac85ae97d80bf76f14deec98b31de0b607eff3e3635922b14f9ed0286
Instruction ID: 8c0fd6d21ae74c3440177f99bc5f78879d7d2b623a1c91451f9106e25afc5d7c
Opcode Fuzzy Hash: 09d1048ac85ae97d80bf76f14deec98b31de0b607eff3e3635922b14f9ed0286
Instruction Fuzzy Hash: 28F09063B0D3D15FFB224A2458617356FA19BC6119F1840AAD486CF2B2DA9ADC07C351

Function 0621EF50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1379750569.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6210000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd11a3443d678ec590af78b952f5fc044bab70311d71149ea0bf0c9eb29802b
Instruction ID: 4ff10eb4def4f08b74b3eb93105ff8f1457019fe7dd37667f4d9019b193d2cb3
Opcode Fuzzy Hash: 0bd11a3443d678ec590af78b952f5fc044bab70311d71149ea0bf0c9eb29802b
Instruction Fuzzy Hash: 2D016DB4D38208DFEB80DFA5A84969DBFF5FB54700F2184A6DCA5DA200E7719A808B41

Function 05741C9C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01e05365c7d7a5c68dd6b8bbb0903ebd9a8b2ece5cc9753a179c3d8b2a640b1
Instruction ID: 9e7de06091249712711c27bc24637a5f2242b435c0adf64c3d20cf1565fb5054
Opcode Fuzzy Hash: d01e05365c7d7a5c68dd6b8bbb0903ebd9a8b2ece5cc9753a179c3d8b2a640b1
Instruction Fuzzy Hash: 70F03C36F142258BEB14FB54D8006EDB2B2BF85310F9980B5C90177354DB38AC86EF92

Function 058A3A10 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9083deae2fa8824b1b868cc0f7f3445ed79f76465f93780c138e44375d0a060
Instruction ID: 48f3ac5f07cc31e3b204de200191ef65709e66bdd6377d0f52fb1fa75f420e73
Opcode Fuzzy Hash: f9083deae2fa8824b1b868cc0f7f3445ed79f76465f93780c138e44375d0a060
Instruction Fuzzy Hash: 86E06D1726DFE91FF34AA3B01C2A9403F39840344234658C6D898F647B9C017C0D9266

Function 013DD76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1364469926.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13dd000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77919a591ca9208b23953e1a08ce6c579f3c58f19a4d02b2dfa5418f5077f71
Instruction ID: 92457787a6569e97d25b8a98a99f1188cb997c3d9bd8901dac171a479d67a0fe
Opcode Fuzzy Hash: d77919a591ca9208b23953e1a08ce6c579f3c58f19a4d02b2dfa5418f5077f71
Instruction Fuzzy Hash: 34F062724043849EE7118E19E884B62FF98EB45734F18C59AED584E2C7C279A844CB71

Function 05BA1B8C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375839867.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5ba0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43365f031eba4ec533148ba84d6e75c3e8ab85e0cd52a8e542364ebb2f071487
Instruction ID: 5ec26a5bea31efe5535050344bc100c520c9d919f471bcaac4480bab99be39e9
Opcode Fuzzy Hash: 43365f031eba4ec533148ba84d6e75c3e8ab85e0cd52a8e542364ebb2f071487
Instruction Fuzzy Hash: 5401C279E082288FCB50DF28D898B997BB1FB89315F0440E5D50DA73A0DB38AD858F51

Function 068E6AC0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54174610a276a41371d304c027aeaccf6a40a3a88f00cd53f5511ebda0f490b9
Instruction ID: f467c888b271e9038240c03faf91fab222a63a61af15833a43418da1a0314e05
Opcode Fuzzy Hash: 54174610a276a41371d304c027aeaccf6a40a3a88f00cd53f5511ebda0f490b9
Instruction Fuzzy Hash: 4BF0BE329481609FC39257A4B4062E8BFA1F753226B0944A3E40DE6841D72648D0C781

Function 0584970B Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e14b544ff6800581d6a356e51c941750676fc66d71d5bbec7c4eac9e1cf76e
Instruction ID: 187b790ab7143a985806dea7043bad41a958fe2dd93e8bfb53d7d84ae57277e5
Opcode Fuzzy Hash: 99e14b544ff6800581d6a356e51c941750676fc66d71d5bbec7c4eac9e1cf76e
Instruction Fuzzy Hash: F301FB71E04718AFDB20CE59D44569ABBF5EF48710F008169DD55E3650E730A941CF80

Function 058AFE1B Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d41873c40d191f4a351f3e802d35579c9e1b400081f8d14ed12c32c9a67f63
Instruction ID: e3328b08bbbf1828ff46ccb84fb98159bf5b1c3da815ada79c95868871f00d3c
Opcode Fuzzy Hash: 76d41873c40d191f4a351f3e802d35579c9e1b400081f8d14ed12c32c9a67f63
Instruction Fuzzy Hash: 7AF06D363102009FD305DB29D459E3A77AAEFC8722F2480A9F946CB3A1CB31EC01DB90

Function 058A3B53 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a72c678db07f0f2de7f81aaf13bf3d41ae48166d9ebe2b703deba5244050eb2e
Instruction ID: c68533ee8b27d5697c030aa0e8d9fcab34c7aa3582c55edf91a359686315a261
Opcode Fuzzy Hash: a72c678db07f0f2de7f81aaf13bf3d41ae48166d9ebe2b703deba5244050eb2e
Instruction Fuzzy Hash: 13F0E27B80D3447FF3068654DC07B803F269B17701F0A04D2E5048F6F3DA66D8068795

Function 0605ED30 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae759da59e0a2f57ea4ddd3cb97ed27ed208a4e914167ed8ced17daa2e188f43
Instruction ID: 6e73233acc3b8e0d5384041952564a9417b2d71eaf7332f570e2bc7559106e59
Opcode Fuzzy Hash: ae759da59e0a2f57ea4ddd3cb97ed27ed208a4e914167ed8ced17daa2e188f43
Instruction Fuzzy Hash: 9EF0A737E441249BEB94DE66E40479FBFA9DBC4251F0AD07AEC49D7140DE7496008AA1

Function 05848232 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999e2bd57d3f8f0288d74628aaaa8baa04cf6841327ce68f3ffda6d5f20aca67
Instruction ID: 1a2df71b4c438d09f1d6997db9a3ada844c6d7b07d99e1e4af6e34b72c6f6374
Opcode Fuzzy Hash: 999e2bd57d3f8f0288d74628aaaa8baa04cf6841327ce68f3ffda6d5f20aca67
Instruction Fuzzy Hash: 08F062793101158FC304AB68E45862E36A3F7C8719B518129DE02A77E4DE3C6C078B8A

Function 058AFE28 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9efbcb83399d9768150f2b149294f34bdcdfc0046192948db75c5f44bc745e4e
Instruction ID: 947ee879e291cf2b82d36c0c4ec2f4b29396ef0237570e6c828e7d5d89411769
Opcode Fuzzy Hash: 9efbcb83399d9768150f2b149294f34bdcdfc0046192948db75c5f44bc745e4e
Instruction Fuzzy Hash: F2F05E3A3102009FC305DB19D458D3A77AAEFC8722B1480A9FA46CB3A0CF71EC02DB90

Function 0574BFA0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca86ca991cf13ae2c68b38021c6bc4856327be26e9f81338b931475908f1338
Instruction ID: 9d6f6c990cd99a0bf332a5589fbe2ea50ce382a7cec7a67342ead60f17c46428
Opcode Fuzzy Hash: 2ca86ca991cf13ae2c68b38021c6bc4856327be26e9f81338b931475908f1338
Instruction Fuzzy Hash: 8AF0E97190D2848FC702DBB09C1045DBFF28F56104B1540EFE44CDF2A2D631CE02AB92

Function 0584B401 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab185bb1fb520649a852c3eeaf763298d981e5bb135df299c7c5b8fd187bcbd
Instruction ID: f6dffb40891ef8f39f5f6905a69d5fdee757295197e880094b4dc8add51d7559
Opcode Fuzzy Hash: 4ab185bb1fb520649a852c3eeaf763298d981e5bb135df299c7c5b8fd187bcbd
Instruction Fuzzy Hash: C6F0BE3181424AEFCF02DFB4C901A99BFB5EF06211F4141FBE984DA111EB318A61DB85

Function 058A0964 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03a6d1c430edf17dbd00dc71f880add261d99502e5cc01d1a153984eab7e588
Instruction ID: e75bb17a71f0148471c91a0d5a8e1452d31321b3bdd6e62e4b3ef9b381790847
Opcode Fuzzy Hash: f03a6d1c430edf17dbd00dc71f880add261d99502e5cc01d1a153984eab7e588
Instruction Fuzzy Hash: D2F0B435B00211CFD744DB34C05C72D77E2BF88204F0640A8E54ADB790DE349C01DB51

Function 058A789F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6974d789ebedd2c6ff33504484d4ee5bd854b2aaa408fb578b2a191f13b31a
Instruction ID: c788447ede16c35b05ca7df00608592cbfb99905847804f1f7fb83b43994a2f4
Opcode Fuzzy Hash: da6974d789ebedd2c6ff33504484d4ee5bd854b2aaa408fb578b2a191f13b31a
Instruction Fuzzy Hash: 31F0E932908218EFDB19DBA4D4497DD7FF6EB40211F04C4A5E806E2181EF701D81CB84

Function 05848175 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f689fbea0931f58daf6c53cf3233ae3c5dd8b49b6180d70b7e8c64783c4db0
Instruction ID: 6f959dcc013562a0c5d2712409698da2751c606db9e6218d7a1271300040d529
Opcode Fuzzy Hash: 60f689fbea0931f58daf6c53cf3233ae3c5dd8b49b6180d70b7e8c64783c4db0
Instruction Fuzzy Hash: 18F03030714149CBEB14DB15D449F7A36A3FB84305F598076DD029B9A4DBBD5C81CF41

Function 058AE7D1 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5322e0e794d637fac93b087152ba3731e104c9cf44a7018f1ce6aeec8b76aeb
Instruction ID: aa5a8f36592f58e20fa3b712b3772b9a576d2beacda70ca405d4f83034d6b65a
Opcode Fuzzy Hash: e5322e0e794d637fac93b087152ba3731e104c9cf44a7018f1ce6aeec8b76aeb
Instruction Fuzzy Hash: 2EE09235B18B525FE7128B39EC027963AD1AB44614F04816AB884C7258EB24E9969780

Function 058A43B7 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c69379dad0c841c078f7cb55227e2c3c0adc8f8494fc77fa53b98e46d7365c
Instruction ID: f9ae2b9be98d14c81c9cbc0c7c0a6c438768c083062c51a58199f30869e8fe96
Opcode Fuzzy Hash: 74c69379dad0c841c078f7cb55227e2c3c0adc8f8494fc77fa53b98e46d7365c
Instruction Fuzzy Hash: 9EF0273290D344BFEF02CB709840E6E3FB1DF02100F0144D9E981DB292D6B27D09A741

Function 058AEE3F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc699fe90d653b2ab5f6288b5d79eaffbf19b5c5730d2427e6fce2d1780cf4f7
Instruction ID: b4f3288435fb16b4eecd7c680137be7afca89344b0c2ccb00e0d7108651e1824
Opcode Fuzzy Hash: fc699fe90d653b2ab5f6288b5d79eaffbf19b5c5730d2427e6fce2d1780cf4f7
Instruction Fuzzy Hash: 17F065316087459FD721DB26EC45D4BBFAADFC1222704C53AF8498B125DE70AD0A9B91

Function 068ECD94 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57dc5d0b98493bcbf2ef2d46858cfc0686334e2d9c79ee732814ebd0ab265e74
Instruction ID: db92c39806e91b30855821ade1eb3489f78363b8a03a646ee7f84a05c4aa09b9
Opcode Fuzzy Hash: 57dc5d0b98493bcbf2ef2d46858cfc0686334e2d9c79ee732814ebd0ab265e74
Instruction Fuzzy Hash: 70F0E735A00508DFDB419F80DC48E99BBB2FF49315F05C4A5E21A9B171C736D994EF40

Function 058A3D79 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494ba1bff80171eda62a93ae53c00bf0949f5c1ad2aae1a27a14a5f2c3aa12de
Instruction ID: 46743b5749c31bb6a337e9ce1431517c7de017787d4d5e9eeed0598406e61e62
Opcode Fuzzy Hash: 494ba1bff80171eda62a93ae53c00bf0949f5c1ad2aae1a27a14a5f2c3aa12de
Instruction Fuzzy Hash: 05F0E536B00285CFF7509A65A4007792293BFC4318F188C28ED09C7688CF359C01C744

Function 056F66F9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f5e6bbd93b9f0b476d21af61097bb7721493d8f5f0d14e27ad4ade83723fb0
Instruction ID: a9e7b14e0108cec77728445834d2893b47f03e195857aef70f1274be9601e224
Opcode Fuzzy Hash: c7f5e6bbd93b9f0b476d21af61097bb7721493d8f5f0d14e27ad4ade83723fb0
Instruction Fuzzy Hash: D1F01C35E01216CBCB258B25E1156A97B33FB80215F6080ADDE16AA300EF35DD82CB91

Function 05BA5896 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375839867.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5ba0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc1d27c8d5269b706c5469f27a128902dc960445058d7892ce13a32b73ab36d
Instruction ID: cacc21c9225191e3e6d04d84dafb62f4f3affbf92253afa2c24af90ea74779c3
Opcode Fuzzy Hash: bdc1d27c8d5269b706c5469f27a128902dc960445058d7892ce13a32b73ab36d
Instruction Fuzzy Hash: 18F03775B022288FDB60DF18D954E89BBB1FB49310F0540E4D409E37A0DA346D80CF02

Function 05BA58EE Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375839867.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5ba0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1146ab10272cde79e7c4b7fa133e612f1d6f589125102ff40239627a11e4361
Instruction ID: 1a30f92a5a119d6f64fb1b1d11d1e93cebdb5de7ac8570426e24022045d53031
Opcode Fuzzy Hash: d1146ab10272cde79e7c4b7fa133e612f1d6f589125102ff40239627a11e4361
Instruction Fuzzy Hash: 74019279A023288FD754DF18D994E89BBF1FB8A314F5540E5D409E77A0CA38AD85CF12

Function 0574DA70 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56c6451f72be3840885656d0cb991c2a332318359a053377da60c60345e7936
Instruction ID: c6762634c5f197c9949acc1b5a3ea17672c282bd0b6265299d0979698a13806e
Opcode Fuzzy Hash: c56c6451f72be3840885656d0cb991c2a332318359a053377da60c60345e7936
Instruction Fuzzy Hash: 29F0E52644D39D5ECB16A365281A681FFFC5F03218B4B92D3D498EF0F382046C8D8B96

Function 068ED432 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6717b626a96bcd5bf2a66f06088b2404ed763687078b6be5112b83934938a9
Instruction ID: 25e9c5d079a67d54678bbe8fcc05fffd6f02046de3358d6320609bc02176dab5
Opcode Fuzzy Hash: da6717b626a96bcd5bf2a66f06088b2404ed763687078b6be5112b83934938a9
Instruction Fuzzy Hash: A0F06730A00608DFDB60CF80DC44B9A7BB2FB02706F404AE5E218AB1A4C3766EC0DF40

Function 0574DEB8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13672ee478878c3a5fb0f9ac080d9f8857847c3474668cce8b9605da24f149b
Instruction ID: 9f464ab15d4733ff7188cc20082e3307cdbf4133396dcc5b36a0e1737dc43930
Opcode Fuzzy Hash: c13672ee478878c3a5fb0f9ac080d9f8857847c3474668cce8b9605da24f149b
Instruction Fuzzy Hash: 3CE0807140D314EFC725CB70890249D77F9AF1620571145E6D945C7167E7368D01DB51

Function 058AFF22 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6765bb3cc11b932232fd21522660ce8f0cb7e0475edad63ac07bc38c98ce4c43
Instruction ID: 99fb1b05053a3d68d29cd7a5ac9ffbc4623de4db2c8865c42271511ee8a39adb
Opcode Fuzzy Hash: 6765bb3cc11b932232fd21522660ce8f0cb7e0475edad63ac07bc38c98ce4c43
Instruction Fuzzy Hash: 36E01AB701E3C49FD3839BB0A9550553F31EE5325A34A04DBD48DDF263DA2A491AC752

Function 06216DAD Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1379750569.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6210000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123aa716cd5f015a9a98155b2354765abb63670a6a37d6ef6bbfbc14cbf4bbea
Instruction ID: 5ff11a204df40a6c0043ea3fd82513c5af577cba4d0522c617eb825ee8c2de47
Opcode Fuzzy Hash: 123aa716cd5f015a9a98155b2354765abb63670a6a37d6ef6bbfbc14cbf4bbea
Instruction Fuzzy Hash: B4F0C474D151298FEB64DF28E954A9ABBB6FB59305F0040AADD0AA7341DF30AE81CF41

Function 058AEE50 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20379b520cad3886e80cfb424514c0eb203f28f486a3fe165680f046086ee830
Instruction ID: 6bf1d23005e8247ea2b8f23dd0508462fc23c303161c7ba7febbda59d2b0be87
Opcode Fuzzy Hash: 20379b520cad3886e80cfb424514c0eb203f28f486a3fe165680f046086ee830
Instruction Fuzzy Hash: 94E04F367043155FC7219A1AEC84C4BFF9EEFC0266714CA3AE10A8B225DE70BD4A87D1

Function 068E7171 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f05b55dd10b965dae7a797c6ce464ff298f302ffad04bea767640f322a9b8d
Instruction ID: 183df993decdf28e5f81b2270b5da11355ffe32ff5361603efcfc454d68f12b6
Opcode Fuzzy Hash: f6f05b55dd10b965dae7a797c6ce464ff298f302ffad04bea767640f322a9b8d
Instruction Fuzzy Hash: F0E04F32845348AFCB92ABB459005DA7FA58E0611071109EBD549DB111D8358E0547E2

Function 058A4370 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebde34cd527405f40ce44d781e9657439d470709a0a79d231508eb8160b9d3a
Instruction ID: 28d468e0fd433079d44bc9000b0c0da8b0f2df8619eff669474eeeb6ea5e701e
Opcode Fuzzy Hash: 2ebde34cd527405f40ce44d781e9657439d470709a0a79d231508eb8160b9d3a
Instruction Fuzzy Hash: 84E0D871909204FFCF00EBB4D51064C7BF5DF49200B1444E5D808D7352D9B16F0097D2

Function 058A92A0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584e563c9509b636e7ba04bf5029e3945cba4164d6d3c086c1e9ac7de118ea93
Instruction ID: c3b92b9624f6e490c12c031bf6002a43d272c87dbe8837c2bd8742aac470b87a
Opcode Fuzzy Hash: 584e563c9509b636e7ba04bf5029e3945cba4164d6d3c086c1e9ac7de118ea93
Instruction Fuzzy Hash: D7E086337083089BFB30A9645801BA532996B45611F100875DE15DF281E9A1EC418752

Function 058AFEF0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa686116cd859841cc18412a9b8be7915a105484691c55c72e03fb4703d1996
Instruction ID: 99e5fd0c5a00c89de4326d67533232bb75c9548e6b21c09812d22aba17da3933
Opcode Fuzzy Hash: 0aa686116cd859841cc18412a9b8be7915a105484691c55c72e03fb4703d1996
Instruction Fuzzy Hash: 49E04F305083446FD322AB88C910862FBBDEF46650354C89BECC58B652C672AC02C7A0

Function 0621773B Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1379750569.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6210000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67af38382a952ba1440f5feffd0b1a2d16b139015310ee8bcb8ebce6a5d83235
Instruction ID: a5dc89759942430c34926b97023fe28b14e267589a23dff0325d5bc25c7011b9
Opcode Fuzzy Hash: 67af38382a952ba1440f5feffd0b1a2d16b139015310ee8bcb8ebce6a5d83235
Instruction Fuzzy Hash: 3AF0E778A10368CFCB60DF18D884A99BBB1FB4A301F1040E4D90AA3750CB346D80CF41

Function 056F67A1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0e74473926e533b4102590bdc086a93d00af73a0898dbc6f4cce16ef60cc1a
Instruction ID: 1ad1192c478509affae19f959fca6124dc4b1629b1653421ad9954c8580a8cf0
Opcode Fuzzy Hash: 1c0e74473926e533b4102590bdc086a93d00af73a0898dbc6f4cce16ef60cc1a
Instruction Fuzzy Hash: 4AE04F35E01216CBCB25CB24E0052AC7733FB80225F5040ADDE06A6300DF31DD42CB91

Function 068ECD10 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a621a0bc4e6d45aa4607edb3dd19283523e7e81fb80643f7bd2296dd46fa80
Instruction ID: a8c440f2eb62793c2aa3ed48b1bcf53f2459b16451676662ff728e6c9dc62d2e
Opcode Fuzzy Hash: e2a621a0bc4e6d45aa4607edb3dd19283523e7e81fb80643f7bd2296dd46fa80
Instruction Fuzzy Hash: 90F06D34600105DFEB408F80D844BA9BBB2FB4A305F15C4A5E21ADB165C735D995EF00

Function 0574ECF1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6983e421d85494894916d8c29d227c30b47120dba85fdf6713575a03ee3982
Instruction ID: 995d2adae0320427d3db46ff3114a095b1cca98423723da675eb24908a872204
Opcode Fuzzy Hash: 4d6983e421d85494894916d8c29d227c30b47120dba85fdf6713575a03ee3982
Instruction Fuzzy Hash: 92E0CD31B046704BDB71C739E8067A73BE9AF46531F18556DE846CB709FA20DC025B80

Function 0574BF1F Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aea0c7c7ce3f168a56ec7129816e1ed418ed324714a0ef703aa3347462ac2d3
Instruction ID: 6687cbf99c9210b0c5d043d5b9f2432cfe96a582c7445528ccb79ac79d484266
Opcode Fuzzy Hash: 0aea0c7c7ce3f168a56ec7129816e1ed418ed324714a0ef703aa3347462ac2d3
Instruction Fuzzy Hash: 81D02B3531821CAFC7105F54E411BAE3AEDEB86254F141075E549736D0CE28EC054F91

Function 05746B91 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523797ab7a3d8db9903ae5394de35989da53a8c004e1c68314ccb771f67681ce
Instruction ID: 7006a6ebcc37608626405d3ebdfb00c13d9e7efedb726aa5e67e84f07b586815
Opcode Fuzzy Hash: 523797ab7a3d8db9903ae5394de35989da53a8c004e1c68314ccb771f67681ce
Instruction Fuzzy Hash: 47D05B7120D2483F9747C754EC52C51BF698B47300318C0AA7808D7763E623ED41D664

Function 05745F51 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe68cdaf303c552e0fbc36f4ef44f995178d6a2080e3d8cb9781f1b4a5d4d7f6
Instruction ID: ba7caa270243c07d0589b295e5f78fabfbaa1c9ef709948bbc3f9420c098b4c3
Opcode Fuzzy Hash: fe68cdaf303c552e0fbc36f4ef44f995178d6a2080e3d8cb9781f1b4a5d4d7f6
Instruction Fuzzy Hash: EBD02EBA80D2803FC306C290ED81E843B29849214030C80A6E0098BA33C721ED03AA96

Function 0574DEC8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5011758ad67bb6c4e2a86c9652fa4581a87821dbfb5f1a39ed1696a606c4dfd6
Instruction ID: c1a02cc88731518921ac425a7a9bab2e6a5d6b2fa04006c155782dc4262e9641
Opcode Fuzzy Hash: 5011758ad67bb6c4e2a86c9652fa4581a87821dbfb5f1a39ed1696a606c4dfd6
Instruction Fuzzy Hash: 3ED01772A0530CEBCB20DEB499015AAB7ECEB09215B1005EAEC09C3204EA32DE10DB91

Function 0584FFA8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458c30a81ac15f9f8aab9b423af32d7016bd993b1265e34197f546de53878531
Instruction ID: ddf8ef6a1a211a7f8e84ef2aeb2076269612f6e1e215d852bd4b38ecc05b9b2c
Opcode Fuzzy Hash: 458c30a81ac15f9f8aab9b423af32d7016bd993b1265e34197f546de53878531
Instruction Fuzzy Hash: 82E086315082886FC301CB5CC8508A2BF69EF86120319C09BECC4CB342D671AD13DBD0

Function 0574E1A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7d57514de95c57d6d2f16529d9c816c450ae4f6e40e22b398f399687548939
Instruction ID: 85aeacc75142d70ea395556ed1fdea334912fd46421fb68c1a507983c44455a1
Opcode Fuzzy Hash: 6f7d57514de95c57d6d2f16529d9c816c450ae4f6e40e22b398f399687548939
Instruction Fuzzy Hash: 12D05EB2968794AFD306D764E92A8653FF8BE2311530604DAE544CF373E322EC149B56

Function 058A3CA8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9045cfdd14a5dd36443dd63cad6d29eba1472b9a5cfe0676d033cc3eb855fb
Instruction ID: 19a812a9cb5cdb8f76f7fdf857bfc7901d6eb9e0bd71c41e203782563c1e1d26
Opcode Fuzzy Hash: cd9045cfdd14a5dd36443dd63cad6d29eba1472b9a5cfe0676d033cc3eb855fb
Instruction Fuzzy Hash: 1FE0127A418344BFD742DF74DC05894BFB1AF562507158096F985CB233D7318D1AEB60

Function 068E6671 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8a1906920831f7bc135c1a9f7a289c0fe7511e12b8136c9f7ff9a718b6cda6
Instruction ID: 1c218ed3166be0c5b93cd78af2e6915afe2c170a24a54f53910bfae0e243a544
Opcode Fuzzy Hash: 4e8a1906920831f7bc135c1a9f7a289c0fe7511e12b8136c9f7ff9a718b6cda6
Instruction Fuzzy Hash: 0ED05B302093845FD346C658C850952BBE59F4A150B44809FE889CB253D925FD03C251

Function 068ECCCE Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205c249bd2c3859aeed67eb2e9f8c307e29a0ce9150bf1a233612a1e8c57d002
Instruction ID: 01fdc37baa79874d48c77c32b644d67355cb927876475597d85bf94b5ce7ba02
Opcode Fuzzy Hash: 205c249bd2c3859aeed67eb2e9f8c307e29a0ce9150bf1a233612a1e8c57d002
Instruction Fuzzy Hash: D5E0E570A44618DFDB60CF84EC54B9A7BB2EB45706F5044E5E209AA194C7765EC0DF40

Function 0584D700 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c2ade25e150cd4a75e511c3c2315335d932aa39d8362668d1324ebad21250a
Instruction ID: a70d5dfaccb54d7a9a289a3aa77a6aa074e567993ecafac037252224fe8f96fc
Opcode Fuzzy Hash: 95c2ade25e150cd4a75e511c3c2315335d932aa39d8362668d1324ebad21250a
Instruction Fuzzy Hash: 47D02E323883600FE3068628C820D087BB89B0A711F0000DAEA05DB3A2C881EC0483A5

Function 05846D30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064bbad7e632a0cfa0972e79864b52b4e476890ac141a24a39e5cb4a4f9cab08
Instruction ID: 01b4926774e72571e5dc50d3660950f892a8cf7d4e63548d1f3e9a6e9629c30e
Opcode Fuzzy Hash: 064bbad7e632a0cfa0972e79864b52b4e476890ac141a24a39e5cb4a4f9cab08
Instruction Fuzzy Hash: 0CD0A7767081284BEB350548F902BB417CCD70A636F484627FE09C11C1EE06C8014A14

Function 058A43C8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1c4de908e9b743020eec6b0c6d487c33fbc8731efd3b602216a1762f07a305
Instruction ID: 7ed434350cd37a07048d56aa364c82df3e7e9afec66a5f1b9c518bc571ab6950
Opcode Fuzzy Hash: 3a1c4de908e9b743020eec6b0c6d487c33fbc8731efd3b602216a1762f07a305
Instruction Fuzzy Hash: F6E01270A01209EFDB00DFB4E945A6E77B6EB94215F5085E8E4059B281DA317E01A781

Function 06052481 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2e7fd00c42c662a8e0d0facdf6e5f9a393b64a3c2371f2396b38b72093f3a9
Instruction ID: 53bcfe4badf4718b21e886ec3489b4b1c93cc6f738246a7dc944bc0c985f6c03
Opcode Fuzzy Hash: ed2e7fd00c42c662a8e0d0facdf6e5f9a393b64a3c2371f2396b38b72093f3a9
Instruction Fuzzy Hash: EAE01A74A50115CFE7609F24E45872F7AA2F749305F115296EE17D3380CB35AD91CF86

Function 0574B338 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ac68af442e702e3cd1cd7065228921980f9873cec3eabb07c575999ab82b0f
Instruction ID: e0937664a53b26d5bfdf403f373c5bb144924b1f9d57f1c261b5adccfa94a8f4
Opcode Fuzzy Hash: c8ac68af442e702e3cd1cd7065228921980f9873cec3eabb07c575999ab82b0f
Instruction Fuzzy Hash: F5D05E31284604AFD714CA65DC03F957BB0EF55710F144464F604CF2B3C266D8108B44

Function 058481BE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6d33135e9485590de698b2dee6c072df4102deb22facff080fef521a20bf0a
Instruction ID: 860108acef7c5dc18784e94f4d5aa3b15f8bfef373d356e8429f62a51092a798
Opcode Fuzzy Hash: bf6d33135e9485590de698b2dee6c072df4102deb22facff080fef521a20bf0a
Instruction Fuzzy Hash: A9E05B3171431C8BF620AE21D445B7B2597F740705F554025DD01AF6E4DBFD5C468F92

Function 0584AB20 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed23ad1c92be2d719e62e3206d12be2fff8df9bf89101ba28b8ab8cb9c9392b
Instruction ID: d0cb6683182d9d75067c48060f01ede109b8f5d43aa50dec4fff958d85d46722
Opcode Fuzzy Hash: bed23ad1c92be2d719e62e3206d12be2fff8df9bf89101ba28b8ab8cb9c9392b
Instruction Fuzzy Hash: 18E08C9549D3D84FDB1786B41D2020F3F301B03056B4945EFE885CB083D50CC428C311

Function 058A255B Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a3da864a54710daa4001c460e4b9251e7fcaea88e66104bd37e272652ca846
Instruction ID: 93d74e32c07ba2d54aac2fa275ff610356da55caec07b9cf188ebee81d3ce171
Opcode Fuzzy Hash: 12a3da864a54710daa4001c460e4b9251e7fcaea88e66104bd37e272652ca846
Instruction Fuzzy Hash: 5BE0753AE14515DFEB149F60D85E7A8BAE1BB44201F0494A4E94AD3641DF709D45DB01

Function 058A4380 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c7e7635154cd59937c8b0536a29373826c20745b0d62ddc864dbe53d87dcc3
Instruction ID: 5222688b04b12698138642f9bc94372a4e647a9f0a8ea1a94c8e2b823e672b53
Opcode Fuzzy Hash: f2c7e7635154cd59937c8b0536a29373826c20745b0d62ddc864dbe53d87dcc3
Instruction Fuzzy Hash: 50E01271A00108EFCB10EFA8E64165DB7F5EB48205F1055B8D809D7341DA716F10AB91

Function 068E87E9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd26ce38a44d61aa430d8bef0a0e6ad1f20beb530cbc9a62dcf543c89badfd3
Instruction ID: 8ca0ddffe335e9ce7c2ebddef46718a7ddc87f700998fa0e5d2f574e2acaa53e
Opcode Fuzzy Hash: dfd26ce38a44d61aa430d8bef0a0e6ad1f20beb530cbc9a62dcf543c89badfd3
Instruction Fuzzy Hash: 77D0C936049388BFCF032FA0EC128DD3F66FB163607058453FA1899022C6339660DBD1

Function 068EC861 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b57596e06d632c04e3fcc437b03bb138e48076d9434c0da5c77236c204d63e
Instruction ID: 47733d7d944ae31c47379f78d9aebb4ef37d32ffaf7bdc9fc4e5e5eba402ce4a
Opcode Fuzzy Hash: 74b57596e06d632c04e3fcc437b03bb138e48076d9434c0da5c77236c204d63e
Instruction Fuzzy Hash: BBC08C1A84E3886FD6A33B507C26DE03FAD440B3213444093F18DEA293440B6A4B83A3

Function 057491A3 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1299561df8e929659daf10b65efa6038ea6d485516116acbe63bc908e60633b1
Instruction ID: 84bcea83fbeef141f5a87249c3bea1f26bb1c8aec52fc56a941c446b03394867
Opcode Fuzzy Hash: 1299561df8e929659daf10b65efa6038ea6d485516116acbe63bc908e60633b1
Instruction Fuzzy Hash: 59D0223730A2220BC3252258B0183FAB75AE782268F0500BBF308DB3C5CA644C0A03C9

Function 05743A02 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f3478ab97fce97f5600c9eac275c6ce891b8268abe179fd06de860dca96f7e
Instruction ID: 655d20e33f8606c3ad80ae48e33c054f3c08b0381d9f5fd2f117bcd471dda23a
Opcode Fuzzy Hash: c7f3478ab97fce97f5600c9eac275c6ce891b8268abe179fd06de860dca96f7e
Instruction Fuzzy Hash: 13D0C9363141086BD248CA58CA42B25B7E9EB98610F18C029B90AC73A1DA32FD47E555

Function 05849298 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd784776a74c73b54dba38029abb6cc08f4a2ae36ebd14e8ff972dd097aebaf
Instruction ID: dbfcf5333bcf4df10923ee7518fde3c22abb68f9a1e9f208396088301f107fcc
Opcode Fuzzy Hash: bfd784776a74c73b54dba38029abb6cc08f4a2ae36ebd14e8ff972dd097aebaf
Instruction Fuzzy Hash: 47D05E32A14221AFF7139A18A491BA237B2EB99211F14846AE9008A114CF685C82D7C0

Function 068EEA80 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9ccb2de5d73327fc8ba1a8702b6938aaf733bc8dcf6538f01124cb76bcc5d5
Instruction ID: b4e70af28d437c5afa6040cce2aa59996d6c91a8748cc7f02cf67087a43da571
Opcode Fuzzy Hash: fa9ccb2de5d73327fc8ba1a8702b6938aaf733bc8dcf6538f01124cb76bcc5d5
Instruction Fuzzy Hash: 92C04C160CD3D92FC6D362743C255D67F69081316839B02D7F5D9E9053840A558783E6

Function 068E7180 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d655e3d4c02d98a46b693065e52e80db0f3abbf2fa7ecaa63673114fd6296a5a
Instruction ID: ba7927eeac7903a8657f42bb8f96b1fd1c15e6244e808d06ca32a2e4f4b6e2bc
Opcode Fuzzy Hash: d655e3d4c02d98a46b693065e52e80db0f3abbf2fa7ecaa63673114fd6296a5a
Instruction Fuzzy Hash: 55D0C771D4120CEFCB80EFF19D0059FBBE9DF45110B1145EA990997110ED329F1057D1

Function 057419D1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a93a21096cf8c40059b05f3f80d974eb947e7275cc2833b68241c8f0c469697
Instruction ID: 7f9cab339b5c59cd8b87765a0b35b860afacdafffe2c2dc7d70fb45dbe801e40
Opcode Fuzzy Hash: 8a93a21096cf8c40059b05f3f80d974eb947e7275cc2833b68241c8f0c469697
Instruction Fuzzy Hash: A3C08C321480185FC204E1C8D892B80BB99C790628F58C278AC0CD7342CA6BF803D094

Function 05742B39 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0468f1a6032c4c8b47a8a3eac52de9722b15767da989a3034085c774602c96
Instruction ID: 52e8149d71045349abc78198f976eaf558b9af9d88b03a944cd62a9a55d473ec
Opcode Fuzzy Hash: cb0468f1a6032c4c8b47a8a3eac52de9722b15767da989a3034085c774602c96
Instruction Fuzzy Hash: D5D0C7722046046BD304C798C852B66B7E9DB94614F14C46DA449C7352D925FD129650

Function 0584ABC0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e37de10f5f3fe86090d1dc2853d802f2c570f3e9dbe7ed7073a11f817d941d
Instruction ID: 855561cbbeca8611fd732e1b381e3f9fff2158dfac69f1ffe707cfe092473ad7
Opcode Fuzzy Hash: 55e37de10f5f3fe86090d1dc2853d802f2c570f3e9dbe7ed7073a11f817d941d
Instruction Fuzzy Hash: 85D092306006049FE746DA68D856E21B7E9EB98610F20C42EED08CB211EE32AC42CAD0

Function 058A167C Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c862bf66bc90eca0e6527d596d2121f8c8a44d1c28459a40cae6771fcc52ee8
Instruction ID: 3e2e54ded341f884ba2124efed908f11bec6bf80e8173cc431467a3695e991df
Opcode Fuzzy Hash: 0c862bf66bc90eca0e6527d596d2121f8c8a44d1c28459a40cae6771fcc52ee8
Instruction Fuzzy Hash: 17D05EF9B0520DCBEB64CF20E1086363717B7C8241F2C94749C02CB124DF389C468B41

Function 0605D050 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b643a384cef05e2bd38f0f12ed0f65c969e10f269b74186a1c768e1ce7c5731c
Instruction ID: db282e905ebd652300a05dbebc503a27698c8e302c47d993d4521f4d444b5acb
Opcode Fuzzy Hash: b643a384cef05e2bd38f0f12ed0f65c969e10f269b74186a1c768e1ce7c5731c
Instruction Fuzzy Hash: 70D09272D41208AB8B81EFA1991099FBBA9AB45200B5149EA9A09A7210E9329E145BD1

Function 0605C488 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4858382b932fa5efa83ac852e02998f967cb60e055e29350f3979044fabccf4b
Instruction ID: 3d2e5181666fe1b113f64b18adbfeb91fd06786e280f088be28c39fbfa1d7b1f
Opcode Fuzzy Hash: 4858382b932fa5efa83ac852e02998f967cb60e055e29350f3979044fabccf4b
Instruction Fuzzy Hash: E5D05E3180120CAFCB00DFA0C80048EBBF8DB05210B1045A6DD09D3200ED319E0457C1

Function 06051DB0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466ecd189fb128eb3c2af638cca0a07fc22436b6ce35599171ff5d2fd3d2d206
Instruction ID: ecd9fc83a9e4c62fea094625ba51fd37f274b682f2d269a56d6b0dd347d64bc3
Opcode Fuzzy Hash: 466ecd189fb128eb3c2af638cca0a07fc22436b6ce35599171ff5d2fd3d2d206
Instruction Fuzzy Hash: A2E092B4A44215CFDB649F24E44876E7AB1FB48305F11429AEA1A93380CB395E91CF86

Function 06051DBC Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466ecd189fb128eb3c2af638cca0a07fc22436b6ce35599171ff5d2fd3d2d206
Instruction ID: ecd9fc83a9e4c62fea094625ba51fd37f274b682f2d269a56d6b0dd347d64bc3
Opcode Fuzzy Hash: 466ecd189fb128eb3c2af638cca0a07fc22436b6ce35599171ff5d2fd3d2d206
Instruction Fuzzy Hash: A2E092B4A44215CFDB649F24E44876E7AB1FB48305F11429AEA1A93380CB395E91CF86

Function 056F6847 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1373790484.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_56f0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ebb8a08fcea87140870ee4907b82db6f6493bbbcefb61766bf1f7c148a37855
Instruction ID: 3335ab4b3c332124d02e7f8816682fc2ccb1a0e4677603d759f9037e3a7ba771
Opcode Fuzzy Hash: 1ebb8a08fcea87140870ee4907b82db6f6493bbbcefb61766bf1f7c148a37855
Instruction Fuzzy Hash: 94D0C936E02226CBCB61CA64F0153ED7B32FB40266F0000AEDA56A6200DB319E55CBE1

Function 068E6222 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a523f138cf2fb32d0c2e26349cdbfba9ea648c3c9987da91546c2de05801fc
Instruction ID: 9d88f95da20569f54b85a84d916851abdb292f07b454d7481c53ac76557c7bc9
Opcode Fuzzy Hash: 52a523f138cf2fb32d0c2e26349cdbfba9ea648c3c9987da91546c2de05801fc
Instruction Fuzzy Hash: 58C012360093C55FC3232731B80AAD2BFA88F42220B0900C3F0888A8438A6A19D083B3

Function 05749E63 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975409b2cf08740604660eb9e99d0b705b22b829b7e114e9a4e0eb8d2343faed
Instruction ID: 5883d286c33fc2708a35e65d4cd8525d6c7f0c93d562fdbcfc45758cbe6eff01
Opcode Fuzzy Hash: 975409b2cf08740604660eb9e99d0b705b22b829b7e114e9a4e0eb8d2343faed
Instruction Fuzzy Hash: 56D0A9322001085BD300CA48C842B20BBB2DB88214F14C0B8AC08CB742DE36DC028380

Function 0584FFB8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction ID: 399b19409b12bfee8db974d66aa2a96c1138129ff0f8d3e3c5f1b8eb92e7f6bb
Opcode Fuzzy Hash: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction Fuzzy Hash: A2D012352001187F9704DA88D841CA6F76DEBC9670714C05BFC0887301CAB3ED12C7D0

Function 058AFF00 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction ID: 399b19409b12bfee8db974d66aa2a96c1138129ff0f8d3e3c5f1b8eb92e7f6bb
Opcode Fuzzy Hash: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction Fuzzy Hash: A2D012352001187F9704DA88D841CA6F76DEBC9670714C05BFC0887301CAB3ED12C7D0

Function 0621817D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1379750569.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6210000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08aa7011d13f278209fd0e4af4e3dc29967c316fd386012d7f514f58501963ab
Instruction ID: e4a0aff5d97ab29d2e202cb0804bd95c135bd7e49d41236c9f276d51c5d85cc2
Opcode Fuzzy Hash: 08aa7011d13f278209fd0e4af4e3dc29967c316fd386012d7f514f58501963ab
Instruction Fuzzy Hash: 79E07578A10625CFC754CF18C884E99BBB1FF49314F0101E4E909A7351CB70AE80CF51

Function 068EBC10 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d5810b95f5b28df7b4e563e0fb4669da2633dd8b44805d149c42b5f1b2338c
Instruction ID: b08cf0171d0e4b3ed73e15f5230066f71895d7ed181dcf7108fc08c075e5377d
Opcode Fuzzy Hash: 76d5810b95f5b28df7b4e563e0fb4669da2633dd8b44805d149c42b5f1b2338c
Instruction Fuzzy Hash: BFD0C97150C3C49FC34396A49811515BBA89E8650478984DBECCCCB257D62AAD168395

Function 0574BF30 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0cbfc3d048ddd7e4517a320da96c7a85635f4fb8831ca6f953c3b36a80b3f2
Instruction ID: d1cb5b847bcffd225850a44afc0a32c0fb49dfda063b6db94f33f74cd175575a
Opcode Fuzzy Hash: ec0cbfc3d048ddd7e4517a320da96c7a85635f4fb8831ca6f953c3b36a80b3f2
Instruction Fuzzy Hash: B9C0803530412CC7C2042E4CF404DDE37DDE7CA665B504075E50963794CD6C6C0107D6

Function 05741F80 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec32260e91b44315f1bf08ddb49197bb6833d39d2ee11935f1ceca1cf10011b
Instruction ID: 008c9beb33b7e34acda8c8386fd3f70c58a81a22fff528219de56e78298835cc
Opcode Fuzzy Hash: 3ec32260e91b44315f1bf08ddb49197bb6833d39d2ee11935f1ceca1cf10011b
Instruction Fuzzy Hash: 90C08C361081084BD78082D8D942B80B398E780218F98C169AD0CC7385CA2EF8034898

Function 068ED07B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef279788b369046e337931bb8d58d7a33be704ae2af98746e15c3323c8902f7e
Instruction ID: 310399045530a816862dc959093accc3403f8c5cd5b25bed4df856c73535d3cd
Opcode Fuzzy Hash: ef279788b369046e337931bb8d58d7a33be704ae2af98746e15c3323c8902f7e
Instruction Fuzzy Hash: 13D017B0A04204CFD754CF40E88475C7BB2EB42312F1089A5D2069A214C7356FC0DF40

Function 0574BF00 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f30c30e552101459723495b6f41fa66c86941a2514d566b43d25036cd358aa
Instruction ID: a6d9fca6ee75ea360914a6b0bf650768cb025c257fd26495f23b9ea9a0a449d0
Opcode Fuzzy Hash: e7f30c30e552101459723495b6f41fa66c86941a2514d566b43d25036cd358aa
Instruction Fuzzy Hash: A4D0127510C2484BCB05C674D882B097BF8CB45214F9880ADA81887653C56AE9168344

Function 05749E70 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction ID: 58c7e918dc9fc6e739d0296992eb27fcb8a7bf4254ad48f247067e0340e6a738
Opcode Fuzzy Hash: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction Fuzzy Hash: A6C012313402095BD304CA88C842A22B3AADBC8614B14C079A808C7746DE36EC028694

Function 0574D610 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042dd8b4e2ac18e644fbc19d9e2766cb59324d45f04d1611a5a1b080af5e183b
Instruction ID: eb1aa1971170b04e8c73c467ebdebbda4fad1f7fcb9585cb6a625396b17cdb2f
Opcode Fuzzy Hash: 042dd8b4e2ac18e644fbc19d9e2766cb59324d45f04d1611a5a1b080af5e183b
Instruction Fuzzy Hash: 51D0123450C2885FC3469BF5AC50814BF658E4614870880DEE48C97293DA73A8029796

Function 057491B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e0fe5f68a9b9b42eb213570370367b36d01c0ea598f420d772a94d1ab9dd8a
Instruction ID: 2042e4c096ea6a206d9384c2e17da8734f43ca2a334c4f5beef9a715e9746292
Opcode Fuzzy Hash: e9e0fe5f68a9b9b42eb213570370367b36d01c0ea598f420d772a94d1ab9dd8a
Instruction Fuzzy Hash: A8C08C3660522807C614228CB0042DE728EE7866A8F4000A6A309A72C4CD641C0103DA

Function 057430DC Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49e4e085888c087e6000a189b1f1888744decdd9f6c58a48d0657266df8b30d
Instruction ID: 1e9779c3b5b2499a14dda5e5b11ab3940df322baa983d9121135033d160178f9
Opcode Fuzzy Hash: b49e4e085888c087e6000a189b1f1888744decdd9f6c58a48d0657266df8b30d
Instruction Fuzzy Hash: C6D0C974728104CBD714ABE9E85866E76BAFB84349B548025610BFA2E8DF64AC419B21

Function 05741380 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2364718b8c96d5acc25d2b8abdf77e17a3369315c7b3bd447bccb17743164b7
Instruction ID: ab25d5f2bc806cf8333d2e10b75e896c4f2652e35e428371459bd5667ba14ad0
Opcode Fuzzy Hash: f2364718b8c96d5acc25d2b8abdf77e17a3369315c7b3bd447bccb17743164b7
Instruction Fuzzy Hash: B5C08C312042088BE700DAC8C886B01F3E8EF80228F88C0A9AD0C8B342CB36F8079A51

Function 058474B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b581e712082315145d89bfd3c863df8b4c29d5621db6ad547167f3c7f3622eb8
Instruction ID: c60543c15df2ad5dd431ad87414d90f4e32d97e4c84ee33fdd5e92cff96b01f7
Opcode Fuzzy Hash: b581e712082315145d89bfd3c863df8b4c29d5621db6ad547167f3c7f3622eb8
Instruction Fuzzy Hash: FED0123020C1585FC704CBF8D845E14FB5A9B84204B14C49EAC0CD7247D732F8238A85

Function 05849130 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aacfa7e629206bca4a14f715a4ce5f9abe2a9460338e5bc0b1de2fe97be671bd
Instruction ID: b7d7db0dbf04e96b253b766c3e1f256af485bf906716466ba0b1095ab8c40e6a
Opcode Fuzzy Hash: aacfa7e629206bca4a14f715a4ce5f9abe2a9460338e5bc0b1de2fe97be671bd
Instruction Fuzzy Hash: 7FD012345082548FD747DBA8E841624B7A5EB44214F54C56FF9488B101DF32A842CBC4

Function 0584BC91 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4497dd2bc5199b32ac95973aea0298f8b107d5c32229d0000c4746500719bc
Instruction ID: cd8c2cda9e651c0921108e4d0642f28ef6b93d07c3b23235cd2926c160e2d7a7
Opcode Fuzzy Hash: cb4497dd2bc5199b32ac95973aea0298f8b107d5c32229d0000c4746500719bc
Instruction Fuzzy Hash: 83C012305082144FDB02DBD4E40162073A8EB44204F40C56EE90CCB111DF76A802C5C4

Function 05848F10 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6491f05af6b064dfd61032afbc38ff2ae47da3764bde17f79eaaf8fd042abc1
Instruction ID: 32160d4a90ee5de66ee92877e23328c91a4843f729713939e7c832e969972985
Opcode Fuzzy Hash: f6491f05af6b064dfd61032afbc38ff2ae47da3764bde17f79eaaf8fd042abc1
Instruction Fuzzy Hash: E6C01273054208EBCB02AFA1D809B807BA8EB26228F508429E60488621DB329411CB84

Function 05BAF890 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375839867.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5ba0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 068E6680 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 0574A359 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747e2b928015e5509ae9bdd635497a2f24fd7a34bf095afdbcfc92aef20a5bb7
Instruction ID: c0b028f58004852fc4c170fd913572922f5e64a0b13472e971656972dcad84b9
Opcode Fuzzy Hash: 747e2b928015e5509ae9bdd635497a2f24fd7a34bf095afdbcfc92aef20a5bb7
Instruction Fuzzy Hash: 2DD09235C05228CBDB24CA94D0047AEB772AB48320F18D066992667294C7395981EF41

Function 0574B348 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction ID: 1559b7bb1d66cdfc4324202593fed40f7269f97be06a62174427e62a94373c76
Opcode Fuzzy Hash: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction Fuzzy Hash: 8DC00235280208AFD7109A55DC46F457B68AB15B50F554091F7045F6A1C6A2E8109A98

Function 05746BA0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 05743A10 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 0584D580 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f580e3a0bd420ee05b5fe72fed3cc80a7dc40fb8e6b12ec69575d45ea6ef07d
Instruction ID: 05d50be4a2995a0b6af5f9efe9cc2278165f281d2fdf7a6e5daf896fb5c7165a
Opcode Fuzzy Hash: 5f580e3a0bd420ee05b5fe72fed3cc80a7dc40fb8e6b12ec69575d45ea6ef07d
Instruction Fuzzy Hash: ECC0123415C3C45FC301C7D49A13C107F648A5650430980DBDC484B253D912A806C752

Function 0584B478 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 0584594F Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8afe36e19852df8693bd4f9e8f6d4e66bf8a07813beb3c87874983a847c92ff1
Instruction ID: 2dfa3fa196e155a9b4173e597c1d16bb7bf40af9e11f7ed2feed3b946aae8d56
Opcode Fuzzy Hash: 8afe36e19852df8693bd4f9e8f6d4e66bf8a07813beb3c87874983a847c92ff1
Instruction Fuzzy Hash: 50D0C73410A6409FC342DB50CDA1916BBA1AF85215B18C49EE84987292DB32D813EF51

Function 0584C860 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce18377d6714d9179c32d8859843d72b028f02930a7146f7047aa6a8c4a8dfc
Instruction ID: fc26ca4f4c71d92431a5c87fbbbe8244cc6fc91c47464b600123f66aadeb41de
Opcode Fuzzy Hash: fce18377d6714d9179c32d8859843d72b028f02930a7146f7047aa6a8c4a8dfc
Instruction Fuzzy Hash: 83C012312442489FC301DB2CE849B4077BAAF05604F8040D8E244CF233C725A821CA88

Function 05847B60 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef6a597e389de5958208379b350156f59e8c5b7a86d58d2976657cb72976595
Instruction ID: e80dd676c8956eaa3742680299632338dd41945f647fcabee03404760cce1ac1
Opcode Fuzzy Hash: eef6a597e389de5958208379b350156f59e8c5b7a86d58d2976657cb72976595
Instruction Fuzzy Hash: C5C012302485445BC205D6A4DC91B05F7AADB44604B5480BD9C1CC7747C622F8329594

Function 058A3B80 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction ID: 1559b7bb1d66cdfc4324202593fed40f7269f97be06a62174427e62a94373c76
Opcode Fuzzy Hash: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction Fuzzy Hash: 8DC00235280208AFD7109A55DC46F457B68AB15B50F554091F7045F6A1C6A2E8109A98

Function 068EF7E0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f42f16346cea69abaf392b04ee01b4024ea62a88387f6d8c67f41626fd9bf730
Instruction ID: 164270383c089c2b58e9f8d8c0f81cbaef0c1a6b1b6c8ddc56b310c4b9aa7154
Opcode Fuzzy Hash: f42f16346cea69abaf392b04ee01b4024ea62a88387f6d8c67f41626fd9bf730
Instruction Fuzzy Hash: 00C0023B000208AE8B42AF94DC04C95BBAAAB59310705C491E6194A032D662D664EB55

Function 05848743 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9922b2f0b31565ee5bf72c9001784f1cf953158cf60192309ee90cec7cfb7a
Instruction ID: 92fdbcd101cb7cd35fa9ab8ca8552c092c4d72b4b596ddbff16312e03dfe4822
Opcode Fuzzy Hash: 8d9922b2f0b31565ee5bf72c9001784f1cf953158cf60192309ee90cec7cfb7a
Instruction Fuzzy Hash: D1C04C351583449FD702DAA9D946725BB98DB45614F1880EEED0C9F252EE33FE02C694

Function 0584A3B9 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896f474159cc5c63ef3adb080f514bc7a64c519d50203eb02856697b67a25f06
Instruction ID: d0ca444d0cfddb74916ed119b3a8c33919353ce2735f5eb3aff76b6b4b0e5c45
Opcode Fuzzy Hash: 896f474159cc5c63ef3adb080f514bc7a64c519d50203eb02856697b67a25f06
Instruction Fuzzy Hash: 2BC09B315181149F9745D694F541C24B7A9DB85614354D06DFD0CCB241DF73FC03C5C4

Function 0584FCD0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9e6fb0805775bf6fdb711c51a85d043e47f6c8dd1bb3b83f7b715f213779fc
Instruction ID: d7e32b5fc2dc579baa845dfff65c18995d4dfbf3f8cf18b5bfdd8950d9844702
Opcode Fuzzy Hash: 2d9e6fb0805775bf6fdb711c51a85d043e47f6c8dd1bb3b83f7b715f213779fc
Instruction Fuzzy Hash: 4DB0223200032A0BC2203AAAE800882BB8CC8000223000A22F80C8A008AEA2BC0203E8

Function 0584AF03 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9442a195193e57a69a434929052d2c2f2ea5ffeaa57699e5bcfce50095ca36f
Instruction ID: 7e9f4bb0745ed9b9b38059041eaa1975c4d9fe69785a1277f514fd7e11ca0d11
Opcode Fuzzy Hash: f9442a195193e57a69a434929052d2c2f2ea5ffeaa57699e5bcfce50095ca36f
Instruction Fuzzy Hash: D1C04C319646058FD701DE59D446B6437A8FF14A15F4114A5F604CB632DF61FC01CA80

Function 0584AF40 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85502a76d699ba4ee979e99dbd27d74458d4b40df07e163866eec86954c649ff
Instruction ID: 322149b300cddea1d56422c345e8e495538fc76e46b13d700af7419a893dfbd0
Opcode Fuzzy Hash: 85502a76d699ba4ee979e99dbd27d74458d4b40df07e163866eec86954c649ff
Instruction Fuzzy Hash: B2C0803104C38CAFD7034F55DC158557F29DB1635174141A7FE444D462DF71D510D799

Function 058A1B70 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99484dd13d7b8d0f7abf0aeb70bd5683040b3abaa30146ae413f8ff6562632e6
Instruction ID: d068bffa027e0362f04fea5375819e38f6fb892ff5f098cbee335c7b66d90143
Opcode Fuzzy Hash: 99484dd13d7b8d0f7abf0aeb70bd5683040b3abaa30146ae413f8ff6562632e6
Instruction Fuzzy Hash: 55D0C936C05328CFEB25CA00EA4D3E8B762AB40319F0810B188066B0A59A791E46CA92

Function 068ED35C Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be54379def8fdcb96e74f55d9817e8c7dc92faa6b80530ba54e438b8f44cf9b
Instruction ID: 26d6b6a9940da65a465d84a56027c024296f95f04a0e22121b722b3ff5ec2663
Opcode Fuzzy Hash: 6be54379def8fdcb96e74f55d9817e8c7dc92faa6b80530ba54e438b8f44cf9b
Instruction Fuzzy Hash: 74D01230E11508CFE7508780D8443DE7735FB4135DF105156D616D328593345B85CE81

Function 05745250 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1abf1665f4f7dc77274a41c632614c47453b6dba5651994f817fe6c0688cf58
Instruction ID: 21db95f939eb17096b5ca68bacfe0d4037cd6a1c53ac67dee81db8b8abed01a4
Opcode Fuzzy Hash: d1abf1665f4f7dc77274a41c632614c47453b6dba5651994f817fe6c0688cf58
Instruction Fuzzy Hash: 3BC08C287142048BD2409B24D08973E31D3E3C9308F4080309906633C5CE3C0C067B42

Function 0584A82B Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583a9544a96dc01f1c3e95c9d3892ceee75af1f70baff8c48e67a9a2ea16bd64
Instruction ID: 7592844ebb8e43b8cdb89da359ab63ae9a66538aa3d710f8a8c8be78bc895ace
Opcode Fuzzy Hash: 583a9544a96dc01f1c3e95c9d3892ceee75af1f70baff8c48e67a9a2ea16bd64
Instruction Fuzzy Hash: 8EB092352081085B8244E6D8E992919BBADEB84618398C0ADA90CCB303CA33EC038588

Function 068E87F8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f492a8684b75204fd1faa4842eb0302f408001bd713ee0fac70f32a5f1e45c
Instruction ID: 6bf0646e45d9a0761f2c98b57df0f32404dd9f2c5f555a88fdbabf957e06be34
Opcode Fuzzy Hash: f6f492a8684b75204fd1faa4842eb0302f408001bd713ee0fac70f32a5f1e45c
Instruction Fuzzy Hash: 6EC0483200024DFB8F025F81EC06CAEBF6AFB183A0B008015FA18040228B32A630AB90

Function 068EBC20 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 068E6AA9 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66918042c9adc76b9e87c759e65cbf45f580373ec11ae73cdd48edabba6a5304
Instruction ID: c196dae644b5db3c7d9df89849536031a1e4c77beeb2f1a88cc935ac19247c98
Opcode Fuzzy Hash: 66918042c9adc76b9e87c759e65cbf45f580373ec11ae73cdd48edabba6a5304
Instruction Fuzzy Hash: 82B012B98801140A8604A9D039024F033D4D2011313850553E40CE5A00C02708D58201

Function 05748CC0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 05745F60 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0574BF10 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 05742A30 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 058474C0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0584B760 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0584B6EF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7bf2c23eae8a14194b21ff59bef64da806f9556d63d978dfcf128c33ed3d818
Instruction ID: 579b2c83eef4c49cf684c83f6136c0edb06bf32dcbff399ee843389fc749559d
Opcode Fuzzy Hash: b7bf2c23eae8a14194b21ff59bef64da806f9556d63d978dfcf128c33ed3d818
Instruction Fuzzy Hash: EDC04C724446025FCB18CE84D9D7795B3E1EF00369B130957C858C1156D321A1714906

Function 05849140 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0584A3C0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0584FCCF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896aa24490002cbb955d7eea0231d1f0548e36d006fec26d0848189c6eb71794
Instruction ID: ddded9b87dae0f21027949ecfc8e840a9561c6110f9fb8fd73a2d449fd37571e
Opcode Fuzzy Hash: 896aa24490002cbb955d7eea0231d1f0548e36d006fec26d0848189c6eb71794
Instruction Fuzzy Hash: BFB0923A9002264BD6216AA0E6461957B5099401263084A66E45D9A528DE76AC464788

Function 05847B70 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0605215C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e364dd64825b8eec1104f347b90bda30aa3555c481ff4dddaa4c3bb8f236412d
Instruction ID: 18da22c52f4055758278d0556c6bcc651ee6cfa56311e885c7898e003106dced
Opcode Fuzzy Hash: e364dd64825b8eec1104f347b90bda30aa3555c481ff4dddaa4c3bb8f236412d
Instruction Fuzzy Hash: C3C01234B222008BEB440B74A21E66E3EA2EB48319F0020AAFC07C2380DE3498408A80

Function 06054DC8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66f164f56b94dd03fb42487b191d759e0283a09df007978afa2ed8ae86f07ca
Instruction ID: 511ef567416b83def0cf27795fb2f3b8b70816e9ac9b97dd03c97d333a7dd468
Opcode Fuzzy Hash: c66f164f56b94dd03fb42487b191d759e0283a09df007978afa2ed8ae86f07ca
Instruction Fuzzy Hash: 02C04C309951098BE7D49A14E58876F7FB1AB40340F111162FC0B92240CA25A9918A56

Function 068E7440 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
Instruction ID: bde584bcc0a20163e1d20aefd562f14664055d751c7398f878511897cdc0a054
Opcode Fuzzy Hash: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
Instruction Fuzzy Hash: DFB012301042084B8100D6C8D841810F39CDB84518314C099980C47302CA23FC038580

Function 0574DE6F Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e33bfc1124fffcfa58b02da1a24c74d3c42a2f0e707d7099d84723c8eae4115
Instruction ID: 9f6bcb47aa68e890048a06e3506536dc0524151981982c2045cd1dc37c5a9700
Opcode Fuzzy Hash: 8e33bfc1124fffcfa58b02da1a24c74d3c42a2f0e707d7099d84723c8eae4115
Instruction Fuzzy Hash: CFB09237A00019968B04D699E4404ECBB30DA94232F044032C20062000862015AA8662

Function 0574E1B0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e2839fb080d70fd9d5ab266c8ff45246f4c7246a28781672dbb782ec4b6ef3
Instruction ID: cfd3c94acb28e12ede7e7a80c62375d018fe088f1f186957f4485c32e65079b3
Opcode Fuzzy Hash: f4e2839fb080d70fd9d5ab266c8ff45246f4c7246a28781672dbb782ec4b6ef3
Instruction Fuzzy Hash: 6CB092301602088F82009A59E448C0137ACAF08A0434100D0E1088B632C621F8008A51

Function 05848750 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
Instruction ID: bde584bcc0a20163e1d20aefd562f14664055d751c7398f878511897cdc0a054
Opcode Fuzzy Hash: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
Instruction Fuzzy Hash: DFB012301042084B8100D6C8D841810F39CDB84518314C099980C47302CA23FC038580

Function 058A39DB Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f81e898eaf93195e1b8c78ea28f7b766cbdd8202f0de6462a9ffe5aeb999017
Instruction ID: c714d350393f30d55231dd8fd618dd7027f697c200a1038a46ea5a3cb39cf73e
Opcode Fuzzy Hash: 6f81e898eaf93195e1b8c78ea28f7b766cbdd8202f0de6462a9ffe5aeb999017
Instruction Fuzzy Hash: 30B0123200570982820136A0980111536DC44310043800479A10C15A13C422D060404C

Function 0621762C Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1379750569.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6210000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34f2b17e3f90fc2f277c639e91f1af3eae5fa420c87f8f450a8a67455ba15a1
Instruction ID: 5b4abd1d90e1a43b22ef9bd40ab6e87704fe8c57658ee1d0040ae60257a645ae
Opcode Fuzzy Hash: e34f2b17e3f90fc2f277c639e91f1af3eae5fa420c87f8f450a8a67455ba15a1
Instruction Fuzzy Hash: 6DC09B7595D5508FE3014E50D0142D57F615B75311F099053DC05673D5C9A45D81CB93

Function 0621F3D0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1379750569.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6210000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab4bbdd17a120ddc1ef3c4cf224515beb75f8373d4b4482147fda78e6e90976
Instruction ID: 20159973dc6c4478fa717a34ac84a2881d4813b9dc5cbab7339b5de6a68ee492
Opcode Fuzzy Hash: 8ab4bbdd17a120ddc1ef3c4cf224515beb75f8373d4b4482147fda78e6e90976
Instruction Fuzzy Hash: 0DB01231250208CFC300DB6CE444C0033FCAF4DA1431000D0F10C8B331C721FC008A40

Function 06057660 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cdb4f687ab12025e8389c2fb21792c812de654467923881419b2744bb53e71
Instruction ID: 7de4840db72a739a7296ecabbd3d178890c8b70a70b6a7fce96b4b1d731f9c0f
Opcode Fuzzy Hash: d1cdb4f687ab12025e8389c2fb21792c812de654467923881419b2744bb53e71
Instruction Fuzzy Hash: 6AB092341502088F82409B59D449C00BBE8AF08A243454090E1088B632C621F8008A40

Function 0574ECD0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374135550.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5740000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ec41bdac204d3f873df3d8e6fbffea6cca7f2da7527fff76d3290fb52c6b07
Instruction ID: 4f0efd6b7fe4414c6c3ecfb8a3e1882457e6e02fdc7f4c7117d475d8ea36491d
Opcode Fuzzy Hash: 40ec41bdac204d3f873df3d8e6fbffea6cca7f2da7527fff76d3290fb52c6b07
Instruction Fuzzy Hash: 79B00275955B4186FB207FF5D74A3C9B790BF40211FC4595AEC00C1510DB7C4557B501

Function 058A8ED9 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ff5540496abf004f93f2eebc2a4053e3dce3aecf039842669ec20ac069d930
Instruction ID: f20bff0d958cf5e88ba184553a856b95db42a489ecb198f5d69fea18a1535808
Opcode Fuzzy Hash: c4ff5540496abf004f93f2eebc2a4053e3dce3aecf039842669ec20ac069d930
Instruction Fuzzy Hash: 16B09270810201DEA712CA20D91BE4A7AE5EB90300B10D029F404C2054DF30C8E0FA10

Function 058A39E0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012e1be5d0d7e98a7c654bc9688b3f0b886bbe41ce2fb9673593d8e15f5a9ccd
Instruction ID: 21992942e3a667dee052780e8cc3f98449978e53bd737656fa79d184401c3df4
Opcode Fuzzy Hash: 012e1be5d0d7e98a7c654bc9688b3f0b886bbe41ce2fb9673593d8e15f5a9ccd
Instruction Fuzzy Hash: 38A02230002B0E83830233F02800028338C082200838008BC820C0AA208833E0B0808C

Function 060572D0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b14fa5932e50b435433f38828520fb225bd83fc7579562d0079d3ab94ed7f4f
Instruction ID: 8332c4fe800b3ff00ce3e70e53e2e0d0cab8ff35754b34a57dfcc32077a61837
Opcode Fuzzy Hash: 5b14fa5932e50b435433f38828520fb225bd83fc7579562d0079d3ab94ed7f4f
Instruction Fuzzy Hash: D0A02230003B0C83830032B02A00028338C0CA022A38000BC820C0CE228833E8A0C088

Function 068EEA90 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d2fd5b1844775dbba3de8a1d54d1fcd72dab8c5000fc70ac6e40ffd009c656
Instruction ID: c0245687415cb91bcb5945d85c9f8110f6ad73ef8492846fddfa15c5b26043d3
Opcode Fuzzy Hash: f4d2fd5b1844775dbba3de8a1d54d1fcd72dab8c5000fc70ac6e40ffd009c656
Instruction Fuzzy Hash:

Function 068E6AB0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825ee8193311a5d16e021f593ba0d5a8dd818cceb8a992b075cc4eeeb137be33
Instruction ID: b35b2dbd1a2ddf53f775ae34ca4d1a6d52fc2af7a9dbe6937ae9342a5b1d598f
Opcode Fuzzy Hash: 825ee8193311a5d16e021f593ba0d5a8dd818cceb8a992b075cc4eeeb137be33
Instruction Fuzzy Hash: 68902230020A0C8F000023A0300A0803B8CA0000323800000B80C008000E0338000282

Function 068E6230 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b960690147ddfa00ecbc518c403586db9d64214911c849cdeceabde5bbf19af7
Instruction ID: 49e41250b11785f54c5f65c17fccfd53d97961097f9870f9ee04d7cd8297a507
Opcode Fuzzy Hash: b960690147ddfa00ecbc518c403586db9d64214911c849cdeceabde5bbf19af7
Instruction Fuzzy Hash: B690027216460C8B45406795790A555BB9C95449197844051B90D419025E6B79104596

Function 068EC870 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1381617609.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68e0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4182ad031f27a6aa13343071bf1b9f459873b78b3bce26814d8560786e8055f
Instruction ID: 052687dd6ea8bf5a3df27b81beaa4ffba6eed95719152b51df3c67e29b108d97
Opcode Fuzzy Hash: d4182ad031f27a6aa13343071bf1b9f459873b78b3bce26814d8560786e8055f
Instruction Fuzzy Hash: 2D90023105470C8B554037957409955B7AD9544725B80C061F60D915025A6AB41546D5

Function 0584AB50 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93918dec01590dee3fd24080be27cbd0d1b9b7808c836e1eb746ba66ad0fadec
Instruction ID: 88b47dd63b061453a70e34e5b9905b80a3fb9023578d398c2336c9bd68ff5093
Opcode Fuzzy Hash: 93918dec01590dee3fd24080be27cbd0d1b9b7808c836e1eb746ba66ad0fadec
Instruction Fuzzy Hash: 3190023548460D8B865527997809555775DA54461AF840055F50D415075A55641046D9

Function 058A171F Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4dd19bd5b0f2a9cada3e86bd1756696000cb13228c7af966443efb1b6afecff
Instruction ID: 25dd782d72b6f7bc1bdf0aec22362ec8ca57a09afe1819d9b61e420caf7e11c1
Opcode Fuzzy Hash: e4dd19bd5b0f2a9cada3e86bd1756696000cb13228c7af966443efb1b6afecff
Instruction Fuzzy Hash: E6B0123AC00325CFE600CE10FA4D1553B12E740315F04513054015B026DD795D0747C1

Function 058A3A20 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1375273770.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_58a0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5db954a390b20b7a099f7ee1e3e69b0513e3727e112461831580643f9f70675
Instruction ID: 8579a0f56b0bef9a1aa3acf0b20233fb98b6d83742b6f099efa2898a7e72fd2d
Opcode Fuzzy Hash: e5db954a390b20b7a099f7ee1e3e69b0513e3727e112461831580643f9f70675
Instruction Fuzzy Hash: 5A900271054B0CCB85502BD5780A955BFAC95445557819151F54D425025E65A4105595

Function 0621C610 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1379750569.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6210000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863f350c07dba853450f0e35990b2663bf1805b8950cbb14ff35b1bf6ff8e7f0
Instruction ID: 3f0bbd5a71bc10afbb227b839d03815e0b75cb7d652702f624030b39ece4883c
Opcode Fuzzy Hash: 863f350c07dba853450f0e35990b2663bf1805b8950cbb14ff35b1bf6ff8e7f0
Instruction Fuzzy Hash: 6690023105664C8B4B4027A6750A5557B5CA5445157941051F94D455015E5578104595

Function 0621EDA0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1379750569.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6210000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a3a4acbb7e2ee1cdfeb7b2cb1c758db9bb025890f6e46410c3db230a0cc24a
Instruction ID: d4d8ea772cca2a7aa27b2851eb740cc3414aad025c987b4cd773092b1b6ca077
Opcode Fuzzy Hash: 53a3a4acbb7e2ee1cdfeb7b2cb1c758db9bb025890f6e46410c3db230a0cc24a
Instruction Fuzzy Hash: E290023105560C8B4B4037A6750A555BB9C95445157805151F94D465025E6578104595

Function 0605D320 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187182cca2050521081cec35cac0239e4ff297e7f5369fb6c59f1e4968374def
Instruction ID: de17188702611d404489a93c3eeb453e11f8b4f891d6024027edec8d21edb901
Opcode Fuzzy Hash: 187182cca2050521081cec35cac0239e4ff297e7f5369fb6c59f1e4968374def
Instruction Fuzzy Hash: 1F90023105460DCB4F402795B40E655BB5C95445157805455F90D415425F7574104995

Function 06057B30 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ae0b2b70f37db360f2294ae4501a730f2ea23476859809695003e12464b278
Instruction ID: 8d66d3fb78607890dd12d9ef103b59d10a97175cbd440b78f92fa129847d4bcb
Opcode Fuzzy Hash: 51ae0b2b70f37db360f2294ae4501a730f2ea23476859809695003e12464b278
Instruction Fuzzy Hash: 5590023107570C8B47402799740A5597B9CE5545297842091F90D815055E59741045D5

Function 06057A40 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8aa3cedf2697c7ea37fa6a51530e5fa4b04c7e0ffafbc4c22ea1e16a1ddb025
Instruction ID: 3e16570e522919992983fc7dba452bf00fad6bb7120b1792824ba60198821302
Opcode Fuzzy Hash: f8aa3cedf2697c7ea37fa6a51530e5fa4b04c7e0ffafbc4c22ea1e16a1ddb025
Instruction Fuzzy Hash: 4A90023515470C8B46402795791A9557B5CD54451A7801091F90D81A015E55771045D5

Function 0605D8E0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb0c7b4e1fb046a76052f80b15f4f251ec8fbe387b3495cf49bd093b3fbdf0b
Instruction ID: 3ab4c9a7d98146708691c046ebb37507648d22e447e95c1f9e187bcb68865274
Opcode Fuzzy Hash: 1fb0c7b4e1fb046a76052f80b15f4f251ec8fbe387b3495cf49bd093b3fbdf0b
Instruction Fuzzy Hash: C090023105464C8B46402795740E5D57B5C95445267802051FA0D415415E657454459A

Function 06053DAB Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1378707897.0000000006050000.00000040.00000800.00020000.00000000.sdmp, Offset: 06050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6050000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea80f555927a23b45228e5261713293c37a8dd56a0704a0348227bc3fd5a10f
Instruction ID: 83df83f91bde5a8c34892ed62d9f6fc3e085a968d9724093da5427a700743f59
Opcode Fuzzy Hash: 2ea80f555927a23b45228e5261713293c37a8dd56a0704a0348227bc3fd5a10f
Instruction Fuzzy Hash: 97A001346A51089BE745AA54E95966E7FA2BB44341F012126FC07922908A25A991CA41

Non-executed Functions

Function 058409CF Relevance: 5.2, Strings: 4, Instructions: 198COMMON

Download Yara Rule

Strings

(_q, xrefs: 05841111
(_q, xrefs: 0584108B
(_q, xrefs: 05841095
(_q, xrefs: 058410DB

Memory Dump Source

Source File: 00000008.00000002.1374709289.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5840000_RFQ.jbxd

Similarity

API ID:
String ID: (_q$(_q$(_q$(_q
API String ID: 0-1088526261
Opcode ID: d74eb8a8caeba992683e1c77d26b2a2fe430c32434a872833e384d92a5537880
Instruction ID: bdd74e8ad02cc4617b5e3c0fdefa2a2fdce016b134fec1902abb60a103fa4c95
Opcode Fuzzy Hash: d74eb8a8caeba992683e1c77d26b2a2fe430c32434a872833e384d92a5537880
Instruction Fuzzy Hash: 9C71BF75A04248CFC704DF78D459AAA7BB2BF8A314B148569ED46DB3A2DB31DC85CB80

Analysis Process: powershell.exePID: 2920, Parent PID: 7828COMMON

Executed Functions

Function 07AC1820 Relevance: 5.6, Strings: 4, Instructions: 577COMMON

Download Yara Rule

Strings

4'q, xrefs: 07AC1B5E
4'q, xrefs: 07AC1CC2
4'q, xrefs: 07AC1CB8
4'q, xrefs: 07AC1B68

Memory Dump Source

Source File: 0000000C.00000002.1390668582.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ac0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q
API String ID: 0-4210068417
Opcode ID: db3b303fc892d38ae9ed103ce0242083257af4a8008f9ef0628ca446c3685f1d
Instruction ID: 7f0a6bc18528caaa83179303345b60aff3b4578b0723eb0e8da0955fd3ca1a15
Opcode Fuzzy Hash: db3b303fc892d38ae9ed103ce0242083257af4a8008f9ef0628ca446c3685f1d
Instruction Fuzzy Hash: AB123AF1B04309AFDB25DB68D81176A7BB2AFC6211F1484BED525CB396DA31C842C7A1

Function 032690F8 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1372339804.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e85c179b8ceb952e005da07d54ce73d001a336fac726cc4acf698b0e4b926bf
Instruction ID: a260a084228d9d454d2ccd7e611b9df0529f4985a229a6f9b99aea52c15950c1
Opcode Fuzzy Hash: 1e85c179b8ceb952e005da07d54ce73d001a336fac726cc4acf698b0e4b926bf
Instruction Fuzzy Hash: 5A020A74A102199FDB15CF98D494AAEFBB2FF88314F288159E805AB355DB31EDC1CB90

Function 032629F0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1372339804.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a31bcbabb440f9d32dbe429d60fd857c2dd9f9c093066d80d8a003f688b52f
Instruction ID: 340050fa11593cd5cc43e3b4b64aeba7b3966819f36112b05f569833637e42fb
Opcode Fuzzy Hash: 58a31bcbabb440f9d32dbe429d60fd857c2dd9f9c093066d80d8a003f688b52f
Instruction Fuzzy Hash: 34917C74A00205CFCB15CF5CC494AAEFBB5FF49310B298699D855AB3A5C736EC91CBA0

Function 03266C00 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1372339804.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e867fe03e57c0f29668ef4e43d59f23954f7890ef5cb88de5c799f1f08b53ba
Instruction ID: 6ecd90115882c3cff1553970e45e0a823ba31d7c5a593b6418f6cd7575c6626e
Opcode Fuzzy Hash: 1e867fe03e57c0f29668ef4e43d59f23954f7890ef5cb88de5c799f1f08b53ba
Instruction Fuzzy Hash: 25513B75A102049FCB14DFA9D588A9EFBF5FF88310F19809AE408A7761C731E885CBA0

Function 03269075 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1372339804.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f085de6b2eeb482baa2ccd84ce66cea3ce61ab463591d33a414ddf6a868cbd
Instruction ID: 0d963db620e18f7ea0eb85438a0f8be4aedef3d9ed743e27f15abd9c87337645
Opcode Fuzzy Hash: a8f085de6b2eeb482baa2ccd84ce66cea3ce61ab463591d33a414ddf6a868cbd
Instruction Fuzzy Hash: 264184716083869FCB02CB68C854999FFB5FF4A31471981DAD884DF663CB35AC81CBA1

Function 07AC1805 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1390668582.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ac0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d655740039508575480198b17e6531801bac821aede14372d59205bc8c29e1cc
Instruction ID: 61072886d0d58aebd7b3989a46fe42b8795c12b88ee4cf802a27083565a59076
Opcode Fuzzy Hash: d655740039508575480198b17e6531801bac821aede14372d59205bc8c29e1cc
Instruction Fuzzy Hash: 474127F1B04305AFDB25CF94C901B6A7BB2AFC1251F5880EEE9249B257D735C941C7A2

Function 03262B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1372339804.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3b075dd4081d742748f424d72023d8163a1feabe67e81497550b212ed1a0fb
Instruction ID: 6dadf3add167b23be422a9071cea1c416607f5c6f728506de56aa5402ec653b7
Opcode Fuzzy Hash: 6b3b075dd4081d742748f424d72023d8163a1feabe67e81497550b212ed1a0fb
Instruction Fuzzy Hash: C0415774A10205DFCB15CF48C498AAEFBB5FF48310B258699D855AB364C736EC92CBA0

Function 032690E8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1372339804.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de3f8fb4c4f98cd34908f8e48af2ae1a86bfba5f7a9dfaa3c0c170bb078f6e9
Instruction ID: a5b3d94f8e47304877ff93a505e0cdb2e9cecf5e94577866c8950dbbdf6c65a5
Opcode Fuzzy Hash: 2de3f8fb4c4f98cd34908f8e48af2ae1a86bfba5f7a9dfaa3c0c170bb078f6e9
Instruction Fuzzy Hash: 16212A75A0060A9FCB04CF48C8849AAFBF5FF4D310B258195E809EB751C736ED81CBA0

Function 0326761B Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1372339804.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0749fb30bdcc431583908016f3680274cf31b9461753dc16f4503b36c6898bb5
Instruction ID: d664b6188f976183698152fc0492c3375eeca4029f6d1dfc3ec647a38358a0da
Opcode Fuzzy Hash: 0749fb30bdcc431583908016f3680274cf31b9461753dc16f4503b36c6898bb5
Instruction Fuzzy Hash: 51016278B002159FDB00DB98D490AAEF771FF8E214B248159D95A97361CB36EC43DB50

Function 031FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1371812757.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_31fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a754defd5d0cfc33bf73d322fa1aa767ea8b89f0dd72aa3a104bffda73d60130
Instruction ID: 49f61d70153b9fbe0266ce5d4a8c7fa1ed536ec0a2077ccc1e13aaeedcf378a7
Opcode Fuzzy Hash: a754defd5d0cfc33bf73d322fa1aa767ea8b89f0dd72aa3a104bffda73d60130
Instruction Fuzzy Hash: F701F771404300AFE720CA15EC84B77FF9CDF49225F18C15AEE480B18AC7799885CAB1

Function 031FD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1371812757.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_31fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd42c6a062d6824fa902f7f45725344cbcf6f596683f66264613f82024d9435
Instruction ID: c8d174374cbe35169b6d37f790c2328b961504aa0af2d4440d9004e3bb33e85f
Opcode Fuzzy Hash: 7bd42c6a062d6824fa902f7f45725344cbcf6f596683f66264613f82024d9435
Instruction Fuzzy Hash: 7501407100E3C09FD7128B25D895B66BFB8DF47224F1D81DBD9888F1A7C2699848C772

Function 0326768E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1372339804.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0328d557f61443f6a28611895a6599873864e2735cad46ef7fe780304961ac
Instruction ID: 3541dd97ba9f141beea124c6a0cf87a7eb5333d0efb714bc69c367b8b2f40dde
Opcode Fuzzy Hash: 4f0328d557f61443f6a28611895a6599873864e2735cad46ef7fe780304961ac
Instruction Fuzzy Hash: 8EE06D74B052498FCB01CA5CDC905EEFB75EF89214B1881AAD909D7293C63198478BA1

Non-executed Functions

Function 07AC1460 Relevance: 10.3, Strings: 8, Instructions: 319COMMON

Download Yara Rule

Strings

tPq, xrefs: 07AC14DD
$q, xrefs: 07AC1472
4'q, xrefs: 07AC166D
$q, xrefs: 07AC1746
4'q, xrefs: 07AC1661
$q, xrefs: 07AC1498
$q, xrefs: 07AC14A4
tPq, xrefs: 07AC14E9

Memory Dump Source

Source File: 0000000C.00000002.1390668582.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ac0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$$q$$q$$q$$q
API String ID: 0-2958727440
Opcode ID: 6539b2c35edec2ea027903ce6d59d45d1e08599034c55b6ff218bb46ee6be8f9
Instruction ID: dd0628ae56fb556b209f3b8f2667581eb8262f374b4618e0ce62fdbd8471c642
Opcode Fuzzy Hash: 6539b2c35edec2ea027903ce6d59d45d1e08599034c55b6ff218bb46ee6be8f9
Instruction Fuzzy Hash: CCA139F1704309AFD724DB69D801766BBF2AFC6211F18846ED965CB392DA31DC41CBA1

Function 07AC0560 Relevance: 9.1, Strings: 7, Instructions: 323COMMON

Download Yara Rule

Strings

tPq, xrefs: 07AC07AD
tPq, xrefs: 07AC07B9
4'q, xrefs: 07AC0663
$q, xrefs: 07AC0774
$q, xrefs: 07AC0742
4'q, xrefs: 07AC066F
$q, xrefs: 07AC0768

Memory Dump Source

Source File: 0000000C.00000002.1390668582.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ac0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$$q$$q$$q
API String ID: 0-2432477355
Opcode ID: 6d28c338895751520bc5363ce490df22ad670980da6d0a0df4a3a0b65dd338fb
Instruction ID: b102bbe879a9c658e158ca96ba2d64819dbe07d60b57ef58cf221d9b7edc42c3
Opcode Fuzzy Hash: 6d28c338895751520bc5363ce490df22ad670980da6d0a0df4a3a0b65dd338fb
Instruction Fuzzy Hash: 11A169B1704315EFD725CB699C1167BBBA5EFC6211F18807FE565CB291DA31C801CBA2

Function 07AC11B0 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

$q, xrefs: 07AC136E
4'q, xrefs: 07AC1266
4'q, xrefs: 07AC125A
$q, xrefs: 07AC1362
$q, xrefs: 07AC1337

Memory Dump Source

Source File: 0000000C.00000002.1390668582.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ac0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: a00e0171fa28df53efb88ae53f90fd9ddc2cf5a1f1e9152f3d39a266cee4d362
Instruction ID: 2d736c44a2dbe2294da10714f93c1f815fa14932398c0bc2e18d3012ddef9b41
Opcode Fuzzy Hash: a00e0171fa28df53efb88ae53f90fd9ddc2cf5a1f1e9152f3d39a266cee4d362
Instruction Fuzzy Hash: D45137F570430AEFDB25D769D80036ABBB6AFC6215F18807ED465CB342DA35C842C791

Function 07AC32C0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 07AC331C
$q, xrefs: 07AC32EE
$q, xrefs: 07AC32D2
$q, xrefs: 07AC3328

Memory Dump Source

Source File: 0000000C.00000002.1390668582.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ac0000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 3c4e9bd47f9719740a71710dc416611cee93aa670af6a2c9b222ee5f20d15cfe
Instruction ID: ec0cea974e0cc25f79efbca4e95792fc697101ed2ce0a96c67695f0017179648
Opcode Fuzzy Hash: 3c4e9bd47f9719740a71710dc416611cee93aa670af6a2c9b222ee5f20d15cfe
Instruction Fuzzy Hash: 8E2138B1310312BBEF38D76E6801B26B6DA9BC5651F24C43EE965CB381CD31C8028762

Function 07AC0309 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

$q, xrefs: 07AC0352
4'q, xrefs: 07AC037F
$q, xrefs: 07AC035E
4'q, xrefs: 07AC0373

Memory Dump Source

Source File: 0000000C.00000002.1390668582.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ac0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: c1e800b5ee3391dc7f3ae253b6a1775fe689df3ccb287e8f4874a0716e4a4642
Instruction ID: 94e92c943e3d92e6ea5109af0d46df7b021fd0defd99845e3fc7cf7a23ed4bfe
Opcode Fuzzy Hash: c1e800b5ee3391dc7f3ae253b6a1775fe689df3ccb287e8f4874a0716e4a4642
Instruction Fuzzy Hash: 6001F7617093969FC72B536828201562FB25FC355072E81EBD451CF393C9148C0A8797

Analysis Process: RFQ.scr.exePID: 7240, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	194
Total number of Limit Nodes:	13

Executed Functions

Function 061934B8 Relevance: 5.6, Strings: 4, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 06193874
~, xrefs: 061936D6
pq, xrefs: 0619393D
:, xrefs: 06193737

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q$:$pq$~
API String ID: 0-4038137657
Opcode ID: 78acf3351ae3304cba4dfe884a6c61a52d2f064e4b9763035e37837987ff39ab
Instruction ID: d187b8038f69acd68092c2953e27d55514fa05552ed26e248fdae0c1dd4c8752
Opcode Fuzzy Hash: 78acf3351ae3304cba4dfe884a6c61a52d2f064e4b9763035e37837987ff39ab
Instruction Fuzzy Hash: D0420275E00228DFDB59CFA8C984B99BBB2FF88300F1580E9E509AB261D7319D91DF50

Function 06192106 Relevance: 1.8, Strings: 1, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 0619210B

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: d4ec1beb20188d7b40529a0453dc4d6c9c5beb985e69a3c8e55cbc1b0e37681e
Instruction ID: 215994d693e94d178a4402493faf1b34caa19ede977e7d71d4c22fc05173407a
Opcode Fuzzy Hash: d4ec1beb20188d7b40529a0453dc4d6c9c5beb985e69a3c8e55cbc1b0e37681e
Instruction Fuzzy Hash: C952C774A112199FDB64DF64D898B9DB7B2FF89300F1081D9D50AA73A4CB34AE81DF90

Function 06192C38 Relevance: 7.9, Strings: 6, Instructions: 444
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 06192CAE
$q, xrefs: 06192D00
4|q, xrefs: 06192E43
4'q, xrefs: 06192C53
4'q, xrefs: 06192CDE
4|q, xrefs: 06192E28

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4|q$4|q$$q
API String ID: 0-3102600102
Opcode ID: 3934701e99d0cfca9f367f3e30026b815dce86dd3c314ef74d5d35d6c7a8d40d
Instruction ID: 41b1e48a3c7087568fd25b79398827a3d1bb0795534875038d8d2ff37be9e577
Opcode Fuzzy Hash: 3934701e99d0cfca9f367f3e30026b815dce86dd3c314ef74d5d35d6c7a8d40d
Instruction Fuzzy Hash: 74E1DF30F202059FDF59DB79D858A6E7BE6BF89210B198469E406DB361DF30CD02CBA1

Function 062644B6 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 062646F6

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 81c8acbd88783e77d4b9d5276b35816ed13306fc2d3e9db0adbaf70bd7fbccdb
Instruction ID: 78a0d2669792c8552e0150e343cd96b3386090b044693776043ce16ee5d79ad1
Opcode Fuzzy Hash: 81c8acbd88783e77d4b9d5276b35816ed13306fc2d3e9db0adbaf70bd7fbccdb
Instruction Fuzzy Hash: 44918B71D1071A8FEB64DF69C841BEDBBF2BF48310F1481A9E859A7280DB749981CF91

Function 062644C0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 062646F6

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4cb575162583fbe7d406b77163b2da14232977b130de2a8fdcc06334ce1e85b0
Instruction ID: ebc8377c917d7182d913e070a79f7133df2ac4d8403303719e692b80ab12e042
Opcode Fuzzy Hash: 4cb575162583fbe7d406b77163b2da14232977b130de2a8fdcc06334ce1e85b0
Instruction Fuzzy Hash: 21917A71D1071A8FEB64DF69C841BEDBBF2BF48310F0485A9E858A7280DB749985CF91

Function 015BAD48 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015BAF9E

Memory Dump Source

Source File: 0000000F.00000002.1507401128.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_15b0000_RFQ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8265a8fd29a4948cfb773ffab68b1538450fd7407be923e4a634d32105773d2c
Instruction ID: fceb2353d4793a30ed08046fcc8d0bb4b0b75aecaa7684ea64827b39ab6972e6
Opcode Fuzzy Hash: 8265a8fd29a4948cfb773ffab68b1538450fd7407be923e4a634d32105773d2c
Instruction Fuzzy Hash: 2F816B70A00B058FD725DF29D48579ABBF1FF88304F10892ED48ADBA50D735E849CB91

Function 015B44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015B59C9

Memory Dump Source

Source File: 0000000F.00000002.1507401128.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_15b0000_RFQ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0dfa7e7a9ffed5744f88f34f6c3c7a200beda7e6a4bba376a1fc948f91c54d41
Instruction ID: b4661fb92415ed3b86d1d5e1f01766cdd2c26a923a4e792c22b9acc4eb9b9f64
Opcode Fuzzy Hash: 0dfa7e7a9ffed5744f88f34f6c3c7a200beda7e6a4bba376a1fc948f91c54d41
Instruction Fuzzy Hash: 6941E070C10719CBDB28DFA9C8857CDBBF1BF49304F20806AD508AB251DB756946CF90

Function 015B590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015B59C9

Memory Dump Source

Source File: 0000000F.00000002.1507401128.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_15b0000_RFQ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6b3f01574c1bbc1cf08604191f356bd98ce13cec43ab5edda7a3f8951a928b6b
Instruction ID: 83c2268370b798c723e4e1de63d969ed5821f1fda269b744a0ed109bc004be83
Opcode Fuzzy Hash: 6b3f01574c1bbc1cf08604191f356bd98ce13cec43ab5edda7a3f8951a928b6b
Instruction Fuzzy Hash: 804112B0C00719CBEB28CFA9C8857CDBBF1BF49304F20806AD508AB250DB755946CF90

Function 06264230 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 062642C8

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e2f088cfcf0f281fe2849a0452b37e11d0f669adb392d0d061e12eabba1c0ab7
Instruction ID: 6ad13573a5c9d1e238a51badbb9425e613b5530fbd0accef8ad0ac8be0f67bfe
Opcode Fuzzy Hash: e2f088cfcf0f281fe2849a0452b37e11d0f669adb392d0d061e12eabba1c0ab7
Instruction Fuzzy Hash: 152148B6D103099FDB10DFAAC981BDEBBF1FF48310F10882AE959A7240C7789541CBA0

Function 06264238 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 062642C8

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5ff162eafb5bb04848a5c3ecf2fe32965a2345bcc5b861e140ea3e737bd8ebff
Instruction ID: 96d7152778cd76c668970ba85f3b33a0b9b5a4503ad518282e45fa773446069d
Opcode Fuzzy Hash: 5ff162eafb5bb04848a5c3ecf2fe32965a2345bcc5b861e140ea3e737bd8ebff
Instruction Fuzzy Hash: BB213475D103099FDB10DFAAC881BEEBBF5FF48310F50882AE959A7240C7789941CBA4

Function 015BD628 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015BD5F6,?,?,?,?,?), ref: 015BD6B7

Memory Dump Source

Source File: 0000000F.00000002.1507401128.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_15b0000_RFQ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 335855d4af9b16a66a5e80555736b26eabb4a4ba99217e4e964e538a3018f371
Instruction ID: edb1de6ab8c2991bd82233153b8b86b5d098659993031dc3b3b63046a3e36c70
Opcode Fuzzy Hash: 335855d4af9b16a66a5e80555736b26eabb4a4ba99217e4e964e538a3018f371
Instruction Fuzzy Hash: AC2124B58002499FDB10CFA9D985BDEBBF5FF08320F24815AE958A7251C338A941CF64

Function 06260DD0 Relevance: 1.6, APIs: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06266B65

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 167b59cd4a5199fc69f2b2cb98f64c7751e0c9f3a505933a18c96ec94f46b245
Instruction ID: 989af9bed145e5e451832cda445c4c4560d536a360db830a8c41c5ec8ee88ff0
Opcode Fuzzy Hash: 167b59cd4a5199fc69f2b2cb98f64c7751e0c9f3a505933a18c96ec94f46b245
Instruction Fuzzy Hash: FC217CB5804348DFDB10DFA9C895BDABFF4EF58710F14805AE944A7241C3746548CFA6

Function 015BD21C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015BD5F6,?,?,?,?,?), ref: 015BD6B7

Memory Dump Source

Source File: 0000000F.00000002.1507401128.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_15b0000_RFQ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 640e46721fb3325b3412167132a689c8b231a5de782a2fcd2d89d9311b6f8f5b
Instruction ID: 820807d2ecf73272e901aa683e7fb57351181116b0e3fa1c7c0628c0bec67b85
Opcode Fuzzy Hash: 640e46721fb3325b3412167132a689c8b231a5de782a2fcd2d89d9311b6f8f5b
Instruction Fuzzy Hash: 002103B5D00308AFDB10CF9AD885ADEBBF4FB48320F14841AE918A7310C374A940CFA4

Function 06263C60 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06263CE6

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 55b8d3c471751ee09a827286f367db0910ce68e7955925a4a0875224a080ac08
Instruction ID: b0dcd444e886267162fa1e84e27475798c106d7b47f76634c2c3d7636eeeb720
Opcode Fuzzy Hash: 55b8d3c471751ee09a827286f367db0910ce68e7955925a4a0875224a080ac08
Instruction Fuzzy Hash: FA213875D103098FDB10DFAAC585BEEBBF5AF48310F54842EE859A7280CB789945CFA0

Function 06264320 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 062643A8

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 39c9a5acc752f456a1ce1f88770cb6497951f69db4f05b2bf72db5a43b530747
Instruction ID: 671c4ec9bb3efa8efd22c20492851eaad91d7def3da636eaa060ead9bcfa8316
Opcode Fuzzy Hash: 39c9a5acc752f456a1ce1f88770cb6497951f69db4f05b2bf72db5a43b530747
Instruction Fuzzy Hash: 4B2134B5C003499FDB10EFAAC981BEEBBF1FF48310F50842AE959A7240C7389941CB60

Function 06263C68 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06263CE6

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: bb7e23fcce2039e0a57f4a39effad5512c8d9d4635145a7aae7a18cc742641ba
Instruction ID: 0b37647842fbf2903bf698416f4b2dd3456375939c9a20a779b2e827e6809762
Opcode Fuzzy Hash: bb7e23fcce2039e0a57f4a39effad5512c8d9d4635145a7aae7a18cc742641ba
Instruction Fuzzy Hash: BC213871D103098FDB10DFAAC885BAEBBF4EF48310F548429E819A7280CB789945CFA4

Function 06264328 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 062643A8

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3a380fa9c8e8ac6bfe8f698b03a2472d29d2ea6e3be501ba9da0b7b4c82e90e7
Instruction ID: 38e104fe46d696306c7eedc44d7585feae43a94d6787e813de2bd4fa27c2bc26
Opcode Fuzzy Hash: 3a380fa9c8e8ac6bfe8f698b03a2472d29d2ea6e3be501ba9da0b7b4c82e90e7
Instruction Fuzzy Hash: 4A212571C003499FDB10DFAAC881BEEBBF5FF48310F50842AE959A7240C7399941CBA4

Function 06195597 Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

@, xrefs: 061956BF

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9fb0151b09a06ef0fc801ec25aa981af48b3750673c3170e2671d5f9f66f6ca0
Instruction ID: d225c1e3d3e240a3ca6100c99774425aaa717d909b1bc0654ee787e60cc47be8
Opcode Fuzzy Hash: 9fb0151b09a06ef0fc801ec25aa981af48b3750673c3170e2671d5f9f66f6ca0
Instruction Fuzzy Hash: F9E19374E002198FDB95CFA9C980A9DBBF2FB49314F5481AAD818F7351D7349A81CF60

Function 06264170 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 062641E6

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1ef3645a301bba0cf45efb556acb0d0e6a22cba4b58d0bcf32d8db43b0a08947
Instruction ID: a31c5e1950058b21d896c3872079070d27633343b6fac3e417fe7d40fbbaa7e4
Opcode Fuzzy Hash: 1ef3645a301bba0cf45efb556acb0d0e6a22cba4b58d0bcf32d8db43b0a08947
Instruction Fuzzy Hash: F01156B6C103099FDB20DFAAC845BDEBBF5AF48310F248819E915A7250CB399551CFA0

Function 06264178 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 062641E6

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 973558c64c90ee94044f111e3e087e54682f21c923a89276aa02eeb476d6886f
Instruction ID: 8e567fbcae74a0febae84a708f9a47f87e40065b9395e3c67a72eff66edb1617
Opcode Fuzzy Hash: 973558c64c90ee94044f111e3e087e54682f21c923a89276aa02eeb476d6886f
Instruction Fuzzy Hash: E0112375C003499FDB20DFAAC845BDEBBF5EF88320F248419E959A7250CB75A951CFA0

Function 06263BB1 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06263C1A

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c178fddce9761b7a10da5a776f7a04a2a3f5cfec49b6e5af2403f913a1a4c614
Instruction ID: 446dddad8393e9ed0d109c8087bdf842a7c1ec8232e61617aaf04270915980be
Opcode Fuzzy Hash: c178fddce9761b7a10da5a776f7a04a2a3f5cfec49b6e5af2403f913a1a4c614
Instruction Fuzzy Hash: E7118F75C003498FDB20DFAAC5457DEFBF5AF48310F148419D516A7240C735A541CF94

Function 06263BB8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06263C1A

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 173d560e9effe78ebc6edc69b6717a983e4cf763ce7de433fbfec25731786b49
Instruction ID: 430ccbe8b7112a50a56da70df5b64f3785c703d19d13126f337372efdc1ef875
Opcode Fuzzy Hash: 173d560e9effe78ebc6edc69b6717a983e4cf763ce7de433fbfec25731786b49
Instruction Fuzzy Hash: 19113A71D003598FDB24DFAAC84579EFBF5EF88320F248419D51AA7240CB79A941CFA4

Function 015BAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015BAF9E

Memory Dump Source

Source File: 0000000F.00000002.1507401128.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_15b0000_RFQ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 25f738b97afdbce070f0a158682117e1e497540a420fc1de74b1dce70da277d4
Instruction ID: 7d96aea509bc21436e51d7e4f70e1c53d1bbcf127785ee3cc30458ed81a0f9b7
Opcode Fuzzy Hash: 25f738b97afdbce070f0a158682117e1e497540a420fc1de74b1dce70da277d4
Instruction Fuzzy Hash: BB1102B5C003498FDB20CF9AC444BDEFBF4AB88314F10841AD829A7240C379A545CFA1

Function 06260DC0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06266B65

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d65a0ec24cedf9491b9343c2c7003f51674ac4501fd2432d33f6322614dca61f
Instruction ID: a0d024201b75727157cc3a43a95d74ffa65517613327814dad7f56dccced9932
Opcode Fuzzy Hash: d65a0ec24cedf9491b9343c2c7003f51674ac4501fd2432d33f6322614dca61f
Instruction Fuzzy Hash: A511F5B5810349DFDB20DF9AC985BDEBBF8FB48310F108419E919A7240C375A944CFA1

Function 06266B00 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06266B65

Memory Dump Source

Source File: 0000000F.00000002.1515961371.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6260000_RFQ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cbeea3a4c91e36c7eea0ce80fdaae69e9862007d6055e4cbb10b2b4551a100d1
Instruction ID: e2556200e25d51ecd51df237a70f5a318398233c2231bb6fb52403b1ce0cae4c
Opcode Fuzzy Hash: cbeea3a4c91e36c7eea0ce80fdaae69e9862007d6055e4cbb10b2b4551a100d1
Instruction Fuzzy Hash: 6411B0B9810349DFDB10DF9AC985BDEBBF4EB48310F20881AE919B7650C375A584CFA5

Function 06193D9E Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

LRq, xrefs: 06193E1A

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 7effd8dfa7c18dbe6463bde632a65ec32188d27625787b5d3540e5f6008e3f28
Instruction ID: 392cec51948739f1520fa4eb1b864c763d90c1f10a9e99c974287af13bb13671
Opcode Fuzzy Hash: 7effd8dfa7c18dbe6463bde632a65ec32188d27625787b5d3540e5f6008e3f28
Instruction Fuzzy Hash: 1191C174E142199FDF94DFA9D494AADBBF2EB89314F10842AD829EB340E7359902CF50

Function 0619B4BC Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

E, xrefs: 0619B4BC

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 53c8995f0b3bd54db6e466b2c303c9b589667e7a6183029116cbf078abef09d3
Instruction ID: 2e90c23cf7114895862823312ff6db62c40bfab577cee9abff37856d210c478b
Opcode Fuzzy Hash: 53c8995f0b3bd54db6e466b2c303c9b589667e7a6183029116cbf078abef09d3
Instruction Fuzzy Hash: 3E71AF74E042188FDF54DFA9D980AAEBBF1BF49314F2485A9D819EB306D734A941CF50

Function 0619553C Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

Teq, xrefs: 06198BB1

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 8bb6ff91c762e9fe74282e52d6f62866a68c1634dcb5d52b769080a894acc502
Instruction ID: 3028db664952c955cc8c81fe419e70630bb1766d070945fac83f1b7873d60007
Opcode Fuzzy Hash: 8bb6ff91c762e9fe74282e52d6f62866a68c1634dcb5d52b769080a894acc502
Instruction Fuzzy Hash: 1451A170B102068FDF55DBB9D84896EBBF6FFC52207188969E41ADB391DF309C0687A1

Function 06194830 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

8q, xrefs: 061948D1

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: c1b85d287b6e69584b81e301e13d657a3ca0a8112da7442be919897aaaf11ccf
Instruction ID: c2e68c80a5d32937fcfcc8361aadf1f0765da3f9724d7313274057cf45ee5522
Opcode Fuzzy Hash: c1b85d287b6e69584b81e301e13d657a3ca0a8112da7442be919897aaaf11ccf
Instruction Fuzzy Hash: B5410778E012199FDF48DFA9D5949ADBBF2FB89300F108429E815A7350DB359D42CBA0

Function 06194823 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

8q, xrefs: 061948D1

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: 855ecb2c7f6a0a8da0ade58bb1728f7adb7ff7a36a421a383fb7b220dabb8d74
Instruction ID: da63528a73eea90489e3abd898a131ed1ab4028095dc724278305b35c90d8317
Opcode Fuzzy Hash: 855ecb2c7f6a0a8da0ade58bb1728f7adb7ff7a36a421a383fb7b220dabb8d74
Instruction Fuzzy Hash: 56411A74E001199FDF48DFA9D594AAEBBF2FF89304F10842AE815A7350DB359D02CBA0

Function 06198D58 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

y, xrefs: 06198D60

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID: y
API String ID: 0-4225443349
Opcode ID: 7928ea162140431e7a9a157c18fbebc8d4491e15983465805d414cb901be31f2
Instruction ID: e0cd1747f1fbc01b229bcbb6469927d583507921bce791dd2759865eae036538
Opcode Fuzzy Hash: 7928ea162140431e7a9a157c18fbebc8d4491e15983465805d414cb901be31f2
Instruction Fuzzy Hash: 1D11B435A002068FCB51EB79C9145ABBBF6BF81210B048969D516DF391EB70EC09CFA1

Function 06195D40 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Teq, xrefs: 06195DAB

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: ac83a59355c0bd513554458f0627c402efe4bfc04fc7a0d96960989e88681bf7
Instruction ID: fafa1beebf40095dcf3722a7fc0bea17eb89b8ebe117a3bcc9648c1f78318d60
Opcode Fuzzy Hash: ac83a59355c0bd513554458f0627c402efe4bfc04fc7a0d96960989e88681bf7
Instruction Fuzzy Hash: BC111C31F102198BCF65EBB998156EEBAF6AFC8311B104079C915FB344EB358D01CBA1

Function 0619A798 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

m, xrefs: 0619A7AC

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 27fee2b67df79e3f8cc5b5d29f583e522d995bfeab52169a01f5ac081da1d4b0
Instruction ID: 69ed68f875f7da89dd436cfe60b399072bb2a067a3991c0bfad15be063206f04
Opcode Fuzzy Hash: 27fee2b67df79e3f8cc5b5d29f583e522d995bfeab52169a01f5ac081da1d4b0
Instruction Fuzzy Hash: C0E0C230D0120CFBDF88EBF4C40A36C77B89F05200F100094C40553340E7320E49DAB2

Function 06193348 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

6, xrefs: 0619335C

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: 41673bd1dc75cdba666639bc20542017bd5a8f6836ebbbbea46248de893267c4
Instruction ID: 91c4caa754a8b9fb959995700137018b03a5ec974f022dc02260b8511ccc9249
Opcode Fuzzy Hash: 41673bd1dc75cdba666639bc20542017bd5a8f6836ebbbbea46248de893267c4
Instruction Fuzzy Hash: ABE0C230D55208FBDF54DFB4D50926DBBB89B0A201F508094D40A93280EF304F41E6A1

Function 06199F83 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7148f462f0d79a161f1812c5926975d9bfc5a6e093e22b1af1e33d966e37fc37
Instruction ID: 5c8d813ea6deafb0271fb03ff8b71bb89de531b0e2189e8cff176a23000d454b
Opcode Fuzzy Hash: 7148f462f0d79a161f1812c5926975d9bfc5a6e093e22b1af1e33d966e37fc37
Instruction Fuzzy Hash: 97A1A275E002198FDF54CFA9D880AAEBBF6BF49304F148469E819EB311E7359A46CF50

Function 0619A288 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96bda6021131c6377df90e97e68f2e7af0cabc70070ca7973c46cb14bd5d5289
Instruction ID: 480b852cd11625d1662e7167c81fd590bbfcdc8739838f403e8c0e9afcba3a7c
Opcode Fuzzy Hash: 96bda6021131c6377df90e97e68f2e7af0cabc70070ca7973c46cb14bd5d5289
Instruction Fuzzy Hash: 28413635E083849FCF46CBB59C145AE3FB9EF82100B1544EBE404CB252EA349D0ADB71

Function 061990A1 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd647e8e8a33dc1d64299223396966ab2d27e2db4f64a4b308b313905976735a
Instruction ID: 1ea96d17d67aa3e9f689f4f40efaa8f6e5343ac12be1e09127fec58a0ccc4fad
Opcode Fuzzy Hash: fd647e8e8a33dc1d64299223396966ab2d27e2db4f64a4b308b313905976735a
Instruction Fuzzy Hash: 3A514D759006059FCB64CF18C888A99BBB5FF49334F19CA6DE4798B2A1C330E945CB61

Function 0619EA60 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d51b6a5c037d6fb1457e142bb84bd684692de231307971788ef2d354e2f08e
Instruction ID: 2423c3b337a77d61ea8eb69da79a8d6f8f82e58c0af208010f64304f221ac2ae
Opcode Fuzzy Hash: 05d51b6a5c037d6fb1457e142bb84bd684692de231307971788ef2d354e2f08e
Instruction Fuzzy Hash: 82410474D082088FEF48CFAAD4446AEFBF6BF8D300F15D42AE41AA2261D7305941CFA4

Function 0619FB78 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9853728cef5689c5582127933394c3b49a00ed7bf10cadde468a0b8eb2c9da6a
Instruction ID: fc17c007a54d927b3b00d386455f360bd0524a5d2850a5c4d7fc6ca418558081
Opcode Fuzzy Hash: 9853728cef5689c5582127933394c3b49a00ed7bf10cadde468a0b8eb2c9da6a
Instruction Fuzzy Hash: 32410774D08109EFDF48CFA9C4849AEFBBABB8D301B12C555E81AE7255D7309942CFA0

Function 0619B9D8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d108bcea464dbdc3daae4dd0ae8fb5b6bda1fe55e6d03d05f2035b2065d24c
Instruction ID: c539ac063ce371ecc5cf3626768ec3396071262bcf7c70f3eea4f21d216f16a0
Opcode Fuzzy Hash: 45d108bcea464dbdc3daae4dd0ae8fb5b6bda1fe55e6d03d05f2035b2065d24c
Instruction Fuzzy Hash: 6F41F874E04219DFDF84DFA9D884AAEB7F1FB89210F148469D815EB390DB359D01CBA1

Function 061989A8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bcc5f9421edce51b306d1a42749789dd2e73b9cf866da44cd7ba4cec5cffd4d
Instruction ID: de667d93bcd086055270541c704af53fdc94b9afd7986fa56b124fe56adabdef
Opcode Fuzzy Hash: 7bcc5f9421edce51b306d1a42749789dd2e73b9cf866da44cd7ba4cec5cffd4d
Instruction Fuzzy Hash: AA317462D193A10BEB52EB7CD8613DA7FB1EFC2521F0944A6C494CE152DA24484EC3EA

Function 0619B9C7 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba6f1b09d91e2d29ac5b56c2513a107fd5c28fcfd7b96ae384623f61acd9616
Instruction ID: 12ae976fcb36b64ec80059413b5848bcec294c922b7e058d388bfd094c379c8f
Opcode Fuzzy Hash: 2ba6f1b09d91e2d29ac5b56c2513a107fd5c28fcfd7b96ae384623f61acd9616
Instruction Fuzzy Hash: D6414B75E04208DFDB84CFA8D985AAEB7B2FF89210F548469D415EB390DB35DE02CB61

Function 0619E270 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3272b9134815baaca28c4d172531f3271355a407614aaa25838291336b75b5e
Instruction ID: 10df1d37dd0485ba001dfb44fbc640ac466c8e773935e78b172d6136f3ad26b8
Opcode Fuzzy Hash: e3272b9134815baaca28c4d172531f3271355a407614aaa25838291336b75b5e
Instruction Fuzzy Hash: 9E41D474E042198FEF48CFAAD8456AEBBF6BF89300F10942AD419AB354DB705946CF90

Function 06198E64 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7e366907e380145c323aab24f257d4d187924a9e2c56957b191843c20b4651
Instruction ID: 47909827fbc963f853c2cede55c80523d8f0376a2acc1e4795bf811b609725c1
Opcode Fuzzy Hash: fb7e366907e380145c323aab24f257d4d187924a9e2c56957b191843c20b4651
Instruction Fuzzy Hash: 3641D1B1D00318DBDB64DFAAC985ADDFBB5BF49304F24842AD409AB200D775AA46CF91

Function 06197E24 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc09f8484e6a77de46136067a00cde5301d8437052c0bf71d162bc7ed4e9e7a
Instruction ID: 007435baa6a8ec7506ff39ee72875d81a826acbba6799b39a08383583fcee4fe
Opcode Fuzzy Hash: 3dc09f8484e6a77de46136067a00cde5301d8437052c0bf71d162bc7ed4e9e7a
Instruction Fuzzy Hash: C541D2B1D0030C9BDF64DFA9C984A8DFBB6BF49304F648429D408AB204D775AA46CF90

Function 06198D68 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ffe816294213a401308f42fab443e6209bdf455b262a188fce73b81ccb9199
Instruction ID: 046cba03243d37112a4a9bd914c20cd55a75263cec52b912fc8760d07463f465
Opcode Fuzzy Hash: e0ffe816294213a401308f42fab443e6209bdf455b262a188fce73b81ccb9199
Instruction Fuzzy Hash: 9021D535A002014FCB51EF79D45449BBBE6BF85210715C8AAD506DB391EB71EC0A8BA1

Function 0150D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1506209690.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_150d000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1f056de6cb722908ac4239eb6e8dd0b7b6083d3a2ae779981463f47f9cc4fa
Instruction ID: e580f88870bec75418ca7317a619aec4d67f800c23ffa8aa759c6767cfa31ee0
Opcode Fuzzy Hash: 3f1f056de6cb722908ac4239eb6e8dd0b7b6083d3a2ae779981463f47f9cc4fa
Instruction Fuzzy Hash: 45210671504204DFDB16DFD4D9C0B5ABFB5FB84324F20C569E9090F296C376E456CAA2

Function 06195090 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11935d0b6a0361770fe3ee43c9b692f8b6af3dca44e081579844115b1efd980
Instruction ID: 17bb4ba94a7704edb6afcde705cd10509987e86cba84b13043a8b2f6c8784b2c
Opcode Fuzzy Hash: e11935d0b6a0361770fe3ee43c9b692f8b6af3dca44e081579844115b1efd980
Instruction Fuzzy Hash: 43316AB4E1020ADFDF81CFA9D9856AEBBF5AB09214F14846AD815F3300E7349A41DFA1

Function 0151D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1506957199.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_151d000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442e184bd829e76db2abb0b0b5f4f0e4cfd374dc3ff6805a6fdaa82a642b3d34
Instruction ID: 6884bebb89e499a112abf47bf23bb9418e423a7d1b7a5aa2f9e197919064207d
Opcode Fuzzy Hash: 442e184bd829e76db2abb0b0b5f4f0e4cfd374dc3ff6805a6fdaa82a642b3d34
Instruction Fuzzy Hash: 91210771604300DFEB16DF94D9C8B55BBB5FB84324F20CA6DD8694F25AC33AD446CA61

Function 0151D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1506957199.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_151d000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f50400d096053d8ae5cfaa868e695b98a61dfb9c18841aac6ce33701af5d64
Instruction ID: 5635d31aa224ab32a895a66c69e49d21c8e99af2bba3c12b70f2323c1a79cd94
Opcode Fuzzy Hash: 52f50400d096053d8ae5cfaa868e695b98a61dfb9c18841aac6ce33701af5d64
Instruction Fuzzy Hash: 2321D375604204DFEB16DF54D9C8B16BBB5FB84314F20C96DD8494F24AD33AD847CA62

Function 06195080 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef526af60ca586d4738a846acb1839715b8f7c0531324ae0a78fee2262b6142d
Instruction ID: fdc79a13327bdb90d1dcf22905c2896acd664121ad87b56ec7af9bbb34db13c3
Opcode Fuzzy Hash: ef526af60ca586d4738a846acb1839715b8f7c0531324ae0a78fee2262b6142d
Instruction Fuzzy Hash: 2831B3B4E1424A9FCF41DFB9C9446AEBBF1AB09244F1484AAD824F7341E7749A41CFA1

Function 061988C0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52fefd5ec43b5ed336e99fbda3b201a3a8213ac5feb61c377be0d89258e0665b
Instruction ID: a54f3a8e3686f4309ec4cbe5c2565eb865d9149d58fe5a4a8cbe7a5f97b6171d
Opcode Fuzzy Hash: 52fefd5ec43b5ed336e99fbda3b201a3a8213ac5feb61c377be0d89258e0665b
Instruction Fuzzy Hash: F42166B2C043889FCB10DFAAC845ADEBFF4EF49210F14845AE844AB211C335A549CFA5

Function 06198BF5 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2da71595935cafe15ca690c5181ec3a9fd52291f7242ab107f0927afc18da8d
Instruction ID: 8d44d01ba3a657775794470e1467d6ae03be0ca603d88941f69286b4b9516e7b
Opcode Fuzzy Hash: d2da71595935cafe15ca690c5181ec3a9fd52291f7242ab107f0927afc18da8d
Instruction Fuzzy Hash: 6031E0B0C01318DFDB60DF99C985BCEBBF5BB49314F24891AE405AB290C7755845CFA1

Function 06197DF4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6011ab6593e770ecbf82b00d067e1819ff3c1e57c8efd5565f1b087f4b410a11
Instruction ID: af0a53bbd374571aac7e3a808e10ae0b7f119944ca8708d931b8f34198c1d8e9
Opcode Fuzzy Hash: 6011ab6593e770ecbf82b00d067e1819ff3c1e57c8efd5565f1b087f4b410a11
Instruction Fuzzy Hash: C431E0B0C01318DFDB60DF99C985BCEBBF5AB49314F24892AE405BB280C7B56845CFA5

Function 0619B808 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3febe1f4dedcfd448a709b647cb32f5282b2ac6805a8fc6af12e9ba5efa0f04
Instruction ID: 5a05900de77402877cfb7d176ad614e0bd410e982d60a90e30b978151de4eb82
Opcode Fuzzy Hash: e3febe1f4dedcfd448a709b647cb32f5282b2ac6805a8fc6af12e9ba5efa0f04
Instruction Fuzzy Hash: 05217CB0D1934A9FCB58DFB9D8456AEBFF1BF49210F1089AAD424E7252E7348600DB90

Function 0619A308 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8fdfea05e1a2d368bfe495b05dea348d8c4281d34af6bd2890f43bb852c3242
Instruction ID: c77a6e74e5e08526d01c738ad37c0f2d2a343280918f89906ed4c1553fbac52c
Opcode Fuzzy Hash: c8fdfea05e1a2d368bfe495b05dea348d8c4281d34af6bd2890f43bb852c3242
Instruction Fuzzy Hash: 0D11C231D092846FDF86CB759C508AA3FB5EFC715030980E7E444CB263E7249A0A9B71

Function 0151D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1506957199.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_151d000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633a973b0392aea5afd143805043def8c787567dd228b4e7d6dda905a1c357e6
Instruction ID: dd9e7ddde0cdd142a12787ffe1076cc9c0a60527dac2d72d12c1f876f189ffca
Opcode Fuzzy Hash: 633a973b0392aea5afd143805043def8c787567dd228b4e7d6dda905a1c357e6
Instruction Fuzzy Hash: 02218E755093808FDB07CF24D994B15BF71FB46214F28C5EAD8498F2A7C33A984ACB62

Function 0150D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1506209690.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_150d000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: b1ed9aab76f132d80a5f5b14420e9876557ac4a68f58172589564e89c567f4ac
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: CC11CD76504240CFCB06CF84D5C0B5ABF72FB84324F2482A9D8090A296C33AE456CBA1

Function 061988E4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f799333a0bdf5415070aea8c2dc21c9c30031f2c8eb41b4017de912cec834c0e
Instruction ID: 81f656bf672a9ab47c43f60ad11528daed68e75860bb5110b7703e0a34f4e65d
Opcode Fuzzy Hash: f799333a0bdf5415070aea8c2dc21c9c30031f2c8eb41b4017de912cec834c0e
Instruction Fuzzy Hash: 182103B5C003499FCB20DF9AD985BDEBBF4FB48310F148429E919A7210C775A945CFA1

Function 0619A400 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2bc0d15e7ef159b516ac719fc7e1c5790505206cca37a5e87457148839240f
Instruction ID: 0f16bfb4478441c62023763010a74be07ef5519a0a4c1dbfb34d4112e2d30a0e
Opcode Fuzzy Hash: cc2bc0d15e7ef159b516ac719fc7e1c5790505206cca37a5e87457148839240f
Instruction Fuzzy Hash: 8D2103B6C003499FDB20CF9AD885BCEBBF4FB48320F148419E919A3210C779A545CFA1

Function 0151D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1506957199.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_151d000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: cda9c198e29f4b0ee8961ede6d23068f62074231e70b4c8388b0cb37972f38e6
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 5611BB75504280DFDB06DF58C5C4B59BBB2FB84324F24C6ADD8594F69AC33AD40ACB61

Function 0619F158 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188165a7c903293e58a3e61c44349eca31b56d7347b26ff1efbaf15f3e8dc8c8
Instruction ID: 3e08b4d73fe289c85417b83aea2396b993247d8947903f0f156a11cc98a06ec8
Opcode Fuzzy Hash: 188165a7c903293e58a3e61c44349eca31b56d7347b26ff1efbaf15f3e8dc8c8
Instruction Fuzzy Hash: 0811D2B1D006189BEB18CFABD8447DEFAF6AFC8300F14C06AD508B6254DB750986CFA0

Function 06197E00 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787b41ac6283c0bff2532d6882c054a4f030aedd00422767fe2838bd4b0790d1
Instruction ID: bd79498607cc3fbddd0b2c08b0209f0a400a524ac8d2285c7dca58a1e07bb77c
Opcode Fuzzy Hash: 787b41ac6283c0bff2532d6882c054a4f030aedd00422767fe2838bd4b0790d1
Instruction Fuzzy Hash: 581122B5C003488FDB20DF9AD945BDEBBF4EB48320F24841AD929A7300C779A944CFA1

Function 06199451 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c0ad3186f1224f4a58a4991a7ef586c3ad29a7d15f5c548e0dfcc37e3c6926
Instruction ID: cbb0536f23ae8ceadbd14b6bf7f560fe1e030f641f954e8ebcdec88fd877f32d
Opcode Fuzzy Hash: 33c0ad3186f1224f4a58a4991a7ef586c3ad29a7d15f5c548e0dfcc37e3c6926
Instruction Fuzzy Hash: D41125B5C002488FDB20DF99D545BDEBBF4EB58310F24841AD859A7740C334A945CFA1

Function 0150D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1506209690.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_150d000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5858c9f17ce3c5c04f00f418ddae6cbc8a4a827ddca3d42e85b3b80d0d3096a
Instruction ID: 1afdd260a0bdb536f34d19083b4ecb3de542278565b45dcd138ae8bd97cb34fb
Opcode Fuzzy Hash: d5858c9f17ce3c5c04f00f418ddae6cbc8a4a827ddca3d42e85b3b80d0d3096a
Instruction Fuzzy Hash: A101A7315043849EF7215AD9DC84B66FFE8FF81625F18C95AED094E2C7C2799844CAB2

Function 06198FED Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06aa1218b00d881b56e29735b37004b0e63755b2c27a1474de7b2c088f17d3d3
Instruction ID: 243ca07513b5e30e33d49f0624f18f8da893ff47224c79b03375a7642f07f23a
Opcode Fuzzy Hash: 06aa1218b00d881b56e29735b37004b0e63755b2c27a1474de7b2c088f17d3d3
Instruction Fuzzy Hash: CB115E71D00208DFEF14CFAAC4447DEBEF5EB48360F28C569D828AB290C7718984CBA4

Function 06198FF8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e20c8ddcb71a79e2bc208771ecca2d68815a4479f0868506a845a71900c397
Instruction ID: 826cacb359b585cae64f81d37f34811434729b4826c7cf2141f2119e80a79cae
Opcode Fuzzy Hash: 23e20c8ddcb71a79e2bc208771ecca2d68815a4479f0868506a845a71900c397
Instruction Fuzzy Hash: BF01DB70D00208DFDF14CF5AC44479EBEF5AB48360F28C569E828AB290C7758984CBA4

Function 061947B9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a2de948194840ef0eb4cc0ffb716f2e8976f86c81a668cc1c23ac050579dd6
Instruction ID: 05f100f77cc717fe248ec207858d2719d2234db8b4ca687f31bd50c0ec39259a
Opcode Fuzzy Hash: 02a2de948194840ef0eb4cc0ffb716f2e8976f86c81a668cc1c23ac050579dd6
Instruction Fuzzy Hash: A6016270D193499FCB55DFB8C9051AEBFF0AB4A310F1441AAD414E3352E7708A02DBA1

Function 0619B8B8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cb7863725ca06335ba12b5db29cb9ae73a17af6e6f26e37256e6e16d30b4f1
Instruction ID: 36af922ee1612b99d61043e0881b6bab4aa516f8de5c94388874854bb6e3edf2
Opcode Fuzzy Hash: 21cb7863725ca06335ba12b5db29cb9ae73a17af6e6f26e37256e6e16d30b4f1
Instruction Fuzzy Hash: 9001DAB4E152099FDB84DFA8D5406AEBBF5FB49300F108469C818E7340E7309B01DBA1

Function 0619B8A8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d5236772bced560c4f2d7c89de297070481cecf7515f342c4d4f6448afa6154
Instruction ID: 2a5d9d637a5d9fefc0a538f99e523634b449131b91ad06ea48abe324fb1f4d73
Opcode Fuzzy Hash: 0d5236772bced560c4f2d7c89de297070481cecf7515f342c4d4f6448afa6154
Instruction Fuzzy Hash: B70171B4E152099FCB84CFA8D44469EBBF4FF59300F1080AA8808E7340E7349E01DB61

Function 0619B768 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b92bbdf43be68997feeed51b535fd87d882dfbdfcb760ec9443d0107744fd7
Instruction ID: bc40f9545e432d5613143890bc42bdc3dbdc9ccf5346becb0ab7b67205ab6802
Opcode Fuzzy Hash: 74b92bbdf43be68997feeed51b535fd87d882dfbdfcb760ec9443d0107744fd7
Instruction Fuzzy Hash: BA014FB4D042099FDF58DF69D946AAFBFF0BF09310F104669D565D7281E7749101CBA0

Function 061988D4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572c5a3768ea09bda7eb71d51c10ba5480828193c480b4fcfa8d7e653daf0973
Instruction ID: 436f8a2f6e349916214fbb0b15e8f1ef015a42447bb59351ed0f178be649e5a2
Opcode Fuzzy Hash: 572c5a3768ea09bda7eb71d51c10ba5480828193c480b4fcfa8d7e653daf0973
Instruction Fuzzy Hash: 92F09036A00209BF9F89EF9ADC40D6E7BBAEFC5210700C476E518DB210DB30E9059BA4

Function 06193D21 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0b4ea609d9649b38d04882057a2a6b94d2f00f30476435d21243d4d6be0bf2
Instruction ID: 1fecd87fc5605d59bd84249ae00517a8cf9efe1d17f38c917964351fe76c607e
Opcode Fuzzy Hash: 3f0b4ea609d9649b38d04882057a2a6b94d2f00f30476435d21243d4d6be0bf2
Instruction Fuzzy Hash: EA01A4B0D0828AAFCF96DF7888151ADBFF0AB06210F4085A9D824E7396E7704A01DB51

Function 06199F10 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc31ba11694d77fb9cd267a459b55818d722264c15bbcc4ea5afc0d7e1626386
Instruction ID: 34efb1731495bb23263b0cdabcfcd41add2be41ea2260c5a8cf9dc86e71c3903
Opcode Fuzzy Hash: fc31ba11694d77fb9cd267a459b55818d722264c15bbcc4ea5afc0d7e1626386
Instruction Fuzzy Hash: EE01FB74E15209DFDF44DFB9D5056AEFBF5AB48300F14846AA815E3340EB308A01CBA1

Function 06199F00 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23a3fb809c1abc4546fcb10a420ce19c93e71a6391596b4f8ff1b6fc65cd71c
Instruction ID: 91e098b4b32571ce7bb2f78f377c0e4ea8e5789f340d2b16654246562005c80d
Opcode Fuzzy Hash: a23a3fb809c1abc4546fcb10a420ce19c93e71a6391596b4f8ff1b6fc65cd71c
Instruction Fuzzy Hash: ED018B74E192099FCB50DFB8D8052AEBFF4AF09300F0484AAA804E3391EB308A01CB61

Function 0619FF38 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a024ff5b708b11b51bacadebd5268b5f0fee9a7589f7ce74996d9a2aac4f6fa4
Instruction ID: 2d6dd63f211aa223cd098e243393f3d2dfc9db7119158f20207ca68c5a683651
Opcode Fuzzy Hash: a024ff5b708b11b51bacadebd5268b5f0fee9a7589f7ce74996d9a2aac4f6fa4
Instruction Fuzzy Hash: 6AF0AF32908208EFDF08CFA5D4009BDFBB8AB8A309F1195A4A4089B215C7309A46DB90

Function 0150D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1506209690.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_150d000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6efc4910f49b26804b2da6adeab2f0f9e0f2c09f5cebebf4f46be130a7f55c12
Instruction ID: 770b646c31b64eccb1a3ef72efd76082a5ad998445ec8718e0a4b0e5fe27458e
Opcode Fuzzy Hash: 6efc4910f49b26804b2da6adeab2f0f9e0f2c09f5cebebf4f46be130a7f55c12
Instruction Fuzzy Hash: 75F068714043449EE7258A59DC84B66FFA8EF81735F14C55AED094E2C7C2759844CA71

Function 061932D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d7e8666a79332219e6bf7ed51e521c9275ee0239c609e06577c960200b88e1
Instruction ID: 461061b8de27bb8a45a1b10c4266e65a2b21e4e8b1b124a328552ada40e9ab7e
Opcode Fuzzy Hash: f9d7e8666a79332219e6bf7ed51e521c9275ee0239c609e06577c960200b88e1
Instruction Fuzzy Hash: 44F04F74E04209AFDB80DFB8C4446AEB7F4FB4A300F0084A9C824E3340DB719A01CB91

Function 06198828 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787abf4ae7fb4289373897196f874bb67e680f87d918210b100837d9af2742dc
Instruction ID: 10fe2b2681d38ce16170d05e5f8256350ab6a48a1ebab88c675f9df10bb5d0ea
Opcode Fuzzy Hash: 787abf4ae7fb4289373897196f874bb67e680f87d918210b100837d9af2742dc
Instruction Fuzzy Hash: E3F0AC26C5A3A05BF752BB78E8613CA3F219FA2926F044483D1944D152D415448FD3FF

Function 061947C8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146d6651f96f10447ea58fab69f90dcc7aa6ab8ca6285609c2d70c4be61df7ee
Instruction ID: 12776db6ba2c079b0a519f5f4cf5930205fb6285f1bf1fc8e33e3fbf25fbe7dd
Opcode Fuzzy Hash: 146d6651f96f10447ea58fab69f90dcc7aa6ab8ca6285609c2d70c4be61df7ee
Instruction Fuzzy Hash: 2AF097B4E15219DFDB48DFA9D5456AEBBF4BB49300F10856AD819E3340EB309A01DBA1

Function 0619B298 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d4179919ec9d257f07b7f080d88c6e2bdc32aebc3a88f0910ba3ee5aef6c99
Instruction ID: e9ca14e95b2403b9e097ee773930e39e63fec2c6c175534153c898f48492a504
Opcode Fuzzy Hash: 97d4179919ec9d257f07b7f080d88c6e2bdc32aebc3a88f0910ba3ee5aef6c99
Instruction Fuzzy Hash: 79F0E7B4E192099FDF44DFB9D5056AEBBF4FB49300F1085699818E3340EB30AA01DBA1

Function 0619B288 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff80c44362471b7d3bf5d4b5798792634010353459f0874c59db571a29b173ac
Instruction ID: 00164e94cd29ff983968e457ebf418f5e29a84ffca9d9703e2c0f54ace8dc49d
Opcode Fuzzy Hash: ff80c44362471b7d3bf5d4b5798792634010353459f0874c59db571a29b173ac
Instruction Fuzzy Hash: 15F0F670E142099FDB00CFB8C8017AEBBB1EB4A310F14C1A9D415D3391DB349602DB51

Function 06198D01 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1999a6284b406be4a9acb5cf8f2308a915c7c1e5cd6adc7a5d68c2990fc7b660
Instruction ID: 070d4f3a544896832ddc41b6c5ac321ad616233c0a19e2c1e171ed5ec4d14566
Opcode Fuzzy Hash: 1999a6284b406be4a9acb5cf8f2308a915c7c1e5cd6adc7a5d68c2990fc7b660
Instruction Fuzzy Hash: 02F0B4B1D0934A9FCB52DF70D85045DBFB5FB83214B2045ABD405AB351EB3A2E02DB22

Function 0619B6C9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a2dc6e79be892d311f3137fa24b125936be0a17fbc32305f0ba4b8317dd57b
Instruction ID: 2776df19210cb29a7f4d30926ab33ba7ddc1b8e8a8071e811a93acf158390199
Opcode Fuzzy Hash: 72a2dc6e79be892d311f3137fa24b125936be0a17fbc32305f0ba4b8317dd57b
Instruction Fuzzy Hash: 10F0AE70D082459FCB90DF79D84869FBFF0FB08294F208669D025D7251E7F065428BA1

Function 06193D30 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be67d9568a1e475a5ba1a58fdeeed6a4c0c6befdd163de8e13eee3d60b341665
Instruction ID: e9e218580918bdbe8f59ca03b2e9a026126cb79054d8985dcde1b301592d4bda
Opcode Fuzzy Hash: be67d9568a1e475a5ba1a58fdeeed6a4c0c6befdd163de8e13eee3d60b341665
Instruction Fuzzy Hash: 04F03AB4D14209EFDF84DFB9C5556ADBBF4EB49300F4088AAD829E3310E7704A00DB50

Function 0619B818 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1548a12adfef525be5376a7b96bd8282e42deae61538d75ea2db319fc5e384d4
Instruction ID: e49d9c6470d57d7fb1a6fff0838baad67591610f51e4c870d073161fc745ba3c
Opcode Fuzzy Hash: 1548a12adfef525be5376a7b96bd8282e42deae61538d75ea2db319fc5e384d4
Instruction Fuzzy Hash: FBF0B7B4D1920DEFDF88DFA9E5456AEBBF4BB49200F0088AAD419E3214E7705A41DB50

Function 0619B778 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baeddd537b77aeed1b1aeb84343777e22a7f7c820a1e6f2e4d12586423f70c80
Instruction ID: 24252e29877ee89a346169a9aab89d6eb7cc1ae0290638bac4cfdccccea30914
Opcode Fuzzy Hash: baeddd537b77aeed1b1aeb84343777e22a7f7c820a1e6f2e4d12586423f70c80
Instruction Fuzzy Hash: E0F0D0B4D0420A9FDB54DFA9D44566FBBF4FF48300F104559D518E7240D7749500CBA0

Function 0619B980 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c534001143e4d35bb17b50cb7eece03d5144322e5083268ba55695f8dbea2791
Instruction ID: d1748e53f9026717396ad7db7d6803791033ec7da06171e677e2438816abb436
Opcode Fuzzy Hash: c534001143e4d35bb17b50cb7eece03d5144322e5083268ba55695f8dbea2791
Instruction Fuzzy Hash: B0F0C9B4D29208AFCB90DFB8E5496AEBBF4AB1A200F1095A9D419E3240E7305A41DB65

Function 06194E90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12e42f57214d2642946cb06d4cc8db16b8d00ab557e7d8459d1286d3db19f4b
Instruction ID: 895eb3dd645918accdf74976b023e81bec90dde734f8e966d2d90382a981533c
Opcode Fuzzy Hash: c12e42f57214d2642946cb06d4cc8db16b8d00ab557e7d8459d1286d3db19f4b
Instruction Fuzzy Hash: 67E0C230D1120CABDF94EBB6C4086AC77F89B06200F504498C40553340DB340E45DBF2

Function 06198D10 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc8d245914b58b4202077311cf83ebae6d912f5f8136331a93e699285656c50
Instruction ID: 60037aa4097cf42c0480ac950bb040d6ca183b1d359bc49623017fd7674aefcf
Opcode Fuzzy Hash: 8fc8d245914b58b4202077311cf83ebae6d912f5f8136331a93e699285656c50
Instruction Fuzzy Hash: 88E08670D1120DEFCB00EFA1E81145CBFB9FB44200B1085A9D805B7310DE3A2F10DB51

Function 0619B6D8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320d64639780caa0c84e5ee78eca16d9193cec53bd221308d1469d6a83516a88
Instruction ID: 83c3b56242b5fd398c3474c9f15d073499854197f1a67a1c8bd032414341ef62
Opcode Fuzzy Hash: 320d64639780caa0c84e5ee78eca16d9193cec53bd221308d1469d6a83516a88
Instruction Fuzzy Hash: DAE046B0D04209DFDB80EFB9C904A5FBBF0BF08600F1189AAC018E7351E77486008FA0

Function 0619E230 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad06c80b9d8decd254bcff049919d9568964ca8020f2a2de5288d1324ab416c
Instruction ID: b39016f63bca62c1065d11f731986da47a57b9e6c7beea269067c349226e8575
Opcode Fuzzy Hash: 2ad06c80b9d8decd254bcff049919d9568964ca8020f2a2de5288d1324ab416c
Instruction Fuzzy Hash: 1DE0E278D15208AFCB80EFB8E54A69DBBF4AB49201F6001AA9908A3240EA315A85CB51

Function 06195D08 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3507560e18090e84a83ffc46823827689a345bc4e196bcaa26e6709b3bd0f91b
Instruction ID: a7fcdff8327f40db1d993851fd14b956ba012a891a76b492fa08dd47d6e7208a
Opcode Fuzzy Hash: 3507560e18090e84a83ffc46823827689a345bc4e196bcaa26e6709b3bd0f91b
Instruction Fuzzy Hash: 1AD0A73AC142405FDFAB6B50CC5499D7FB6BB5331074682D3D0B0A71B2D66584069B32

Function 0619B880 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf81f3ea34269b3aeca942259e6d39cf8cb9addab8ad396ed409d974fbe75df
Instruction ID: 250f8360e29ff502f5aae24b315347c6737f120ba569889ad59c9108f881ecb3
Opcode Fuzzy Hash: 8cf81f3ea34269b3aeca942259e6d39cf8cb9addab8ad396ed409d974fbe75df
Instruction Fuzzy Hash: 2AD0123216410C5E8FC0EED4E800C53B7DCBF58740741C422E544C7021E722E438EB61

Function 0619D838 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f56244362528474c217554cdae78281a4b81df2dfb088e645ccc4c27b2543ca
Instruction ID: 705dc64e5eab9a446300f68fab6ebcdabcb79d86e63fbbe1896cb551640c70d1
Opcode Fuzzy Hash: 0f56244362528474c217554cdae78281a4b81df2dfb088e645ccc4c27b2543ca
Instruction Fuzzy Hash: 7AC08C34091A0487CA186BE4B60F32C7F689BC2306F800424F309004508F724442CE25

Function 0619551C Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d428eed717ce32d2b6a0bdae0b255be7bb07c86185a81b73126fdfe234d5e8d
Instruction ID: ab02303b4438c88a8c5f48cedb941bdb1d38a194138f1642732b19d044b40737
Opcode Fuzzy Hash: 3d428eed717ce32d2b6a0bdae0b255be7bb07c86185a81b73126fdfe234d5e8d
Instruction Fuzzy Hash: 02C09B3E014104AF9F8AE750D984D5A7EE3FF95300782CC52B14456031CB31C51DAF67

Function 06198874 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1515543159.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6190000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98c51481bc1b342cd8536b39c68ab4a20df3921a89fdc9e4767bb86284ba55c
Instruction ID: 57f3b90188d8ba42ae190cbb09443692c9428877ffacf48db2c8986d398c4b09
Opcode Fuzzy Hash: e98c51481bc1b342cd8536b39c68ab4a20df3921a89fdc9e4767bb86284ba55c
Instruction Fuzzy Hash: 17B01239194305EAAECCA6B04C80A1B58A1BFF3701BC28C12724400100CA20442EB37F

Analysis Process: RFQ.scr.exePID: 7556, Parent PID: 7240COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	86
Total number of Limit Nodes:	6

Executed Functions

Function 070D19B8 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3640d522ac4aa7cdefbdd8158c2815384ec643120de740cf3109587f03792a
Instruction ID: 978a605e3f5e0d29d8d9569a129f8bd7c90915a05544de13065a8888ef350d63
Opcode Fuzzy Hash: 0d3640d522ac4aa7cdefbdd8158c2815384ec643120de740cf3109587f03792a
Instruction Fuzzy Hash: 47D13870B103198BD745EB6AE464BAE77F3EBC9315F568229D4068B398DE349C82CF41

Function 070D19A8 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41f361703f2a925c7c6873c9b5096f0390754b91e9646c969e89dd4dd859dc2
Instruction ID: 8479618ae3546628b9b8e9e566f9f55fc89dc6702b0c0142595d2d03198548a7
Opcode Fuzzy Hash: f41f361703f2a925c7c6873c9b5096f0390754b91e9646c969e89dd4dd859dc2
Instruction Fuzzy Hash: 88C15C70B103198BD745EB6AE464BAE77E3EBC9315F168228D4029B298DF349C82CF41

Function 070D1AA5 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2006e8eb07f6cdca80d260a312e146540d396da66abf3e3e15b5a611f153272
Instruction ID: 0be1882f2a3126ba14daa050e2568aef6d58299ea176eecb07e13c775560055a
Opcode Fuzzy Hash: b2006e8eb07f6cdca80d260a312e146540d396da66abf3e3e15b5a611f153272
Instruction Fuzzy Hash: 9D913970B103198BD745EB6AE464B6E73F3EBC9715F568268D4028B298DF399C82CF40

Function 070D8630 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2e08d6c2aa81123db527df04d14dbddb3446eeb9ba6f5bcd342e351eda1fe2
Instruction ID: 82c91fc913941f87923fe63dfd7e3c743b064e8dc81755fc4288877cf0df3e5c
Opcode Fuzzy Hash: 6f2e08d6c2aa81123db527df04d14dbddb3446eeb9ba6f5bcd342e351eda1fe2
Instruction Fuzzy Hash: 318181703212119FD705EB6AE464BBE32F3EB89715F1582B5E912873D8CF389C428B42

Function 070D86E8 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c1fa76d3891a81ac3431c367455264900e5edd245ce08304e8dc34434ce499
Instruction ID: 968e75c6b65e62fcf4746bcbbddbd723bf6387c80b92531964286dc7db658301
Opcode Fuzzy Hash: 89c1fa76d3891a81ac3431c367455264900e5edd245ce08304e8dc34434ce499
Instruction Fuzzy Hash: D8816E707213119FD705EB6AE0A4B7E32F3EB89715F1582B5D912873D8CE389C428B42

Function 070D5E09 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53a49d7da274d0c2007234e7787757efa723ba4159886d540b37747c566ee3f
Instruction ID: 031f483c87317ecd4a06f62a36d09fdea396aeef991bbbcd931298e592db7689
Opcode Fuzzy Hash: b53a49d7da274d0c2007234e7787757efa723ba4159886d540b37747c566ee3f
Instruction Fuzzy Hash: E261E070A10305CFEB05EB5AD894BAE77F2FB89311F158265D9019B788CB795C82CF81

Function 070D9000 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652d2bb6b7aca36cb0deff14e678404517226d38511dc4e80accf7b5de8b6c5a
Instruction ID: 9eb57700f6fe67c25c87636046b477f485accccf8044f2b50d33ba3408930eba
Opcode Fuzzy Hash: 652d2bb6b7aca36cb0deff14e678404517226d38511dc4e80accf7b5de8b6c5a
Instruction Fuzzy Hash: 1F417BB4A203218FDB51DB6AE4587AE37E3EB86711F168374D40587788DB386D82CF91

Function 070D4360 Relevance: 6.4, Strings: 5, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 070D44D4
Hq, xrefs: 070D4500
(q, xrefs: 070D4378
Hq, xrefs: 070D452B
(q, xrefs: 070D44A8

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID: (q$(q$(q$Hq$Hq
API String ID: 0-501546185
Opcode ID: 5b609d5051d63a6988f433a2e5fb3ade2fc1592743c8d05a6e9a7d9186a88fc0
Instruction ID: edb5cb4b1836172cd5e83b3baf0552707a036e8dfc36269ebe2a1a300c2ccaa5
Opcode Fuzzy Hash: 5b609d5051d63a6988f433a2e5fb3ade2fc1592743c8d05a6e9a7d9186a88fc0
Instruction Fuzzy Hash: FC510F71B047015FDB18AB68A45156EB7E2EFC42107688A2EE94BDBB50CF34EC028799

Function 070D59A1 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0e7d4ed76894fc646588860161bb80bdbd7a2f02c6aef7e6c6d942e7b4f23a
Instruction ID: 5b9836909343f3b219f059225ff8f6dc2a82ed0a75532f69a570ef76824281c4
Opcode Fuzzy Hash: da0e7d4ed76894fc646588860161bb80bdbd7a2f02c6aef7e6c6d942e7b4f23a
Instruction Fuzzy Hash: A971E9B13253219FD7119A26E8547BF73A3E786321F154375ED128B3C9CE389C528BA2

Function 070D29B0 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e76791020046849ac7a70bf0248f0b8a0082c6adf9770b401874ee715c2562
Instruction ID: 1283127550762e22b87634491b34cfc15c4b2d0ef366a2c99784848f6745650a
Opcode Fuzzy Hash: 37e76791020046849ac7a70bf0248f0b8a0082c6adf9770b401874ee715c2562
Instruction Fuzzy Hash: 84717F34B106258FCB49EB69E0A85BD7BF2BF887107555169E807E7384DF30AC428B95

Function 070D5E18 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6873bedf047f41d0f6a3404a5852b6fefedfad447256f399ba58079958c016e1
Instruction ID: 72a67aa91ff6988808fff51dcaa99ce1ce4aa87430282805b0d2d0ac099502e3
Opcode Fuzzy Hash: 6873bedf047f41d0f6a3404a5852b6fefedfad447256f399ba58079958c016e1
Instruction Fuzzy Hash: 62618D70A10315CFEB04EB5AD894BAE77F2FB89315F158265E9019B388CB795C82CF91

Function 070D6348 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d25f4feb62fb50b67da9397ab7fe9bb46903ae70628a40417f7900102f5f47b
Instruction ID: d39b4391c6967ec82724eed87e2832c5981013290d0f1b6729a5db0abf854ad0
Opcode Fuzzy Hash: 9d25f4feb62fb50b67da9397ab7fe9bb46903ae70628a40417f7900102f5f47b
Instruction Fuzzy Hash: F251DD70A20325DBDB01EA5AE494BAE73A7FB84340F158235D81197788CB779C86CF51

Function 070D6358 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176f2ca07ff7d5f97f7207cdf383074ce7f40ba7d221cb4df9717e740c84197a
Instruction ID: b6f6714595103330cf4c7a268e445e3ca1c4302cf74e3502b85ec8cbf7c6bb99
Opcode Fuzzy Hash: 176f2ca07ff7d5f97f7207cdf383074ce7f40ba7d221cb4df9717e740c84197a
Instruction Fuzzy Hash: 5D51CB70A20325CBDB01EA5AE494BAE73B2FB89340F118235D80197788CBB69C86CF55

Function 070D75A0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae0fdc1749606e35be7df2e6ea89e0286e180631bea90d6154ad7a6fc31e4ef
Instruction ID: 391f42347652902e975eff7f280b4b890d7e28b83a9907d392c9a779263fdbe0
Opcode Fuzzy Hash: bae0fdc1749606e35be7df2e6ea89e0286e180631bea90d6154ad7a6fc31e4ef
Instruction Fuzzy Hash: 6251EC70B103158FDB01EBAAD464BAE73E3EB89310F25A675C412A7788DB755C42CF91

Function 070D4990 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564573b02682e137202ab0b89326e42b67fbc443b40d97359dbeb8374ee64c06
Instruction ID: d9c2579a9c4595b6bbee27c34f373769963fe2162b2505b08f487d117203ea17
Opcode Fuzzy Hash: 564573b02682e137202ab0b89326e42b67fbc443b40d97359dbeb8374ee64c06
Instruction Fuzzy Hash: 96418B74610214CFCB05EB6AE498BAE77B3FB89312F0542B5E90687298DB345C42CF91

Function 070D6004 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f652d83623091e87a3af7200a0fa309b613dc2787785d943c521dc3d4894961
Instruction ID: 005343e56d52d127360556b939be14a7ae1ac161f84c2a053b7d411764333b0f
Opcode Fuzzy Hash: 8f652d83623091e87a3af7200a0fa309b613dc2787785d943c521dc3d4894961
Instruction Fuzzy Hash: 7A416BB0A10305CFEB04EB5AD894BAF77F2FB89341F158265E9019B298CB795C92CF51

Function 070D2F88 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c971980f1174b7fc0aa2b139af8495fd76eea48387183489b99242a8413db635
Instruction ID: cef554a957852fe10e4d063882ca13cb287d1634f4ef6ff251227fda6ed9561b
Opcode Fuzzy Hash: c971980f1174b7fc0aa2b139af8495fd76eea48387183489b99242a8413db635
Instruction Fuzzy Hash: 884153752242118FD745EA2AE0A8AAE33B3F7D5311F5183B4D9068B399CF384D46CB91

Function 070D4EA0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795b71b6d00df5e08947f36de6d3c69b1f2e0f54911cd89fe6a353aaa5502913
Instruction ID: 637fbb130dbcf23624a262dac484a794a14a2752711a99c00102a60a6f8a6884
Opcode Fuzzy Hash: 795b71b6d00df5e08947f36de6d3c69b1f2e0f54911cd89fe6a353aaa5502913
Instruction Fuzzy Hash: 4631BC70A1035ACFEB10DB12D854BEEB7F3EB89311F158365E801AB2A8DB755D85CB90

Function 070D3AE0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 923ac6b2b0ebb441dd9e5de4dbae88e47b24d22ac23ebdae5d81ee777bfe4aa0
Instruction ID: fda33ac524f2f6f4f4f6084024bab24c595d5a28344b4cf192f0b5f44c76fc8b
Opcode Fuzzy Hash: 923ac6b2b0ebb441dd9e5de4dbae88e47b24d22ac23ebdae5d81ee777bfe4aa0
Instruction Fuzzy Hash: C231BD75A00319CFEB14DB56D855BAEF3F3EB85321F258276D200A7288CB741C82CB56

Function 070D4EBC Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82943a44a74e6df460224aeb9262dd7d038c31fd80b54e41052bd0e3d9b860d
Instruction ID: e87db7df9e3f7ed2b6b8d64afc84645ee0ef6eed7d515efd752601e104374e4e
Opcode Fuzzy Hash: a82943a44a74e6df460224aeb9262dd7d038c31fd80b54e41052bd0e3d9b860d
Instruction Fuzzy Hash: BA31ABB0A1034ACFEB10DB12E454BEEB7F2EB89311F058370E8019B2A8CB745D82CA50

Function 070D3AF0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda807858f08fdf264b07a71782b15614c8e0077473e405dd3b1c36e0aa01a6a
Instruction ID: 5eeaaa4b32c57bb101bbbec1eea42abd942827b567fbe58bcfd4bf25d7651f22
Opcode Fuzzy Hash: bda807858f08fdf264b07a71782b15614c8e0077473e405dd3b1c36e0aa01a6a
Instruction Fuzzy Hash: C4217771A00359CFEB14DB56D855BAEF3F3EB89321F258276D201A7288CB741D82CB56

Function 070D8BC1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c5cd95b84d011d3a204167eba12b7f7d6d08ee881afbc0fc4bf7b52edc07b0
Instruction ID: 20d6a959d1bbcc609899eb590eb131124fe97ca62f43a610774004bfd16966b8
Opcode Fuzzy Hash: e6c5cd95b84d011d3a204167eba12b7f7d6d08ee881afbc0fc4bf7b52edc07b0
Instruction Fuzzy Hash: 8221AF347112258FDB55BB6AE4546AF36F3EB89351F1082B5DA1683784DB344C428F92

Function 070D9392 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d869d57a375fefba3f1a58af88505af834dd852704241f53ea5d9dba6bdb88
Instruction ID: cd12e54e8022b1531000cc5224f8c6d93eeee750517154ff99daeb1a07ced14e
Opcode Fuzzy Hash: f5d869d57a375fefba3f1a58af88505af834dd852704241f53ea5d9dba6bdb88
Instruction Fuzzy Hash: 7211B2B03103005FC724EB29D84589B7BEAEF956103088569E51ACB751DBB1FC068B90

Function 070D8BD0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c8181d54c4e411d593dbe0fcc1f7a832ca06dad2733d7a53b503b73bf397e6
Instruction ID: 15d5ea599a622f05ec8e760b60f730bdf0259c7fc273409b5b18a8d20f09b356
Opcode Fuzzy Hash: 36c8181d54c4e411d593dbe0fcc1f7a832ca06dad2733d7a53b503b73bf397e6
Instruction Fuzzy Hash: BC218E347112158FDB85BB6AE4546AF36F2EB89355F0082B5DA0687788DB344C428F92

Function 070D8E30 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d741055146f7a0e5a01dfc722d90bb91ccfaf6058ccb24aae932957c6fea9b6b
Instruction ID: 33647dce53b7d9f929fb45b76b2a1833f0e949b6dea28d8c76de52aa1fbbd351
Opcode Fuzzy Hash: d741055146f7a0e5a01dfc722d90bb91ccfaf6058ccb24aae932957c6fea9b6b
Instruction Fuzzy Hash: 590192213253A49FC716773AA8245EB3FABD7C612475542AAE405872C6C9285C12CBE2

Function 070D42B0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc2938475fcc679446e6e2d6a8baf709bed48fc651062895735036bb0815691b
Instruction ID: 7fe0545ca4ace2fa7d0d9b754c359a167d81f07b29611a830946e974279b8d06
Opcode Fuzzy Hash: bc2938475fcc679446e6e2d6a8baf709bed48fc651062895735036bb0815691b
Instruction Fuzzy Hash: 670121723007085BCB20AEA9D880B7E76DAAFC4364F608228F9488B340DF70CC42C3C4

Function 070D6750 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b463bc3932c5d0578f599955466ff884cdc1aa51614e192a61059536c13b01
Instruction ID: 910e485c7029a587d2af53525cd1bfbd8a42349b9e1b0d72f5f4d6a1d957bd85
Opcode Fuzzy Hash: 69b463bc3932c5d0578f599955466ff884cdc1aa51614e192a61059536c13b01
Instruction Fuzzy Hash: C0F096303052546FC706CA54DC10CE77FAADB89160309859BFC19C7352CA339D22D7E0

Function 070D891D Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7a06464d0144c10ecb6097883984fb00a639d0a92dc971a930423185a0343c
Instruction ID: f97907b6a3ab3b8fdb07d4b4a5a648942f74dfebb1182b5554b20d975d5ba1ba
Opcode Fuzzy Hash: ad7a06464d0144c10ecb6097883984fb00a639d0a92dc971a930423185a0343c
Instruction Fuzzy Hash: 1C01CCB0610302CFEB56DB06C459BBEB3E3E784705F088224D040562D8CB342C82CF46

Function 070D8611 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc2f53750d3a5823dc16ed10bce327c2782e87fe7ab6848e6616787677a464a
Instruction ID: 3af47a9556d776dab6d517a302dbf5508a21c3bd6e4c18416a7e8ceb7c6e7e9d
Opcode Fuzzy Hash: 9dc2f53750d3a5823dc16ed10bce327c2782e87fe7ab6848e6616787677a464a
Instruction Fuzzy Hash: 8DF0984604F7D42FC3136670AE72AE23FB9980B15174E41C3E088EF6A7C0494A98D3B3

Function 070D3200 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7137f855f86bc4695e670dca109bf94a92b15c64c9ccc18968e8442b92fa7e
Instruction ID: fe1a1ac9756e62e81f77eab20a7694e261e7aac029806d5032ee498d414eef1f
Opcode Fuzzy Hash: cb7137f855f86bc4695e670dca109bf94a92b15c64c9ccc18968e8442b92fa7e
Instruction Fuzzy Hash: 77F0E2B18543A0DFD7015B58F4056F9BB69FB07316F0A03E3F44AE590096290C4487A3

Function 070D8E50 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df639d59053748e4893221ae4dbc06f48bd7dba91e890f043a25cffa1e9faf4
Instruction ID: b2c0bfdaf769218ffe18217379b099684d3ac7649f5698b393c9d38dd90204a3
Opcode Fuzzy Hash: 1df639d59053748e4893221ae4dbc06f48bd7dba91e890f043a25cffa1e9faf4
Instruction Fuzzy Hash: 66F03A713203608F8785FB76EC2059E3BA7E7CA5503608239D4058B7D8DE305C138BD1

Function 070D4260 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b1464a2345219672b664bace8feac781532f4dfcf254d4ba9f726ec5af096f
Instruction ID: c2a027ee8f0f81e7a93898ccbcbadd7954772fe66aa8cec33a6193841c481a69
Opcode Fuzzy Hash: 95b1464a2345219672b664bace8feac781532f4dfcf254d4ba9f726ec5af096f
Instruction Fuzzy Hash: D4E065363007148FC364D69DE944AABB7D9FBC8721F24462AF54EC3B00DA30FC018A94

Function 070D4E81 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c726a54c63170edce4b6312ac49ebc84b8468886378de9b72bc85d43e983c468
Instruction ID: 2e4d9c3d853b37affe52c3299d5083a57817431afab94164c3948973d7bad943
Opcode Fuzzy Hash: c726a54c63170edce4b6312ac49ebc84b8468886378de9b72bc85d43e983c468
Instruction Fuzzy Hash: ABF0EC3164E3C57FC703DB705D584AA7FB99E0610071901DBF448DB172D6364E14D7A1

Function 070D8ED0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd65c8becc49834ce3e4e962a494e67ffe5aa9bd9a4eaaff59fb0d9f79a7e72
Instruction ID: 7fe2f54b02d3cbe930da856ead4c9d2b2800c75aa994714456bfc5db69cfc4be
Opcode Fuzzy Hash: 0cd65c8becc49834ce3e4e962a494e67ffe5aa9bd9a4eaaff59fb0d9f79a7e72
Instruction Fuzzy Hash: BAF01C713203248B8646BA6AE8605AF33ABE7C9264B518234D505873C8DD345C138BD2

Function 070D66E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd908761becc93f89874cfd8c087887dc23bf872693ba6f14897af229ae5468
Instruction ID: 9c2ef97c9817102ea7b9a37020141f779723025d7594fd8fa2d4d34dac435c4c
Opcode Fuzzy Hash: ddd908761becc93f89874cfd8c087887dc23bf872693ba6f14897af229ae5468
Instruction Fuzzy Hash: 80E08C342462643FC3068A64EC41CE3BF6EEB86520308809BB8548B392CA63AD12C3F1

Function 070D4952 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf3651c4aebbf63145cba8bb345f8b22ac4f71dbd9dfc9263ddbe7bbfc07c81
Instruction ID: dd2f4f51628745b9668813d6ae2f749be4acfc88ffbfaccc9c10b4933e2a833e
Opcode Fuzzy Hash: 9bf3651c4aebbf63145cba8bb345f8b22ac4f71dbd9dfc9263ddbe7bbfc07c81
Instruction Fuzzy Hash: E8E0929300A2D59FC7124F60BE167E17F25DF1301570E02C7F4889B2B7D62655B9C395

Function 070D8E60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107b8d174bcd70bc0f0a43b0ffbd00e69a875755f8464e6f2fcf714157c0e68e
Instruction ID: 6be144d782a237b10f6bad4489bf9badabf64bca4e6884c840071ccd5ada5a1c
Opcode Fuzzy Hash: 107b8d174bcd70bc0f0a43b0ffbd00e69a875755f8464e6f2fcf714157c0e68e
Instruction Fuzzy Hash: EBE0C9703203608F8B85FBB6EC608AE77A7E7862403909339D4158B7D8DE305C128FC5

Function 070D8FBF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41770f8adfcf6e6742e7fc020882bd8d830331885394dcc7581d69795b1f3ff6
Instruction ID: 62a65702a34a29eafaf6c47be7aba01afa9ee7882d6bd79392299aba2fe9676d
Opcode Fuzzy Hash: 41770f8adfcf6e6742e7fc020882bd8d830331885394dcc7581d69795b1f3ff6
Instruction Fuzzy Hash: E2E0B6CB80E7C45FD7031A609E726403F664A67112B5E45D7A088CF7A3E1298959C376

Function 070D4350 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617796f0dab09afbcc065d33be159ccc7e232d0932e989e560b7feee0f1b27ad
Instruction ID: 72cb060b24dc8ac484e81c503581e2d08e0c80e2fb4f8e859e537bf6b0ec34ac
Opcode Fuzzy Hash: 617796f0dab09afbcc065d33be159ccc7e232d0932e989e560b7feee0f1b27ad
Instruction Fuzzy Hash: 70D02EF80063462FC3098F618E019227F36EF8314231A828ABC88CAA02C736482083A0

Function 070D67C8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ce09d66094ca5c7849ce7f13932016eae5f0f832edc4a588835bbd77ef78fa
Instruction ID: f3ff7b5f41d289ab39ca3fa17f756b6f0167e67e5a11f5c21a164b646542b5d2
Opcode Fuzzy Hash: e9ce09d66094ca5c7849ce7f13932016eae5f0f832edc4a588835bbd77ef78fa
Instruction Fuzzy Hash: 79D0C7307491405FC30A869C5D54C976B9A8B8515431D849AB81DDB352DA178E5382A0

Function 070D2FF8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1d3230f62da4e830438532812ac11d3a22e206b80eb043d53b71e58dd8e845
Instruction ID: c230cb85f89e363cf97e1408b71d9d443c83bdedbebd7a2556dd92c9eb5b55ad
Opcode Fuzzy Hash: 0b1d3230f62da4e830438532812ac11d3a22e206b80eb043d53b71e58dd8e845
Instruction Fuzzy Hash: 10D012312092546FC305C799DC51D92BBA99B49510714C0AAB948CB253D633ED53C7B1

Function 070D6680 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd26cca9bdcf7de5baa814c8e34d9ef6c7146cbb7ab2ba54f47257ec07e24e54
Instruction ID: 30d79b50aca487e27a53b3bf749bf910d6517b65dac6594cdf577090c3fb758a
Opcode Fuzzy Hash: bd26cca9bdcf7de5baa814c8e34d9ef6c7146cbb7ab2ba54f47257ec07e24e54
Instruction Fuzzy Hash: ADD0C73024D3842FC34783B4BC55CD27F5D4A4252430981DEF858CB553C6639916C2F2

Function 070D7F1F Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66230a170f42dce5f8940bfde78be3d0405ca3bd58409034baf1b4d2e3f898c
Instruction ID: 3cf55223430dc5028ca49aeaf7ca684e99664f7929cb2a0271f59291e46707bd
Opcode Fuzzy Hash: c66230a170f42dce5f8940bfde78be3d0405ca3bd58409034baf1b4d2e3f898c
Instruction Fuzzy Hash: 4CE0C2B0600786DFEB548B02D050B7E37F3E785311F15A320C5124378CD638EC428A01

Function 070D6760 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ba782675fcdd8aff74ea6f0a83c41e2cb3e78684efea51cd70aa7f2296677b
Instruction ID: 877f0f7dcd895513f3842dead994786ff947c22c1e70ab8d1161cd6d10d093a9
Opcode Fuzzy Hash: 44ba782675fcdd8aff74ea6f0a83c41e2cb3e78684efea51cd70aa7f2296677b
Instruction Fuzzy Hash: 04D09E36200118BF9B05DE84DC41CA6BB6AEB89660B14C45AFD1547351CAB3ED22DB90

Function 070D92CA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aaa55e23c5c7fc0f7746e293f04d2b03127248eed5c6dcac51d40b603f6541d
Instruction ID: ec2e5ed0a49b7cbacae7b7c35572a5dbc3098eb14e9b16f3fd3a93318ad54df2
Opcode Fuzzy Hash: 4aaa55e23c5c7fc0f7746e293f04d2b03127248eed5c6dcac51d40b603f6541d
Instruction Fuzzy Hash: 64D012743401046B8244C59DDC41CA3BB9DDB98520324C029F80DC7301DA32FC03C5E1

Function 070D8D90 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34dd03a77793710425b5370d4934fb03d9dac253cfeaed4b6d30945e3eb0ab65
Instruction ID: ccf93461dcf0e42bb6e4065d9c91a90f0b7b80ab7e83723d3188350b52d8ea34
Opcode Fuzzy Hash: 34dd03a77793710425b5370d4934fb03d9dac253cfeaed4b6d30945e3eb0ab65
Instruction Fuzzy Hash: AED0127160D3581FC752C7A4FC12824FB798A86125758C1FEFC4C9B693E923AC2282D2

Function 070D5570 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3e002420c79c31df72c78000e74b5b2ecfc2dfc5fabfa629c773eb4a96caea
Instruction ID: 9f61ec5ef8d57c992366b77850d5aba88e6b6ed17bbaa8a517e22afdcab1472e
Opcode Fuzzy Hash: 5a3e002420c79c31df72c78000e74b5b2ecfc2dfc5fabfa629c773eb4a96caea
Instruction Fuzzy Hash: DBC04C752CA3F56FC20306A02D268EA3F6EC4061253095183F664DB5A3D716465686E7

Function 070D2980 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1a2fdc99f680bb930492cc1aba021162e25faa59ddeee2537fcf860cc5dc33
Instruction ID: f1094808c2aa1a2309c3f1a5b36b4da2f7685625a689d869b83b7357fa75601e
Opcode Fuzzy Hash: af1a2fdc99f680bb930492cc1aba021162e25faa59ddeee2537fcf860cc5dc33
Instruction Fuzzy Hash: 7CC0802106D7945FC7411B709C146D27F2CC90750530501C2F599C5443C515551187F1

Function 070D66F0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction ID: 399b19409b12bfee8db974d66aa2a96c1138129ff0f8d3e3c5f1b8eb92e7f6bb
Opcode Fuzzy Hash: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction Fuzzy Hash: A2D012352001187F9704DA88D841CA6F76DEBC9670714C05BFC0887301CAB3ED12C7D0

Function 070D8E10 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54632e470981b76f49efc7ef95856f85f2e25ee887be934fa052c31401244112
Instruction ID: 0d79ebf5114eb2e3757e164277b5ac6a186f1c62a2fb4db5bd58439c5d0a969a
Opcode Fuzzy Hash: 54632e470981b76f49efc7ef95856f85f2e25ee887be934fa052c31401244112
Instruction Fuzzy Hash: A0C08C2008E7E46FC26223A51C219D63F2E480201030800CBA08C8A04344091925E3FA

Function 070D67F1 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40384accd365d9f5c5cfafaf0680fe8da217fe622ec1ab957d32d4d14b1aea18
Instruction ID: 9e8f12a4ab0365038d3aa8ff9063bb7220ce43c6bb3384cc0878023013a50391
Opcode Fuzzy Hash: 40384accd365d9f5c5cfafaf0680fe8da217fe622ec1ab957d32d4d14b1aea18
Instruction Fuzzy Hash: 35C0929398AB889FCB0716A07E526A12B7A585302134E06D3F558CB2B2D1064764C369

Function 070D92D0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 070D7580 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc357ec77d83fa7a97474f99cedcf4e2a5c16874e0d5550cae49bb3c6dc53624
Instruction ID: a9aeb67d78d3831eaaf3b999c61675a7d7bad39b72477742981c442c561b8e0c
Opcode Fuzzy Hash: dc357ec77d83fa7a97474f99cedcf4e2a5c16874e0d5550cae49bb3c6dc53624
Instruction Fuzzy Hash: 41C08C2004A3C70BCB0302602CA99C17F28880B0A870412C7F0CAEA493C72404919371

Function 070D3008 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 070D93A0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
Instruction ID: 19d07928bc24b9474f7e59cbdd8b8e0d3deed1c7a519eb3c8c8690cf2c067a2b
Opcode Fuzzy Hash: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
Instruction Fuzzy Hash: C5C092303082084B8748D69DE851825F3DA9BCC618328C0BDA80DC7352EE23FC038684

Function 070D67D8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
Instruction ID: 19d07928bc24b9474f7e59cbdd8b8e0d3deed1c7a519eb3c8c8690cf2c067a2b
Opcode Fuzzy Hash: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
Instruction Fuzzy Hash: C5C092303082084B8748D69DE851825F3DA9BCC618328C0BDA80DC7352EE23FC038684

Function 070D8F9F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c420ef281dda7a14c22a2603e46f4f8da6a0c134a42c9cead72e3f6ea1c7eba
Instruction ID: f2b9538a3f6e2ebcb1993978dfccd6528393e1746eaf173d4610b9e91ceaac35
Opcode Fuzzy Hash: 7c420ef281dda7a14c22a2603e46f4f8da6a0c134a42c9cead72e3f6ea1c7eba
Instruction Fuzzy Hash: DFC08C3244920AEBC7150FA0A618040BB31EB89212B2900F7A00859212CA364022C302

Function 070D3ABF Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d405eabc52bab8b0eb736373b12d72dc6e0eba8d7855840347266e215e2d5bd0
Instruction ID: 0b19a6900592c49f4105e19403054f5ea690849ac006bc98a5d7e3b7dbef52b7
Opcode Fuzzy Hash: d405eabc52bab8b0eb736373b12d72dc6e0eba8d7855840347266e215e2d5bd0
Instruction Fuzzy Hash: 74C04C6344E3C79FD7020BB06A59240BF25DF4B312B1A10C7E15489993EE3544659316

Function 070D6690 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 070D8AC0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73cfe1f279ed5348ff3ebac62bd7b5c26b4bdb1e6bfc250db1768c5840c781f
Instruction ID: abd668c97e904ea188680fe1a703f2c2e5125a5c289a1c68ac240974687da3d5
Opcode Fuzzy Hash: c73cfe1f279ed5348ff3ebac62bd7b5c26b4bdb1e6bfc250db1768c5840c781f
Instruction Fuzzy Hash: 8FB0126244439C9BC3013FD47B194E03B27C79E136F0500BFF72969F93B11108545113

Function 070D8DA0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 070D8FB0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fa7dcbc4eafab11f3c81e1a7ae46f68657bf90a1ad394a35764a1fb09a37b9
Instruction ID: f9671c000d13da851521fb4cdef76d4d66ed157be3657fecdc6eb9f8596ea264
Opcode Fuzzy Hash: d4fa7dcbc4eafab11f3c81e1a7ae46f68657bf90a1ad394a35764a1fb09a37b9
Instruction Fuzzy Hash: B9A01130082B0CCB83202AA0A00A020BBACAA0020ABC000B8A20C00A208A32A020CA8A

Function 070D8FF0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ece1286b8bbd3b977acbfcede5b629d043df1ab9ac70e20cde9f35f52218bf2
Instruction ID: 74505f192318b3cdd9df5d5dec957ccf79d81a4035962ae87af8a405f5c05b3f
Opcode Fuzzy Hash: 2ece1286b8bbd3b977acbfcede5b629d043df1ab9ac70e20cde9f35f52218bf2
Instruction Fuzzy Hash: B6902230000B0C8B02002380300A0A03B8CC000022B802000B00C000020E00200002E0

Function 070D3210 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24004dd57e23108a1b0bb8db942de9e8e856dcf7166d2515ceef7777e4dddf19
Instruction ID: 664cafe98c469b5227c46483354157690fa73cfc55900e490dd92ea0e85b9f35
Opcode Fuzzy Hash: 24004dd57e23108a1b0bb8db942de9e8e856dcf7166d2515ceef7777e4dddf19
Instruction Fuzzy Hash: F5902230020A0C8BA20023A0300A0A03B2CA0002223800080B00C00C000E02280002A0

Function 070D8620 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabf4e1b3e11273764088d3eabbeec829dca5a7af75f914ef72880a4cded33ac
Instruction ID: 35c4f00c86eed9c2eee07d0ca6d058286aafaba5ac0b18539bf17a02264c6a3b
Opcode Fuzzy Hash: dabf4e1b3e11273764088d3eabbeec829dca5a7af75f914ef72880a4cded33ac
Instruction Fuzzy Hash: 21900231054B0D9B8A402795750A5757B9DD54C6557801151B60E415115E55B4104695

Function 070D8E20 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4b6dfe96e412706dec918e7cf4d78d406789b03a453ea6d26fdbb080d76967
Instruction ID: 06e888b680105b783580130a6f740a9fc6be3491d3bc81766da842b6a9e5cd87
Opcode Fuzzy Hash: 7d4b6dfe96e412706dec918e7cf4d78d406789b03a453ea6d26fdbb080d76967
Instruction Fuzzy Hash:

Function 070D8E40 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a1727a18f616f62a1ab2833235953ccbb01592b687dd42a2393b4f8f8502da
Instruction ID: 0c1deab50fcbdaf603f38c2e229ab32ee380db918e516fc3317bad84fe2ad156
Opcode Fuzzy Hash: e5a1727a18f616f62a1ab2833235953ccbb01592b687dd42a2393b4f8f8502da
Instruction Fuzzy Hash: C090023105464C8B564427D5B449995775E965452A7800051F60D415419A556850459A

Function 070D4E90 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd69769baabb72c47e33b18db386627a7ce26d67a8a30ec629f761660a6bb28
Instruction ID: 1da2545cba6a4f144a83da0b00fdec661cdd2502a0bdcd3f950f953388d69037
Opcode Fuzzy Hash: 9cd69769baabb72c47e33b18db386627a7ce26d67a8a30ec629f761660a6bb28
Instruction Fuzzy Hash: BD90223000020E8B02002382300A2203B0C88000003800000B00C00A000E8020800080

Function 070D8AD0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b9f0ef1822b58e21621aeb55e748a585c767dbc139b45a6e312b2de3a0355a
Instruction ID: 3a42871f0853e96b51534161191233fd429b111c12787fb3364158933b11c43f
Opcode Fuzzy Hash: 34b9f0ef1822b58e21621aeb55e748a585c767dbc139b45a6e312b2de3a0355a
Instruction Fuzzy Hash: B790023104460C8B464427D57449995775E954853A7800051F71D415415A55A4504596

Function 070D3AD0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fd7097df9cf1b1922c0307c487529058aa99f72e637497baf4f4b70ee0d78f
Instruction ID: e663dbf73ad3261a6c5c8c45e1f977c24e4857a1f92260d7f536f82204f75d7d
Opcode Fuzzy Hash: 84fd7097df9cf1b1922c0307c487529058aa99f72e637497baf4f4b70ee0d78f
Instruction Fuzzy Hash: E190023109470C8B4B406795750A755BB5C9544516B8010D1B50D455015E6664605696

Function 070D4980 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fdb2500d7b659f1d08574c2d1d0218cf65d7646ab0967c0e39d509248635b2b
Instruction ID: 5b4eed496a61d658857ef4468faca6d9d1dadad157cfbc4ce6a48dbb055aab78
Opcode Fuzzy Hash: 6fdb2500d7b659f1d08574c2d1d0218cf65d7646ab0967c0e39d509248635b2b
Instruction Fuzzy Hash: 5D90223000020C8B03002B80300A2203B0CA000000B880000B00C000200E0220800080

Function 070D5580 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c4d7bade68f59f3bcfb94ab485c103f3b8f5c8a267fc2213eabcadd6ab73d1
Instruction ID: cbf840dd8e9e6db717db4b7646af0e63444140ec48cb92cfb4d2092992b6d13e
Opcode Fuzzy Hash: 50c4d7bade68f59f3bcfb94ab485c103f3b8f5c8a267fc2213eabcadd6ab73d1
Instruction Fuzzy Hash: F5900235054B0C9B464027A5740A565BB5DD5446157805152F60D415125E6664154695

Function 070D7590 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24b52718ba15b90f6fa8f9f89b4ae81ac5d85c4b9465cde01f1d7f2f4bdada3
Instruction ID: 07f5842e0939472b240e4ce831533ae7512f455201c4c97d6a67412ff06ac4d4
Opcode Fuzzy Hash: e24b52718ba15b90f6fa8f9f89b4ae81ac5d85c4b9465cde01f1d7f2f4bdada3
Instruction Fuzzy Hash: 9690023109470C8B4E816795B40A599BF5CD544566B801151B50E425015E59785045F5

Function 070D2990 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc62f757e17d1ee895f38fb10b2e207dd86c611f1a1b65a364aced6248039c4
Instruction ID: c3046624bf0c9bd09471205d80d86110f089120fff7dc5a0bb07a71cb9751153
Opcode Fuzzy Hash: 0cc62f757e17d1ee895f38fb10b2e207dd86c611f1a1b65a364aced6248039c4
Instruction Fuzzy Hash: CB900232064A0C9B964067997C0A965BB5D9544A197805191B60D459025E65A91045A5

Function 070D8366 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1616284816.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70d0000_RFQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6cf9da1b6b8a78a85c0451eee020bf71df4367b82521b7e48f1169294a7275
Instruction ID: 03c3d2843e90c4117d7c6fe11f5b7bd62a8a04f19127a4d35e10b6ac567b96c7
Opcode Fuzzy Hash: 3b6cf9da1b6b8a78a85c0451eee020bf71df4367b82521b7e48f1169294a7275
Instruction Fuzzy Hash: A4A00268124B45E7E3041761945D73A39B2D745311F117711A4734275B897898414605

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1qltcpvq.3ze.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_id1secl3.die.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nvuhdglt.g4z.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_piqfuzxk.cbt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqd3gxp4.jo4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vip2ni4b.urz.psm1

C:\Users\user\AppData\Roaming\RFQ.scr.exe

C:\Users\user\AppData\Roaming\RFQ.scr.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
RFQ.scr.exe

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre